The Maginot Line syndrome


The collapse of Barings Bank was as much a matter of compromised systems security as it was of rogue trading. Helga Drummond, professor of decision science at Liverpool University, explains why

When Admiral Horatio Nelson died he was placed in a barrel of brandy to preserve his corpse for the journey home. During the voyage, however, some miscreant drilled a tiny hole in the barrel, inserted a device known as a "monkey straw" and purloined the liquor - leaving the distinguished admiral quite literally high and dry.

The moral of this story is, of course, that workplace crime can be very subtle and its effects not immediately obvious.

In February 1995, merchant bank Barings Bank discovered this to its cost. The bank's sudden and utter collapse was primarily due to the unauthorised activities of its star futures trader Nick Leeson.

Leeson managed to deceive Barings for almost three years, reporting fictitious profits, while concealing massive losses. Yet the Barings' debacle had almost nothing to do with the murky world of derivatives trading. At the heart of the deception lay a failure of systems security.

Soon after Leeson arrived in Singapore in July 1992, he instructed a computer clerk to create an error account, number 88888. Leeson then instructed a systems engineer to amend the software in order to suppress account 88888 from reports to London.

The stage was now set. Leeson's job involved executing orders for colleagues based in Japan. Leeson appeared to be remarkably successful in obtaining discounted prices. In fact, Leeson was deliberately mis-pricing trades and hiding the loss in account 88888. Leeson's apparent success enabled him to move from execution into becoming a trader in his own right.

From September 1992, Leeson began selling options without authority in order to recoup his losses. An option gives another party the right, but not the obligation, to buy or sell a given quantity at some date in the future in return for payment of a premium. For example, to buy 1,000 apples at 10p each in nine months' time.

Options trading is a highly risky activity because if the price of apples rises, the loss may far outstrip the premium received.

This is precisely what happened to Leeson. Leeson, however, hid the losses in account 88888 and sold more options in increasingly desperate attempts to retrieve the situation. Since the premium was booked as profit, Leeson appeared increasingly successful, while in reality exposing Barings to huge risk.

Security frequently involves designing systems of control to prevent unauthorised access. Barings' collapse suggests that organisations may have more to fear from authorised users apparently going about their daily business.

Lack of supervision

Protecting systems from insider abuse is difficult because organisations require control and flexibility.

In Barings' case, however, the problem was deeper, and can be traced to a weak control culture. More specifically, the fault line in Barings was that Leeson controlled both the front office and the back office: the front office, where trading was conducted, and the back office, where the documentation was processed.

The lack of segregation enabled Leeson to conceal his activities by adjusting prices, switching funds and so on. Moreover, since Leeson was virtually unsupervised there was no one close enough to see what he was up to.

Risk assessment typically concentrates on control points with greatest vulnerability and potential loss. In other words, like some imaginary Maginot Line, organisational defences are pointed in the direction from where an attack seems most probable. The defences may be impregnable, but that is irrelevant.

As the Barings' debacle shows, miscreants simply find another route. Brokers use error accounts to process mistakes made during trading. For example, if a contract to buy is wrongly executed as a contract to sell, the customer is made good and the company stands the loss. Such accounts seldom contain more than a dozen transactions and the amounts involved are relatively minuscule.

It took just three key strokes to create account 88888 and a routine instruction to suppress it from reports to London. The lesson is that the least consequential parts of the system are potentially highly vulnerable to abuse precisely because they are unguarded.

The Barings' case proves how systems of control can undermine themselves, a phenomenon known as the "paradox of consequences". Ironically, Barings' processing controls worked perfectly. Despite Leeson's efforts, the transactions booked to account 88888 were transmitted to London.

However, because the data failed to meet edit criteria - the contracts could not be matched to existing account numbers - the system rejected them into a suspense file. The suspense file was noticed only after the bank collapsed.

In part, it is the old story. The suspense file should have been audited regularly. It is more important, however, to try to understand why Barings' management was so incurious about the information. Fraud invariably generates evidence of its existence. The Barings' case suggests that although such evidence may be staring managers in the face, it may be ignored because it makes "no sense". Untimely and inappropriate output, as well as inaccuracies, indicate weaknesses in the system. For example, the piles of computer printout marked "garbage" gathering dust in office corners.

An alternative hypothesis is that "garbage" represents outcrops of fraud. To neglect such clues is to behave like the drunk who looks for his car keys not where he dropped them, but under the lamp post because the light is good.
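The two control gaps described above (a report that silently omits an account, and a suspense file of rejected records that nobody reads) both yield to routine reconciliation against a source the trader does not control. The following is an added example, not code from the article or from Barings; the account numbers other than 88888, the record layout, the prices and the materiality threshold are all constructed for illustration. It shows a report that has been amended to suppress one account, the head-office edit check that rejects unmatched records into a suspense file, and two independent checks: a reconciliation of the report against the raw booking file, and an audit of the suspense file that ranks rejected records by gross exposure. Either check alone surfaces the hidden account, which is also the point of the section that follows: a risk system fed only by the person being monitored cannot do this.

```python
"""Reconciliation and suspense-file audit for the control gaps discussed above.

Added example (not from the article). All sample bookings, account numbers
other than 88888, prices and thresholds are constructed, hypothetical values.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Booking:
    account: str
    instrument: str
    quantity: int      # signed: positive = bought, negative = sold
    price: float


# Constructed sample data (hypothetical; not real Barings records).
MASTER_ACCOUNTS = frozenset({"10001", "10002", "99002"})  # accounts head office knows
BOOKINGS = [
    Booking("10001", "NIKKEI-FUT", 10, 19_500.0),
    Booking("10002", "NIKKEI-FUT", -5, 19_480.0),
    Booking("88888", "NIKKEI-FUT", 200, 19_450.0),
    Booking("88888", "NIKKEI-OPT", -300, 120.0),
    Booking("99002", "JGB-FUT", 2, 101.2),
]


def suppressed_report(bookings, hidden=frozenset({"88888"})):
    """The weakened report: the amended software drops the hidden account."""
    return [b for b in bookings if b.account not in hidden]


def edit_check(bookings, master_accounts):
    """Head-office edit criteria: a record whose account is not on the master
    list is rejected into the suspense file instead of being posted."""
    accepted, suspense = [], []
    for b in bookings:
        (accepted if b.account in master_accounts else suspense).append(b)
    return accepted, suspense


def reconcile(bookings, report):
    """Independent reconciliation of the report against the raw booking file:
    net quantity per account must agree. Returns {account: (booked, reported)}
    for every discrepancy, including accounts present on only one side."""
    booked, reported = defaultdict(int), defaultdict(int)
    for b in bookings:
        booked[b.account] += b.quantity
    for b in report:
        reported[b.account] += b.quantity
    return {a: (booked[a], reported[a])
            for a in set(booked) | set(reported)
            if booked[a] != reported[a]}


def audit_suspense(suspense, materiality=1_000_000.0):
    """Summarise the suspense file by account, largest gross exposure first,
    and flag anything above the materiality threshold for follow-up, so the
    'garbage' file is reviewed rather than left in a corner."""
    gross, count = defaultdict(float), defaultdict(int)
    for b in suspense:
        gross[b.account] += abs(b.quantity * b.price)
        count[b.account] += 1
    rows = [
        {"account": a, "records": count[a], "gross_exposure": gross[a],
         "flag": gross[a] > materiality}
        for a in gross
    ]
    return sorted(rows, key=lambda r: r["gross_exposure"], reverse=True)


def run_controls(bookings=BOOKINGS, master_accounts=MASTER_ACCOUNTS):
    """Run both independent checks over the sample data and return findings."""
    report = suppressed_report(bookings)
    _, suspense = edit_check(bookings, master_accounts)
    return {
        "report_discrepancies": reconcile(bookings, report),
        "suspense_audit": audit_suspense(suspense),
    }


if __name__ == "__main__":
    from pprint import pprint
    pprint(run_controls())
```

The reconciliation compares two records of the same trades produced by different paths, so a change to the reporting software alone cannot hide a position; the suspense audit turns the rejected-record file from a write-only dump into a ranked worklist, where a single unknown account carrying millions in gross exposure is the first line a reviewer sees.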

Flawed risk system

Behind one paradox lies another. Barings possessed a "state of the art" risk management system. It was fatally flawed, however, because it depended on information fed by Leeson. Consequently, the system suggested "all clear" when the reverse was true.

In January 1995, market rumour began contradicting Barings' numerical data. During the next seven weeks the rumours became more specific. Reputable investment banks began warning customers to be careful about using Barings as a counter-party.

Had Barings investigated whether there was any substance in these rumours, Leeson's activities might have been exposed before his losses became catastrophic. Instead, since some exchanges published trading positions and others did not, Barings assumed that the market was seeing only half of the equation.

Barings' reaction to market rumour highlights the risk of relying on a single form of information technology. Computer-generated data, even if factually accurate, is not reality. Rather, it depicts reality in a particular way, just as an anatomical sketch captures certain features of a human body while missing others. The point is, to see something one way is not to see it another. Rumour can reveal features of a situation that are suppressed by computer-generated data.

When systems are breached the instinctive reaction is to tighten security. Quite apart from destroying essential flexibility, this may only make the problem worse by creating an illusory sense of control.

Ultimately, system security depends not on having the most elaborate and rigorous controls, but on developing a feel for the limits of those controls and a willingness to look beyond them.
