The Barings Bank Case: Image in the Mirror

The numerous investigations into the current sensational corporate failures will expose many of the same operations control weaknesses that led to the collapse of the Barings Bank of London. 

When the smoke finally clears from the recent corporate collapses, the image in the mirror may not be an Enron or a WorldCom but it could be the infamous shortfalls in operations risk management that appear not only to be at the core of the failures but are reminiscent of the factors leading to the Barings Bank debacle.

Though the culprit in the Barings case, Nick Leeson, was several layers below the top executives in the recent catastrophes, poor operations risk controls allowed him to commit frauds similar to what we're seeing today.

The year was 1995. Nick Leeson, 28, had risen from the working class of Watford, England, to become the general manager and head trader of Barings Futures Singapore. Barings PLC of London was the oldest merchant bank in England at 233 years. But due to a combination of Leeson's greed and overreaching ambition, and Barings' serious lack of operations risk controls, the bank would soon collapse under a $1.4 billion debt.

Leeson was charged with forgeries and misrepresentations that he made to conceal unauthorized deals while trading on the Singapore International Monetary Exchange (SIME). He served two-thirds of a six-and-a-half year sentence in a Singapore jail.

Operations risks include, but aren't limited to: human resource management risk; vendor management risk; custody of assets risk; accounting and financial disclosure risk; technology risk; physical security, natural hazard, and environmental risk; fraud and embezzlement risk (internal and external); legal and political risk; modeling risk; and compliance risk.

Operations risks can be financially troubling if not devastating. The corresponding risk to reputation can be long term and even crippling as customers stay away for months if not years after an operations risk incident. Audit committees, CEOs, senior management, line-of-business executives, auditors, and fraud examiners must work collectively to control and mitigate operations risk.

Barings is the poster child for a business that practiced the following seven deadly business control sins.

1. Cash is Ignored as a Key Control  

Cash always has been a key control in any business. The London headquarters of Barings was sending significant amounts of cash to Singapore - Leeson's trading office - with only cursory review and questioning.

Leeson conducted unauthorized trading contracts that incurred significant losses, which he had to cover as the SIME issued its margin call to him. He adroitly hid his losses in the infamous 88888 account and was able to reveal a substantial profit in his reported earnings. With earnings growing, the London office didn't ask why the cash was flowing to Singapore.

"There was a howling discrepancy, which would have been obvious to a child," Leeson writes in his account of the Barings Bank collapse, "Rogue Trader." "The money they sent to Singapore was unaccounted for - but they wanted to believe otherwise because it made them feel richer."1

He writes that he was "buying the Nikkei and selling ... short, trading like a maniac and requesting about $10 million every day from London."2

After the auditors passed by approximately $80 million in the initial audit, Lesson said he "was amazed that it did not cause more discussion, because $80 million worth of the Bank's money had gone walkabout ... without anyone noticing."3

Management didn't have to fully understand the trading activity or the margin requirements of the exchanges in which Leeson traded to be curious about his frequent requests for large amounts of cash. When cash goes on a "walkabout" in your business you're violating a primary principle of good operational controls.

2. Ignoring that Controls are Inversely Proportionate to the Geographical Distance between the Transaction and Main Office  

An organization often ignores the axiom that distance increases its operations risks. Far-off subsidiaries don't maintain the same culture or level of controls as headquarters.

Unforeseen events in remote locations can affect operations risks. The Kobe, Japan, earthquake in 1995, greatly reduced values of the Asian markets, which created huge losses in Leeson's positions. The lesson is that bad things, like natural disasters, do happen to good companies.

Leeson wrote, "The rest of the market had smelled what Barings back in London were (sic) completely ignoring: that I was in so deep there was no way out."4 "There's been an earthquake in Kobe ... the market is going to fall out of bed. The market was butchered."5

Don't ignore your subsidiaries. Things may not be operating as smoothly there as in your main office. The simple fact that auditors and management are located in your headquarters increases the control. The opposite is true (and was so in Leeson's case) for your subsidiaries.

3. Star Employees and New Customers Get Special Treatment and Controls are Ignored 

Your star employees are often like your new and potentially profitable customers - they receive a "get-out-of-jail-free" card just for joining your organization. Management fails to ask these new employees and customers the pertinent questions or enforce standard policies and procedures because they seem to bring so much promise to the organization. The star employee often brings in the new customer who "has stellar credit, is going to buy a lot of product, needs it all done quickly, and won't need to adhere to the standard credit checks etc..." Leeson's profit and loss numbers from Singapore were so impressive that few dared asked questions. They felt he could do no wrong and he was bringing in heavyweight customers.

In his book, Leeson wrote that he was astonished that no one stopped him. "The only good thing about hiding losses from these people was that it was so easy," he said.6

Leeson implied that he knew that his supervisors shouldn't ignore standard controls. The stars need more controls.

4. No One, Other Than Your Star, Really Understands the Transaction 

Management above Leeson didn't fully understand his trading strategy. They knew (or deluded themselves into thinking they knew) that he was making money and that was enough for them. They never challenged the numbers and didn't follow the flow of cash requests and ask Leeson to document his trading strategy.

Also, management hadn't hired experienced operations staff under Leeson who could understand this type of trading. The staff, therefore, had to turn to Leeson each time they needed direction in settling trades and/or reconciling accounts. They accepted direction that a more experienced operations person would have challenged or at least would have seen the raised flags and alerted management.

Fraud examiners noticed that management not only ignored warning signs but also excused and fabricated explanations. Possibly the front-office people believed it was a step down in prestige to immerse themselves in back-office activities. After all, they were the rainmakers and the operational details should have been left to others. This attitude can often lead to operations risks being overlooked and disastrous consequences.

In Leeson's book, a Barings regional manager had said, "It's just a non-transaction. It's an error. It is a back office glitch. Don't worry about it."7 (emphasis added)

"I knew from my experience," Leeson wrote, "...that when it came down to detail, no senior managers actually wanted to get their hands dirty and investigate the numbers. They always assumed that they were above that. ...."8

Barings managers "knew that something must be seriously wrong if £50 million could leave the Singapore office with only my say-so: I just didn't have that authority. I was not a recognized signature on any chequebook, let alone one that could move that amount of cash."9

A good fraud examiner will always make sure that he fully understands a transaction from the person initiating that transaction because only then can the fraud examiner confirm that activity with several layers of management.

5. The Auditors aren't Strict 

Leeson knew that the auditors didn't look that hard or they would have discovered his malfeasance. In "Rogue Trader," Leeson writes that the auditors didn't follow up on a memo regarding segregation of duties, didn't complete some basic reconciliation, and accepted fraudulent documentation. The auditors relied on "conversational auditing" - they accepted answers from Leeson, and others, at face value and didn't require proper documentation to support key issues.

"All ... (the auditors) had to do was look at a balance sheet during the month, and they'd see that the funding I'd received from London didn't equal the funding I'd passed into SIME," Leeson wrote.10

"The main sources of evidence were enquiries made of key managers, primarily the General Manager," he said. "Key reports and records were reviewed but no detailed testing of these records was undertaken."11

6. The Numbers Don't Make Sense but are Still Accepted 

As any fraud examiner knows, if the numbers seem too good to be true, they probably are. Every time a company has significant negative financial operations problems the post-mortem reveals that the numbers just didn't make sense. Those who unravel the problem, scratch their heads and mutter, How could this have happened? Why weren't the basic questions asked? How could these numbers (monthly profit and loss results, balance sheet numbers, results reported to regulatory agencies) have made sense to anyone? The Barings numbers didn't make sense and there was a negligent and possible willing suspension of disbelief.

"Everyone knew that this was ridiculous - everyone, that is, apart from the Barings management, and they just didn't know anything," Leeson wrote. "They could have found out in half an hour, if they'd done the most obvious check: looking at the positions I reported to SIME (which included the 88888 account) compared with the positions I reported back to London (which made no mention of it)."12

Leeson writes that management was more willing to accept large numbers rather than small because they seemed more believable. Small numbers can be challenged and changed but once they get to be too large, management - in order to save face - has to say, "We accepted these numbers when they were smaller - how can we challenge them now without looking like utter idiots?" The fraud examiner has to ensure that large numbers don't fall into the category of "too big to be wrong."

7. Span of Control is Confusing and Reporting Lines Create Conflicts 

The lack of adequately planned and documented organizational charts compound poorly controlled operations risk. Leeson was in the position of managing the trading floor, managing back office settlement, and having weak supervision from more than one boss on the other side. Everyone was under his thumb.

Formal organizational charts are a necessity. Operations risk is managed more closely when everyone knows who works for whom, what the bosses specifically manage, and the technical and managerial experiences of all.

"I had one foot on the dealing floor and could authorize the sale of options to bring in the yen; but I was also in charge of the girls in the back office, who would carry out any of my requests," Leeson wrote. "I could see the whole picture, and it was so easy. I was probably the only person in the world to be able to operate on both sides of the balance sheet. It became an addiction."13

Though the recent corporate collapses are spectacular, most of them could have been avoided by the lessons learned from the operations control weaknesses that caused the Barings Bank disaster.

Walter J. Smiechewicz, Associate Member, is managing director of Enterprise Risk Assessment at Countrywide.  

1 Nick Leeson and Edward Whitley, Rogue Trader: How I Brought Down Barings Bank, (Boston: Little Brown & Co, 1996), p. 161.

2 Ibid. , p. 168. (The issue is not whether you understand short selling but rather who is asking for specifics on where and how the $10 million is being spent. When the auditor sees this type of cash flow he should ask a lot of questions.)

3 Ibid., p. 183. (A walkabout is Australian slang describing the often spontaneous foot journey of an Aborigine man.)

4 Ibid., p. 3.

5 Ibid., p. 162, 163.

6 Ibid., p. 141.

7 Ibid., xiii

8 Ibid., p. 177.

9 Ibid., p. 185.

10 Ibid., p. 86.

11 Ibid., p. 87.

12 Ibid., p. 6.

13 Ibid., p. 64.

SIDE BAR 

Twenty-one Questions for an Operations Audit 

If Barings Bank management had asked the following questions and received adequate answers the debacle could have been avoided.

1. Are there debits in income accounts or any other account to which you would expect credits? Fully understand the reasons for these entries and see the supporting documentation.

2. Why and how is cash being transferred into or out of the business? Fully understand the reasons for cash flow and see the supporting documentation.

3. Is there a clearly documented organizational chart that includes all employees? Is it current?

4. Is there adequate segregation of duties? This basic control would have solved a multitude of problems in the Barings downfall. The initiator of a transaction (the front-office trader) should be separate from the employee who records the transaction in the books of record (the back-office operations personnel) and they should be separate from the individual who reconciles front- to back-office activity (control personnel but not your audit staff).

5. Is the back office staff experienced enough (in both quality and quantity) to keep pace with the growth and sophistication of the front office?

6. Do you cover all employees through random drug and alcohol testing after they are hired?1 This should be a requirement as one of Leeson's traders abused alcohol and traded into many errors, forcing Leeson to cover these through the infamous 88888 account.

7. Do your front office people bend policy to accommodate key clients? This shouldn't be allowed. The policy should be rewritten and cover all clients and transactions.

8. Are you sure there is no proprietary trading or other activities outside of policy?

9. No matter what business you're in always remember that cash is a key control. Where is it? Who is spending it? Can you follow its trail through your business? Are you sure it's being reconciled?

10. How are passwords controlled and how often are they changed? Do sufficient digits make up the alpha/numeric requirement? Are employees' desks locked at night?

11. When requesting reports for an audit or review, are you extremely careful of cut- off issues?

12. During an internal audit do you ask the same question several times and in several different ways of several different people in the department you're auditing? This will ensure you're getting the same and accurate answer. Do you understand the answers?

13. Do you always look for documented proof? Don't fall into the audit trap of conversational auditing or accepting the response, "We'll get that documentation to you next week" and then you never receive it. If a transaction or account is valid it should be reasonably easy to explain, document (be wary of photocopies without original signatures), and confirm. Delays in receiving information after requested is a valid audit finding in a written report.

14. Can senior managers explain their numbers or do they always defer to their middle managers?

15. Do the auditors always discuss documentation with the originators? One of Leeson's managers supposedly signed a memo that said he understood the financial situation but the memo and the manager's signature were forgeries.

16. When an answer makes no sense, do you inquire again? You should confess, "I'm sorry but your answer just doesn't make sense to me," and then ask, "Can you explain this series of transactions?"

17. How do you ensure that policies and procedures are enforced in regional and divisional offices?

18. Are key asset accounts reconciled to source information? Are such reconciliations documented and reviewed by management, and are exceptions cleared on a timely basis?

19. Do adequate controls exist over the opening of new general ledger accounts? Is the opening of such accounts approved by the company's controller?

20. Who follows up on all audit recommendations to ensure that corrective action has occurred, controls have been put in place, and are operating as designed?

21. How do you know the answers you're receiving and the results you are reviewing are honest? Never forget that as a fraud examiner you're paid to be suspicious!

1 Obtain counsel from your attorney before proceeding.