A recent DCIG blog entry called into question the value of Bear Stearns' selection of Orchestria and its inability to detect the alleged illegal activities of two of its Asset Management portfolio managers. More specifically, it asked why Orchestria did not detect the illegal activities of these individuals and why Bear Stearns did not configure it to monitor for these activities in the first place. The blog posting prompted a comment and phone call from Alan Morley, one of the individuals formerly responsible for implementing and managing Orchestria at Bear Stearns, who explained why monitoring, detecting and preventing this activity is not as easy as it sounds.
One of the first points that Morley brought to my attention during the phone call was that to detect this sort of activity, you have to be looking for it. According to Morley, Bear Stearns had configured Orchestria to monitor, detect, flag, send out email alerts to supervisors/auditors and even block emails before they were sent that contained certain words. The last feature sounded especially appealing to Bear Stearns since if Orchestria blocked the email from ever being sent, there would be no record of it and nothing for which they could be held liable.
But what Bear Stearns found was that implementing and enforcing it was problematic. To detect and/or block specific emails, you have to set policies that look for certain keywords and/or phrases in the email. If you create blocking policies that are too restrictive, business grinds to a halt since all emails are blocked and no one can send any emails. To avoid this, Bear Stearns took a practical approach when implementing email blocking so that Orchestria only blocked certain emails, such as those that were offensive or contained inappropriate language.
Configuring Orchestria to detect keywords or phrases that flagged or sent out email alerts also turned out to be more difficult than they anticipated. Morley said that Bear Stearns employees sent and/or received 1.2 – 1.5 million emails daily. This volume of email presented a problem: which emails do you flag? Flag or alert on too many emails in these environments and the volume of emails that require review becomes overwhelming. Conversely, flag too few and the value of Orchestria becomes dubious.
However, even assuming you work through these issues, Morley said that you have to monitor the right thing. He used the analogy of working in a chocolate factory on the shipping line. You can be monitoring the portion of the line after the candy bar is made to make sure it is the right weight, appropriately wrapped, boxed and then shipped to the right location in an attempt to detect any problems or errors on that portion of the line. But if there is a problem earlier in the process, such as when the ingredients for the candy bar are mixed and no one is monitoring that portion of the process, defects in the make-up of the candy bar will not be caught because you are not monitoring that part of the process.
That is in part what happened at Bear Stearns. It was monitoring for problems that it had at its trading desks in the past where traders were pushing specific stocks. For example, it would look for trends where traders were pushing high growth, high risk stocks to older individuals nearing retirement. Bear Stearns would then take precautionary steps to make sure the individuals being called by these traders and purchasing these products were aware of the risks they were taking and signed off that they were accepting these risks.
Alternatively, it would look for managers switching clients from front-end load mutual funds to back-end load mutual funds so they could get two commissions. However, no one was monitoring the risks of these mortgage backed securities and how they were packaged. Because of this, these products were being bought, sold and traded without the proper amount of supervision and oversight.
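The flagging trade-off and the monitoring gap Morley describes can be shown with a small keyword-policy evaluator. This is an added example, not Orchestria's policy language or Bear Stearns' configuration; the terms, the sample messages and the resulting flag rates are constructed for illustration, and only the 1.2 million daily volume comes from the figures above.

```python
import re

# Constructed policy terms; the page does not list the real ones.
BLOCK_TERMS = ["badword1", "badword2"]            # placeholder offensive terms
FLAG_NARROW = ["guaranteed return", "switch to back-end load"]
FLAG_BROAD = FLAG_NARROW + ["risk", "fund", "commission"]

def compile_terms(terms):
    """Build one case-insensitive, whole-word pattern from a term list."""
    alternation = "|".join(re.escape(t) for t in terms)
    return re.compile(r"\b(?:" + alternation + r")\b", re.IGNORECASE)

BLOCK_RE = compile_terms(BLOCK_TERMS)
NARROW_RE = compile_terms(FLAG_NARROW)
BROAD_RE = compile_terms(FLAG_BROAD)

def evaluate(body, block_re, flag_re):
    """Blocking wins over flagging; anything unmatched is delivered unseen."""
    if block_re.search(body):
        return "block"
    if flag_re.search(body):
        return "flag"
    return "deliver"

def daily_review_load(sample, block_re, flag_re, daily_volume):
    """Scale the sample's flag rate to a day's mail: the reviewers' queue."""
    flagged = sum(evaluate(m, block_re, flag_re) == "flag" for m in sample)
    return daily_volume * flagged // len(sample)

# Constructed sample messages, not real mail and not a realistic mix.
SAMPLE = [
    "Lunch at noon?",
    "The fund report is attached.",
    "Client asked about commission schedule.",
    "This is a guaranteed return, tell the client to buy.",
    "Reminder: risk training is Thursday.",
    "You are such a badword1.",
    "Meeting moved to 3pm.",
    "Let's switch to back-end load funds for the Smith account.",
    "The mortgage backed securities in the portfolio worry me.",
    "Quarterly numbers look fine.",
]
MBS_MESSAGE = SAMPLE[8]

if __name__ == "__main__":
    for name, flag_re in (("narrow", NARROW_RE), ("broad", BROAD_RE)):
        load = daily_review_load(SAMPLE, BLOCK_RE, flag_re, 1_200_000)
        print(f"{name}: {load} flagged/day, MBS message -> "
              f"{evaluate(MBS_MESSAGE, BLOCK_RE, flag_re)}")
```

Broadening the flag list multiplies the review queue with routine mail, yet the message about mortgage backed securities is delivered under both policies because neither list was written with that product in mind.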
However, this spotlights a larger problem in the industry as a whole – the lack of incentive for being proactive in looking for new problems. Were there indications that the mortgage backed securities market was escalating out of control? Probably.
But Morley points out that there is no reward for proactively looking for problems like this. He views the whole industry as being reactive in nature so until the government dictates that businesses need to monitor and report on certain activities, they do not do so. His opinion was that the government needs to be more encouraging of businesses to take a proactive stance in monitoring and detecting illegal or questionable activity before it escalates to the levels recently witnessed.
Previous research by DCIG indicates that the new Obama administration may push the SEC to require businesses to go down this path. The concern I personally have with this approach, and where I disagree with Morley, is that while being proactive may detect some problems before they escalate, the potential downside is that it could stifle future innovation and business activity because businesses are afraid to do something the SEC later determines to be illegal.
In essence, if someone at the SEC later deems an activity is illegal when there is no specific law against it at the time, they can find the person guilty of intent when no actual crime has been committed as there is no law prohibiting it. So while I don't dispute the value in businesses putting in a system that attempts to proactively detect immoral behavior, putting it in the hands of the government is fraught with problems, as it encourages a form of government that could lead to the SEC presuming businesses are guilty until they can prove their innocence instead of the other way around as it is now.