Systemic Breakdown Audit
Catastrophic failures require multiple control layers to fail simultaneously — find them all
The Systemic Breakdown Audit reframes catastrophic failures: no single person can produce an £862M loss alone — every layer of control had to fail simultaneously for it to happen. The framework forces post-mortems and pre-mortems to enumerate every layer that should have caught the problem and ask why each one didn't.
Leeson is unusually clear-eyed: he takes full personal accountability and calls himself 'incompetent and negligent' — but he also enumerates a dozen other failures: settlements, compliance, risk management, directors, senior management, Deloitte auditors, the Monetary Authority of Singapore, SIMEX, and Treasury. None of these would have prevented him alone, but any one of them functioning would have stopped the loss at a recoverable level.
The framework's value is that it produces actionable controls instead of scapegoats. After the fact, it identifies which layer to harden first; before the fact, it stress-tests existing controls by asking 'what would still need to fail for a Leeson-scale event to happen here?'
- A single person cannot cause a catastrophic loss without multiple control layers failing.
- Personal accountability and systemic analysis are not in tension — both are required.
- Controls that have never caught anything are usually controls that aren't running, not controls that aren't needed.
- Mid-management is the layer most prone to looking the other way, because they have the most to lose and nowhere to be promoted to.
- The presence of audits, regulators, and reconciliations means nothing if any of them is performed by someone bad at the job.
- Enumerate every layer that should catch the failure modeList every control that exists between the action and a catastrophic outcome: pre-trade limits, daily reconciliation, monthly audit, annual external audit, regulator examination, board review. Be exhaustive.Pro tipIf you can't list at least five layers for any catastrophic risk, you don't have defence in depth — you have a single point of failure dressed up.
- For each layer, ask 'what would have to fail here?'A working control is not one that exists on paper — it's one where the failure mode is documented, tested, and hard to produce. Walk each layer and define the specific failure that would let the event through.WarningBeware controls owned by the same person whose work they audit; that's not a layer, it's theatre.
- Test the layers with a simulated eventRun a tabletop exercise: a junior trader hides a £100K loss in an error account on day one. Walk it through every layer for a year. Where does it get caught? If it doesn't, you have your answer.Pro tipUse real historical cases — Barings, Sumitomo (Hamanaka), Daiwa (Iguchi), SocGen (Kerviel) — as scenarios.
- Audit the auditorsExternal auditors and regulators are layers too, and they fail. Deloitte signed off on Barings 1992 with a $5M unexplained intercompany discrepancy. The Monetary Authority of Singapore audited and found nothing. Don't assume external rigour.Pro tipSample-test your auditors with a known issue; if they don't catch it, the layer doesn't exist.
- Identify the 'capped mid-manager' layerFind the people in your organisation who are at six-figure salaries, mid-management, and have nowhere to be promoted. They are the most likely to look the other way. Either redesign their incentives or give them a path.WarningWhistleblower careers in banking ended; if your incentive design produces the same outcome, no one will surface bad news.
- Run the audit before the event, not afterMost systemic-breakdown analysis is post-mortem. The framework's value compounds when used as a pre-mortem: 'what would have to be true for a Barings-scale event to happen here, and which of those things are true today?'
By end of 1994, Leeson had £650M in Singapore from London Treasury — 13× the Bank of England's legal limit on lending to a subsidiary, and 2.5× the bank's entire capital base. A 30-year veteran treasurer kept sending money. The number was visible to anyone running the calculation.
Leeson forged an audit confirmation from Spear Leeds Kellogg by faxing it from his Singapore apartment, with his and his wife's name visible on the letterhead. Deloitte accepted it.
A Barings Hong Kong trader was caught marking trades incorrectly, lost his job, and went to a different bank. With proper controls in place, he became one of the world's biggest volatility traders. The same person, different system.
Leeson developed the framework in dialogue with Peter Norris (Barings CIO), John Gapper (FT journalist), and the Barings liquidator on a BBC Radio 4 reunion programme. Initially defensive, he came to see that calling the failure 'systemic' was not a way of dodging responsibility but the only honest description: he was the proximate cause, but the loss required compounding failures from settlements through to the Bank of England.
He formalised it through repeated speaking engagements, where he was asked the same question — 'who else was to blame?' — and learned that the productive answer was a list of layers, not a list of people.