Leadership · Weeks to result · 88% confidence

Systemic Breakdown Audit

Catastrophic failures require multiple control layers to fail simultaneously — find them all

Problem it solves

single-point-of-blame post-mortems

Best for

Boards, risk committees, founders, and operators designing or auditing control frameworks in any high-stakes business.

Not ideal for

Early-stage companies where over-controlling kills speed and the worst-case loss is small.

Overview

Why this framework exists

The Systemic Breakdown Audit reframes catastrophic failures: no single person can produce an £862M loss alone — every layer of control had to fail simultaneously for it to happen. The framework forces post-mortems and pre-mortems to enumerate every layer that should have caught the problem and ask why each one didn't.

Leeson is unusually clear-eyed: he takes full personal accountability and calls himself 'incompetent and negligent' — but he also enumerates a dozen other failures: settlements, compliance, risk management, directors, senior management, Deloitte auditors, the Monetary Authority of Singapore, SIMEX, and Treasury. None of these would have prevented him alone, but any one of them functioning would have stopped the loss at a recoverable level.

The framework's value is that it produces actionable controls instead of scapegoats. After the fact, it identifies which layer to harden first; before the fact, it stress-tests existing controls by asking 'what would still need to fail for a Leeson-scale event to happen here?'

Core principles

5 total
  1. A single person cannot cause a catastrophic loss without multiple control layers failing.
  2. Personal accountability and systemic analysis are not in tension — both are required.
  3. Controls that have never caught anything are usually controls that aren't running, not controls that aren't needed.
  4. Mid-management is the layer most prone to looking the other way, because they have the most to lose and nowhere to be promoted to.
  5. The presence of audits, regulators, and reconciliations means nothing if any of them is performed by someone bad at the job.

Steps

6 steps
  1. Enumerate every layer that should catch the failure mode
    List every control that exists between the action and a catastrophic outcome: pre-trade limits, daily reconciliation, monthly audit, annual external audit, regulator examination, board review. Be exhaustive.
    Pro tip: If you can't list at least five layers for any catastrophic risk, you don't have defence in depth — you have a single point of failure dressed up.
  2. For each layer, ask 'what would have to fail here?'
    A working control is not one that exists on paper — it's one where the failure mode is documented, tested, and hard to produce. Walk each layer and define the specific failure that would let the event through.
    Warning: Beware controls owned by the same person whose work they audit; that's not a layer, it's theatre.
  3. Test the layers with a simulated event
    Run a tabletop exercise: a junior trader hides a £100K loss in an error account on day one. Walk it through every layer for a year. Where does it get caught? If it doesn't, you have your answer.
    Pro tip: Use real historical cases — Barings, Sumitomo (Hamanaka), Daiwa (Iguchi), SocGen (Kerviel) — as scenarios.
  4. Audit the auditors
    External auditors and regulators are layers too, and they fail. Deloitte signed off on Barings 1992 with a $5M unexplained intercompany discrepancy. The Monetary Authority of Singapore audited and found nothing. Don't assume external rigour.
    Pro tip: Sample-test your auditors with a known issue; if they don't catch it, the layer doesn't exist.
  5. Identify the 'capped mid-manager' layer
    Find the people in your organisation who are at six-figure salaries, mid-management, and have nowhere to be promoted. They are the most likely to look the other way. Either redesign their incentives or give them a path.
    Warning: Whistleblower careers in banking ended; if your incentive design produces the same outcome, no one will surface bad news.
  6. Run the audit before the event, not after
    Most systemic-breakdown analysis is post-mortem. The framework's value compounds when used as a pre-mortem: 'what would have to be true for a Barings-scale event to happen here, and which of those things are true today?'

Examples

3 cases
The 13× legal lending limit nobody flagged

By end of 1994, Leeson had £650M in Singapore from London Treasury — 13× the Bank of England's legal limit on lending to a subsidiary, and 2.5× the bank's entire capital base. A 30-year veteran treasurer kept sending money. The number was visible to anyone running the calculation.

Outcome: A single Treasury control would have ended the spiral at 20% of the bank's capital. The layer existed in regulation; it didn't exist in practice.
The faxed audit confirmation from his apartment

Leeson forged an audit confirmation from Spear Leeds Kellogg by faxing it from his Singapore apartment, with his and his wife's name visible on the letterhead. Deloitte accepted it.

Outcome: The auditor layer failed because the test of professional skepticism — 'why is a NY broker confirmation faxed from a Singapore apartment?' — wasn't applied.
The Hong Kong trader who learned and was rehabilitated

A Barings Hong Kong trader was caught marking trades incorrectly, lost his job, and went to a different bank. With proper controls in place, he became one of the world's biggest volatility traders. The same person, different system.

Outcome: Demonstrates the framework's reverse: working layers don't just prevent catastrophe — they rehabilitate operators who would otherwise spiral.

Common mistakes

5 traps
Settling for a single scapegoat
Firing the proximate cause feels decisive but leaves every failed layer intact. The next event will use the same gaps.
Treating 'no findings' as evidence of compliance
Multiple Barings audits found nothing. The 88888 account was visible on every reconciliation. Absence of findings often means absence of competent looking.
Confusing existence of a control with operation of a control
Reconciliation procedures existed; nobody ran them properly. A control that isn't tested and reviewed regularly is a label, not a layer.
Underweighting the mid-manager 'look-the-other-way' layer
Risk frameworks typically assume layers fail randomly. In practice, the capped-mid-manager layer fails systematically because the incentives point that way.
Assuming external regulators substitute for internal controls
Singapore's regulator, SIMEX, the Bank of England, and Deloitte all interacted with Barings during the spiral. None of them substituted for a working internal reconciliation.

Origin story

How this framework came to be

Leeson developed the framework in dialogue with Peter Norris (Barings CIO), John Gapper (FT journalist), and the Barings liquidator on a BBC Radio 4 reunion programme. Initially defensive, he came to see that calling the failure 'systemic' was not a way of dodging responsibility but the only honest description: he was the proximate cause, but the loss required compounding failures from settlements through to the Bank of England.

He formalised it through repeated speaking engagements, where he was asked the same question — 'who else was to blame?' — and learned that the productive answer was a list of layers, not a list of people.

Source

Traced to primary
Source · PODCAST
The Rogue Trader Who Lost £862 Million
Nick Leeson · 2025
