The financial services industry has been rocked by the crunch of faltering credit markets, massive layoffs and incidents where risk-management controls failed and traders lost billions for their companies. Not to mention the ominous threats from macroeconomic trends: a looming recession, depressed corporate earnings, all-time-high oil prices and a slumping real estate market.

Such was the daunting backdrop as Tom Sanzone quietly left his CIO role at Credit Suisse in late February and moved just down the street to competitor Merrill Lynch. When he starts in the second half of 2008, Sanzone's new title will be EVP and chief administrative officer, and he will report to Chairman and CEO John Thain. The title has been used before at Merrill Lynch, but never quite like this, says spokeswoman Selena Morris.

The 47-year-old Sanzone will be responsible for global client services and operations; technology applications development and infrastructure; business process and sourcing strategies; information security; and global real estate, purchasing and services. "This is the top technology role at Merrill Lynch," Morris says.

Both Merrill Lynch and Credit Suisse have had their share of internal and external economic angst during the past several months. Merrill Lynch posted an unprecedented fourth-quarter loss of $9.8 billion ($4.8 billion) that led to a loss of $7.8 billion for the fiscal year. (In contrast, Merrill posted $7.5 billion in profits in 2006.)

Credit Suisse fared better than Merrill did last fiscal year, but an unexpected write-down of $2.8 billion that the company reported on Feb. 19 left CEO Brady Dougan to explain what had happened. Dougan stated that an internal review had identified "mismarkings and pricing errors by a small number of traders in certain positions" in Credit Suisse's structured credit trading business.

Fresh on everyone's minds was the French bank Societe Generale's disclosure on 24 January that one of its traders, Jerome Kerviel, had manipulated and evaded the bank's IT controls and had lost more than $7 billion in unauthorised bets. That mug-shot-like photo of Kerviel became the symbol of banks that were under economic siege and lacking robust risk-management controls. (For more on the French bank's nightmare, see "Lessons from Societe Generale's Financial Fiasco.")

There was no such "face" at Credit Suisse, though the Financial Times reported that Kareem Serageldin, Credit Suisse's recently appointed global head of collateralised debt obligations, was among those employees suspended after the internal review.

"Even with today's announcement we feel we have actually managed our risk fairly well," CEO Dougan said on the Feb. 19 conference call. "We will always continue to focus on improving our risk-management practices and procedures...and that's what we need to do, clearly."

Sanzone's Final Days at Credit Suisse

On 29 February, Credit Suisse announced in a brief press release that Karl Landert, the former head of IT private banking, had been appointed the new chief information officer. Sanzone, according to the release, had "decided to pursue an opportunity outside the bank."

And that was that. No mention was made of Sanzone's three-year tenure or his 10,000-strong IT team's contributions to the bank, such as the massive "One Bank" integration project, leading-edge virtualisation work or the bank's Advanced Execution Services automated trading system (for which the company won a CIO 100 award in 2007).

In interviews with CIO and his other appearances in the media, Sanzone has always been even-keeled and humble. In accepting the 2007 "CIO of the Year" award from the Executive Council of New York, he said, "These awards are never won alone, and I have the good fortune of working with very talented people at Credit Suisse."

"He is one of the more high-profile, longer-standing CIOs on Wall Street," says Marc Lewis, CEO of executive recruiter Leadership Capital Group (LCG). That was evidenced in Sanzone's seat on Credit Suisse's executive board, which is uncommon in financial services. "For Tom to be on the board was a compliment to him and somewhat of a rarity," Lewis says.

With all that was happening in Credit Suisse's boardroom, Sanzone's last week or so at Credit Suisse couldn't have been good.

The $2.8 billion write-down was expected to take $1 billion out of the company's first-quarter profits. Financial analysts had wanted assurances from CEO Dougan during the conference call that this was an isolated incident, that there were appropriate risk-management controls in place and that there would be no more surprises.

"The big question mark is about the bank's control systems," said Allianz Global Investors' Stefan Raetzer, in a Bloomberg article on the day the news broke. "The write-down isn't as much of a problem here as the loss of confidence."

At this point, just what IT's role was, if there was any at all, in the write-down and trading errors at Credit Suisse is unknown. (A call to Credit Suisse media relations wasn't returned. Merrill Lynch did not make Sanzone available for comment.)

Merrill Lynch's new CEO obviously liked what he saw in Sanzone. In announcing Sanzone's hire, Thain praised his "years of industry experience in technology, operations and services" and said that Sanzone could help Merrill Lynch "to align these critical functions with our business strategies globally."

Risk Management on The Street

Sanzone is going to need every ounce of his managerial skills and tech wisdom to deal with Merrill Lynch's current challenges. "There is still a lot of uncertainty ahead for Merrill," said Brad Hintz, a securities analyst at Sanford C. Bernstein & Co., in a New York Times article.

Thain, who became Merrill Lynch's CEO in December 2007, has called the most recent results "unacceptable." As reported in the New York Times article, one of the main areas that Thain has targeted is the company's reporting structure, which he said should be flattened to "reduce the siloing that has taken place at Merrill Lynch over the last few years."

Silo busting is one area where Sanzone has experience. The "One Bank" multiyear integration program at Credit Suisse brought its three core businesses (private banking, investment banking and asset management) into one organisation. "Those three businesses had been run independently, with very little interaction among them," Sanzone told McKinsey on IT. "As a result, their respective technology groups also had little interaction."

In addition, like his peers at other financial services companies, Sanzone will most likely have to engage in critical conversations with risk-management executives to determine just where IT controls can help.

The inaugural "Managing Information Technology Risk" survey by Ernst & Young found that global financial services companies have not effectively aligned IT risk management (ITRM) with their organisation's overall risk-management strategy.

Nearly 60 percent of the 150 risk-management and senior IT execs who responded said that their ITRM programmes were not aligned or were just partially aligned with their organisation's risk-management strategies and framework.

Incidents like the Societe Generale and Credit Suisse cases, where apparent breakdowns in IT and risk-management controls caused billions in losses, highlight the need for a better union between business risk managers and IT risk managers. Scott Crawford, a security expert and research director at Enterprise Management Associates (EMA), says that up until very recently there's been "limited interaction" between the two groups.

"The perception is that one doesn't really get the other," Crawford says. "The business risk managers feel that IT is speaking a different language, and IT feels business managers don't really understand the amount of IT-related exposure." In the Ernst & Young survey, nearly 40 percent of respondents said there was no common risk language that was broadly accepted and understood throughout their organisations, or they were uncertain whether one even existed.

In the New York Times article, Merrill Lynch CEO Thain "expressed a certain level of dismay" at the risks the company had taken to incur such hefty losses as of late. "They shouldn't be taking risks that wipe out the earnings of the entire firm," he said in the article, referring to the trading desk.

Crawford notes that there's "always this delicate balancing act between taking advantage of new opportunities and doing an effective job of risk management." And just where IT fits into that equation is what businesses have to reassess right now.

Sanzone won't start his new job until the second half of 2008, so he'll have plenty of time to think about this issue. According to LCG's Lewis, the challenges that lie ahead and the expectations on his arrival will be monumental.

"Merrill Lynch is a huge company with geographically based businesses and a political complexity that is at the highest levels of what you see in industry," says Lewis. "It will take an all-star CIO, like a Tom Sanzone, to be able to get his arms around the challenges. It's like wrestling with an octopus