Presumably, Sir James Crosby was trying to protect the FSA from further embarrassment by stepping down from his job as the regulator’s deputy chair. But in resigning, he’s brought to light the reason: that he’s said to have ignored a red alert from a risk manager while in charge of HBOS, one of the prime recipients of the government’s £37bn bank bailout.
According to Paul Moore, who was head of group risk at HBOS from 2002 to 2005, he was edged out for raising concerns about the rate at which the bank was expanding. What’s more, while his concerns were investigated, it was by the bank’s auditors, KPMG — a potential conflict of interest.
Moore’s memo to the Treasury’s Select Committee (reprinted in full here) is pretty damning of HBOS — which was cavalier in the face of not just Moore’s concerns regarding its over-exuberant growth, but the FSA’s (and where were its regulators?)
It also acts as a useful guide for a risk-management re-think — in finance, but also in other industries.
To pick out some points that apply generally:
Glaringly obvious from Moore’s memo is the need for a greater respect for the role of risk management.More basic than that, even, is a need to be able to identify more accurately the potential threats to the business — and what impact they could have. How do you define risk? Using precedents and even the most finely milled data to predict future threats is clearly insufficient.
Then there’s the role itself. In small and medium-sized organisations, in particular, the risk management role is often bundled up with finance and is in danger of becoming a box-ticking exercise without a human face. Even in some banks, risk managers seem to lack goals and clout.
As ever, it starts with the board. Risk management failures are a governance issue. There is too frequently a tug of war between gung-ho executives and those who should be tempering them, and conflicts of interest or too many “cross-connections” (croneyism) among NEDs.
Risk managers should have access to non-executives, who can bear potentially bad news without bias, and who can act on it. (That means the board has to stand up to its CEO — the Royal Bank of Scotland’s ABN Amro takeover, anyone?)
Employees at any level shouldn’t be afraid to speak up if they see a threat to the business being overlooked. You’d have thought we’d have long ago recognised the importance of allowing whistleblowers an anonymous outlet. Evidently not.
The FSA needs teeth. Moore suggests higher pay would improve its chance of hiring top regulators. But this alone won’t work — as we’ve seen in finance, money cannot guarantee talent.
Thanks to the financial meltdown and the consequent effects on consumer confidence and economic outlooks worldwide, business is all too aware of the potential results of risk-taking. The pendulum could swing too far the other way, from irrational exuberance to absolute aversion. As ever, the right course is somewhere between cavalier and cautious. It’s not called risk management for nothing.
