Governance and Risk Management Failures Contributed to Failure of Major UK Bank

Norman Marks, CRMA, CPA, is a vice president for SAP and has been a chief audit executive and chief risk officer at major global corporations for more than 20 years.

 

The UK’s Financial Services Authority (FSA) has published its report on the causes of the failure of the Royal Bank of Scotland (RBS). RBS was a massive bank and its failure was significant to the UK and global economy.

You can read summaries from reporters at:

  •  inAudit (focusing on the audit profession and related areas of accounting)

The report spends most of its time explaining that the bank failed due to poor decisions and poor oversight by the regulators. It also has an interesting section explaining why nobody has yet been criminally prosecuted.

I want to draw your attention to the sections I consider relevant and important to governance, risk, and audit professionals.

RBS’s management, governance and culture

24 Some of the causes of RBS’s failure were systemic – common to many banks or the consequence of unstable features of the entire financial system. And a deficient global framework for bank capital regulation, together with an FSA supervisory approach which assigned a relatively low priority to liquidity, created conditions in which some form of systemic crisis was more likely to occur. But with hindsight it is clear that poor decisions by RBS’s management and Board during 2006 and 2007 were crucial to RBS’s failure.

25 Individual poor decisions can result from flawed analysis and judgement in particular circumstances: many of the decisions that RBS made appear poor only with the benefit of hindsight. But a pattern of decisions that may reasonably be considered poor, at the time or with hindsight, suggests the probability of underlying deficiencies in: a bank’s management capabilities and style; governance arrangements; checks and balances; mechanisms for oversight and challenge; and in its culture, particularly its attitude to the balance between risk and growth.

26 It is difficult, from the evidence now available, to be certain how aspects of RBS’s management, governance and culture affected the quality of its decision-making, but the Review Team’s analysis prompts the following questions, in addition to the conclusion (discussed in paragraph 19) about the ABN AMRO bid:

  • Whether the Board’s mode of operation, including challenge to the executive, was as effective as its composition and formal processes would suggest.
  • Whether the CEO’s management style discouraged robust and effective challenge.
  • Whether RBS was overly focused on revenue, profit and earnings per share rather than on capital, liquidity and asset quality, and whether the Board designed a CEO remuneration package which made it rational to focus on the former.
  • Whether RBS’s Board received adequate information to consider the risks associated with strategy proposals, and whether it was sufficiently disciplined in questioning and challenging what was presented to it.
  • Whether risk management information enabled the Board adequately to monitor and mitigate the aggregation of risks across the group, and whether it was sufficiently forward-looking to give early warning of emerging risks.

 

27 Potential areas of concern about RBS’s management, governance and culture were identified by the FSA Supervision Team during the Review Period. The degree of supervisory intensity applied to these issues, however, while consistent with the FSA’s prevailing practices and approach, was less than the FSA now considers appropriate.

Credit should be given to the RBS internal audit team for surfacing some of these issues. For example, at paragraph 611, this is reported:

Some additional detail about the operation and culture of the RBS senior management team [GEMC, or group executive management committee) as a whole was reported in the 15 July 2008 memorandum from RBS’s Head of Group Internal Audit to the RBS Chairman, as follows:

Most of the members of GEMC we met with criticised the way the Committee operates. Our report describes a lack of meaningful discussion of strategy and risk. However GEMC members also described dysfunctional working in relation to:

– GEMC are not operating as a team.

– Conversations are typically bilateral.

– Performance targets consume too much of the agenda.

– Discussions often seem bullying in nature.

– The atmosphere is often negative and is at a low point currently.’

It is the Review Team’s understanding that these comments related to the operation of GEMC during the period in which market conditions and results deteriorated. In addition, it needs to be recognised that the observations about the GEMC in general might not relate to the CEO in particular. In the same document, RBS’s Head of Group Internal Audit also wrote, in relation to the separation of management responsibilities, ‘There have been a number of observations made during this review that the Group CEO tends to operate too often in the CFO role and that [the CFO] should be more independent in his decision making’.

The report includes detailed criticism of RBS’ risk management processes and framework:

616 The Review Team identified a number of other issues relating to RBS’s risk controls and management information, in particular:

  • The adequacy of the process for proposing and agreeing a risk appetite.
  • The RBS Board did not formally approve a Group Liquidity Policy.
  • The Board received a monthly risk report, which was enhanced during the Review Period. However the Review Team was told that, at the beginning of 2007, this reported past and current risks, rather than being forwardlooking. The RBS Group Internal Audit report 2008 referred to an external review of the monthly risk reporting to the Board, which said that it was ‘relatively light on predictive or leading indicators’ and that ‘in places, the report is complex for non-technical readers’.673 In February 2009, RBS’s new CEO told the Treasury Select Committee that ‘risk management systems at RBS need a lot of change’ and that areas which could be improved included ‘rules on size and concentration, types of risk and amounts of risk’.674
  • While the evidence is inconclusive, the risk reports presented to the Board and the minutes of meetings suggest that the Board was not adequately sighted on the aggregation of risks across the Group and, as the financial crisis developed, the bank’s increasing vulnerability.
  • At the start of the Review Period, the RBS Group Chief Risk Officer did not sit on the GEMC or routinely attend the CEO’s morning meetings. It is the Review Team’s understanding that there was some reluctance on the part of the CEO to agree to his participation in these meetings, on the grounds that he reported to the Group Finance Director, who did attend. This situation changed following the appointment in January 2007 of a new Group Chief Risk Officer, who did attend the GEMC and the morning meetings, and had a direct reporting line to the Chairman of the Group Audit Committee. However, it was not until 1 April 2008 that the Group Chief Risk Officer was appointed as a full member of the GEMC.
  • The RBS Group Internal Audit report 2008 found that the Group Risk Committee675 was not well-attended between January 2006 and April 2008, including by GEMC members. It became a forum where the bias of discussion was to approve policies and look at historical data, rather than to ensure that emerging risks were understood and addressed. Where risks were identified, Group Internal Audit could not find evidence of their escalation in the GEMC minutes.
  • The Head of Group Internal Audit’s memorandum of 15 July 2008 referred to a Financial Times article on the degree of control exercised by some executive management teams over the information provided to boards, arguing that too much control can reduce the ability of board NEDs to play a meaningful role.676 In relation to RBS, the memorandum to the Chairman states: ‘It is clear your colleagues feel this happens too often with ‘good news’ reporting and decisions presented as a fait accompli. They contrasted this with positive experiences at other companies’ Boards on which they serve’.
  • Elsewhere, the memorandum referred to a report that the Board received from the responsible executive in October 2007 about the Citizens business, which stated that, overall, it was anticipated that Citizens would meet its budget for 2007. The memorandum suggested that a number of Board members had interpreted this as giving a positive picture, but that:

 

‘There were however a number of indicators of deterioration prior to October within Citizens. Non-performing loans in the SBO portfolio had been steadily rising, new purchases had been stopped and the portfolio had been transferred to Treasury for attention. Given these circumstances, and the previous close attention paid to the portfolio by the former Citizens CEO, it seems that making any reassuring statements, at the September Board and in October to the Group CEO, would be incautious at best.’

617 The Review Team’s assessment of RBS’s management information and risk control systems has therefore, with hindsight, raised questions about:

  • Whether there was adequate focus at Board level on the core banking fundamentals of capital, liquidity, asset quality and risk, both on an aggregated, group-wide basis and within individual businesses;
  • Whether the risk management information enabled the Board adequately to monitor and mitigate the aggregation of risks across the Group, and whether the information was sufficiently forward-looking to give early warning of emerging risks;
  • Whether the status accorded to the Group Risk function within RBS hindered the development of high-quality predictive risk management and risk management information;
  • The completeness of the management information provided to the Board by the executive; and
  • Whether the optimism, confidence and focus on revenue described elsewhere in this section were a factor in the above.

 

In 649, the reporting line for internal audit is discussed:

The Supervision Team considered the reporting arrangements for RBSGroup Internal Audit, which reported directly to the Board’s Group Audit Committee, to be in line with good practice. Group Internal Audit also reported to the Group Finance Director for ‘pay and rations’ purposes, but this arrangement is by no means uncommon, although it might under some circumstances undermine the real or perceived independence of internal audit. In the case of RBS, the issue was recognised by the Supervision Team, which kept it under review. The effectiveness of Group Internal Audit was part of the regular agenda for meetings with the external auditors and the Chairman of the Group Audit Committee.

I welcome your comments.

Posted on Dec 15, 2011 by Norman Marks

Share This Article:    

  1. It seems that while the Head of Group Internal Audit had the courage to make formal some damning criticism, the Board Chair lacked the courage to do anything about it. On the face of it, Sir Fred is an aggressive bully who got his way with regulators and Board alike. Even the best systems will fail when greed and weakness prevent them working. Perhaps there should be more focus on integrity and less on process?
  1. Apart from the more substantive issues, this presents a good study on organizational dynamics.  The reported comments are valid ground for a bit of disillusionment as to whether Internal Audit and Risk Management function can at all 'make a difference'.  Even when potentially damning comments by IA were on record, it seems the powers that be at RBS chose to substantively ignore the same.  We talk many a times of the need for IA to go up to the governance level in its reviews.  In this case it seems they did, to no avail!  Management override?  I guess the CAE could've felt like an interested expert watching a ship going the Titanic way and feeling helpless in doing anything, or at least anything more than what he had already done! (Isn't that the plight of many CAEs anyways?!)

     
    As for the CRO, it's not clear why the CEO felt a "reluctance... to agree to his participation" at key fora, "on the (specious) grounds that he reported to the Group Finance Director, who did attend"!  Clearly, it was the CRO's job, and NOT the GFD's, to keep a watch on emerging risks, so hindering his participation, including "as a full member of the GEMC", on any ground was probably totally unproductive, and just an obfuscation.  The later participation by "a new Group Chief Risk Officer... (who) had a direct reporting line to the Chairman of the Group Audit Committee" may just go to show how reporting lines matter in organizations - a hint for CAEs?
  1. As auditor of my bank, I would like to highlight on which area the audit function should focus not details of practical risk management process, but the governance structure of risk and control. In actual, I reported on the deficiencies of risk and governance, in particular reporting lines. While every bank keeps committee meetings,  anyjt risk issue or concern should be debated on the open meetings. So, it is important for internal auditors to focus this kind of reporting practices. If unofficial morning meeting dominates their substantial decision making and official GEMC becomes just tea meeting, it lacks governance process in the bank's risk management.

Leave a Reply