by Perman, Ray
Some high-profile financial scandals in the early 1990s, largely seen as the result of loose systems of corporate governance, which allowed crooked individuals to manipulate companies, triggered a revolution. The Cadbury report recommended a much more systematic approach to appointing directors and to their rights and responsibilities, especially over the financial oversight of the company. This was followed a few years later by the Greenbury report, which suggested further refinements, particularly over the way in which executive pay was determined. These two reports were merged into a combined Code of Corporate Governance which was modified by a series of later inquiries and given semi-legislative status by being incorporated into the Stock Exchange listing rules and policed by regulators. At the same time there was a general acceptance that boards should be more diverse, include more women, younger people, more ethnic minorities, more people with disabilities.
The assessment and control of risk in financial companies was also undergoing a reappraisal. National and international regulation, globalisation and the fear of ‘contagion’ – the fall of one institution bringing down others – led to a formalising of the systems for monitoring and controlling risk. New international accounting standards were introduced, which changed the way in which assets and liabilities were to be treated and demanded more detailed reporting. ‘Gut feel’ was to be replaced by a much more systematic, formulaic and mathematical approach. Part of the drive was intended to make companies themselves think more seriously about the risks they were running and partly it aimed at a more public process so that shareholders, regulators and counterparties (the companies and individuals with whom banks and financial institutions do business) would be able to gauge the level of risk more accurately.
‘Gut feel’ had severe limitations, but in the best institutions it was never just an instinctive feeling. It had been shorthand for an experience-based approach. In the Bank, lending and other major financial decisions were subjected to several levels of scrutiny: credit committees, area boards, general managers and the Chief Executive, and often the main board of the Bank. When executives said a deal ‘did not feel right’ they were not expressing a vague dislike, but drawing on years or decades of experience. In the 1990s this was supplemented by more sophisticated analysis, but underlying it was the fact that the ‘ownership’ of the risk was always with the manager making the loan, who was likely to be in post for a long period. It was his or her responsibility to know the customer, assess the creditworthiness and see the loan repaid – with the implicit sanction that too many bad debts would damage career chances.
The Bank’s area boards also brought in outsiders, businessmen with knowledge of local industries and individual companies. This was obviously fraught with potential for conflicts of interest: how did you know whether an area board member was expressing a genuine concern over the creditworthiness of an applicant, or trying to damage a business rival? But for the Bank, it seemed to work. The whole system was driven by an ingrained culture which valued ethics and trusteeship – the acknowledgement that the money being handled did not belong to the Bank, but to its depositors and its shareholders, which the Bank called ‘proprietors’ – owners.
Halifax, in its years as a building society, would have had a very similar ethos, derived from its roots in the savings and self-help movements of the nineteenth century. Those arrangements were breaking down, even before the HBOS merger, to be replaced by a much more formal and transparent system. Professionalism had to replace amateurism. Written codes had to replace unspoken culture. Risk departments supplanted individual responsibility.
The new system also broke the direct relationship of the lending officer to the risk. At the same time the sales culture, which was reaching all parts of banks, emphasised sales performance as the principal measure of achievement. In the old days managers who wanted to get on had to prove they could bring in the business, but also knew that too many bad debts would blight their careers. In the new system risk could seem like someone else’s responsibility. For ambitious managers, sales were what mattered.
‘It seems some of them envisaged they could further their careers by creating the biggest possible loan portfolio and if the risk department turned some down they would find other loans to take their place,’ comments one retired senior bank executive. ‘Lack of continuity in career structures also meant they would probably not be around when the loan was due to be repaid. In my day the senior team also had continuing access to the composition and spread of the total portfolio of loans and how this changed over time. I considered that one of my prime responsibilities was to understand the risks we were taking on and whether the balance was acceptable. This was my/our job – not that of a risk department inside the bank or an external regulator.’
Business grandees, like Cadbury and Greenbury, and regulators like the FSA may have seen the new corporate governance and risk disciplines in terms of principle and ethics, but to professional services companies they were a new business opportunity. The major accountancy firms and international consultancies set up corporate governance and risk departments, which would help companies design their systems to be ‘compliant’ and ‘state of the art’. HBOS took expensive advice – indeed it would have been open to criticism had it not done so. Systems had not only to be comprehensive and sophisticated, but they had to be seen to be so.
In the 2007 HBOS annual report and accounts, 40 pages are given over to corporate governance, describing in detail the structure of the board and its committees, the way they are expected to work and the individuals who serve on them. A further 19 pages describe the risk management procedures followed by the Bank. Search the report for the word ‘risk’ and you come up with more than 500 references. You could get the impression that the Bank was obsessed by risk. Yet many of the thousands of words contained in these pages are bland statements of the obvious, clearly included as part of some box-ticking exercise. Under the heading: ‘Key risks and uncertainties facing the group’ for example, are the unsurprising assertions that earnings could be affected by an economic downturn and that ‘future earnings growth and shareholder value creation depend on the group’s strategic decisions’.
There follows a diagram of the ‘Three lines of defence’ against risk: first the divisional chief executives supported by the divisional risk committees, second, the whole executive structure, from the chief executive and his senior management committee, through the Group Finance Director and the Group Risk Director to eight divisional risk committees. The final defence line includes the audit committee, the divisional risk control committees and the group internal audit function. Over the whole army sits the general staff – the group board.
In an investigation of HBOS corporate banking between 2006 and 2008, the FSA uncovered significant failings in all three lines of defence.2 The picture painted of the corporate division is explored in more detail in the next chapter, but the report also exposed gaps in the general risk management framework. Corporate banking’s internal controls should have provided the first line of defence, but the FSA found that the low credit quality of the deals it was doing meant that there was a relatively high risk of default. Effective monitoring of individual transactions and the portfolio as a whole should have been important, but credit skills and processes were inadequate and key controls were ineffective – weaknesses that were pointed out in repeated control reports.
Throughout the period the corporate division was being pushed to handle greater and greater numbers of new transactions, which were increasingly complex. There were ‘continuing, significant and widespread’ weaknesses in the effectiveness of the management of the relationship managers, who initiated the deals, and the key sanctioning committees which were supposed to check and authorise these deals had less time to scrutinise each one. Rather than concentrating on reducing risk, the FSA found that the pressure to increase growth and the time taken up by a wide range of change management projects meant that less attention was paid to risk management.
As a consequence the control framework failed.
The second line of defence should have been provided by the Group Risk department but the FSA found that this failed too. The picture here is of a department lacking in resources and expertise which could not exert adequate controls. It realised that the difficult economic situation and strong competition posed threats and that its own procedures were not up to the challenge, yet it periodically assured the firm that the credit risk framework was sound and fit for purpose.
There was no group-wide framework for credit risk management. Although Group Risk recognised the need for a clear statement of the ‘risk appetite’ the company was prepared to accept, which would provide a consistent view across the Group of the maximum tolerable risk in all types of lending, what was produced was no more than a regurgitation of divisional profit targets and forecasts of the provisions which might be needed to cover dubious debts. This statement took little account of the challenges in the market where competitive pressures were leading to increased levels of risk and did not factor in the risk of an economic downturn. The FSA found that the Group Risk department failed to provide effective challenge to the corporate division, either in setting risk limits or responding when it broke these limits.
The third line of defence should have been provided by the Group Internal Audit department, which had the responsibility of checking other controls and providing assurance to the board that they were functioning properly in measuring and managing risk. But here too the FSA found a lack of business expertise and resource. The department focused on major regulatory and change projects rather than business as usual, and it was uncertain where the responsibility of the internal audit department ended and the Group Risk department began. The result was, according to the FSA ‘an underlap’ between the two departments – a gap which meant that some risks were not adequately monitored or assessed.
The FSA judged that HBOS was guilty of very serious misconduct, in that the corporate department, trading under the Bank of Scotland name, failed to comply with one of the FSA’s 11 Principles for Businesses: ‘A firm must take reasonable care to organise and control its affairs responsibly and effectively, with adequate risk management systems.’ Between January 2006 and March 2008, the FSA found that HBOS failed to take reasonable care to organise and control its affairs responsibly and effectively, with adequate risk management systems to cope with the aggressive growth, high-risk business and lending strategy it was pursuing.
Overseeing all three lines of defence and ultimately responsible legally and morally, was the board of the bank, made up of full-time executive directors including the chief executive, finance director and the divisional heads; as well as non-executive directors who were supposed to add extra skills, experience and, above all, independence. The key responsibility of a non-executive director is to challenge the executive – to rock the boat – yet in HBOS there seems to have been a serious lack of challenge.
At its beginning the HBOS board inherited some directors from both sides of the merger who were prepared to hold the executives to account, men nearing the ends of their careers who had nothing left to prove and were not afraid to contradict the chief executive or the chairman. These included Sir Bob Reid, from the Bank of Scotland board, and Louis Sherwood, who had been on the Halifax board. ‘The executive and Dennis [Stevenson] didn’t like Louis,’ one of his non-executive colleagues remembers. ‘He was continually asking blunt questions and if he didn’t get an answer he would ask it again, and again, and again. It didn’t make him popular, but every board needs a Louis Sherwood and every audit committee needs a Louis Sherwood.’ As these men retired they were replaced with younger faces. ‘They were very talented and competent business people and they were conscientious, but they did not have the experience or the confidence of the older board members and they did not ask as many questions.’
Although part-time, the job of a non-executive on the HBOS board could be very demanding. There were ten board meetings a year and numerous committee meetings. The audit committee met seven times. For each meeting there would be hours of preparation, going through mountains of complex documentation. On paper, board members also bore a heavy responsibility: they were liable under the Companies Acts for the conduct of the business and held accountable by the FSA. So far these have been theoretical rather than practical sanctions. No non-executive has been criticised by either the Department of Business, or the FSA. The posts were well rewarded. Ordinary non-executives earned £100,000–£200,000 in 2008, with Sir Ron Garrick, the senior independent director being paid £258,000 and Tony Hobson, chair of the audit committee, £230,000. Lord Stevenson, the chairman, received £815,000 and, unusually among non-executives, also received shares under a long-term incentive plan.
It is a matter of debate whether payments at this level to non-executive directors ensure that companies get high-calibre people who are properly rewarded for the large amount of work they are expected to do, or whether such large payments prejudice their independence by making them less likely to challenge the chief executive or chair. There is also a question mark over how much scrutiny non-executives are able to perform at a practical level if they are not party to individual lending decisions and do not have banking experience.
The overriding culture of HBOS was that of a retail company and many of its later non-executive board recruits were skilled and experienced retailers or marketeers. It lacked banking expertise among its non-executives until late in its life when it recruited John E. Mack, who had been Corporate Treasurer of Bank of America and Chief Financial Officer of Shinsei Bank of Japan, who joined in May 2007. Despite the resources it apparently devoted to governance and risk management, they ultimately failed to protect it and it is difficult to escape the conclusion that, despite their efforts, non-executive board members did not know what the bank was doing, even less the implications.
Yet the implications could not have been more serious and the warning signs should have been there for the board to see. According to the FSA report:
From April 2008, as it became apparent that high value transactions were demonstrating signs of stress, it should have been apparent to Bank of Scotland that a more prudent approach was needed to mitigate risk, yet it was slow to move such transactions to its High Risk area within its Corporate Division. There was a significant risk that this would have an impact on the firm’s capital requirements. It also meant the full extent of the stress within the corporate portfolio was not visible to the group’s board or auditors. In addition, while the firm’s auditors agreed that the overall level of the firm’s provisioning was acceptable, in relation to the corporate division provisions were consistently made at the optimistic rather than prudent end of the acceptable range, despite warnings from the divisional risk function and Bank of Scotland’s auditors.3
Tracey McDermott, FSA acting director of enforcement at the time, commented: ‘Banks and other firms have to manage their business by ensuring that their systems and controls are appropriate for the risks that they are running. The conduct of the Bank of Scotland illustrates how a failure to meet regulatory requirements can end not just in massive costs to a firm, but losses to shareholders, taxpayers and the economy.’
This was a severe censure; however, coming nearly four years after the event, it was far too late to influence any change in HBOS. Public criticism of the institution was also as far as the regulator was prepared to go. No individuals were named, nor were any sanctions imposed. The FSA suggested that had a fine been imposed it would have set a record, surpassing even the £17.5 million imposed on Goldman Sachs for breaches of rules. Since the horse had not only bolted, but been sent to the knacker’s yard and slaughtered, there was hardly any point in making the owner pay for a new stable door.
‘The severity of Bank of Scotland’s failings during this time would, under normal circumstances, be likely to warrant a very substantial financial penalty. However, because public funds have already been called on to address the consequences of Bank of Scotland’s misconduct, levying a penalty on the enlarged Group means the taxpayer would effectively pay twice for the same actions committed by the firm. Therefore, to reflect these exceptional circumstances, the FSA has not levied a fine against Bank of Scotland but has issued a public censure to ensure details of the firm’s misconduct can be viewed by all and act as a lesson in risk management failings.’
Will anything be done to reform the corporate governance of banks? The signs are not hopeful. In 2009 a review led by Sir David Walker,4 a former Treasury and Bank of England official, conducted a consultation and published a report which saw very little wrong with the system which had failed to stop the collapse of HBOS, The Royal Bank of Scotland and Northern Rock. Its five recommendations amounted only to tweaking a system which was clearly inadequate. The existing code for bank boards, it concluded, combined with tougher capital and liquidity requirements and a tougher regulatory stance on the part of the FSA, provided ‘the surest route to better corporate governance practice’. It did concede some failings in bank boards, but said these related much more to patterns of behaviour than to organisation. ‘The sequence in board discussion on major issues should be: presentation by the executive, a disciplined process of challenge, decision on the policy or strategy to be adopted and then full empowerment of the executive to implement. The essential “challenge” step in the sequence appears to have been missed in many board situations and needs to be unequivocally clearly recognised and embedded for the future.’ How boards were to be made more assertive and challenging it did not say.