HBOS 'whistle blower' scandal reveals reporting failures

LONDON - James Crosby, the ex-chief executive of HBOS who was subsequently hired as deputy chairman of the UK Financial Services Authority (FSA), has been accused by his former head of regulatory risk at HBOS, Paul Moore, of refusing to heed warnings that the bank was "growing too quickly" and that its sales culture was "significantly out of balance with their systems and controls". In a memorandum to the Treasury Select Committee, Moore alleges his warnings were ignored and that he was forced out of his job shortly after making them. Although a KPMG investigation could find no wrongdoing on the part of Crosby, he nevertheless resigned his position at the FSA in the wake of the scandal. The incident has shown that risk managers face an uphill battle to make sure their warnings are heard and heeded by boards of directors. But for this to happen, risk reports need to be accurate and proven by risk managers.

"Op risk reporting needs to address the real issues that threaten the company. It should be focused on shareholder value and be aligned to what the board is interested in," says John Kiddy, chief executive officer of risk management vendor and consultancy Chase Cooper. "It needs to grab their attention. It also needs to address sensitivity to change. Too many reports show risks as they are at the reporting date, in our view these should also address the sensitivity of that risk score to small changes."

Although the need for better risk reporting is generally accepted, is there also a more engrained problem of risk professionals being cowed from reporting underlying risks and instead reporting what bosses wanted to hear? "I don't think so," says Peter Hill, director, GRC and operational risk, at risk management company Oracle Financial Services Software. "The reporting processes might not have been as robust as they could have been. Tying risk assessments to external loss data could have made risk and business managers more aware of the potential size of loss events."

Most operational risk managers will be unsurprised by the fact that risk reports have gone largely unheeded by senior management during the boom years, which is why the effective presentation of risk reports is so vital. "There is always the potential for opinions to be overlooked if expressed as just that," says Hill at Oracle. "To change direction, executive management needs more evidence of the risk and its potential consequences. A proposal to create a risk scenario and have it considered by senior managers in a workshop might have elicited a different outcome." Such lessons come too late for HBOS, but how can the survivors of the credit crunch address risk reporting? "By insisting on being heard; by insisting on proper systems and embedding these into the business; by not compromising on what they need to be excellent," says Kiddy.

Ensuring risk managers have a seat on the board is key to embedding a risk-aware culture within the entire organisation, including senior management. And this is something regulators, if not the organisations themselves, will be concentrating on in the upcoming round of legislation.