“A focus of a firm’s risk control framework must be an effective risk and audit committee and knowledgeable non-executives with a willingness to challenge senior management.”
Few would disagree.
The irony, however, of both the timing and content of Sants’ speech seems to have escaped him. He did not go on to say that, of course, once challenged, management should accept this and desist from the risky courses of action which were the subject of the objection in the first place. But, as the case of Paul Moore, the HBOS whistle-blower, shows, executive senior management can deal with unwelcome challenges from the risk manager by firing the risk manager.
As for timing, Sants’ statement came after Paul Moore’s revelatory evidence to the Treasury select committee in which he said: “When I was head of group regulatory risk at HBOS, I certainly knew that the bank was going too fast (and told them), had a cultural indisposition to challenge (and told them) and was a serious risk to financial stability (what the FSA call ‘maintaining market confidence’) and consumer protection (and told them).
“I told the board they ought to slow down, but was prevented from having this properly minuted by the CFO. I told them their sales culture was significantly out of balance with their systems and controls. I was told by the FSA, the chairman of the [HBOS] audit committee and others that I was doing a good job. Notwithstanding this, I was dismissed by the CEO.
“I sued HBOS for unfair dismissal under the whistle-blowing legislation…HBOS finally settled my claim against them for substantial damages in mid-2005. I was subjected to a gagging order but have decided to speak out now because I believe the public interest demands it.”
It follows that a risk manager prepared to challenge senior management does not necessarily succeed in getting the firm to change its ways. It is noteworthy that neither the audit committee of the HBOS board nor the FSA itself succeeded in getting HBOS to change its sales culture which “was significantly out of balance with their systems and controls”.
It also follows that for Hector Sants merely to exhort a risk manager to commit commercial suicide is unlikely to have any effect in practice.
It is clear that more is needed to protect risk managers when they feel bound to mount a serious challenge to the way in which a company is being run.
It goes without saying that a well-run firm would have an internal culture in tune with the spirit as well as the letter of the regulatory environment. Such a firm would naturally treat its customers fairly.
It would not need to undergo a revolution in outlook following a heavily critical visit from the FSA. In such a firm, the risk manager would be able to hang a sign on his office door saying, “Gone fishing”.
In a less well-run firm, the risk manager would have to work at changing the culture. He ought to be able to enlist the co-operation of senior management. Change of that kind is essential and ought to be viewed as a long-term positive.
If it is necessary to challenge senior management there ought to be structures in place to protect the risk manager.
Those structures should exist both within and without the firm, supported by the FSA and its rulebook. To protect the risk manager internally, he ought to have a compulsory direct line of reporting to the chairman of the audit committee who is the senior non-executive director. Only then can the risk manager rest assured that his voice will be heard by the non-executive directors.
The chairman of the audit committee should have a personal obligation to the FSA under the terms of his approved person’s status, to report on the risk management work and progress to the FSA on a regular basis – at least quarterly.
No one is perfect. It could well happen that the risk manager’s attitude to a particular issue is incorrect. If there is a difference of opinion between the senior executive management and the risk manager, the audit committee and its chairman ought to be able to resolve it to the satisfaction of all concerned. But in any event, the fact of the disagreement and the way it is resolved should form part of the chairman’s report to the FSA.
On the other hand, the disagreement may not be resolved by discussion. What then? The risk manager should have access to the FSA.
Essentially, this would be a whistleblowing procedure. If he has taken the matter to the FSA under such a procedure, it is likely the risk manager will have seriously fallen out with the board and the senior management who would wish to replace him.
If he is not given some protection by the FSA’s rules from dismissal in this situation, he would be faced with the same problems as met by Paul Moore.
If senior management wants to oust the risk manager, this should not be allowed without a full hearing of the board at which he should be entitled to legal representation.
If it is decided at the meeting of the board that the risk manager should be dismissed, this should not take effect without the consent of the FSA. And before the FSA takes any decision on the matter, there must be an independent investigation by, or on behalf of, the regulator.
If the investigators are not from the FSA itself, they should be independent of both the firm and the risk manager. The firm’s auditors cannot be regarded as independent. After the investigation, if the FSA wishes not to object to the risk manager’s dismissal, the decision to take that course should be made by the regulatory decisions committee of the FSA. This is the semi-independent committee of the FSA’s board which makes decisions in the enforcement and disciplinary areas of the FSA’s jurisdiction. It is separate from the FSA’s executive management structure. Only its chairman is employed by the FSA and it has its own legal advisers and support staff.
Finally, both the firm and the risk manager should have a right of appeal to the Financial Services Tribunal.
Such a procedure would ensure that a risk manager could challenge actions that expose a firm to undue risks, confident that he can, if necessary, enlist the support of the firm’s non-executive directors and the FSA.
The company’s risk controls would be greatly strengthened as a result. Without such a procedure, Hector Sants’ call for effective challenge of senior management would remain no more than a cry in the wilderness.