Governance flaws in UK financial institutions - complacency or one-offs?

Some very interesting bits released over the weekend which should prick the ears of the UK's banking and insurance entities like a corporate governance-driven piercing gun, hot off the back of last month's Co-operative Group scandal.

Governance structures
- unchallenged by Risk for too long?

Over at RSA, one of the UK's most venerable General Insurance, a house of horrors-style drama appears to be emerging. Starting with what looked like a serious, yet relatively modest, localised valuation issue over in Ireland has developed in short order into the straw which has broken the camel's back with regards to the tenure of the Chief Executive of the entire group - all off the back of a routine audit, according to one source, and perhaps not coincidentally breaking formally as a story one day after the announcement of enormous premium hikes in the country.

Astonishingly, one of the three men suspended at the Irish unit is also one of the biggest hitters in their national industry, being the current president of the Irish Insurance Federation. He was quoted in August thus (my emphasis);

I’m very optimistic about the future. The Irish Insurance Industry is robust, well capitalised, making a significant contribution to the economy and most importantly, delivering for customers.

While it is fair to say that the knives were already out for the Group CEO, who has presided over general bad news over the last year or so (this year's profit warnings one and two for example), to actually see a FTSE 100 insurer crippled to the point of fire sales to plug capital holes by such a matter is pretty remarkable, even if the geographical source of the pain is less surprising after Quinn went down actuary-less a couple of years back.

What's more, the interim CEO (who is pulling off the much-maligned Chairman/CEO double act for now, though was Non-Exec) has sanctioned a root and branch review of governance arrangements in the firm across all markets (cited here from an analyst call), quite an undertaking in itself bearing in mind its geographical spread.

It made me revisit the published feedback to EIOPA's preparatory guidance, where I had remembered that the feedback received from RSA was pretty caustic with regards to the appropriateness of EIOPA's guidance where it seemingly went above and beyond the Directive and Implementing Measures.

Pointedly in the context of this particular failure of their internal controls, they fed back extensively on the Fit and Proper requirements (p237), most of which centred around 'less is more', and emphasised the administrative burden such activity already causes. This is supplemented on p339 with a piece against the rotation of internal audit teams, both of which look discomforting in hindsight!


The second breakout story came at the back end of last week, with the PRA seemingly ordering a FTSE 100 bank to restructure its governance arrangements by making their CRO report through to the CEO, as opposed to the CFO. Referred to as "unprecedented action", and against the one UK-listed banking entity who seemingly didn't result to buy-ins or bailouts to get through 2006-2010, I'm not sure how to read this.

One the one hand, the "Risk" job in banking institutions sometimes comes across as an add-on or a pitstop to the remit of an executive who has better things to do - indeed, one of the highest profile risk heads in the UK banking industry has recently been in a tug of war for his services in his 'real' job as a CFO/CEO-designate.

On the other, responsibility for risk has only been passed from the CFO to the CEO, which doesn't exactly feel like much of an upgrade when trying to enhance the visibility and vigour of the CRO role. Let's face it, if either of those roleholders don't like the cut of your jib as a Head of Risk, you're a eunuch, regardless of your reporting line!

The Independent go as far as this was not a sleight against the CFO in question, but more about the "principles of bank board structures". If in principle all PRA-supervised firms need to copy their neighbours to have 'appropriate' governance, will any similarly compromised insurers need to have a rethink in the next year or two?

Have we become too complacent, both as an industry and (as risk professionals) as a discipline? Is it OK for the Risk functions to rely on Internal Auditors and Regulators to retrospectively or prospectively identify and remedy flawed systems of governance, at a time where Risk functions have never been better staffed or more expensively salaried?