"Two straws please"...
I'm sure some of us chortled at the Crystal Methodist headlines a couple of years ago when the Non-Executive Chair of the UK's Co-operative Bank had his numerous vices sold to the highest tabloid bidder by a rented acquaintance. I covered some of the initial fallout on here, themed mostly around reputational risk and fit and proper persons, given the exponential effects of the exposé on the ultimate failure of the Group in its form at the time.
A document covering part of Co-op's demise, specifically its Bank, was released last week by the PRA.
The PRA's Final Notice to the Co-op Bank is issued publicly, and highlights where the firm breached what were at the time the FSA's Principles for Business, replaced since the PRA/FCA divorce by the PRA's Fundamental Rules.
Included in the Final Notice are a number of matters which risk practitioners should be salivating over, given the failures which led to this punishment include:
- Inappropriate culture,
- Internal control framework failures,
- Ineffective risk management policies, and, the jackpot,
- A "three lines of defence" model "...flawed in both design and operation"!
The activities demonstrating this include a woeful suite of incomplete management information, three horrendously chancy accounting interpretations benefiting the balance sheet at the expense of real-world accuracy, and a suite of defensive line failures, all of which are followed through in forensic detail.
I have sectioned my notes below for my own use, particularly given the PRA goes out on something of a limb here and provides usable definitions for certain terms which I suspect many practitioners would benefit from reading. The PRA (and EIOPA) generally try to dodge requests for definitions, so while the peg is square and the hole is round, it might be as good as you get!
Definitions and expressions
- Three lines of defence - "This is a system which relies on there being an opportunity at three complementary and independent levels to identify and correct any control failures".
- Second line of defence - "Second line functions should support and challenge the management of risks firm-wide, by expressing views within a firm on the appropriateness of the level of risks being run"
- The above is supplemented by the following: "Responsibility for risk should not be delegated to risk management and control functions" - amen brother!
- Third line of defence - "Internal Audit should provide independent assurance over firms' internal controls, risk management and governance"
- Risk Appetite - "A firm's stated risk appetite is an important factor in determining whether a firm's risk and control framework is commensurate with [the] nature of its business, and should be both integral to a firm's strategy and at the heart of its risk management system" - not far off a direct quote from last year's Approach Paper on Banking Supervision (p22), though it has moved from "foundation" to "heart" in this Final Notice. I know what I prefer to build on!
- "Clearly-defined strategy" - they list "well-defined objectives, responsibilities and milestones" as expected
- Policies - "The establishment of appropriate policies [and procedures] governing the conduct of a firm's activities is an essential component in the exercise of appropriate organisation and control of a firm's business"
- "Good risk management culture" (p7) - interestingly an expression most bodies have avoided using, preferring "sound" to "good". They later go on to talk of culture more generically in terms of "right" and "inappropriate" (p33).
- Interestingly, Co-op Bank never refer to operating "3LOD" until their 2012 Annual Report (p56 for the boilerplate and clearly untrue definitions), so any deficiencies in the model before that year might be for a good reason!
- First line management oversight was seen as "inadequate" and "inappropriate" (p12)
- Their second line managers "...repeatedly voiced concerns" about headcount (p29), which weren't addressed until the back end of the period under scrutiny. Hard to think post-2007 it would be hard to justify reinforcing that area of the business, which perhaps says a lot about the entity's culture.
- Second line not monitoring adherence to policies (p29) - quite hard to conceive of nobody in the second line doing this!
- A clear distinction made more than once between "Risk Management Framework Policies" and "adequate policies and procedures" relating to operational matters (p5)
- Some of the failure to follow 'internal policies' seems to have been sponsored by the acquisition of the Britannia book - perhaps a natural by-product of M&A activity, where the cultures and modus operandi clash (p21)
- Second line criticised for not providing proper "independent challenge" - happy to see this, given the focus tends to be on second line oversight, which always feels like a bit of a jib-job.
- Third line giving the business credit for proposed remedial action in its audit reports (p31) - even taking this into account, they were rolling over around 30% of recommended actions in their reports as "overdue"!
- Head of Internal Audit reported to the Head of Risk
- An implication that one may be permitted shortcomings in one's internal control framework, providing one's culture is "appropriate" (p5).
- An interesting slant on reputational risk emerges from one of the accounting interpretations used: while assuming a particular accounting treatment (on the Leek notes in this case) which benefits the entity at the expense of the counterparty might benefit the immediate balance sheet, the long-term effect on being able to raise new capital must be considered (p16)
- External Auditors using a 1-to-7 scale to assess how punitive/liberal the accounting treatments used by clients are. These assessments have bitten this particular client on the bum, given the PRA quote them in the document in the context of whether they align with a "cautious" risk taker!
Open-ended questions
- Is "cautious" a realistic appetite for risk at Entity level? More importantly, if one has a "cautious" risk appetite, is one obliged to manage one's capital "cautiously"?
- Management information was criticised for not being "sufficiently forward looking" - should it be (as opposed to mostly summarising positions at a point in time)?
- Is the PRA allocating resources to firms based on their Risk Appetite Statements (p13)?
- Is it possible for non-Accounting experts working in the second line to identify just how many ropey interpretations of UK GAAP/IFRS are being applied to a balance sheet? Is it plausible to leave such work to external audit firms who couldn't have a more vested interest in the grey areas of such legislation? The artificial boosting of the balance sheet listed in this notice would be subtle enough to trick an accountant or two I'd bet!
- Can quant risks be effectively managed in a separate team from the qualitative world? Appreciating there is a shockingly blurry line in Co-op Bank's approach (p29), it certainly feels like Solvency II pressures might lead to similar pressures on the staffing front, particularly for modellers and small/medium sized firms where staff may wear more than one hat.