Sir Christopher Kelly's report published yesterday confirms the media views that the Co-op was brought to its knees by a long list of mishaps, including:
- The merger with the Britannia Building Society in 2009.
- Failure by the Bank after the merger to plan and manage capital adequately.
- Fundamental weaknesses in the governance and management of risk.
- Material capability gaps, leading to a serious mismatch between aspirations and ability to deliver.
- Past mis-selling of payment protection insurance (PPI).
- A flawed culture.
- A system of governance which led to serious failures of oversight.
But what are the root causes of these lamentable failures?
The root causes are the familiar 'underlying causes' – what we now call Behavioural and Organisational Risks - identified in 'Roads to Ruin', the Cass Business School report for Airmic and our own report 'Deconstructing failure - Insights for boards'. They are depressingly familiar and include:
- Lack of board skill and experience
- Lack of strategy where one was needed
- Lack of board understanding of reputational risk
- Board unaware of important information
- Board risk blindness and groupthink
- Unwillingness and inability of Non-Executive Directors to stand up to Executives
- Failed board leadership on ethos and culture
- Culture that delayed bad news and discouraged challenge
- Risks from poorly understood complexity
- Failed change management
- Risks from inappropriate incentives
Unfortunately, as we have previously explained, the Three Lines of Defence model is flawed.
As a process it is conceptually sound, and its name sounds reassuring - as did the name of the Maginot Line. But it assumes that risk management has the tools, and risk managers the authority, to capture and deal with behavioural and organisational risks.
This assumption is wrong, whether those risks are at or below board level. Classical risk management does not have the tools systematically to find behavioural risks; and risk managers do not have the status to challenge their superiors from whom most of these risks ultimately emanate.
The problem is the old one. The board sits at the apex of a risk management structure, but who is able to manage risks that emanate from the board itself? Or as the Roman satirist Juvenal put it, “Who is guarding the guards?”
In a regulated environment, regulators are one of the few who can ensure that boards get an outside view on the risks they create. It is reassuring to see two of the UK's most important business regulators taking up the challenge.
The Financial Reporting Council has tackled the issue. Its guidance, effectively directing boards to tackle behavioural and organisational risks, is expected to come into force on 1 October. The Bank of England/PRA is not far behind. This is nimble work for which the FRC and PRA should be congratulated.
Professor Derek Atkins