Risk lessons from the FSA

The collapse of Northern Rock came as a shock to almost everyone – not least
its regulator, the Financial Services Authority. The wheels came off last
September when the Bank of England had to act as lender of last resort to keep
the bank afloat. Eighteen months earlier, an FSA risk review panel had concluded
that Northern Rock merited the lightest touch regulatory regime, expanding the
period between major risk reviews from two years to three.

Last October, the FSA commissioned its own internal audit department to
review the regulator’s supervision of Northern Rock between January 2005 and
August 2007. A summary of its report was published in March. (A more detailed
report is to be released soon, apparently when commercially sensitive details
have been removed.) While much of it contains details and conclusions that are
of most interest to the FSA as a regulator of third parties, there are also
useful lessons that internal auditors of all major organisations should take
note of.

Painful lessons
One remarkable finding is that the building society-turned-bank wasn’t actually
supervised by a team that was predominantly concerned with banks. From at least
January 2005 (the start of the review period for this report) through to June
2006, Northern Rock was under the remit of a department primarily responsible
for insurance groups. Then, up until February 2007, it was in the lap of a team
responsible for one other business – again, an insurance group. It was only from
that time on that it was supervised alongside other banks. Lesson: make sure the
supervising team has the necessary skills and experience to understand the
business for which it is responsible.

While three separate heads of department had responsibility for Northern
Rock, there was at least some continuity in terms of the manager and lead
associate responsible. However, during the period under review, none of the
heads of department met senior management at Northern Rock. Lesson: don’t place
undue reliance on the work of more junior managers and associates.

The responsible division throughout – the Major Retail Groups Division – had
been kept busy with other matters, including the Banco Santander takeover of
Abbey, the bids by Barclays and RBS for ABN Amro and the demutualisation of
Standard Life, as well as work relating to Basel II.
Lesson: if the supervising team has enough on its plate, then it is well placed
to completely miss something critical.

The FSA’s internal auditors compared the working practices of the Northern
Rock supervision team with that of teams responsible for overseeing five other
firms. They found that information packs presented to a risk review panel in
February 2006 complied with FSA requirements, so on the face of it all the
necessary information was made available to the right people. However, it wasn’t
possible to ensure that the analysis was sound because – remarkably, and
contrary to the FSA’s standard practice – there were no formal records of key
meetings. Lesson: keep notes of meetings and ensure that everyone adheres to the
same working practices.

However, the FSA’s standard practices did not require supervisory teams to
provide any serious financial analysis to the risk panel – so none was provided.
“That type of analysis might have thrown into relief key aspects of Northern
Rock’s business model,” the report says. It admits that details and peer group
comparisons relating to the bank’s ambitious growth targets, its low, narrow
margins and its reliance on wholesale markets and securitisation. Lesson: ensure
that you are actually collecting and using the data you need to understand what
the risks are.

One of a handful of issues identified by the risk review as being worthy of
“close and continuous supervision” was the impending retirement of Northern
Rock’s FD, Bob Bennett. Lesson: FDs matter, and risks arise when an FD departs.

What have you learned?
The internal auditors discovered that the supervisory team didn’t seem to have a
proper understanding of what “close and continuous supervision” actually meant.
In particular, they apparently failed to appreciate that it “entailed the
regular reassessment of the firm’s business risk profile and control risks as
new issues arose”. Lesson: there’s really not much point undertaking all that
supervision if you don’t think about the implications of your discoveries.

Regulators and internal auditors would seem to have many of the same type of
responsibilities and require many of the same aptitudes. In the case of Northern
Rock, the FSA has owned up to several critical failings that internal auditors
should learn from: it needed a more comprehensive analysis of the risks inherent
in Northern Rock’s business model; risks identified by the review panel weren’t
effectively pursued by the supervising team; there were no triggers to reassess
the necessary level of scrutiny; senior managers weren’t adequately engaged with
the supervision of Northern Rock; and there were no “challenge mechanisms” that
would prompt a divisional level review of the bank.

In short, for a regulator that is promoting the merits of risk-based
regulation, it failed in this instance to ensure that the risks were properly
assessed – and acted upon.