One of the fallouts from the financial crisis in the UK was the demise of the Co-op Bank as part of the Co-operative movement. The UK regulators (the PRA and the FCA) investigated the causes of the bank’s demise and issued simultaneous enforcement notices earlier this year (here and here). The key failures identified by the regulators are summarised in Box 1.
One of the key points for the press was the regulators’ decision to waive any financial penalties, reflecting the financial conditions of the Co-op Bank. However, from a risk management perspective, the enforcement notice represents an interesting catalogue of lessons in risk management for both banks and insurers:
1. Risks and business strategy go hand in hand. It is difficult to manage risks effectively in the absence of a clear and comprehensive strategy for key lines of business.
2. A ‘cautious’ risk appetite statement is not enough. Business decisions still must be evidenced as ‘cautious’ in practice even if this happens on a qualitative basis.
3. The remit of the risk function includes valuations and accounting decisions. This is particularly relevant in terms of the challenge and governance to (changes to) assumptions associated with discretionary features about valuation e.g. about the timing of redemption of capital instruments.
4. Policies are more than documents. Compliance with policies must be evidenced. A complex and changing business reality cannot be captured through prescriptive policies. Certain discretions must be factored into decision making processes. The risk oversight should cover how those discretions are applied in practice.
5. An open and cooperative relationship with the regulators is not just about issues. It includes updating the supervisor regarding concerns about the position of senior individuals leading to intended changes.
6. An effective risk culture is an outcome of business decisions about risk. This was one of the concerns of the regulators. The regulator’s articulation of an effective risk culture is interesting: ‘A culture in which accepted orthodoxies are challenged, action is taken to address risks on a timely basis and risk and control functions carry real weight is likely to support prudent management.’ In a nutshell, a risk culture is not an end in itself but the means to support prudent management.
The enforcement notice mentions other issues regarding the shortcomings
of the risk management oversight and internal audit.
Finally, it is worth noting that the period of time formally considered by the regulators stretches from July 2009 – weeks before the Co-op Bank’s merger with the Britannia Building Society – to December 2013 – when it ceased to be a wholly owned subsidiary of the Co-op Group. I don’t think the shortcomings just materialised in July 2009.
This suggests that the perceived connection between responses to the financial crisis and strengthening risk management may not have been as widespread as it might have seemed. The shortcomings are clearly serious and, while they may not be critical when taken individually or addressed within a short period of time, it is their cumulative impact that brought about the Co-op Bank's demise.
This post is part of a series of posts on the practical lessons for risk management from enforcement cases. The posts are all brought together in the page Enforcement Cases of Crescendo ERM blog.