In the second of our two-part Airmic special, Paul Moore, the man who blew the whistle on HBOS, talks about presenting messages to the board that it may not want to hear. His experience is a lesson to all risk managers

Bringing an unpopular message to the board is tough. Nowhere was this more clearly demonstrated than in the case of Paul Moore, the HBOS whistleblower.

HBOS, one of Britain’s biggest banks, had to be rescued by a government-backed bid in October 2008 at the height of the credit crisis as it was sinking beneath huge subprime debts. Moore was the bank’s head of risk and he claimed to have seen the problems coming years earlier. But, according to his claims, his warnings went unheeded. Instead, he was spectacularly given the shove.

Airmic has asked Moore to present at its conference this week because the association feels his message could resonate with other risk managers, and that there are important lessons to learn about the challenges of communicating risks to the board.

Clearly, in tricky circumstances such as Moore found himself in, it is vital to make a convincing case to the board. Yet Moore argues that this is exactly what he did. “You can have the best governance processes in the world, but if they are carried out in a culture of greed, unethical behaviour and an indisposition to challenge, they will fail,” he says.

Moore joined HBOS in 2002 to head regulatory risk. As far back as 2003, the FSA was worried about the bank’s internal risk management systems. HBOS’s chief, James Crosby, asked Moore to head an internal inquiry. At that stage, Moore, who’s been a partner at KPMG and worked for Marsh for a short time before joining HBOS, says that he made it clear to the board that if he was to lead the investigation, he wanted to do it thoroughly and forensically.

His investigation unearthed some disturbing signs. In particular, Moore raised concerns about the potential for the bank’s sales staff to mis-sell consumer investment products and payment protection insurance. When Moore reported about reckless lending at the bank, he was reprimanded by his bosses and eventually he was fired. Moore claims to have been severely let down by the bank’s non-executives, who failed to offer him the support or protection he needed.

Paid for silence

Insurance Times’s sister title StrategicRISK, the magzine for corporate risk managers, quizzed Moore about his experience. Did he have good relations with the board prior to his investigation and credibility at a senior level? “If I’d been in the perfect world, I would not have walked into HBOS and walked into a tornado,” he says. “I would have had several years to build relationships. But I didn’t. I was promoted into the job 14 or 15 months after I’d arrived to deal with a situation because the regulator had turned the thumb screws on.”

Lots of risk managers probably find themselves in a similar situation because it is often the case that a new person is promoted to deal with a difficult set of circumstances, he says.

Moore felt compelled, and legally obliged, to disclose his serious concerns to the FSA. HBOS’s reply to the warnings was to commission KPMG to do an independent inquiry. Meanwhile, Moore was reportedly given a six-figure sum for his silence. He feels the regulator should have done more. It was not until the height of the banking crisis that Moore broke his silence and gave evidence to a government inquiry into the failure of Britain’s biggest banks.

Moore thinks the role of risk manager needs to be strengthened and that they should be given protection against being fired if they present hazards to the board. He is pleased that some of these considerations have been taken into account in regulatory inquiries, such as the Walker Review, into the causes of the financial crisis.

“You shouldn’t have to rely purely on the emotional aspect when you’re doing the risk manager’s job. It should be based on evidence. If the evidence demonstrates something, then it shouldn’t be permitted for a chief executive on their own to dismiss somebody. It’s absolutely wrong. The decision should be overseen by the FSA, because that means that the board will not take a decision lightly; they will think carefully.”

Getting in the way

Risk managers are fundamentally challenged by the fact that their work to protect companies from disaster is often seen as meddling and an obstacle to business. “A large percentage of people who are subjected to any type of review don’t like the person who’s done the review,” Moore says. “It’s only natural, but the culture should be that it’s a good thing to have one’s tyres kicked.

“I’m not the kind of risk manager who says: ‘The answer’s no, now what’s the question?’ My mantra is cars have better brakes so they can go faster.”

Moore believes he did everything he could to present his case properly and make sure the bank’s senior managers took the message seriously. “I am absolutely satisfied that technically I did the job outstandingly well and I took every step that I could possibly think of to lay the groundwork so that it was accepted.”

The problem, he says, was that senior bosses took the negative message as a “personal affront” and weren’t prepared to take the necessary steps to rectify the situation. IT

Banking crisis survey

Paul Moore’s consultancy, Moore, Carter & Associates, conducted a survey of risk management professionals into the causes of the banking crisis. Go online to see the full findings: