The latest meltdown reveals that impartial risk control has not moved on since Enron

Once again a crisis has raised questions about the effectiveness of non-executive directors. In theory, independent non-executives are business leaders capable of putting the brakes on executive management because their pay is not tied directly to the financial performance of the company they oversee. They are the ultimate risk managers and a cornerstone of good corporate governance. But where were they when banks like Northern Rock, HBOS and RBS were irresponsibly racking up exposures way beyond what they were capable of handling?

The obvious criticism is that the non-executives did not understand the businesses they were meant to be overseeing. And they did not have sufficient influence or incentive to challenge other members of the management board. Non-executive and executive management roles are sometimes too closely linked. If they are too chummy, impartiality is compromised. Stricter rules, invented in the aftermath of past corporate scandals, were supposed to boost the power and influence of non-executives. That does not seem to have worked.

The last time the role of the non-executive was called into question was after the collapse of Enron, Tyco and WorldCom in the US. In the wake of those scandals of the early 21st century, the American authorities wrote the Sarbanes-Oxley Act (SOX) of 2002, which prescribed much stricter rules on transparency and accountability. The British government in turn asked Derek Higgs, a former banker with a strong dislike of prescriptive regulation, to review corporate governance. In his report, Higgs stopped short of proposing a major regulatory overhaul as in the US, but he did recommend separating the non-executive role of chairman and the chief executive’s job, to remove conflicts of interest.

Unfortunately, neither SOX nor the Higgs review appears to have succeeded in preventing another corporate governance crisis. Why have the regulators and those responsible for corporate governance not learned from past mistakes? The main problem appears to be that maintaining the balance of power between the two leadership roles has not worked.

Whistleblower Paul Moore, the former head of regulatory compliance at HBOS, claimed he was ignored and eventually fired for raising concerns about his bank’s internal risk controls. Moore blamed the banking crisis on a failure of all of the key aspects of corporate governance and an inadequate separation and balance of power between the executive and those responsible for reining them in, which included internal control functions, the non-executives, external auditors, the regulators, shareholders and politicians.

“When I was head of group regulatory risk at HBOS, I certainly knew that the bank was going too fast (and told them), had a cultural indisposition to challenge (and told them) and was a serious risk to financial stability and consumer protection (and told them),” he said. Moore alleged the non-executive directors charged with overseeing risk management were anything but qualified.

HBOS has rejected Moore’s allegations and said they were fully and independently investigated and found not to be true. The bank also reportedly made changes to the regulatory risk function, which the FSA judged as “appropriate”.

Without real independence and influence, the risk management function, in its widest sense, cannot perform properly. As long as senior management can pressure internal risk managers, those risk managers cannot hope to be objective. Moore wanted the risk department to report to a non-executive director. But unless that non-executive is also properly independent (that is, does not have any financial, professional or friendship ties to the chief executive), the corporate world seems destined to keep skipping on the same track of the record.

Key points

The banking crisis has revealed the limitations of non-executive directors

Non-executives are not independent enough, which means they cannot rein in executive management

Internal risk managers are not independent because they can be influenced by executive management

Risk managers need a direct reporting line to a truly independent non-executive