Donald R. Van Deventer, Ph.D.

Don founded Kamakura Corporation in April 1990 and currently serves as Co-Chair, Center for Applied Quantitative Finance, Risk Research and Quantitative Solutions at SAS. Don’s focus at SAS is quantitative finance, credit risk, asset and liability management, and portfolio management for the most sophisticated financial services firms in the world.



A Case Study in Risk Management Failure: HBOS

03/10/2009 12:21 PM

Written by: Donald van Deventer
3/10/2009 8:52 AM

Through the current crisis, we’ve been inundated with CEOs of major financial institutions saying “How could we have known that this was going to happen?” When we hear comments like that, there are really only two possible explanations for the institution’s problems: either the CEO and the Board didn’t listen, or the risk management team failed in its responsibilities to warn management. Thanks to the Financial Times, we have a detailed case study showing that management of HBOS was warned, they ignored the warning, and they shot the messenger: former head of risk management Paul Moore. For a case study in risk management failure, the memo below from Mr. Moore documents what happened at HBOS in detail. In an interesting postscript, the HBOS CEO has been forced to resign from the board overseeing the FSA after an uproar in Parliament over his sacking of Mr. Moore.

Paul Moore’s memo in full

Published: February 11 2009 09:30 | Last updated: February 11 2009 09:30

Memorandum from Paul Moore, Ex-head of Group Regulatory Risk, HBOS Plc

1. My background and credentials

1.1 I was Head of Group Regulatory Risk (GRR) at HBOS between 2002 and 2005. I reported to the CFO, Mike Ellis. I had formal responsibility for the bank’s policy and oversight of executive management’s compliance with FSA regulation.

1.2 From an FSA perspective, I was the Approved Person at the relevant time for the Control Functions 10 (Compliance Oversight) and 11 (Anti Money-Laundering).

1.3 Prior to joining HBOS, between 1995 and 2002, I was a Partner in KPMG’s Financial Sector Practice in London specialising in regulatory services where I advised quite a number of FTSE100 clients on regulatory matters.

1.4 I have been involved in UK Financial Sector regulation since it began in 1986. I am a Barrister by profession.

2. Executive summary of the main points I wish to make

2.1 My evidence relates to all sections of the Committee’s Terms of Reference but is drawn specifically from, and relates specifically to, my personal experiences at HBOS.

2.2 The main points I wish to make are these:-

2.3 I believe that there are important general lessons to be learned from my personal experiences as a risk and compliance professional at HBOS and elsewhere that could assist the Committee and others in the public policy debate about what needs to be changed in the governance and regulatory system to help to ensure that the same risks are mitigated in the future.

2.4 In order to draw out the general points that need to be made, it is necessary to tell at least a part of the rather complex personal story that occurred at HBOS and I request the Committee’s forbearance with this because it draws into sharp focus the lessons about the crucial importance of really effective governance. I give a short summary of the key facts of my story at HBOS in this section (2.12 to 2.19 below) and add some further factual information that I would like the Committee to consider in section 3 below.

2.5 The key general points I wish to make are these:-

2.6 In my view, as an experienced risk and compliance practitioner, the problem in finding the real cause of the banking crisis is being made more complex than it needs to be.

2.7 I believe that we are missing the wood for the trees and that the key solutions to prevent such an event happening again are simpler than we think. In relation to policy changes, I make some short recommendations that the Committee may wish to consider in section 4 below.

2.8 But let’s start with the cause and this fairly obvious proposition: even non-bankers with no “credit risk management” expertise, if asked (and I have asked a few myself), would have known that there must have been a very high risk if you lend money to people who have no jobs, no provable income and no assets. If you lend that money to buy an asset which is worth the same or even less than the amount of the loan and secure that loan on the value of that asset purchased and, then, assume that asset will always rise in value, you must be pretty much close to delusional? You simply don’t need to be an economic rocket scientist or mathematical financial risk management specialist to know this. You just need common sense. So why didn’t the experts know? Or did they but they carried on anyway because they were paid to do so or too frightened to speak up?

2.9 What my personal experience of being on the inside as a risk and compliance manager has shown me is that, whatever the very specific, final and direct causes of the financial crisis, I strongly believe that the real underlying cause of all the problems was simply this – a total failure of all key aspects of governance. In my view and from my personal experience at HBOS, all the other specific failures stem from this one primary cause.

2.10 In simple terms this crisis was caused, not because many bright people did not see it coming, but because there has been a completely inadequate “separation” and “balance of powers” between the executive and all those accountable for overseeing their actions and “reining them in” i.e. internal control functions such as finance, risk, compliance and internal audit, non-executive Chairmen and Directors, external auditors, The FSA, shareholders and politicians.

2.11 As I recently commented on the BBC Money Programme called HBOS: Breaking the Bank “Being an internal risk and compliance manager at the time felt a bit like being a man in a rowing boat trying to slow down an oil tanker.” If we could turn that man in the rowing boat into a man with a tug boat or even the Pilot required to navigate big ships into port, I feel confident that things would have turned out quite differently.

2.12 When I was Head of Group Regulatory Risk at HBOS, I certainly knew that the bank was going too fast (and told them), had a cultural indisposition to challenge (and told them) and was a serious risk to financial stability (what the FSA call “Maintaining Market Confidence”) and consumer protection (and told them).

2.13 I told the Board they ought to slow down but was prevented from having this properly minuted by the CFO. I told them that their sales culture was significantly out of balance with their systems and controls.

2.14 I was told by the FSA, the Chairman of the Audit Committee and others that I was doing a good job.

2.15 Notwithstanding this I was dismissed by the CEO (he wrote that it was “…his decision and his alone”). I sued HBOS for unfair dismissal under the whistle blowing legislation. Ironically, I was also the “Good Practice Manager” for whistle blowing purposes at HBOS but could hardly report my case to myself!

2.16 HBOS finally settled my claim against them for substantial damages in mid 2005. I was subjected to a gagging order but have decided to speak out now because I believe the public interest demands it.

2.17 At this point I want to stress in the strongest possible way that I am simply not interested in blame and I don’t think it really ever works. I was ultimately fairly compensated by HBOS. What I am very interested in is the future. As I wrote once to my boss at HBOS itself what we need this crisis to do for us is “to create a watershed here so we can move on from the issues of the past (from which we can learn but not blame) to the brave new world of the future.” Although, key people at HBOS did do wrong, I am also sure that their intentions were usually good and, in a sense, they were also caught up themselves in what the Greek tragedies would call the “ineluctability of fate”.

2.18 Returning to my story: after I was dismissed and to prove just how seriously HBOS took risk management, I was replaced by a new Group Risk Director who had never carried out a role as a risk manager of any type before. The individual concerned had primarily been a sales manager and was a personal appointment of the CEO against the initial wishes of other Directors. You can’t blame her for accepting the job as it got her on the Group Management Board and shortly afterwards the main Board.

2.19 On any reasonable interpretation, this appointment could not have met the FSA’s “fit and proper” requirements for the roles of CF 10 (Compliance Oversight) and CF14 (Risk Assessment) which are as follows:-

“In determining a person’s competence and capability, the FSA will have regard to matters including but not limited to…..whether the person has demonstrated by experience and training that the person is able, or will be able if approved, to perform the controlled function.”

2.20 All these matters were reported to the HBOS Non Executive Chairman of the Audit Committee as well as the FSA. I was given no protection or support. A supposedly “independent report” by HBOS’s auditors said HBOS were right but failed even to interview key witnesses.

2.21 I believe that, had there been highly competent risk and compliance managers in all the banks, carrying rigorous oversight, properly protected and supported by a truly independent non-executive, the external auditor and the FSA, they would have felt comfortable and protected to challenge the practices of the executive without fear for their own positions. If this had been the case, I am also confident that we would not have got into the current crisis. I believe that my personal story of what happened at HBOS demonstrates this exactly.

2.22 To mix a few well known similes / metaphors / stories, the current financial crisis is a bit like the story of the Emperor’s new clothes. Anyone whose eyes were not blinded by money, power and pride (Hubris) who really looked carefully knew there was something wrong and that economic growth based almost solely on excessive consumer spending based on excessive consumer credit based on massively increasing property prices which were caused by the very same excessively easy credit could only ultimately lead to disaster. But sadly, no-one wanted or felt able to speak up for fear of stepping out of line with the rest of the lemmings who were busy organising themselves to run over the edge of the cliff behind the pied piper CEOs and executive teams that were being paid so much to play that tune and take them in that direction.

2.23 I am quite sure that many many more people in internal control functions, non-executive positions, auditors, regulators who did realise that the Emperor was naked but knew if they spoke up they would be labelled “trouble makers” and “spoil sports” and would put themselves at personal risk. I am still toxic waste now for having spoken out all those years ago! I would be amazed if there were not many executives who, if they really examined their consciences closely, would not say that they knew this too.

2.24 The real problem and cause of this crisis was that people were just too afraid to speak up and the balance and separation of powers was just far too weighted in favour of the CEO and their executive.

3. A brief factual summary of my experiences at HBOS

3.1 As Head of Group Regulatory Risk at HBOS I was required to be the Approved Person who exercises the key significant influence function for the “Controlled Function 10” i.e. “compliance oversight”. This role requires the incumbent formally to oversee the adequacy and effectiveness of the systems and controls in place around the entire HBOS Group for ensuring compliance with FSA requirements. The role is rightly regarded by the FSA as an important safeguard of the firm’s compliance with the regulatory regime.

3.2 By its very nature the role of Head of GRR requires the incumbent to challenge the HBOS Group in relation to any aspect of its systems and controls, where those systems or controls are, or may be, inadequate to ensure that the Group complies with FSA requirements. In addition, he is required to raise challenge in relation to the way in which approved persons carry out their responsibilities and, in particular, in relation to their integrity, due skill, care and diligence. Failure to raise such challenge in appropriate circumstances would not only be a dereliction of duty to HBOS but could also lead to personal disciplinary action against the incumbent by the FSA.

3.3 It follows that there is a natural tension between the need to raise legitimate challenge on the one hand, and the likely reaction of those individuals who are the subject of the challenge. There is also the risk that the individual who raises the challenge will be criticised for the style or tone of the challenge.

3.4 During my period as Head of GRR at HBOS, at the beginning of 2004 the regulatory risk profile of HBOS was higher than it had ever been; and higher than the Board’s appetite for such risk should have been. By November 2003, the FSA had assessed key parts of the Group as posing high or medium-high risks to the achievement of its statutory objectives of maintaining market confidence and protecting consumers. They wrote that they were concerned that “…the risk posed by the HBOS Group to the FSA’s four regulatory objectives is higher than it was perceived”.

3.5 The FSA also wrote in relation to the Halifax (called “Retail”) “There has been evidence that development of the control function in Retail Division has not kept pace with the increasingly sales driven operation…” and “There is a risk that the balance of experience amongst senior management could lead to a culture which is overly sales focused and gives inadequate priority to risk issues.”

3.6 My operating plan for GRR was accepted by the Group Audit Committee and the FSA. That stated that there were three prerequisites for success. These were:

•“The strength, depth and quality of our relationships and communications with the FSA. This requires much more work so that all the requisite parts of the group are working in harmony, with one strategy and a completely different level of coordination….”

•“The credibility of Group Risk functions operating as a truly effective second line of defence. This depends on the standards and policies they set, the depth and quality of the oversight they perform and the strength of the relationships they have which allow them to provide functional and technical leadership. But even more important, it will depend crucially on the FSA’s confidence in this work.”

•“The demonstrable and enthusiastic engagement of the operating divisions in the work carried out by Group Risk functions.”

3.7 It is impossible and would be inappropriate in this memorandum of evidence to set out more than the very briefest summary of the evidence of what happened during that period. It was a very busy time and the facts are very complex. Our focus was specifically to improve the regulatory standards and policies of the Bank and increase the depth and quality of the oversight my department performed. In particular we focused our attention on compliance with the FSA’s first three Principles for Business. i.e.

1 Integrity: A firm must conduct its business with integrity.

2 Skill, care and diligence: A firm must conduct its business with due skill, care and diligence.

3 Management and control: A firm must take reasonable care to organise and control its affairs responsibly and effectively, with adequate risk management systems.

3.8 Suffice to say that given the circumstances, I was obliged to raise numerous issues of actual or potential breach of FSA regulations and had to challenge unacceptable practices and the conduct of others in fulfilling their obligations under the Principles for Approved Persons including very senior executives. Understandably and however hard we tried to be polite, fair, and evidential, the work we carried out was bound to upset some people. It was inevitable.

3.9 Just to give a flavour of some of the key facts but without providing all the supporting corroborative documentation, I can testify as follows:-

3.10 My team and I experienced threatening behaviours by executives when carrying out its legitimate role, in overseeing their compliance with FSA regulations. At this point I would just like to quote from an email I sent to Mike Ellis the CFO in June of 2004 which gives a flavour of the culture with which we had to contend in carrying out our legitimate (and required) oversight activities:-


We have spoken at some length this morning on this and more generally about the current issues in dealing with Retail. We really do have to do something…and you may wish to lead this…to change the whole tone of engagement. This is not a battle of wits but a joint attempt to do what is right for the organisation. Yes, now that people with a huge amount of external experience are now accountable in GRR for oversight, it is not surprising that the level of enquiry is going to be more detailed – that is to be expected…and actually welcomed.

Some behaviours are going to need to change, particularly the sentiment that constantly questions the competence and intentions of GRR carrying out its formal accountabilities for oversight plus the ever present need to be able to prove beyond reasonable doubt as if we were operating in a formal judicial environment. The more we adopt this approach, the more adversarial it all becomes, the more emotional it becomes, the more personal it becomes and the worse the relationship becomes. It becomes a vicious circle which needs to be broken. We need you and Andy [Hornby] to intervene here to create a watershed here so we can move on from the issues of the past (from which we can learn but not blame) to the brave new world of the future. Actually, the responsibilities for getting into the current position are held all around the organisation and not just in Retail…and I include Group Risk functions in this. What would be absolutely fatal would be if there was ever a perception – explicit or implicit – that different parts of GF&R took different views. Then you get the ”divide and rule” happening. We must all be as one and communicate as such.

We will get there but there will also be some pain in the process of change.


3.11 The CFO to whom I reported failed constantly to provide adequate support when issues arose.

3.12 He strongly reprimanded me for suggesting at a Group Audit Committee that a person with my role should be protected by having a direct reporting line to the non-executive in case they had to raise criticisms of the executive.

3.13 He (along with others apparently) strongly reprimanded me for raising issues relating to a “cultural indisposition to challenge within certain parts of the firm” when reporting to the Group Audit Committee. I said – “I would not want the Committee to be under any illusion as to how strong the tensions were as GRR carried out its oversight work and I have to say that there have been some behaviours which I would consider to be unacceptable.” The KPMG Audit Partner told someone who reported back to me that he thought I had a “death wish” following this meeting.

3.14 The Company Secretary failed to minute crucial comments I made at a formal Board Meeting which I attended to report on a detailed review that Group Regulatory Risk had carried out to determine whether the sales culture at HBOS had got out of control. It had. The minute should have read

“That from a strategic perspective, very careful consideration should be given [by the Board] in the development of Retail’s operating and strategic plans as to exactly what level of sales growth is achievable, given current capacity, without putting customers and colleagues at risk.”

When I raised this with the CFO he suggested in writing that I would be wrong to request an amendment. He wrote:-


HBOS minutes are not a record of verbatim comments as this would be incredibly time consuming and repeat a lot of what is in the agenda papers and, therefore, a matter of record. We encourage open discussion at meetings and wouldn’t wish people to be speaking – just for the record. If there is something important that is said and not covered in documents of record – then it should be minuted – but I thought that the Board minute was OK. You should be under no doubt that we do and always will adopt proper procedure. I can’t comment on the Retail RCC as I wasn’t there.

If you have concerns, I suggest that you discuss the same with the Company Secretary (ie Harry Baines not his secretary Pamela) who can advise you more fully on the minuting process. The Board minutes for July were approved at the September meeting.

3.15 I was strongly reprimanded by the CFO for tabling at a Group Audit Committee meeting the full version of a critical report by my department making it clear that the systems and controls, risk management and compliance were inadequate in the Halifax to control its “over-eager” sales culture. Mysteriously, this had been left out of the papers even though I had sent it to the secretary. When I sent it out as a late paper to the distribution list for the Group Audit Committee papers, he wrote as follows:-


This really looks bad and just look at the circulation list! There was no need to attach the appendices to your report in the first instance as they have already been seen/made available to all Board members. But if you were going to do so we ought to have got it right. People will be wondering why we are circulating separately a document they’ve already seen – it looks like we’re making an issue of it when we’re not.

3.16 I was making an issue of it! The Chairman of the Group Audit Committee thanked me for tabling the full version of the report and said that he now understood how serious the issues were.

3.17 As I have said, it is not surprising with all the difficulties that there were going to be people who would be upset. In a sense, the very nature of challenge is this and openness to challenge is a critical cultural necessity for good risk management and compliance – it is in fact more important than any framework or set of processes.

3.18 Notwithstanding the difficulties we had faced, Group Regulatory Risk received excellent feedback from almost all quarters for the work it had done including:-

•The FSA were positive and said on 26 November 2004, “Our relationships with GRR in particular have been good…We are quite comfortable to rely on GRR…and that is the real test”.

•Mr Tony Hobson the Chairman of Group Audit Committee said in November 2004 that he could not “believe the turn-around in our relationships with the FSA”.

•MORI reported that the major organisational change in GRR had been effected highly successfully.

•PwC concluded in a report on the effectiveness of risk management at HBOS that “We have been impressed with the limited number of senior personnel that we have interviewed in GRR”. I was amongst those they met.

•On 30 November 2004, another main Board Director wrote “An excellent year all round building on a similar result in 2003.” On 30 November 2004, Mr Tony Hobson added to this, “Thanks for the opportunity to contribute and to see your views [on GRR]. Very helpful. It’s obviously very positive feedback for Paul and the team and I can only reiterate your positive views.”

3.19 Notwithstanding the positive feedback, as explained in section 2 above I was then summarily dismissed (portrayed as “redundancy”). James (now Sir) Crosby, the then CEO of HBOS contrary to HR policy, HBOS’s own internal ethics policy called “The Way We Do Business” as well as all other principles of fairness (let alone employment law) wrote – “The decision was mine and mine alone”. He said that I had lost the confidence of key executives and non executives but refused to explain why. I claimed that my dismissal was unfair and that I had a claim both for unfair dismissal and for a claim under s.48 of the Employment Rights Act 1996. In other words, I had a “whistle-blowing claim” under that Act for raising Protected Disclosures.

3.20 HBOS finally settled my claim against them for substantial damages in mid 2005 and I signed a gagging order at the time in our settlement agreement.

3.21 As I stated above in section 2 above, a supposedly “independent report” by HBOS’s auditors said HBOS were right but failed even to interview key witnesses. No doubt they and the FSA would rely upon this report. In relation to this report, you should be aware that, following the very first response to the report from my lawyers and me which challenged it vigorously, HBOS settled within a very short time.

3.22 As referred to in section 2 above, on my unfair dismissal a person was appointed as Group Risk Director who was an ex sales manager who had no experience of risk management or compliance. I have already referred to this in some more detail in section 2 above. This was a personal appointment of James Crosby and some might question whether this fulfilled his fiduciary duties as a Director under Company Law or Principle 2 and 3 of the FSA’s Principles for Business set out above.

3.23 My concerns on this appointment were reported to the FSA but despite the clarity of their guidance on assessing fit and properness (see section 2 above) they permitted the individual concerned to become an Approved Person. It is extraordinary in my view that the FSA permitted this, when this role is so important to the fulfilment of their statutory objectives. Maybe they felt constrained as James Crosby was a non executive director of the FSA at the time?

3.24 One final interesting but telling anecdote of my personal story relates to Charles Dunstone (founder of the Car Phone Warehouse). Charles was a non-exec director of HBOS which made good sense given their strategy of turning the bank into a retailing operation. He is clearly an outstanding business leader. But, strangely, he was also appointed to be the Chairman of the Retail (Halifax) Risk Control Committee (a divisional audit committee). He admitted to me that he was very friendly with Andy Hornby and that they met quite often socially. Of course, he was supposed to be challenging Andy Hornby. He obviously had no technical competence in banking or credit risk management to oversee such a vital governance committee. Another HBOS non-exec said to me one day of him and his role “Well, they got that appointment wrong, didn’t they”. Even more extraordinary than this, Charles Dunstone himself admitted to me and my colleague one day words to the effect that he had no real idea how to be the Chairman of the Retail Risk Control Committee!

3.25 This just shows how little real regard HBOS had for the importance of the non-executive roles. It is also probably in breach of Principles 2 and 3.

4. Some recommendations for policy analysis and development

4.1 A very short summary (and not yet fully thought through) of the list of some of the policy points which arise out of my experience which need to be debated are as follows:

4.2 Remuneration and performance management of exec…e.g. regulatory sign off, bonuses held in a trustee account over longer time frames to ensure short termism does not take hold

4.3 A more detailed policy and rules which allows the FSA to test the cultural environment of organisations they are supervising e.g. tri-annual staff and customer survey. There is no doubt that you can have the best governance processes in the world but if they are carried out in a culture of greed, unethical behaviour and indisposition to challenge, they will fail. I would now propose mandatory ethics training for all senior managers and a system of monitoring the ethical considerations of key policy and strategy decisions within the supervised firms.

4.4 Much more formal qualifications and competencies for risk managers and compliance professionals so that only fit, proper and competent people can be appointed as CF10, CF11 and 14 – Compliance Oversight, Anti-Money Laundering and Risk Assessment. These roles are becoming as important as CFO role and need something like the ICA / Institute of Actuaries to regulate their training and competence.

4.5 Regular formal independent audit of risk management, compliance and internal audit functions to keep them honest – and to make them feel they will be backed up / protected if they do their jobs properly and cause a bit of inevitable friction.

4.6 Risk management and compliance with at least an equally weighted reporting line to a non-exec with sufficient time and profile to balance the executive. The non executive need to be “executive” in relation to their primary accountability of overseeing the executive. No person responsible for a key internal control function can be dismissed without a full and minuted meeting of the non-exec and the incumbent must be given a right of reply. The FSA should formally approve such decisions.

4.7 Much much more focus on competence and independence of non-executives e.g. register of non-work social meetings, pre-appointment investigation of “links” / potential conflicts of interest e.g. cross-board connections..I’m on your remuneration committee if you’re on my audit committee, pre-appointment record of reasons why a person is competent for a particular committee.

4.7 Much more involvement of the regulators in the terms of reference of the statutory auditors – the level of cost associated with formal independent audit is inadequate and needs to be radically increased. How can a firm like HBOS be audited for £5m or less?

4.8 Much more rigorous and prescription of the regulation of affordability and suitability requirements for the sale of credit products…to prevent ordinary people who cannot resist the temptation of getting into excessive debt.

4.9 Further development of Whistle Blowing rules to make sure that those who raise legitimate issues are not just “bought off” with shareholders money….the case should be reviewed by the regulator and action taken if necessary to ensure those responsible cannot get away scot-free.

4.10 Much much better pay for senior regulators so that the FSA can recruit the best – pay twice as much, get four times as much done at eight times the quality.

5. A final observation

5.1 One final observation I would make about the HBOS disaster is this; wasn’t it actually Sir James Crosby rather than Andy Hornby who was the original architect of the HBOS retailing strategy? At first this was good in that it purported to be a “Customer Champion” strategy. The problem was that a reduced margin strategy is predicated on the need for improvements in cost control and at the same time massive increases in sales. It is now clear that this disastrous “grow assets at all costs” strategy was what led to HBOS’s downfall and humiliating demise by the forced acquisition by Lloyds.

5.2 Sir James is still the Deputy Chairman of the FSA and advises the government on how to solve the mortgage crisis. Some might now also question what his “contribution to financial services” has in fact been when this will have led to millions of people in excessive debt, 10,000s who will lose their jobs and many more whose balance sheets have been impacted by the precipitous fall of the HBOS share price – apart from the reduction in competition in the retail financial services market threatened by the new Lloyds Group?

5.3 Shouldn’t the Committee be asking him to testify?

February 2009

