Working In Uncertainty

The Risk Manager people want to work with

by Matthew Leitch, first published 25 February 2009.


Let's begin by looking at what is clearly not the best way for a risk manager to be perceived: as an obstructive Mr No, always critical and never helpful.

The case of HBOS

In February 2009 a row concerning risk management at banking group HBOS re-ignited. It seems that in 2004 or 2005 (depending on which news report you read), Paul Moore, the head of regulatory risk at HBOS, was sacked (or was it ‘made redundant by a restructuring’?) by the CEO at the time, Sir James Crosby. Apparently, Moore had complained that the business was running too much risk because sales growth was too fast and attention to risk was insufficient, and had raised concerns about treatment of customers and the culture within the business.

Moore seems to have been angry about this and complained to the regulators that he had been replaced by someone with no relevant professional qualifications and no previous experience in risk regulation and that things were not right. His allegations were investigated by the FSA and by KPMG at the time and, although nobody denies the point about professional qualifications, the company line was that Jo Dawson, the replacement (who appears to have come in at a more senior level than Moore), was a very senior banker with lots of experience.

Recently, members of parliament have been looking into affairs at HBOS because it is now part of the Lloyds group and state owned after its credit crunch rescue. Paul Moore wrote a letter making his allegations again and in response to this and some criticism from others Sir James Crosby resigned from the role of deputy Chairman of the FSA, while admitting no wrongdoing.

A few days later a former HBOS technical specialist from Moore's team, Anthony Smith, contacted the BBC to support Moore's points. Smith said that after Moore left the dominant culture was one of sales. He said that Jo Dawson's deputy had a background in call centres and was more interested in employee of the month awards and balloons on desks than with the possible impact of redundancies. Smith claimed that on one occasion he wrote a report on a regulatory risk problem and was told he could not be so direct. The issue took months to resolve but he thought it could have been dealt with immediately.

Along with these various allegations there are some clues as to the personalities involved. Smith said that after Moore left the regulatory risk team was kept more separate from the rest of the business and attempts were made to soften communication between the regulatory risk team and ‘the business’. That suggests that relationships were seriously broken.

KPMG's investigation gathered comments from un-named sources about Paul Moore, the former risk manager, saying that although he was perceived as ‘strong’ his ability to work with colleagues was doubted. (It's difficult to know how seriously to take these comments because this is a classic character assassination. It's hard to wash the mud away when someone says you are good technically but somehow lack social skills. If you complain then the mud slinger says ‘I told you he was defensive.’)

One of these un-named sources said that in one meeting Moore's behaviour ‘ranged from prickly to ranting to extraordinary to outrageous’. For all we know this could have been the meeting at which Moore was sacked, but whatever the reality, the point is that Moore's enemies attacked him over his relationships with colleagues in ‘the business’ and after Moore left ‘the business’ continued to show its dislike for the regulatory risk team.

Can we learn from HBOS?

Given the massive losses recently announced by HBOS, I suspect most people are somewhat sympathetic to Paul Moore, the risk manager who lost his job (though it was failing with market risk, not regulatory risk, that was the main cause of the losses). It's quite plausible that he was regarded unfairly as a negative character who did not support the business but instead was intent on holding it back.

It happens. I remember some years ago working with a partner at PricewaterhouseCoopers who was also the ‘risk management’ partner for his unit, responsible for checking through risky business opportunities to see if the firm should bid for the work. On one occasion a senior employee with a strong sales drive who should have known better presented a silly money making idea that was obviously far too risky. When the risk manager advised against bidding the salesman was angry and muttered to me about ‘obstructiveness’, imagining that I would be sympathetic. I made no comment, still stunned that such a stupid scheme had got so far.

On the other hand, the regulatory risk team should surely have realised that their working relationships with the rest of the business had degenerated into useless conflict.

Relationships matter to risk managers and it seems that having a role based on passing judgement on business proposals can lead to bad relationships, with the risk manager perceived as an unhelpful blocker.

Moore gave evidence to a Treasury Select Committee three times, going into considerable detail and quoting documents he copied while working at HBOS. These documents show that he made efforts to build good relationships with the rest of the business, understood the themes that were contentious, and was concerned about the rivaly that had developed. However, the actions he proposed were increasingly rigorous reviews and vague remedies like ‘robust action plan’ and ‘careful thought’. He behaved more like an FSA reviewer or the Big 4 partner he had once been, concentrating on ‘challenging’ instead of showing people how they could treat customers better and comply with regulatory requirements in the most efficient and convenient way.

Two suggestions

1) Suggest improvements to business ideas

Risk managers who frequently suggest smart ways to revise business ideas so that inherently risky, ambitious things can be done safely will become sought after individuals. The role/personality/character I would like to suggest is Mr How. In other words, risk managers should be more than people who say ‘yes’ or ‘no’; they should be people who can suggest ‘how’ as well.

For example, if a highly risky scheme for sales growth is put forward then risk experts should be able to put together an assessment of this and explain why, and they should be able to suggest smart changes to the plan that will reduce the downside risks, expand the upside, and do it all in quick, practical ways. Their suggested improvements don't have to be perfect to present people with a more attractive course of action than they started with, but the suggestions do need to be smarter than just saying ‘Grow sales more slowly’.

Instead of resenting the risk manager, people should want to invite him/her to their meetings to benefit from those good ideas. Mr How is very different, and much more popular, than Mr No – the risk manager who just passes judgements – and you can imagine how differently Mr How is treated.

Eventually, the good ideas might get a life of their own as people start to anticipate what the risk manager's suggestions would be. Imagine the chairman of a meeting to discuss a business plan saying ‘Unfortunately Matthew can't be at our meeting today because his diary is packed, but after all our years together I think we all know what he would be saying to us if he was here. More flexibility!’

2) Adjust rewards and penalties rather than giving a Yes/No

The idea of expressing ‘risk appetite’ with limits is a big part of the risk manager's problem. It can lead to awkward, relationship-damaging situations such as these:

  • A business unit is close to its limit and now wants to do another deal. The new deal is a good one with low risk and good returns but, unfortunately, it takes them over the limit and the risk manager (or his/her system) says ‘no’. Business managers cannot understand how such a good deal is unacceptable, but the risk manager is just implementing policy.

  • Following on from this situation, another deal is suggested. It is smaller and less attractive in every way. The risk manager says ‘yes’ because it doesn't take them over their limit. Business managers now can't understand why a poor deal was preferred to a much better one.

  • A new type of business is identified that offers significantly better returns than previous types, though at somewhat greater risk. Unfortunately, risk appetite statements drawn up before this exciting discovery state that the level of risk involved is too high and therefore the business cannot be taken. The problem is that the risk appetite statement was agreed at a time when rewards were assumed to be in a lower range.

As most people know, there is no single, fixed limit of ‘acceptable’ risk that applies regardless of circumstances. If the rewards are greater we will usually tolerate more risk. The mistake is to follow guidance that contradicts this obvious truth and involves setting fixed, absolute limits on risk that apply regardless of incentives.

An alternative is for the risk manager to run a system that factors risk into decisions without involving fixed limits.

In the financial services industry it is now common to calculate ‘risk adjusted’ performance measures. In effect, a business's performance numbers are penalised if the business is running high risks. That means that business unit leaders wanting to turn in good performance figures have an incentive to seek better combinations of risk and reward.

One of the common problems leading to the current ‘credit crunch’ and recession was people receiving sales commission on deals that subsequently went bad and lost a lot of money. Obviously it is better to reward people for their contribution to profits than for their contribution to sales, but this benefit needs to be weighed against the extra data and time needed for the calculations.

The way profit is defined for this purpose also needs to chosen carefully. Ideally, people should be rewarded for realised profits rather than paper profits based on current valuations. In some businesses that would imply holding back commission for years while awaiting the ultimate outcome of a deal, so it might be more acceptable to pay some of the commission earlier but hold back a ‘retention’ against future losses.


Risk control specialists are valuable people doing a job that's needed, but to be successful they need to be respected by others in their organizations. Earning that respect involves a number of things. I suggest, in addition to the qualities typically mentioned, that they should focus on helping people do things in risk-smart ways, and use risk adjustments to factor risk into decision making rather than enforcing risk limits.

Made in England


Words © 2009 Matthew Leitch. First published 25 February 2009.