The collapse of Northern Rock came as a shock to almost everyone – not least its regulator, the Financial Services Authority. The wheels came off last September when the Bank of England had to act as lender of last resort to keep the bank afloat. Eighteen months earlier, an FSA risk review panel had concluded that Northern Rock merited the lightest touch regulatory regime, expanding the period between major risk reviews from two years to three.

Last October, the FSA commissioned its own internal audit department to review the regulator’s supervision of Northern Rock between January 2005 and August 2007. A summary of its report was published in March. (A more detailed report is to be released soon, apparently when commercially sensitive details have been removed.) While much of it contains details and conclusions that are of most interest to the FSA as a regulator of third parties, there are also useful lessons that internal auditors of all major organisations should take note of.

Painful lessons
One remarkable finding is that the building society-turned-bank wasn’t actually supervised by a team that was predominantly concerned with banks. From at least January 2005 (the start of the review period for this report) through to June 2006, Northern Rock was under the remit of a department primarily responsible for insurance groups. Then, up until February 2007, it was in the lap of a team responsible for one other business – again, an insurance group. It was only from that time on that it was supervised alongside other banks. Lesson: make sure the supervising team has the necessary skills and experience to understand the business for which it is responsible.

While three separate heads of department had responsibility for Northern Rock, there was at least some continuity in terms of the manager and lead associate responsible. However, during the period under review, none of the heads of department met senior management at Northern Rock. Lesson: don’t place undue reliance on the work of more junior managers and associates.

The responsible division throughout – the Major Retail Groups Division – had been kept busy with other matters, including the Banco Santander takeover of Abbey, the bids by Barclays and RBS for ABN Amro and the demutualisation of Standard Life, as well as work relating to Basel II.
Lesson: if the supervising team has enough on its plate, then it is well placed to completely miss something critical.

The FSA’s internal auditors compared the working practices of the Northern Rock supervision team with that of teams responsible for overseeing five other firms. They found that information packs presented to a risk review panel in February 2006 complied with FSA requirements, so on the face of it all the necessary information was made available to the right people. However, it wasn’t possible to ensure that the analysis was sound because – remarkably, and contrary to the FSA’s standard practice – there were no formal records of key meetings. Lesson: keep notes of meetings and ensure that everyone adheres to the same working practices.

However, the FSA’s standard practices did not require supervisory teams to provide any serious financial analysis to the risk panel – so none was provided. “That type of analysis might have thrown into relief key aspects of Northern Rock’s business model,” the report says. It admits that details and peer group comparisons relating to the bank’s ambitious growth targets, its low, narrow margins and its reliance on wholesale markets and securitisation. Lesson: ensure that you are actually collecting and using the data you need to understand what the risks are.

One of a handful of issues identified by the risk review as being worthy of “close and continuous supervision” was the impending retirement of Northern Rock’s FD, Bob Bennett. Lesson: FDs matter, and risks arise when an FD departs.

What have you learned?
The internal auditors discovered that the supervisory team didn’t seem to have a proper understanding of what “close and continuous supervision” actually meant. In particular, they apparently failed to appreciate that it “entailed the regular reassessment of the firm’s business risk profile and control risks as new issues arose”. Lesson: there’s really not much point undertaking all that supervision if you don’t think about the implications of your discoveries.

Regulators and internal auditors would seem to have many of the same type of responsibilities and require many of the same aptitudes. In the case of Northern Rock, the FSA has owned up to several critical failings that internal auditors should learn from: it needed a more comprehensive analysis of the risks inherent in Northern Rock’s business model; risks identified by the review panel weren’t effectively pursued by the supervising team; there were no triggers to reassess the necessary level of scrutiny; senior managers weren’t adequately engaged with the supervision of Northern Rock; and there were no “challenge mechanisms” that would prompt a divisional level review of the bank.

In short, for a regulator that is promoting the merits of risk-based regulation, it failed in this instance to ensure that the risks were properly assessed – and acted upon.