The Financial Conduct Authority (FCA) and the Prudential Regulation Authority (PRA) have produced their report ‘The failure of HBOS plc (HBOS)’. Whilst the report is focussed on financial risk management within HBOS, it is worth reading to consider whether there are any lessons in it for other areas of operational risk management, specifically Business Continuity.
The report states that ‘there was no process for defining risk appetite, beyond high-level industry sector limits’. The IRM defines risk appetite as ‘the amount and type of risk that an organisation is willing to take in order to meet their strategic objectives’, yet organisations struggle to clearly state and implement their risk appetite. Take for example a medium-sized entrepreneurial business; the business will have grown, and will continue to grow, through taking risks as it expands, yet may be risk averse in terms of the resilience of its physical infrastructure. How can this attitude be articulated and embedded into organisational culture, particularly given that ISO 22301 requires businesses to ‘set risk criteria taking into account the risk appetite’?
Within HBOS, the report observes that ‘risk management was regarded as a constraint on the business rather than integral to it’. I suspect that this is something that we, as business continuity and risk management practitioners, contribute towards. Even organisations such as the BCI are focussed on the more ‘negative’ aspects, stating that business continuity is about enabling an organisation ‘to stay on course whatever storms it is forced to weather’. It is only at the end of the second paragraph on the page explaining ‘What is BC?’ that the BCI suggests ‘embedding BC into your business is proven to bring business benefits’, without giving any clarification of this claim.
By focussing on the negatives (the fires, floods, supply chain failings and IT disasters) rather than the opportunities (such as clarification of strategy and objectives, understanding of the needs of stakeholders, identification of key products/services and processes, collation and interpretation of data, business opportunities and reducing insurance premiums), it is unlikely that risk management will be regarded as something that is integral to the success of the business.
Selection of Business Continuity/Risk Management Staff
The Telegraph reports that ‘the bank appointed group risk directors with little experience in the area’; however, this is better clarified in the report, which states that it “is possible for non-specialists to rely upon the skills of more technical staff in areas such as risk until they have built up the requisite knowledge”. This is frequently the case with Business Continuity, where already busy individuals may be given the additional responsibility of maintaining the BC arrangements. It does not matter that these staff may be new to Business Continuity. However, it is critical that they are adequately trained and supported by ‘other senior individuals in the organisations, until they have built up sufficient knowledge to be able to assess the relevance, accuracy and robustness of the detail provided.’
The HBOS report highlights a staff member stating that ‘… I sat through Board meetings, and I didn’t witness much challenge on many aspects of the business’, and that there was an ‘unwillingness to create dissonance’. The report also goes on to conclude that there ‘is substantial, albeit circumstantial evidence to suggest that effective challenge from the Board was limited, particularly around the key risks faced by the Group’.
Again, lessons can be learned from these points: Crisis Management structures should enable full debate and challenge, with all members of the teams feeling that they are able to contribute effectively.
I have not yet fully digested all 407 pages of the report in detail, but it is clear from a quick scan that there are lessons in here that can be applied to Business Continuity and wider risk management.
Written by Helen Molyneux