A case study examining what went wrong at Royal Bank of Scotland

A variety of structural problems with Royal Bank of Scotland’s (RBS) risk management function, including growing complexity, changes at the top, lack of influence and old fashioned greed, contributed to the bank’s failure, according to a recent case study.

These in-built quandaries were compounded when the financial crisis hit, said the report from the Chartered Institute of Management Accountants (Cima) and Airmic which examined current practice in risk management.

There were two changes to chief risk officer in the run up to the banking crisis of 2008 which clearly complicated matters at a crucial period for the bank, claimed the report. Furthermore CEO Fred Goodwin’s opinions on risk management went unchallenged. There were few risk management committees sitting below board level and those that did lacked influence over board decisions, continued the findings.

To add insult to injury an aggressive risk culture permeated down through the organisation. This was characteristic of many of the large banks which tried to exploit risks to generate massive returns.

On paper RBS’ risk management structures looked strong. The bank had a well staffed risk function, which more than doubled in size to 4,250 staff in the two years to 2006, prior to the financial crisis.

It signed up to the “three lines of defence” risk management model, in which managers are the first line, handling day to day operational risks, the second line is group level responsible for administering the risk framework. Finally, internal audit, was meant to ensure controls were properly applied.

Ron den Braber who worked as a pricing and quant analyst at RBS in 2003 was worried that the bank’s models were underestimating the exposure to credit risk. When his bosses failed to listen to his message, he left the bank. This is a scenario familiar to many risk managers in the financial world who lost their jobs for speaking truth to power in the run up to the banking meltdown.

Risk management at RBS was too compartmentalised, according to the case study. It meant portfolio risks aggregated across the silos and developed unchecked.

As well, divisional CEOs were too focused on short term targets that encouraged them to take risks.

Fundamentally, the bank relied too heavily on its complex models to justify risk taking rather than listening to basic judgment calls about the businesses overall objectives.

Sir Fred Goodwin’s successor as CEO, Stephen Hester, identified this as a critical problem in his evidence to members of the Scottish Parliament investigating the crash. “What was missed was obvious to all. That’s not to say that things hidden in drawers should not be risk managed, that’s an incredibly important part of any bank. [But] It wasn’t detailed risks that made RBS weak; it was the big macro imbalances.”

Key judgements on RBS' risk management

External regulations can encourage 'box-ticking', not proper risk management

Internal control bureaucracies can create a false sense of security around risk

Organisational culture is crucial to embedding appropriate attitude to risk

Financial modelling offers many answers around risk but human judgment is a key component for managing it

In complex groups, the real danger is aggregate, compound risks

Effective scrutiny falls down if risk management committees sit beneath the board in the governance hierarchy