I gave a nervous laugh. The headhunter asked me if I would like my first non-executive director role, joining the board of Northern Rock. It was October 2007, a few weeks since the first run on a UK bank for 150 years. Struck by an uncharacteristic sense of adventure, I did indeed agree to serve on the Northern Rock board for the next year, becoming Chair of the Audit Committee, through the various bids, nationalisation and the rebuilding of its business model.

Northern Rock was a highly successful and fast growing UK bank that predominantly offered domestic mortgages. It financed itself by a mix of retail deposits, wholesale borrowing, asset-backed bonds and securitisation of mortgage portfolios. In September 2007, as the credit markets tightened, it found itself unable to raise enough on the wholesale and securitisation markets to cover the mortgages that it had already issued, and so turned to the Bank of England for support. This was leaked to the BBC, who reported it in such a fashion that a run developed almost immediately. The subsequent £12bn cash outflow ensured that the bank would need long term help, becoming nationalised four months later.

Much has been written what went wrong at Northern Rock, particularly now that we are at the 10 year anniversary. Very little, perhaps understandably, has been heard from those inside the business. So with the benefit of 10 years distance, I thought I would list the lessons I learnt from the sad demise of Northern Rock.

1. Retail banks lend long and borrow short

Some say that this was Northern Rock’s problem. It relied too heavily on wholesale market funding, and not enough using retail deposits from savers. However it is not as simple as this. Half of the wholesale funding was more than 1 year maturity, whereas the bulk of the retail deposits were effectively on demand (hence the £12bn cash outflow in the run). Few banks could withstand the liquidity drain from a run, however well funded they are.

 2. Don’t rely on the Regulator

There was a lot of fuss at the time about relative blames of the Tripartite regulation of the Treasury, Bank of England and Financial Services Authority (FSA), but in practice they all missed the systemic risk incurred by the credit crunch on Northern Rock. The FSA even wrote1 on 14 September 2007 (the day the run started);

Northern Rock is solvent, exceeds its regulatory capital requirement and has a good quality loan book.”

The Bank of England, under the academic Mervyn King was still worrying about the ‘moral hazard’ of bailing out Northern Rock as the bank was failing. That was a bit like calling off the fire fighters because the householders shouldn’t have let their house catch fire in the first place.

In my experience on the board, after the run, the FSA was still singled-mindedly pursuing its ‘Treating Customers Fairly” campaign with the bank even as those customers were fleeing out the doors with all their savings. The FSA gave me an exit interview as I was stepping down from the board, but didn’t ask a single question about the run and its lessons.2

Regulators like to establish rules and processes and then operate within these limits. They are not generally blessed with great insight or entrepreneurial understanding, so they cannot be relied on to protect their target industries or customers. They do however have a knack of closing the door shortly after all the horses have bolted.

3. Don’t rely on the auditors

Why didn’t the auditors identify the risks in the Northern Rock business model? In practice, auditors very rarely find the ‘big holes’ in the accounts. These are usually found by management eventually, or events reveal them as here. This is true from Enron to Northern Rock to Tesco.

Auditors review the accounts. Their job is not to challenge the business model. They reviewed the Going Concern statement, but they failed to challenge the underlying assumptions in Northern Rock as, just like others, they saw an extreme credit crunch as highly unlikely. Even if they had, it’s hard to imagine that they would have qualified the accounts for what seemed such an unlikely risk. This is why auditors hardly ever get sued for their role in business collapses.

4. Sometimes the risk is hidden in plain sight

The 2006 Northern Rock Annual Report stated that, whilst it had £8bn of assets maturing in the next 3 months, it had £33bn of liabilities maturing, giving a liquidity gap to be filled of £25bn. An ING analyst report3 in 2006 noted;

“The inability to fund cheap wholesale funding given its huge reliance on the market to fund its expansion would impact our outlook negatively.”

In 2007, the Bank of England admitted4 that most banks’ reliance on wholesale funding had risen in recent years.

It may have taken hindsight to spot it, but Northern Rock’s liquidity risk was clearly and publically stated. I have since gone into two companies that had massive derivative black holes that were clearly laid out in their Annual Reports, but no-one noticed them.

5. Think the unthinkable

All the risk models in the world are useless if what happens was not envisaged to be possible. Nobody in Northern Rock, nor anywhere else in authority, seems to have believed that a credit crunch would lead to an implausible freeze, where even banks wouldn’t lend to each other. The repeated mantra was that a crunch would instead lead to a ‘flight to quality’, and that would be fine as Northern Rock’s paper was rated highly.

In 2006, the FSA was explicit5, asking that management; “takes severe but plausible scenarios into account…”.

Hector Sants, then CEO of the FSA, said1 later;

No reasonable professional would have anticipated the complete closure to them of all reasonable funding mechanisms…I think that the set of circumstances …were highly unusual…”

Academics call this underestimation of ‘thick tailed’ – or ‘black swan’ – events. A 1 in 100 year event has a high probability of happening once in your lifetime. There have even been two world wars in the last hundred years. It is too easy to dismiss a risk as implausible or a very rare event. Rare events do happen and usually more frequently than people expect. Every risk model should work through how the business would react and survive every highly, unusual and implausible, event.

When evaluating a company’s ‘risk appetite’, it is worth asking the question whether there is a 1 in 100 year event that could destroy the company. As an investor you would need to accumulate your share of those risks. Say you invest for a pension over 20 years in 10 companies that are willing to tolerate a 1 in 100 chance of a terminal threat. You, as an investor, would then have the likelihood of two of those companies suffering a catastrophic event in your pension pot.

Of course, hindsight gifted politicians and media with the clear knowledge that it should have been obvious to the Northern Rock Board that its model was fatally flawed. It wasn’t however obvious to the participants at the time because they, like almost everyone-else, blinded themselves to the extreme risks.

6. Risks are multiplicative not individual

People have a tendency to think about risks in isolation. However, this assumes that the risks are completely independent, whereas in practice the worst events happen when two risks crystallise at once, either randomly or because one risk tends to increase the likelihood of another.

In Northern Rock’s case the freezing of the wholesale markets caused a liquidity problem, but this could possibly have been handled by the Bank of England support facilities. However the proposed use of these led to a leak that caused a loss of confidence among savers. The former problem became multiplied by the second.

The typical business risk model has one axis for probability of a risk happening and one axis for resulting financial impact. But this static model is woefully inadequate if more than one risk can occur at a time, particularly as the result may well be multiplicative – much more dramatic even than the sum of the two independent risks.

7. The reassuring herd

Northern Rock was an outlier. It did things differently to other banks. Its retail deposits in 2006 were 27% of its total funding, against 49% at Bradford & Bingley and 43% at Alliance & Leicester. Northern Rock was taking a 25% market share in new mortgages and growing its balance sheet much faster than others.

Instead of querying how its model was so uniquely successful, Northern Rock argued that its excess reliance on such funding would only be appropriate for a growing bank and so that’s why others didn’t follow. There doesn’t seem to have been much challenge to this circular thinking.

I’m not arguing for businesses to follow the herd all the time. However, it ought to be an immediate amber light for risk when one business is doing things radically different to others, even if that appears highly successful for a long period.

8. Success is intoxicating

Northern Rock was growing rapidly and its share price reflected this. Large salaries and bonuses were being awarded to executives. Who would be a Cassandra against this success? Businesses need a certain paranoia when they are very successful to ensure that this performance doesn’t contain the seeds of its own destruction. When very successful businesses falter, it can happen very quickly, as shown by the whole banking system, Enron, Worldcom, Polly Peck and so on.

9. Group-think is a powerful drug

The Board considers that Northern Rock is a well-controlled, risk-averse business that continues to adopt a prudent stance in the management of risk.” 6

Although Northern Rock did have reasonable business controls, it was in fact taking on massively more risk than it appreciated at the time. But management believed what they were saying at the time.

You can’t underestimate the tendency of people to adopt group-think, and accept conventional wisdom. This is particularly true when things are going well. There was no evidence to prove that a severe credit crunch was very unlikely. The fact that there hadn’t been such a credit crunch since the 1930’s meant that people believed it couldn’t happen (as opposed to believing that it was a 1 in 80 year event). There was no evidence that a credit crunch would lead solely to a flight to quality. It’s just that the more people said it, the more it was believed.

The Treasury Select Committee report1 made much of the Northern Rock CEO not being a ‘qualified’ banker. This was irrelevant as the CEO understood banking very well. There is no evidence that having taken some exams twenty years previously would have made him address risk differently. The issue was that there was too much conventional wisdom being accepted as proven fact in mass group-think, and far too few people anywhere were ever sceptical or open minded enough to challenge it.

10. A very powerful Chief Executive is dangerous

This is pretty well acknowledged in corporate governance now, but it needs reiterating. It is not just that you end up with too much power in one person, but that it tends also to attract ‘yes men’ to the business, who may not be of the highest quality. If you then layer on great success and high rewards to this, group-think and lack of challenge is almost guaranteed.

11. Don’t always believe the answer, especially if you don’t ask the right question

I have lost count of the times in my life that I have received a reassuring answer to a question, only to later realise that the answer was misleading because the question wasn’t quite right or too vague. When I tried to understand the liquidity position at Northern Rock, I was told that the average mortgage lasted only three years. It seemed a little low, but I accepted that. It was only much later that I realised that this referred to the average length of a mortgage package. In reality, an average mortgage lasts something like seven years, but during this period it may be switched between deals (such as a particular rate fix), so the answer I got was very misleading even if technically accurate.

Sometimes it takes the same question asked several times in different ways to be sure that you have got the whole truth. Sometimes you are just not told the whole story. Northern Rock underreported its mortgage arrears, claiming them to be half that of the industry. In fact it was treating many arrears as being rescheduled over the remaining life of the mortgage, effectively increasing the size of the mortgage rather than being classified as being in arrears7.

12. Organisation matters

Internal audit and risk teams are major protections for a company in understanding their risks. However, reporting lines can frustrate this. One of the major governance improvements over the last few years has been raising the profile and importance of such teams. But they must be heard at the right level (usually the Audit Committee) and without operational management acting as a filter. At Northern Rock, the Treasury Risk team reported into the Treasury function, not Group Risk. This meant that the Group Risk team was not in a position to offer a robust challenge to Treasury.

13. Once public, stories have a life of their own

The run started after the BBC ran a high profile story about the Bank of England’s support for Northern Rock. Robert Peston, the journalist, claims that he handled it in a responsible way. This may be true, but the prominence of the story on the BBC was such that it emphasised to the public that this was a major event, much more so than anything he actually said. He got the story from a leak. It’s difficult to imagine anyone benefited from this leak. Some think that it came from the Labour government itself, anxious to show the country how it was having to bail out irresponsible bankers. If so, it back fired, because once out, the leaker couldn’t control how it would be reported, and it became almost certainly a much more dramatic event than anticipated.

14. Get it in writing

This is advice more for executives that are involved in difficult situations. When asked to do something that you are not sure is right, somehow make sure that there is a written/email reference to it, even if you do the writing. If something is not quite right, the instructions are far more likely to be given verbally than in writing. When Northern Rock had been underreporting its mortgage arrears, on investigation there was nothing in writing confirming that senior management knew about it.

My conclusion

There are many lessons from any corporate failure, but the best ones are not generally those identified by politicians and the media. Sadly, the real lessons are also rarely understood by corporate regulators either, as they tend to be most sensitive to the clarion calls for action from those politicians and commentators. Rarely do you see corporate failures analysed to provide governance insights. I have listed some cultural and practical lessons I learnt from what really happened.

Ten years on, I have kept to another, more personal, lesson. Being a non-executive director on a bank is an extremely difficult, detailed and risk-prone job. I escaped from the Rock, vowing that I wouldn’t ever serve again on the board of a bank. There are easier ways to earn a living.


1 ‘The run on the Rock’ – Treasury Select Committee, January 2008

The FSA did in fact hold an Internal Audit inquiry into its own conduct, which looked at its own internal processes rather than understanding why the bank failed.

3 ‘Northern Rock. The train has left the station’ – ING September 2006

4 Bank of England Financial Stability Report – April 2007 Issue No 21

5 Letter from the FSA to Northern Rock – 9 October 2006

6 Annual Report Northern Rock 2006

7 Two Northern Rock directors were subsequently fined by the FSA for this.

Image by Alex Gunningham from London, Perfidious Albion (UK plc)