I’m not wearing red because I’m being interviewed by you today. I’m usually in red. It just so happens that I like the colour too,” says Chit Ghee Yeoh, director of internal audit at Metro Bank. On the ground floor of the bank’s Holborn headquarters, tellers in blue vests and red ties diligently attend to customers.
These wardrobe choices might seem like an irrelevance, but they’re far from it. Metro, the first new retail bank in Britain for more than a century, has built itself from scratch and cementing its brand and values is a top priority. The red, blue and white of the bank’s logo are a telling nod to the stars and stripes of the founder Vernon W Hill II’s home country: the US – a country where customers are placed on a pedestal. This is Metro Bank’s strongest suit. From its convenient opening times (Metro is open seven days a week and long hours, 8am to 8pm, Monday to Friday) to its pet-friendly policy, everything is geared towards giving the customer the best service possible. You can even open an account faster than elsewhere, it promises – the bank prints cards on site within 20 minutes.
Making this work requires significant buy-in from employees, who have to feel they are part of something greater than themselves. To that end, when new recruits arrive at the headquarters they must join their new colleagues in a conga line around the office. “It sounds excruciating, but it’s unifying because you know that everyone’s done it. I’ve done it. We all have. That’s just the fun aspect of it,” says Yeoh. This collegiate induction is part and parcel of fostering an inclusive culture at Metro. And in the commercial world, and in banking especially, getting culture right is fundamental.
The PPI misselling that cost banks billions in fines, for example, was born of cultures that incentivised the wrong behaviours and put profits before customers, says Yeoh. “It wasn’t an accident. Employees had aggressive sales targets and tactics and so customers were sold products they didn’t even need in the first place. If when I sit in audits I see anything that might potentially point in that direction, it would be called out because it’s our job to do so. But Metro is just not set up in that way. If you come in to open a current account, we won’t even offer you a credit card unless it’s something you express an interest in. It’s a very different mindset.”
From an internal audit perspective, then, assessing how and when employees are rewarded is crucial in assuring that bad behaviours don’t take root. “I can point to the fact that we have a really transparent performance management process. I can audit that to see if it’s still transparent and whether we have fair incentive packages that aren’t linked to performance,” adds Yeoh.
Monitoring incentives is one thing, but formally auditing something as pervasive yet intangible as culture across an organisation is quite another. It’s a puzzle that internal audit is only now beginning to solve. The Chartered IIA’s research report published last year (www.iia.org.uk/culture) shed light on how boards and audit committees can best use internal audit as they develop their thinking around how to improve ethical conduct. But speak to any two heads of internal audit and you’ll get two different answers about how best to approach this area.
“The people in a company live and breathe culture, so how do you build that into an audit? It’s tricky and I have not done a full culture audit because I don’t think that’s the right way to do it. In the same way that risk management and governance gets built into the audit, I’m looking at culture in different ways,” says Yeoh, who adds that cultural assessments are woven into many of the audits her team conducts. “We did a mortgage review in which we listened in on calls, and one of the attributes we looked at was whether the customer got the right outcome and whether they were put under pressure in any way. That’s not a cultural audit per se, but, inevitably, we are assessing the culture in doing that. The challenging bit is gaining sufficient evidence and how you report it, because that audit will invariably be about providing assurance in a specific area.”
Any auditor in the banking sector will be aware that the Chartered IIA has opened a consultative review of its financial services code that was published three years ago. Its introduction coincided with Yeoh joining Metro (the bank is now six years old, but previously had a two-person function that outsourced much of the audit work to a professional services firm).
Yeoh says the timing was fortunate as it allowed her to build a new team with a reporting line to the board and which is fully compliant with the code. This essential guidance is now up for review and while no substantive changes are expected, getting feedback on how the code might be updated to serve the profession better is essential. Indeed, not all banks are created equal and being a relative newcomer comes with its own set of challenges.
“There is a question of what proportionality means in the code,” says Yeoh. “We’ve been in existence for six years, so the first and second lines are on a maturity scale and the business is growing rapidly. Therefore, providing annual assurance of the risk and control framework is challenging. So guidance on coping with that specific challenge would be welcome.”
However, there are also major advantages to being the new kid on the block. For one, Metro doesn’t have the same legacy issues that still dog most of its competitors. Another advantage is that its internal audit team could be built from the ground up, something that Yeoh says took at least a year to achieve because she needed to find people with the right subject matter expertise and who shared the company’s vision.
“We have to comply with regulations, but where those regulations have a detrimental effect on customer experience we have to find a balance,” she says. “The key was that the team had to be a cultural fit for the bank, otherwise it wouldn’t work – the audit findings raised would not be acceptable because they would be seen as blocking business and not customer-friendly. The only way we could successfully do that and manage the risks of the bank was by finding people who understood the business.”
One such example of regulations conflicting with customer service is financial crime and anti-money-laundering rules requiring full background checks on customers before deposits can be accepted. Typically this means customers must wait at least four days before they can begin banking. But Metro sourced a partner that can complete all of these checks online almost instantaneously, meaning customers can walk out with their new debit card and cheque book within minutes.
Of course, financial crime is a primary business risk for any bank, as are liquidity and credit risks. Lenders must be sure they hold enough regulatory capital on hand so they can reimburse customers in the unlikely event that they go bust. They must also be confident they are lending to creditworthy customers and securing loans against commensurate collateral.
For these reasons Yeoh says she hired the right people with the requisite skills into her team, which, not including herself, today comprises six people: one of whom is a credit expert, another an IT auditor and a third who understands regulatory and prudential reporting risks. The remaining three have more traditional accounting and auditing backgrounds.
Cybersecurity, unsurprisingly, is another key risk for Metro. However, rather than hiring cyber expertise into the audit function, Yeoh decided to outsource elements of cybersecurity to a third party. She adds that she is conscious that “this does not mean we outsource the responsibility for the risk” and that any findings must be acted upon.
And then there’s people risk. In a bank whose selling proposition is doing things differently, putting the customer first and avoiding the mistakes of its competitors, bringing the right people into the business and maintaining its culture is all important. Yeoh believes that, as head of internal audit, it’s necessary for her to be involved in monitoring the recruitment process – whether it be into “stores” (the bank’s
term for its branches), contact centres or top management.
“We are a young bank and we see how the other banks are paying for their past behaviour,” says Yeoh. “We want to create a legacy that’s positive. If you bring people in the right way, ensure they are culturally aligned and want to be a part of the culture here, you have a greater likelihood of the outcome being the right one. I could point to all the various controls that we have in place that protect our culture, but first and foremost it’s about the people. They are the business.”
This article was first published in Audit & Risk January/February 2017.