In August 1994, Barings Bank's internal audit department completed a review of Barings Futures Singapore. The report identified a critical control weakness: Nick Leeson controlled both the front office and the back office. Trading and settlement in the same pair of hands. The auditors recommended immediate separation of duties. The report was circulated to senior management in London.

Management did not act on the finding. Leeson was generating profits — or appeared to be — and the segregation-of-duties violation was left in place. Six months later, Barings collapsed with GBP 827 million in losses, roughly twice its available trading capital. The bank was sold to ING for one pound.[1]

This was not a failure of risk identification. The risk was identified. It was documented. It was escalated through the proper channel. What failed was the governance mechanism that was supposed to act on it.

That was 1995. Thirty years later, the same failure mode is still destroying banks. The names change. The loss figures grow. The pattern is identical.

The Pattern: Identified, Escalated, Ignored

I have studied 179 major bank failures across six decades as part of the EON Industry Loss Database. The single most frequent failure mode — more common than model failure, more common than concentration blindness — is what I call governance bypass: a risk is identified within the institution, escalated through established channels, and then suppressed, overridden, or simply not acted upon by the people with the authority to do something about it.

The pattern has four variants: direct suppression, cultural suppression, governance override, and structural absence. In every variant, the information existed inside the institution. In every variant, the governance structure failed to convert identification into action. And in every variant, the post-mortem investigators found a paper trail showing that someone, somewhere, had raised the alarm.

Direct suppression: HBOS and the firing of Paul Moore

In 2002, Paul Moore was appointed Head of Group Regulatory Risk at HBOS. He identified that the corporate banking division under Peter Cummings was pursuing an aggressive commercial real estate and leveraged lending strategy that was creating dangerous concentrations. Individual loan approvals were bypassing normal credit processes. Growth targets were overriding risk limits.

Moore documented the concern. He escalated it to the Board. HBOS's response was not to investigate the risk. It was to remove the person who had identified it. Moore was dismissed in late 2004. The official reason was restructuring. The actual reason, as Moore later testified to the Treasury Select Committee, was that his risk identification work was inconvenient.[2]

HBOS collapsed. Corporate banking division losses exceeded GBP 10 billion. The emergency rescue merger with Lloyds TSB was required to prevent a disorderly failure. Peter Cummings was banned by the FSA.[3]

The identification function had worked. The governance structure around it was configured to suppress rather than escalate.

Cultural suppression: Wells Fargo and the ethics hotline that nobody heard

At Wells Fargo, the internal warnings were not subtle. From 2006 through 2014, nearly half of all EthicsLine complaints related to sales integrity violations — employees manipulating or misrepresenting sales to meet targets. By the end of 2009 alone, the bank had received 667 EthicsLine cases and 242 related terminations connected to gaming of sales incentive programmes. Over the course of the scandal, 5,300 employees were fired for sales integrity violations.[4]

Those 5,300 terminations were treated as individual HR events — employee misconduct — rather than as what they actually were: a systemic risk signal that the business model itself was generating fraud. Employees who reported concerns through the ethics hotline were fired. Bill Bado, a banker in Pennsylvania, called the ethics hotline and emailed HR in September 2013. He was terminated eight days later.

The Shearman & Sterling independent investigation found that Carrie Tolstedt, head of the Community Bank division, and her leadership team were aware of the problem but were unwilling to change the sales model or recognise it as the root cause. They actively resisted scrutiny from corporate risk management and the Board.[5]

The cumulative cost: approximately $7–8 billion in direct fines and settlements, including a $3 billion DOJ settlement in 2020 and a $3.7 billion CFPB penalty in 2022 — the largest in CFPB history. The Federal Reserve imposed an asset-growth cap in 2018 that remained in place for seven years.

The governance structure absorbed the complaints rather than escalating them. The risk was identified thousands of times. It never reached anyone with the authority or willingness to change the business model.

Governance override: Credit Suisse and Archegos

The Credit Suisse Archegos case is the most comprehensively documented example of governance bypass in recent history, thanks to the Paul, Weiss Special Committee report commissioned by the Board.[6]

The internal risk warnings were persistent and escalating. By July 2020, Archegos had over $600 million in net scenario exposure — more than 240% of its $250 million scenario limit. By the following week, that figure had jumped to $828 million, 330% of the limit. From that point on, Archegos remained in breach of its scenario limits virtually every week until its March 2021 default.

In February 2021 — one month before the collapse — scenario analysis predicted stress losses in the range of $1.4 billion under two scenarios. Risk managers intended to ask Archegos for additional margin to reflect the increased credit risk. They were prevented from doing so. Dynamic margining was blocked because it was deemed not to be in the interests of the bank by those managing the client relationship.

The loss was $5.5 billion. The Paul, Weiss report concluded that the business was focused on maximising short-term profits and had enabled rather than restrained Archegos's risk-taking. It identified a culture where commercial considerations consistently overrode risk management.[7]

Structural absence: the risks nobody was looking for

Some governance bypasses occur not because warnings are suppressed but because the governance structure has no mechanism to surface them. Credit Suisse's Mozambique hidden debt scandal is the clearest example. Bankers arranged $2 billion in loans to Mozambican state entities — loans involving military-connected borrowers, kickback payments, and secrecy requirements. Red flags were embedded in the transaction structure. But no event-driven trigger, no new-product approval process, and no structured risk assessment existed to catch the transaction before it closed.[8] The governance bypass occurred through structural absence. The cost: $475 million in coordinated global settlements across the SEC, DOJ, and FCA.

Silicon Valley Bank exhibited a different form of structural absence. The CRO departed in April 2022 and was not replaced until January 2023 — eight months during the most consequential monetary policy shift in a generation. Interest rate risk in the banking book was accumulating in plain sight: a $91 billion held-to-maturity portfolio with unrealised losses exceeding $15 billion, more than total equity. Risk reports continued to circulate. Active re-identification did not occur. The bank collapsed in approximately 36 hours, the largest American bank failure since Washington Mutual.[9]

The Deeper Evidence: 75 Alerts and Nobody Investigated

Societe Generale's Jerome Kerviel case remains the most striking illustration of how governance bypass compounds through normalisation. Between June 2006 and January 2008, internal control systems generated at least 75 separate alerts flagging anomalies in Kerviel's trading activity. The alerts came from accountants, risk-control officers, and compliance staff. They included transactions that appeared to settle on a Saturday, trades with unnamed counterparties listed as "pending," and trades exceeding authorised limits.[10]

The bank's risk monitoring unit attributed the anomalies to software glitches. Staff did not conduct in-depth investigations when warning flags were raised. The peak unauthorised exposure reached EUR 49.9 billion — more than the bank's entire market capitalisation. The loss was EUR 4.9 billion.

Seventy-five alerts. Each one individually rationalised. Each one adding to a cumulative normalisation of deviance where the breach became the baseline. Sociologist Diane Vaughan, studying the Challenger disaster, described this pattern precisely: the gradual process through which unacceptable practice becomes acceptable as the deviant behaviour is repeated without catastrophic results. No fundamental decision is made to do evil. A series of seemingly harmless decisions incrementally move the organisation toward catastrophe.

This normalisation appeared at JPMorgan's Chief Investment Office in 2012, where VaR limit breaches were resolved not by reducing risk but by changing the model. The US Senate Permanent Subcommittee on Investigations found that after a four-day breach was reported to top bank officials, CIO employees pushed through approval of a new VaR model that overnight dropped the reported risk by 50%. The model was implemented without a truly independent review and without the standard parallel run. The loss: $6.2 billion.[11]

It appeared at Lehman Brothers, where the CRO was first marginalised and then replaced for raising increasingly urgent warnings about leverage and mortgage exposure. Information about the Repo 105 programme, used to temporarily remove assets from the balance sheet at reporting dates, was confined to a small executive group and never shared with the risk function or the Board. The largest bankruptcy in US history followed, with more than $600 billion in assets.

And it appeared at UBS, where Kweku Adoboli's unauthorised trading persisted for over three years despite systemic weaknesses identified by the FSA, including a trade capture system where trades could be booked to internal counterparties without sufficient details. The risk and control self-assessment (RCSA) process had not identified that its control framework assumed trade authenticity rather than tested it. The loss: $2.3 billion, a GBP 29.7 million FSA fine, and an accelerated strategic exit from large parts of investment banking. This occurred after UBS's $37 billion structured credit losses, after the Swiss National Bank bailout, and after a comprehensive risk management overhaul.

What Makes Governance Bypass So Persistent

The BCBS Working Paper 45, published in 2025, reviewed lessons from bank failures and supervisory practices. Its key finding is frank: since banks' qualitative weaknesses — flawed risk management and business models — were root causes of bank failures, quantitative regulatory requirements alone are insufficient. The paper acknowledges that impediments to effective action persist, limiting both the will and ability to act.[12]

This is the core of the problem. Governance bypass persists because the forces that drive it are structural, not accidental.

Every governance structure looks adequate on paper. The real test is what happens when the process produces a finding that someone does not want to hear.

What Good Looks Like: Four Structural Defences

The EON methodology addresses governance bypass through four reinforcing mechanisms, each designed to ensure that risk identification findings reach the people who can act on them — without being filtered by the people who generated them.

First, three forms of independence. Structural independence means the Risk Identification Lead and CRO function do not report to the business. At no point should a business unit head have the authority to overrule, modify, or suppress a risk identification finding. Operational independence means the risk identification process can operate without requiring business unit cooperation to function — independent access to data, systems, and information. Intellectual independence means the people conducting risk identification are free to reach conclusions that the business does not agree with, protected from career consequence by the governance structure above them.

Second, a Risk Identification Lead with mandate. This role — the operational heart of the process — carries the authority to record risks in the central inventory regardless of business line objections, with escalation to the CRO and ultimately the Board. The role requires clear mandate from the CRO, visible support from the Board Risk Committee, and a willingness to have uncomfortable conversations with senior people. This is the structural answer to Paul Moore's dismissal: you cannot fire the messenger if the messenger's mandate comes from the Board.

Third, a principal risk report drawn directly from the inventory. The Board Risk Committee receives a comprehensive risk report at each meeting — all material risks with current scores, trend direction, risks approaching or breaching appetite, new or emerging risks, and process performance indicators showing whether the identification process is functioning. Every data point is traceable. Every score has a documented basis. The CRO and Risk Identification Lead have standing access to the Board Risk Committee without requiring CEO permission. That access is rarely used. Its existence changes behaviour.

Fourth, event-driven triggers that force re-identification. Six categories of event trigger immediate risk identification updates outside any regular cycle: material loss events, significant external environment changes, new business or product entries, acquisitions or restructurings, material control failures identified by internal audit, and material outsourcing arrangement changes.

Critically, material events at peer institutions must be treated as triggers. When Bear Stearns's two hedge funds collapsed from CDO exposure in June 2007, that was a direct, unambiguous trigger for every institution holding similar positions. Bear Stearns itself treated it as an isolated subsidiary event. It collapsed from the same concentration risk nine months later. When Commonwealth Bank of Australia received a record AUD 700 million AUSTRAC penalty in 2018 for failing to report over 53,000 suspicious transactions, that should have triggered re-identification at every institution running similar transaction monitoring technology. National Australia Bank failed to ask the question. AUSTRAC opened a formal enforcement investigation into NAB in 2021 over analogous gaps.

What To Do Monday Morning

  1. Audit your escalation paths. Trace the last three material risk findings from your risk identification process. For each one: where did the finding go? Who received it? What action was taken? How long between identification and action? If any finding was modified, softened, or deferred between identification and Board receipt, you have a governance bypass vulnerability.
  2. Test your independence. Can your CRO present a risk finding to the Board Risk Committee without the CEO's prior approval? Can your Risk Identification Lead record a risk in the inventory over the objection of a business unit head? If the answer to either question is no, your independence is structural in name only.
  3. Review your event-driven triggers. List the three most significant risk events at peer institutions in the past twelve months. For each one, ask: did we conduct a formal re-identification exercise as a result? Did we ask the specific question: what aspects of our risk landscape share the structural characteristics that produced that failure? If neither happened, your trigger framework is not functioning.
  4. Check for normalisation. Pull your limit breach reports for the past year. How many breaches were resolved by changing the limit rather than reducing the exposure? How many were approved as temporary exceptions and then renewed? Each one is a data point on a normalisation curve. If you cannot show a declining trend, the deviance is becoming the baseline.
  5. Protect your identifiers. Ask your front-line risk assessors one question, anonymously: have you ever identified a risk and then softened the language or reduced the score before submitting it, because you believed the unvarnished version would create problems for you? If the honest answer is yes, your intellectual independence is compromised. The governance structure must make it safer to identify risks than to suppress them. Build anonymous reporting channels that feed into the risk identification process — not into HR — and ensure they are reviewed by the Risk Identification Lead.
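Step 4 above is the one item on this list that can be run against data rather than answered from memory. The following is an added worked example, not part of the original article or of the EON methodology: it takes a limit-breach register and computes the quantities the step asks for, namely the share of breaches closed by moving or waiving the limit rather than cutting the exposure, the temporary exceptions that were renewed, the limits that were raised more than once, and whether the quarterly share is actually declining. The field names, the three resolution codes and the sample register are all assumptions constructed for the example; a real register will use its own vocabulary and needs a mapping onto these classes.

```python
"""Normalisation check over a limit-breach register (added example, not from the article)."""
from collections import OrderedDict, defaultdict
from dataclasses import dataclass
from datetime import date

# Resolution classes assumed for this example. A real breach register has its
# own codes; map each onto one of these three before running the check.
EXPOSURE_REDUCED = "exposure_reduced"
LIMIT_RAISED = "limit_raised"
TEMPORARY_EXCEPTION = "temporary_exception"
NORMALISING = {LIMIT_RAISED, TEMPORARY_EXCEPTION}


@dataclass(frozen=True)
class Breach:
    breach_date: date
    limit_id: str
    resolution: str
    renewals: int = 0  # how many times a temporary exception was extended


def quarter_of(d: date) -> str:
    return f"{d.year}Q{(d.month - 1) // 3 + 1}"


def ratio_by_quarter(breaches):
    """Per quarter: (normalising, total, normalising/total), oldest first."""
    counts = defaultdict(lambda: [0, 0])  # quarter -> [normalising, total]
    for b in breaches:
        q = quarter_of(b.breach_date)
        counts[q][1] += 1
        if b.resolution in NORMALISING:
            counts[q][0] += 1
    return OrderedDict((q, (n, t, n / t)) for q, (n, t) in sorted(counts.items()))


def renewed_exceptions(breaches):
    """A 'temporary' exception that keeps being extended is a raised limit in disguise."""
    return [b for b in breaches
            if b.resolution == TEMPORARY_EXCEPTION and b.renewals > 0]


def limits_raised_repeatedly(breaches):
    """Limit IDs whose limit was raised more than once in the window."""
    raised = defaultdict(int)
    for b in breaches:
        if b.resolution == LIMIT_RAISED:
            raised[b.limit_id] += 1
    return sorted(k for k, v in raised.items() if v > 1)


def trend_is_declining(by_quarter) -> bool:
    """True only if the normalising share never rises quarter on quarter and
    ends lower than it started. Anything else is the deviance becoming baseline."""
    ratios = [r for (_, _, r) in by_quarter.values()]
    if len(ratios) < 2:
        return False
    never_rises = all(b <= a for a, b in zip(ratios, ratios[1:]))
    return never_rises and ratios[-1] < ratios[0]


def normalisation_report(breaches) -> dict:
    by_q = ratio_by_quarter(breaches)
    total = len(breaches)
    normalising = sum(1 for b in breaches if b.resolution in NORMALISING)
    return {
        "total_breaches": total,
        "normalising": normalising,
        "normalising_share": normalising / total if total else 0.0,
        "by_quarter": {q: round(r, 3) for q, (_, _, r) in by_q.items()},
        "renewed_exceptions": len(renewed_exceptions(breaches)),
        "limits_raised_repeatedly": limits_raised_repeatedly(breaches),
        "declining_trend": trend_is_declining(by_q),
    }


# Constructed sample register for one year (not real data). Limit IDs are invented.
SAMPLE_REGISTER = [
    Breach(date(2024, 1, 15), "MKT-VAR-EQ", EXPOSURE_REDUCED),
    Breach(date(2024, 2, 2), "CR-SCEN-PB", TEMPORARY_EXCEPTION, renewals=2),
    Breach(date(2024, 2, 20), "MKT-VAR-EQ", LIMIT_RAISED),
    Breach(date(2024, 3, 8), "LIQ-LCR", EXPOSURE_REDUCED),
    Breach(date(2024, 4, 11), "CR-SCEN-PB", LIMIT_RAISED),
    Breach(date(2024, 5, 3), "MKT-VAR-EQ", LIMIT_RAISED),
    Breach(date(2024, 6, 27), "LIQ-LCR", EXPOSURE_REDUCED),
    Breach(date(2024, 7, 9), "CR-SCEN-PB", LIMIT_RAISED),
    Breach(date(2024, 8, 14), "CR-SCEN-PB", TEMPORARY_EXCEPTION, renewals=1),
    Breach(date(2024, 9, 30), "MKT-VAR-EQ", LIMIT_RAISED),
    Breach(date(2024, 11, 5), "CR-SCEN-PB", LIMIT_RAISED),
    Breach(date(2024, 12, 19), "MKT-VAR-EQ", TEMPORARY_EXCEPTION, renewals=0),
]

if __name__ == "__main__":
    for key, value in normalisation_report(SAMPLE_REGISTER).items():
        print(f"{key}: {value}")
```

On the constructed register the normalising share runs 0.5, 0.667, 1.0, 1.0 across the four quarters, two "temporary" exceptions were renewed, and both market-risk and scenario limits were raised three times each, so the check flags no declining trend. The point of the per-quarter series rather than a single annual ratio is that normalisation is a curve: a flat or rising share is the signal, even when the absolute breach count looks small.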