Why a regulated firm's incident review is more revealing than its annual report
The honesty differential between the two documents is enormous. Read the incident summary first.
If I want to understand how a regulated firm actually works, I do not start with the annual report. I start with the last twelve months of incident reviews. They are usually shorter, less polished, less rehearsed, and considerably more informative.
The annual report is the firm telling its shareholders a story about itself. The incident review is the firm telling itself a story it cannot escape. The honesty differential is enormous.
Most regulated firms produce three categories of incident: operational, conduct, and regulatory. The first is a system going wrong. The second is a person doing something they should not have done. The third is a notification, expected or unexpected, to a regulator. The reviews for each have a distinct flavour, and a firm with good internal hygiene treats all three with the same writing discipline.
What I look for in an operational incident review is the time stamps. A firm that captures the time the issue began, the time it was detected, the time it was escalated, and the time it was resolved is a firm that has thought about detection. A firm that records only the time it was resolved is a firm that does not yet know how long it was unaware of a problem. The detection gap, the interval between the issue beginning and the firm noticing it, matters more than the resolution time. It is the part the customer notices.
In a conduct incident review, I look for the language used about the individual involved. A firm that writes about its own employees with care, in language that holds them to account without dehumanising them, is a firm that is going to be able to recruit good people into senior roles. A firm that writes about its own employees as if they are external counterparties to be managed is a firm whose senior people will leave at the first opportunity. The review is the document. The culture is the writing.
In a regulatory notification review, I look for the chronology between internal awareness and external notification. The gap is rarely zero, because there is almost always a triage step before a firm tells a regulator. The interesting question is what the gap is for, and whether the firm is honest about it. A clean notification process documents the gap as a deliberate choice, with a named decision-maker and a written rationale. An unclean process leaves the gap undocumented and hopes the regulator will not ask. Regulators ask.
The aggregate document worth reading is the quarterly incident summary that the chief risk officer takes to the board. A firm that aggregates incidents by root cause and reads patterns across them is a firm that is learning. A firm that aggregates incidents only by team and asks for accountability without root-cause analysis is a firm that is punishing learning. Both look like governance. Only one of them produces improvement.
My single working test, if I am evaluating a firm I do not yet know well, is to ask whether I can read the last quarter's incident summary at the same time as the management accounts. The two together tell me more about the firm than any prospectus could. If the firm declines to share the summary, that is also useful information. It tells me how the firm thinks about its own honesty.

Volha Havorchanka
Chief of Strategy & Operations, ST Holdings Ltd