
Heavier protection for GRC needed, says HBOS whistle-blower

Chris Hamblin, Clearview Publishing, Editor, London, 4 December 2014


At MetricStream's recent GRC conference in London, Paul Moore, the HBOS whistle-blower, aired his views on the merger of three subjects.

At MetricStream's recent conference in London on governance, risk and compliance or GRC, Paul Moore, the HBOS whistle-blower, aired his views on how the three subjects belong together.

The famous exposer of wrongdoing once worked at HBOS, the retail arm of the Halifax. Having exposed wrongdoing there, he testified to the House of Commons Treasury Select Committee, submitting 20,000 words' worth of expert opinion.

He began by saying that he did not believe that the so-called '3 lines of defence' in compliance were effective, instead proposing a much heavier regime to insert some objectivity into the way the leadership of companies is checked. The '3 lines' are, as is well-known, business operations (i.e. line managers making decisions about compliance risk); overseeing functions that draft policies and procedures; and 'independent assurance providers' such as internal audit. Moore believed that all executive branches at companies had what he called 'an aversion to challenge.'

He also alluded to his time as a partner at KPMG when he specialised in regulatory services, saying: "I thought KPMG was one of the best places to work, but at the moment we haven't got statutory auditing right. GRC (internal control functions) should not report to the executive! Only to non-executive directors. They must have much stronger protection against removal. There must be full minuted meetings with the non-executive, with representation rights and the need for subsequent regulatory sign-off.

"By the way, there is no such thing as a non-executive director - they're not directors because they haven't got the time to do the things they do.

"Most disasters are caused by reliance on self-serving statements by top managers. You need GRC to [provide] that independent corroboration. After all, self-serving statements carry almost no weight in a court of law."

The GRC conference featured many experts who thought that compliance functions ought to be represented at the highest level at financial firms. They - and Paul Moore - singled out one company especially for praise in this area: Kaiser, the funder of MetricStream, which recently put its chief compliance officer on the board. Moore was less glowing in his assessment of the typical relationship between 'G, R and C' at firms.

"Risk think they're more important than compliance and internal audit think they're more independent than anyone else. No! They should work together because they do the same thing. There's currently a lot of politics between G, R and C.

"I believe in a director who looks after the whole of GRC, who is not subject to the control of the executive - a non-executive director who solely represents GRC, and not the head of the audit committee either. The IIA and the other statutory auditor bodies 'don't particularly like it' when they hear this."

Moore added that, in his view, GRC should "own the assessment of culture," meaning the nebulous culture of compliance on which the Financial Conduct Authority is increasingly keen. He did not, however, think that there was any substitute for face-to-face information-gathering: "People lie in electronic surveys because nobody believes in their confidentiality."
