Banks have three strains of protection for managing threat — after which regulators are the fourth line of protection. In the case of Silicon Valley Bank, all 4 failed. If banks need to handle threat higher, one good place to start out is ensuring a Chief Risk Officer is in place and a board-level threat committee is in place. And the individuals on that committee ought to have actual expertise in managing enterprise threat.
Here we go once more. Banks must have the perfect threat administration. But no matter safeguards had been in place didn’t stop Silicon Valley Bank from failing, destroying over $40 billion in shareholder worth, and forcing unprecedented authorities intervention to guard depositors.
Banks use the “three lines of defense” mannequin for threat administration and governance. The first line represents the choice makers. At SVB this would come with the treasurer, CFO, and CEO, who all inexplicably determined to tackle bet-the-bank period threat to earn an additional half a % in yield. They invested in long-term Treasuries and mortgage-backed securities to spice up earnings, however that created a major period and liquidity mismatch with the Bank’s deposits.
The second line of protection, led by the chief threat officer (CRO), gives company oversight and ongoing monitoring to make sure threat exposures are inside prudent threat limits. Internal audit represents the third line of protection, accountable for offering assurance that inner controls are efficient. Ultimately, the SVB board of administrators has accountability for the security and soundness of the general Bank. Any one in all these threat administration and oversight features may have, and may have, prevented the collapse of SVB. But all of them failed, resulting in the primary financial institution run within the digital age and the second largest financial institution failure in U.S. historical past.
As a former CRO who has served on private and non-private company boards, together with as chair of the chance and audit committees, I’m upset and saddened by what looks like an avoidable catastrophe. What went mistaken, what are some open questions, and the way can we do higher?
First, banks want an empowered CRO who should not solely have the correct abilities and sources, but additionally enough independence and authority. SVB didn’t have a full-time CRO for many of 2022, a important interval when huge funding losses mounted. The earlier threat chief stepped down in April 2022 and a brand new one was appointed in January 2023. Who was accountable for threat administration for eight months?
Second, banks want a board threat committee that may carry out important oversight features like setting threat urge for food, reviewing stories, and guaranteeing compliance. The SVB board had six committees, however its threat committee was the one one with no chair in 2022. Moreover, not one of the threat committee members had deep threat administration expertise. This is identical criticism that JP Morgan acquired with the “London Whale” incident. While an audit committee monetary skilled should meet particular necessities, there isn’t any such standards for administrators who serve on threat committees. Relevant expertise could embody serving as CRO, chief credit score officer, chief compliance officer, or equal. During a important interval, SVB didn’t have a CRO or threat committee chair. Regulators require banks over $50 billion in property to have a CRO and a board threat committee. SVB had over $200 billion in property. What occurred to its threat governance construction?
Third, banks should use analytical fashions to evaluate all varieties of strategic, monetary, and operational dangers – and reply accordingly. At SVB, these fashions would have raised pink flags on the Bank’s strategic dangers from its concentrated enterprise mannequin and deposit base. These fashions would have additionally quantified huge asset/legal responsibility mismatches in each period and liquidity. For instance, on the finish of 2021 SVB’s threat mannequin confirmed that for a 200 foundation level enhance in charges, the Bank would undergo a $5.7 billion decline in financial worth of fairness. This key threat metric elevated 332% from a yr earlier. The Fed raised charges 425 foundation factors in 2022 and SVB’s funding losses worn out its $15 billion in tangible fairness. One could argue that nobody anticipated charges to extend so quickly. But because the Fed repeatedly signaled its coverage to extend charges to struggle inflation, SVB maintained a threat profile that was an outlier amongst banks. What was the Bank’s threat urge for food for strategic and monetary dangers?
Fourth, SVB had an obligation to supply public threat disclosures. For market threat, which incorporates rate of interest threat, the important thing part is Item 7A within the annual 10-Okay report. Item 7A gives info on how charge adjustments would impression web curiosity earnings and financial worth of fairness. In SVB’s 2021 10-Okay report, this part confirmed that rising charges would profit earnings however harm fairness (i.e., short-term achieve, long-term ache). Astonishingly, within the 2022 10-Okay report the Bank solely confirmed that rising charges would profit earnings. But the quantitative evaluation of how charges would impression fairness was excluded. Why did the audit committee and exterior auditor approve the omission on fairness sensitivity?
Finally, policymakers want to carry banks accountable for fulfilling regulatory necessities. SVB was regulated by the Federal Reserve, FDIC, SEC, CFPB, and different businesses. In the aftermath of the 2008 international monetary disaster, and the implementation of Dodd-Frank, these businesses put in place stringent necessities for board governance, threat administration, capital adequacy, liquidity protection, and stress-testing. While the stress-testing necessities had been rolled again for mid-size banks in a 2018 legislation, the Federal Reserve nonetheless had the correct to use them to any financial institution with over $100 billion in property. What does the sudden collapse of SVB say in regards to the adequacy of financial institution regulation and supervision?
While a lot stays unsure round what precisely went mistaken with SVB and why, we no less than know the correct inquiries to ask. These questions will doubtless underscore the significance of getting a robust and unbiased CRO, certified administrators on threat committees, clear threat urge for food and mitigation methods, applicable threat disclosures, and efficient regulatory oversight. As these questions get answered via SVB’s autopsy, the query different banks ought to be asking themselves is whether or not they would reasonably have these questions raised throughout inner board and administration conferences or throughout related autopsies.