Unless you’ve been living under a rock, you’ve probably heard of the Silicon Valley Bank (SVB) collapse on March 10, 2023. For several days afterward, you couldn’t watch an hour of news coverage without hearing something about SVB, sending financial markets in the United States into a full-on panic and triggering a heightened sense of fear about a global financial system collapse.
Since then, many have offered public thoughts, advice or commentary. I’ve been hesitant to speak out because I’m not in the Financial Sector and have never been employed in such. I figured my viewpoints would be ill-informed at best. But now that we are a few weeks out from the Federal Deposit Insurance Corporation (FDIC) takeover and I’ve reviewed the facts, I’m ready to break my silence. Because the story of the SVB collapse isn’t financial, it’s all about ineffective risk management. Focusing on SVB’s missed opportunities and unseen warning signs enables us to learn from this event and, hopefully, prevent ourselves from being next.
A Perfect Storm
SVB saw deposits significantly increase early in the pandemic as many of their clients made record profits supporting the world in the shift to remote work. As SVB’s total deposits nearly doubled between 2020 and 2021, the United States had historically low interest rates. This led SVB to invest funds in a financial portfolio to provide growth for members and shareholders. However, this portfolio, composed mostly of seemingly stable and low-risk US Treasury bonds, proved to be anything but.
Although US treasury bonds are generally considered low-risk, two critical threats impact their value: interest rates and maturity. This is why portfolio diversification is vital. Treasury bonds are long-term investments, generally with a maturity period of 10 years, which means capital is not readily available if needed. Further, if the Federal Reserve raises interest rates, as it did during the pandemic to combat inflation, these bonds significantly reduce in value.
As the federal interest rates grew, it became more expensive for people to borrow money, and thus less venture capital was available. This uniquely impacted the many startup companies that were customers of SVB, many of whom are contenders for this diminishing venture capital. This economic contraction meant those startups might not be able to complete fundraising rounds, leading to, you guessed it, increased withdrawals by SVB account holders.
With account holders withdrawing deposits at a record pace and the value of their investments falling, SVB entered a liquidity emergency. Their only option was to liquidate a significant amount of their investments and suffer a loss – to the tune of over $2 billion. Upon announcing this on March 8, 2023, panicked account holders rushed to withdraw their funds, further adding to the liquidity problem. Then, their stock price dropped from $266.86 per share to $106.04 per share by market close on March 9, 2023. The next day, the FDIC took over operations at SVB – right in the middle of the day.
The Warning Signs
No Chief Risk Officer
A bank heist has always been a criminal favorite for a big payday. But in today’s world, physical branch robberies are not the only threat banks must account for. In our modern hyper-connected, globalized world, threats and risks grow and change daily, making maintaining a clear view of the bank’s actual risk posture harder than ever.
One of the biggest follies an organization can make is looking at different types of risks as unrelated. Frequently organizations will have “Enterprise Risk Management”, “Cyber Risk Management” and “Privacy Risk Management” programs running independently of one another. These silos lead to unnecessary complexity and reduce risk transparency across the organization, leaving unseen risks lurking in the background.
For these reasons, many financial institutions appoint a Chief Risk Officer (CRO) to oversee centralized Risk Management for the entire organization. The CRO is responsible for providing vital feedback on the risk posture of ongoing and intended business activities and how it relates to the organization’s accepted risk tolerance. They are the human safeguard meant to prevent excessively risky behavior. And at SVB, the CRO position had been vacant for 8 months before the bank’s collapse.
Warnings from the Federal Reserve
SVB has an Audit Committee chartered with overseeing compliance activities through internal and external assessments. However, relying on compliance alone as a measure of security is short-sighted and ignores the actual risk to the organization. According to the Wall Street Journal reporting, the Federal Reserve raised concerns about SVB’s risk management in 2019, four whole years before the bank’s collapse. Again in 2020, SVB’s risk management controls were found unsatisfactory by the Fed for a bank of their size. SVB was instructed to take corrective actions or face potential enforcement measures. Clearly, “compliance as usual” wasn’t sufficiently mitigating their risk.
After the collapse, Michael Barr, the Vice Chairman of the Federal Reserve, testified to Congress “the risk model was not at all aligned with reality.” During this hearing, Vice Chairman Barr also testified that the Fed demanded structural fixes at SVB as early as November 2021 and, by 2022, had gone so far as to prohibit SVB from undertaking any mergers or acquisitions because of their poor management.
Where Do We Go From Here?
Reviewing the events that led to the collapse of Silicon Valley Bank feels like Deja Vu. In 2008, similar large financial institutions chose extremely bullish risk appetites to pursue profits while neglecting to implement proper risk treatments. And that was eerily reminiscent of the Enron scandal of 2001 – which was significant enough to spur US Congress to pass the Sarbanes-Oxley (SOX) Act of 2002. Are we doomed to repeat this cycle?
Not if you’re a Risk Insider like me, someone who sees risk differently. Taking a holistic approach to risk management, centralized around your business priorities, allows you to sift through the complexity, surface unseen risk, and prioritize mitigation efforts. To do this, you must:
- Break down silos when it comes to risk management. Why have 3, 4 or more separate risk programs when all risk is an organizational risk? Ensure you have a complete view of your entire organization’s risk posture by managing risk in a single pane of glass
- Tie all risk modeling to business functions so that we know what exactly will be potentially impacted if a risk is realized
- Move away from traditional “check-box” compliance approaches. No regulation, mandate or standard can ever remove risk
- Implement as much automation as possible. We live in a world of Application Programming Interfaces (APIs) for everything. Why are we still working out of PDFs and Spreadsheets? Why are we asking our systems administrators for screenshots when we can automate this?
In today’s world of innovation, connection and disruption, an organization’s risk management function MUST be able to react in near real-time. This is where having a centralized system of record with robust automation comes in handy, with all risk data up-to-date and aligned organizationally.