More analysis is yet to be done on the underlying causes of the recent failures of Silicon Valley Bank (SVB) and others. So far, the leading candidates are:
- Concentration of uninsured deposits subject to “flight risk”;
- Excessive interest rate risk;
- Relying on the “held to maturity” classification for a substantial majority of its investment portfolio (especially mortgage-backed securities) and the “accumulated other comprehensive income” (AOCI)¹ opt-out election for regulatory capital purposes, leading to a strategic mischaracterization of the organization’s actual capital and liquidity resources;
- Lack of an independent Chief Risk Officer (CRO) for an extended period of time;
- Lack of banking expertise on the board of directors’ risk committee;
- Concentration of customers in the private equity/venture capital industry; and
- Reduced regulatory oversight, including requirements for less frequent and less stringent capital, interest rate risk, and liquidity stress testing.
All that said, a historical analysis provides clear insight into what banks such as SVB should have been doing all along.
‘Lessons Unlearned’ from the Global Financial Crisis
On October 21, 2009, the Financial Stability Board² and its Senior Supervisors Group released their Report on Risk Management Lessons from the Global Banking Crisis of 2008.³ There are some eerie parallels between what we “learned” in 2009 and what we see happening today. Six of the 10 lessons from the crisis had to do with liquidity, and how supervisors and banks assessed the state of banks’ liquidity risk management practices in 2009.
- Board direction and senior management oversight: Firms are generally undertaking adjustments to increase board and executive engagement and to strengthen the resources, stature, and authority of risk management. However, it is not yet clear whether these changes have significantly contributed to risk management cultures and governance.
- Articulating risk appetite: Supervisors at the federal banking agencies are seeing insufficient evidence of board involvement in setting and monitoring adherence to firms’ risk appetites. Risk appetite statements are generally not sufficiently robust. Such statements rarely reflect a suitably wide range of measures and lack actionable elements that clearly articulate firms’ intended responses to losses of capital and breaches in limits.
- Risk assessment, aggregation, and concentration identification: Self-assessment responses suggest that the identification of risk concentrations is an area of weakness. Federally insured financial institutions should be looking to automate identification of concentrations by counterparty, product, geography, and other risk factors.
- Stress testing: Firms report enhancements to and increased use of stress testing to convey risk exposures to senior management and boards, though significant gaps remain in their ability to conduct firm-wide tests. Also, the credibility of extreme but plausible scenarios, despite recent events, remains an issue for some firms.
- Valuation practices and loss recognition: The loss of confidence among creditors, counterparties, and clients in the valuation practices of federally insured financial institutions for certain assets during the crisis contributed directly to the withdrawal of funding and other liquidity drains. Many firms are reviewing the oversight of their valuation functions and working to increase the rigor of processes associated with, for example, enforcing uniform pricing across the firm, validating valuation models, and escalating valuation disputes. Nonetheless, substantial work remains for ensuring adherence to sound industry standards for valuation practices and loss recognition.
- Liquidity risk management: As a result of lessons from the crisis, federally insured financial institutions are making meaningful progress toward improving funding and liquidity risk management practices, but supervisors at the federal banking agencies and managers of some federally insured financial institutions acknowledge that substantial work remains to align fully with enhanced industry standards.
Common Risk Management Issues
The FSB 2009 report also identified sound risk oversight as a differentiating factor when it came to survival during the crisis. As a result, the Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010 (Dodd-Frank) requires bank holding companies with more than $50 billion in total assets to have an independent risk committee of the board of directors and a CRO that reports directly to the risk committee and the CEO. The risk committee is charged with overseeing the operation of the bank holding company’s global risk-management framework. While other Dodd-Frank provisions were amended in the Economic Growth, Regulatory Relief, and Consumer Protection Act in 2018, this requirement remains in effect.
Treliant has worked with a number of firms that wanted to improve their risk management functions. Some of these engagements were undertaken in response to self-identified deficiencies and weaknesses, while others were in response to regulatory directives to remediate issues identified by regulatory examinations. In our work, we have noticed financial institutions of all sizes struggling with many of the same issues, including:
- Insufficient oversight: The board risk committee does not provide sufficient independent oversight over all risk exposures facing the organization, whether due to management dominance, reporting deficiencies, and/or pro forma meeting agendas that focus narrowly on certain “key risks,” such as credit risk.
- Skewed balance: The risk committee’s efforts to balance enterprise-wide strategic growth targets (whether organic and/or through mergers and acquisitions) place greater weight on near-term earnings per share (i.e., operating efficiencies) at the expense of a fully staffed and more effective three-lines-of-defense model such that, over time, the organization outgrows its risk management infrastructure.
- Lack of expertise: The committee does not have sufficient expertise regarding the full panoply of risks facing the organization to appropriately oversee the interconnectedness of such risks and, therefore, does not exercise sufficient “credible challenge” to management across the broad spectrum of risk.
- Ill-defined appetite: The committee has not adopted a risk appetite statement that is comprehensive and detailed enough to provide clear guidance to management, both in terms of risk identification and risk aggregation.
- Overoptimistic bias: There is a culture of presenting good news to the board and senior executive management such that the tolerances for key risk indicators (KRIs) and key performance indicators (KPIs) are set at levels that result in “green” indications of low risk even amid stressed economic environments.
- Limited data: Information systems often are not robust enough to provide comprehensive and timely measures of aggregated levels of interconnected risk exposures.
- Poor reporting structure: The CRO does not report directly to the risk committee and/or is not sufficiently independent of senior executive management.
- Inappropriate culture: The risk culture of the organization suppresses the scope of the independent risk management (IRM) function, whether in terms of first-line managers failing to take “ownership” of first-line risk management functions and/or limiting IRM to an advisory role.
- Limited empowerment: The CRO lacks the right stature in the organization relative to first-line functions to adequately monitor and test first-line risk assessments and control effectiveness.
- Inadequate resources: In seeking operating efficiencies, the IRM function remains chronically under-resourced, whether in terms of information systems and/or staffing, and is in constant catch-up mode.
While further deep dives into the root causes of recent bank failures will provide more detail on what went wrong, it does seem that some of the same “lessons learned” identified by supervisors following the Great Recession of 2007 and the related banking crisis are relevant today. Importantly, experience has shown that organizations that have strong risk management cultures are better equipped to respond nimbly to changing market conditions.
1 Includes, but is not limited to, adding back net unrealized holding losses on available-for-sale securities, accumulated net gains (losses) on cash flow hedges, and accumulated defined benefit pension and other postretirement plan adjustments to Tier 1 capital.
2 The Financial Stability Board (FSB) is an international body that promotes global financial stability by coordinating the development of regulatory, supervisory, and other financial sector policies and conducts outreach to non-member countries. Embedded in the FSB’s structure is a framework for (i) the identification of systemic risk in the financial sector, (ii) framing the policy actions that can address these risks, and (iii) overseeing implementation of those responses.