Treliant Takeaway…Material Risk Management, Governance, and Internal Audit Deficiencies Highlighted in Fed’s Release of SVB’s Supervisory Documents

Monitoring, Testing, and Audit Regulatory Compliance and Operations

Silicon Valley Bank Review – Supervisory Materials

  • Source: federalreserve.gov

Treliant Takeaway:

While there are many factors that contribute to a Bank’s failure, including SVB’s, the existence of appropriate and effective risk management, governance, and internal audit frameworks is critical to ensuring your institution has an informed and proactive risk posture and where the continuous understanding, anticipation, and consideration of risk is fundamental to all decision making.

Banks must understand the regulatory expectations for risk management that is relevant to their size, complexity, and risk profile and invest in, build, and mature their programs accordingly. An effective risk and compliance framework should be sufficient in identifying key areas of weakness and remediating material deficiencies promptly, in advance of regulatory examination. A strong risk and compliance framework will go a step further and be able to anticipate and inform risk-based decisions and strategies based on a comprehensive view of the institution’s risk exposure, risk appetite, and capacity to support certain risk taking.

Treliant’s Regulatory Compliance, Mortgage, and Operations Solutions (RCMOS) practice is led by practitioners that have built, led, evolved, and matured the risk and compliance frameworks, governance, and internal audit programs of banks of all sizes, business models, and risk profiles and interfaced with all prudential regulatory agencies on these matters. Our team can help ensure that your risk, compliance, and audit programs are effectively designed, implemented, and tailored to the unique needs of your institution. With enhanced scrutiny on these programs, now is the time to make sure that your risk, compliance, and audit programs do not run afoul of regulator expectations.

Highlights:

The Board of Governors of the Federal Reserve System recently took a surprising step and released documents in connection with the regulatory supervision of Silicon Valley Bank (SVB) and Silicon Valley Bank Financial Group (SVBFG). As part of the release, the Board stated that “These documents include supervisory material that is confidential under the Board’s regulations. Due to the exceptional nature of these events, including the failure of SVB and the extraordinary response required by the Federal Reserve, the Board has determined that release of this information is appropriate, as the substantial public interest outweighs the need to maintain the information’s confidentiality.”

The public has thus been allowed unprecedented access to the results of supervisory examinations of the bank, including material and repeat deficiencies identified, leading up to its failure. While there are eight supervisory letters included as part of the release that were dated from 2019 – 2022, two in particular, issued in mid-to-late 2022, were specifically related to the Bank’s risk management, governance, and internal audit program:  functions specifically established to enable the Bank to anticipate, prevent and mitigate significant risks.

In summary, SVB’s risk management, governance, and internal audit programs were deemed to have not been adequately designed, not be working effectively, and were subsequently ineffective in fulfilling their mandate to protect the institution.

Some highlights from the letters are as follows:

SVBFG and SVB Governance and Risk Management Target Supervisory Letter, May 31, 2022

The review identified three Matters Requiring Immediate Attention (MRIAs) related to the following:

  • Board Effectiveness:
    • “The board did not provide effective oversight of the Firm’s LFI transition plan implementation or the foundational risk management program execution.”
    • “The board and board committees have not held senior management accountable for executing a sound risk management program, nor sufficiently challenged management on the content of the risk information reported to the board to achieve effective oversight.”
    • “Senior management performance evaluation and compensation programs are not linked to the Firm’s risk management objectives. Risk management deficiencies, identified by independent risk functions or through regulatory examinations, have not been meaningfully considered in the Firm’s incentive compensation program.”
    • “The second line independent risk function either lacks or has not effectively used its authority and stature… Both the Risk Committee and Audit Committee rely heavily on the Chief Executive Officer (CEO) for assessing the CRO’s and Chief Auditor’s (CA) performance rather than the feedback being provided directly from the Committee Chairs.”
  • Risk Management Program:
    • “The current risk management framework is not comprehensive, does not incorporate coverage for all risk stripes, and does not address foundational enterprise level risk management matters, such as issues management and escalation.”
    • “The lack of an effective risk management framework and policy has resulted in inconsistent core risk management activities and ultimately a reactive/patched, rather than holistic/integrated, approach to risk management.”
    • “Risk management framework weaknesses have resulted in inadequate risk monitoring and reporting to senior management and the board. The framework, policies, and standards do not clearly define ownership, reporting, escalation, and approval of risk limits. The current framework for risk appetite statement (RAS)-level breaches is broad and does not indicate who is responsible for reviewing and approving the business risk owner’s remediation plan.”
    • “The management level risk committee structure does not deliver on foundational risk management committee practices. In the current structure, the Firm’s risk management committees are advisory in nature, do not make decisions, are not required to have charters, and do not include a clear path of escalation for all risk stripes.”
  • Internal Audit Program:
    • “IA did not hold SVB senior management accountable despite indicators of an ineffective risk management program.”
    • “IA exhibited a slow and reactive approach to testing the Firm’s LFI readiness transition plan, risk management programs and functions, and integration of acquired entities…”
    • “IA does not provide sufficient information to allow the Audit Committee to fulfill its oversight responsibilities, nor is IA’s reporting consistent with other large complex institutions or Audit Committee reporting guidance set forth under Supervision and Regulation Letter 13-1 Supplemental Policy Statement on the Internal Audit Function and Its Outsourcing.”

SVBFG and SVB Internal Audit Target Supervisory Letter, December 27, 2022

The review identified additional issues with the design and effectiveness of the Bank’s Internal Audit Program, beyond the MRIA’s issued in the May 2022 Supervisory Letter. These included:

  1. Internal audit risk assessment:
    • “The IA risk assessment process does not effectively analyze the Firm’s key risks and risk management functions. While there is a quantitative methodology that drives the risk assessment, the analysis supporting the numerical scores is limited, lacks transparency, and is often informal.”
  2. Audit Universe:
    • “IA does not effectively identify all auditable entities within the audit universe.”
    • “IA’s Audit Manual does not sufficiently address how auditable entities are captured at the department level, the process/activity level, or at another aggregated organizational level.”
  3. Continuous Monitoring:
    • “IA has not established processes for updating the Audit Plan or Staffing as emerging risks or significant organizational changes are occurring.”
    • “Continuous monitoring processes do not effectively escalate emerging internal controls issues, nor does it adequately cover cross-business line processes or shared services. IA’s continuous monitoring processes makes limited use of data analytics – this hinders the timely identification of factors that should prompt updates to the Audit Plan or IA staffing.”
  4. Audit Execution:
    • “IA’s planning and scoping processes do not provide sufficient oversight.”
    • “IA’s testing practices are inconsistent and lacks clarity when relying on other control functions. While the IA Policy allows leveraging off first and second line control testing, there are no defined criteria to determine when to leverage versus when to retest. Also, the examination noted examples where the testing sample sizes were not aligned with industry standards.”

Ready to Talk?

We work with you to understand your needs, so we can tailor our approach to your engagement. Learn more when you connect with our team.

Reach an Expert