Early GRC Lessons From SVB
Life comes at you fast, a point that many tech companies and banks are contemplating today thanks to the collapse of Silicon Valley Bank. Unfortunately this sorry debacle also raises many issues for the larger community of risk managers, regulatory compliance officers, and auditors, so let’s take a look.
As I write these words on Sunday, banking regulators have rolled out an emergency loan program to keep SVB depositors whole. That’s helpful to the depositors, but we still don’t know exactly how SVB’s plight started, or how many other banks might face similar predicaments come Monday morning.
Instead, we have legions of corporate executives and board directors startled at a risk they hadn’t anticipated, wondering, “Could this happen to us? What precautions should we take to assure that it doesn’t?”
That’s the real issue here for compliance, audit, and risk professionals. A risk most people hadn’t foreseen has struck, swiftly and widely. That sort of thing drives corporate leaders bananas, and compels regulators to take action. GRC professionals would do well to acquaint themselves with what happened here and what’s likely to happen next.
Let’s begin with a one-paragraph review of what we do know. Silicon Valley Bank spent years issuing loans at low interest rates. Then, within the last year, it had to start offering higher interest rates on savings accounts, to remain competitive in a world where the Federal Reserve had been raising rates. So the income from SVB’s assets (the loans) couldn’t keep pace with the costs of servicing SVB’s liabilities (the savings accounts). That means the bank was under-capitalized. Customers saw that state of affairs and got scared. They began pulling out their savings, which made SVB even weaker, until the bank failed on Friday.
Now come the questions, fast and furious.
What are my immediate concerns here?
The good news for most compliance and risk professionals is that the SVB crisis will not disrupt your company directly. Unless your company is a depositor at SVB or a bank with a balance sheet as precarious as SVB’s, you can observe things from a distance for lessons to learn, rather than crises to respond to.
One immediate lesson: the importance of vendor risk management. Put yourselves in the shoes of those SVB customers, waking up last Friday to find that their bank — perhaps the most important vendor relationship a small, growing company can have — was unavailable. Imagine the questions they asked themselves:
- How did this happen to us?
- What can we do for access to cash now?
- How can we preserve our liquidity and stability over the longer term?
Those are not questions you want to ask yourself in the middle of a crisis. They are questions you want to anticipate before the crisis, by understanding your vendor relationships and the risks that might happen should your most important relationships go haywire.
For example, even a cursory vendor risk analysis would identify your bank as a top tier relationship that needs attention. True, we don’t normally question whether a mid-sized bank such as SVB will collapse overnight; but you might perform an audit of your cash management function, to identify risk mitigation practices such as using brokered deposits or keeping three months of operating cash at a separate bank.
SVB even provides an example of fourth-party vendor risk: Rippling, a payroll processor that used SVB for banking services. When SVB failed, Rippling couldn’t process payroll for its customers — including companies that weren’t SVB customers at all. (Rippling moved to JPMorgan for banking services over the weekend, and fronted its own capital to cover costs until the transition finishes.)
So the more you can develop vendor risk management capabilities, such as scenario-planning and deep analysis further down the supply chain, the better. Then consider mitigation steps that might be warranted to reduce whatever weaknesses you find.
How did SVB collapse so quickly?
First, there is plenty of evidence to suggest SVB did not unravel quickly. On the contrary, critics say, the bank’s woes had been piling up for months and were staring out at us from the 10-Q all along.
What happened was that nobody paid attention to those red flags (see vendor risks, above; nobody challenging their own assumptions) until last week. Then everyone panicked, and that panic was magnified thanks to social media.
The Wall Street Journal has an excellent article recounting how SVB customers, their venture capital backers, and other business partners all engaged in a collective freakout last week, tapping furiously on their phones to fire up fintech apps and execute wire transfers as quickly as possible. An analyst on Twitter posted a thread about the new pressures that social media brought to bear on SVB — pressures that didn’t exist during the financial crisis of 2008, when Twitter, fintech apps, and iPhones were still in their infancy. He concludes with this point:
But the reality is, the banking industry has to start adding this “social media risk” into their frameworks and find a way to get ahead and control the narrative, to avoid this type of situation from happening again.
— professorstam.eth (@ProfessorStam) March 12, 2023
That analyst is right. As we’ve said many times before on this blog, social media isn’t a risk unto itself, as much as it magnifies or accelerates the risks you already have. In SVB’s case, social media did both. Twitter, Slack, and other open communication channels allowed people to dissect facts they didn’t quite understand, and rush to a judgment that made matters worse.
Banks and other companies would be foolish to ignore that reality. How we incorporate “social media risk” into risk management frameworks, I’m not quite sure — but that is a puzzle corporations will need to solve someday, and the sooner the better.
What do regulators do next?
Regulators and lawmakers will have their hands full in coming weeks, pointing fingers of blame for this particular mess and trying to figure out what rule changes or enforcement actions are necessary to prevent future messes.
First, we’ll hear about whether Congress should revisit the Dodd-Frank Act yet again. The original law, passed by Democrats in 2010, imposed annual stress tests on banks to suss out which ones might be at risk of collapse under adverse economic conditions. Republicans amended the law in 2018 to eliminate stress tests for mid-sized banks such as SVB.
It’s not clear that stress tests as originally envisioned by the Dodd-Frank Act would have prevented SVB’s meltdown — but the absence of them didn’t help, and it’s entirely possible that other mid-sized banks might come under stress. Plus, the Dodd-Frank Act also constrained banking regulators’ legal ability to arrange single-firm bailouts, and perhaps that needs fresh attention too.
Second, we’ll hear about whether accounting rules should be revisited to bring more clarity, more quickly, in the financial assets that banks and other firms hold in their balance sheets. Let’s remember, that’s how all this started: with SVB holding a bunch of mortgage-related assets on its balance sheet that weren’t actually worth the reported value.
So how can accounting rules be improved to report the fair market value as quickly and accurately as possible? Expect people to ask the Financial Accounting Standards Board that question. How can auditors be compelled to bring even more skepticism to financial assets, and raise alarms more quickly? Expect people to ask the Public Company Accounting Oversight Board that question.
Third will be questions about enforcement. This is where the Securities and Exchange Commission is likely to enter the picture, because we already have rumors that some venture capitalists were shorting SVB stock before fueling that social media-induced panic to pull funds from the bank; and SVB executives were selling shares and reaping executive bonuses before the bank collapsed, too.
The SEC has talked for a long while now about the importance of compensation clawbacks and insider trading risks, even when executives use 10(b)5-1 plans for scheduled stock sales. Well, SEC, this is your big chance.