The Web of Risks Wrapped Around SVB
Chief risk officers and board risk committees have one more lesson to learn from the collapse of Silicon Valley Bank. The lesson is buried in the notion that SVB collapsed after “a good old-fashioned bank run.” That’s not quite what happened, and what did happen says a lot about flawed risk management.
By now you’ve probably heard how people describe a bank run: a bunch of depositors stampeding toward the door all at once, to get their money out of the building before it collapses — and since everyone rushes the door at the same time, nobody gets out.
Except, is that really the right metaphor for what happened in the last days of SVB?
Because from what I’ve read, depositors at SVB were communicating with each other on WhatsApp, Twitter, and other communication apps. They talked themselves into a panic that they’d be the last ones left at SVB, and would lose their money. So everyone fired up their fintech apps and transferred their deposits elsewhere: a staggering $42 billion transferred out of the bank on Thursday, March 11. Then, blammo! SVB collapses.
In that case, the apt metaphor here isn’t people stampeding toward the door; it’s everyone punching holes through the wall so they can jump out of the building. That’s what those fintech apps allowed people to do: sever their business with SVB completely and immediately.
So do you see what happened there? SVB always had the strategic risk of a collapse thanks to rising interest rates. But its embrace of new technology changed the velocity of that strategic risk. Digital transformation — that concept everybody loves; that shift every business does need to make — altered the nature of the other risks SVB already had.
That’s the disconnect chief risk officers and board-level risk committees need to watch for.
The Risk of Overlapping Risks
Indeed, the more you look at SVB’s debaculous demise, the more you see a dizzying pattern of overlapping risks, each one affecting the other. That’s a trap that could snare any company, bank or otherwise. Boards need to be aware of those dynamics, and risk managers need to be aware of how those risks could push each other into a danger zone.
Let’s start with those strategic risks mentioned above. As we explored in a prior post about SVB, one cause of the collapse was the bank’s decision to hold large amounts of securities based on low-interest rate loans. As interest rates rose last year, those securities declined in value, and SVB’s unrealized losses on those assets began to pile up.
That’s known as interest rate risk, and it’s not news. All banks face some degree of interest rate risk. Most are wise enough to purchase hedging instruments to keep that risk at acceptable levels. Silicon Valley Bank went the other way. It actually cut its interest rate hedges throughout 2022, even as the Federal Reserve began its campaign of raising interest rates.
Here we can ask our first question about overlapping risks: Why would SVB do that? Why would executive management at any company cut costs (in this case, purchasing hedges) in a way that increases its strategic risk?
One possible answer is money. Perhaps SVB executives wanted to keep costs low so they could reap more compensation. We can’t say that for sure right now, but already plenty of critics are pointing to insider stock sales and last-minute cash bonuses as evidence. Expect regulators investigating SVB to dwell on this question at length.
The rest of us, however, should appreciate the larger question here: Does your company have a flawed incentive compensation structure that might drive executives to act in ways that increase the company’s strategic risk?
We also have that matter of digital transformation. I’m all for companies embracing the powers of new technology, but they cannot do that in a risk management vacuum. It isn’t enough simply to worry about a new technology’s cybersecurity or privacy compliance risks, or to ponder how IT might affect your revenue and cost structure. Someone at the company also needs to consider how new technology might alter the strategic risks you already have.
Go back to SVB. The bank was charging down a foolish strategic path. It had also (like every other bank and company) embraced digital transformation. My question is whether anyone at SVB understood that digital transformation would accelerate the velocity of the bank’s strategic risks.
We had technology risk, compensation risk, and strategic risk all swirling around each other like clouds. That’s plain to see in hindsight; the trick is to see it with foresight.
Getting Risk Oversight Right
For companies that do want to stay ahead of such a complicated risk environment, they need to answer two questions. First, who on the board should oversee this stuff? Then, once you’ve defined that group on the board, who within the company can work with them to understand the specific issues that might be afoot?
For a long while now, I’ve been a fan of board-level risk committees. Audit committees already have a full plate overseeing the financial audit and internal control; and the full board should focus its time debating strategy and emerging risks. Some other group within the board still needs to oversee all the “other” stuff, such as defining a risk appetite or understanding how one risk might affect another.
What should that risk committee’s charter look like? Ironically, Silicon Valley Bank’s own risk committee’s charter is a good example to study. I especially liked this section, which drives to that overlapping risk issue I mentioned earlier:
The Committee has oversight of the Company’s risk management across all major risk categories, including capital, liquidity, credit, market, operational, compliance, strategic, and reputational risk. The Committee shall monitor and understand changes to the risk profile of the Company across those risk categories, with a focus on the most significant risks faced by the Company and shall escalate to the Board any matters of concern for discussion and potential action.
Of course, despite the thoughtful language in the committee’s charter, SVB still, ya know, died. Which brings us to another issue: there aren’t enough qualified, competent people to serve on these risk committees.
At SVB, the risk committee chairman was Roger Dunbar until he stepped down from the board in April 2022. Dunbar had also been chairman of the whole board, which seems like a wise way to bring a broad perspective to the risk committee. The committee’s new chair, Kate Mitchell, also seems to have solid credentials.
Then again, let’s remember that SVB’s risk committee met a whopping 18 times in 2022, and the chief risk officer role at the bank was vacant for eight months of that year. Was the committee swamped with criticism from bank examiners? Were they too busy to demand that a new CRO be hired immediately? Was the committee banging its fist on the table to management loudly enough to convey the urgency here?
From the outside, we have no idea. But it all underlines the importance of a strong, competent risk committee that leads management, rather than vice-versa.
We also have the question of who within the company then works with that risk committee. Obviously a chief risk officer or head of internal audit is ideal. Indeed, the web of overlapping risks that brought down SVB demonstrates how important those roles are for the modern corporation. You need a strong, independent voice within the company who can analyze risks with competence, and then bring those concerns directly to a committee of the board that can then ask management to address those concerns.