Banks have three lines of defense for managing risk — and then regulators are the fourth line of defense. In the case of Silicon Valley Bank, all four failed. If banks want to manage risk better, one good place to start is making sure a Chief Risk Officer and a board-level risk committee are in place. And the people on that committee should have real experience in managing enterprise risk.
Here we go again. Banks ought to have the best risk management. But whatever safeguards were in place didn’t prevent Silicon Valley Bank from failing, destroying over $40 billion in shareholder value, and forcing unprecedented government intervention to protect depositors.
Banks use the “three lines of defense” model for risk management and governance. The first line represents the decision makers. At SVB this would include the treasurer, CFO, and CEO, who all inexplicably decided to take on bet-the-bank duration risk to earn an extra half a percent in yield. They invested in long-term Treasuries and mortgage-backed securities to boost earnings, but that created a significant duration and liquidity mismatch with the Bank’s deposits.
The second line of defense, led by the chief risk officer (CRO), provides corporate oversight and ongoing monitoring to ensure risk exposures are within prudent risk limits. Internal audit represents the third line of defense, responsible for providing assurance that internal controls are effective. Ultimately, the SVB board of directors has responsibility for the safety and soundness of the overall Bank. Any one of these risk management and oversight functions could have, and should have, prevented the collapse of SVB. But they all failed, leading to the first bank run in the digital age and the second largest bank failure in U.S. history.
As a former CRO who has served on public and private corporate boards, including as chair of the risk and audit committees, I am disappointed and saddened by what seems like an avoidable disaster. What went wrong, what are some open questions, and how can we do better?
First, banks need an empowered CRO who must not only have the right skills and resources, but also sufficient independence and authority. SVB did not have a full-time CRO for most of 2022, a critical period when massive investment losses mounted. The previous risk chief stepped down in April 2022 and a new one was appointed in January 2023. Who was in charge of risk management for eight months?
Second, banks need a board risk committee that can perform essential oversight functions like setting risk appetite, reviewing reports, and ensuring compliance. The SVB board had six committees, but its risk committee was the only one without a chair in 2022. Moreover, none of the risk committee members had deep risk management experience. This is the same criticism that JP Morgan received with the “London Whale” incident. While an audit committee financial expert must meet specific requirements, there are no such criteria for directors who serve on risk committees. Relevant experience may include serving as CRO, chief credit officer, chief compliance officer, or equivalent. During a critical period, SVB didn’t have a CRO or risk committee chair. Regulators require banks over $50 billion in assets to have a CRO and a board risk committee. SVB had over $200 billion in assets. What happened to its risk governance structure?
Third, banks must use analytical models to assess all types of strategic, financial, and operational risks – and respond accordingly. At SVB, these models would have raised red flags on the Bank’s strategic risks from its concentrated business model and deposit base. These models would have also quantified massive asset/liability mismatches in both duration and liquidity. For example, at the end of 2021 SVB’s risk model showed that for a 200 basis point increase in rates, the Bank would suffer a $5.7 billion decline in economic value of equity. This key risk metric increased 332% from a year earlier. The Fed raised rates 425 basis points in 2022 and SVB’s investment losses wiped out its $15 billion in tangible equity. One may argue that no one expected rates to increase so rapidly. But as the Fed repeatedly signaled its policy to increase rates to fight inflation, SVB maintained a risk profile that was an outlier among banks. What was the Bank’s risk appetite for strategic and financial risks?
Fourth, SVB had an obligation to provide public risk disclosures. For market risk, which includes interest rate risk, the key section is Item 7A in the annual 10-K report. Item 7A provides information on how rate changes would impact net interest income and economic value of equity. In SVB’s 2021 10-K report, this section showed that rising rates would benefit earnings but damage equity (i.e., short-term gain, long-term pain). Astonishingly, in the 2022 10-K report the Bank only showed that rising rates would benefit earnings. But the quantitative analysis of how rates would impact equity was excluded. Why did the audit committee and external auditor approve the omission on equity sensitivity?
Finally, policymakers need to hold banks accountable for fulfilling regulatory requirements. SVB was regulated by the Federal Reserve, FDIC, SEC, CFPB, and other agencies. In the aftermath of the 2008 global financial crisis, and the implementation of Dodd-Frank, these agencies put in place stringent requirements for board governance, risk management, capital adequacy, liquidity coverage, and stress-testing. While the stress-testing requirements were rolled back for mid-size banks in a 2018 law, the Federal Reserve still had the right to apply them to any bank with over $100 billion in assets. What does the sudden collapse of SVB say about the adequacy of bank regulation and supervision?
While much remains uncertain around what exactly went wrong with SVB and why, we at least know the right questions to ask. These questions will likely underscore the importance of having a strong and independent CRO, qualified directors on risk committees, clear risk appetite and mitigation strategies, appropriate risk disclosures, and effective regulatory oversight. As these questions get answered through SVB’s post-mortem, the question other banks should be asking themselves is whether they would rather have these questions raised during internal board and management meetings or during similar autopsies.