CRO Outlook

The Fed’s Report on Silicon Valley Bank: Key Risk Takeaways

There was plenty of blame to go around for the demise of SVB, but regulatory findings show that banks require more proactive boards and need to self-identify risk governance problems.

Friday, June 9, 2023

By Clifford Rossi


All bank board members and executive committees should carefully read the Federal Reserve’s recent findings on Silicon Valley Bank. SVB’s governance and risk management practices came under fire in the Fed’s report, which paints a picture of a fast-growing bank on the verge of breaking into large bank supervision with immature risk management capabilities.

While it’s easy to “Monday-morning quarterback” the outcome of SVB’s collapse, the narrative of growth, complexity and risk outstripping a bank’s ability to manage its risk seems like a recurring theme.


Today’s banking outlook looks risky in many areas, including liquidity, interest rate, counterparty, consumer, and commercial real estate. In this volatile environment, banks should take a hard look at their risk management frameworks, through objective self-identification of weaknesses in governance, process and controls and other key areas of the risk identification, measurement and management lifecycle.

Fed’s Findings on SVB’s Governance and Risk Management

SVB was a bank that had bet its fortunes on the promise of being the lender of choice to venture capitalists and tech firms. For a while, that approach seemed to be working. Between 2017 and 2022, SVB was on an asset growth trajectory for the ages. Indeed, in the five years preceding its demise, SVB’s assets grew 316%, with the majority of that coming in the period between 2019 and 2021.

However, as the Fed cited in its postmortem assessment of SVB, the bank was eventually undone by the immaturity of its risk management practices, particularly since they were misaligned with the firm’s growth. The Fed conceded that it was slow to react to SVB’s risk management deficiencies, claiming that it was aware as early as April 2020 that the bank’s risk management “lacked authority, tools and resources to appropriately monitor and test controls.”

Part of the problem was that the warnings the regulator issued to SVB lacked teeth. Across 2021 and 2022, the Fed issued red flags to SVB in the form of a series of “matters requiring attention” (MRA) and “matters requiring immediate attention” (MRIA) notations. However, while both offer time frames for resolutions, neither MRAs nor MRIAs prescribe specific solutions, and banks don’t actually face fines or penalties unless they are given a consent order.

What’s more, by the time the MRAs and MRIAs had been issued, the die had already been cast. The risks were baked in by then, and SVB’s board, management and risk teams were ill-equipped to sort out the rot building up inside the walls of its risk management function. No one in management understood the gravity of the massive interest rate and liquidity risk exposures that the bank had built up.

In one of its MRAs, the Fed claimed senior management and the CRO at SVB failed to realize that the efforts the bank had taken to improve risk management did not meet the Fed’s enhanced prudential standards (EPS) for capital and for liquidity.

Blame was also assigned to the bank’s board of directors. SVB’s board “lacked large bank experience” and was found to have failed in its duties to establish “appropriate risk management.”

The Fed called the board out directly for effectively going through the motions of complying with the regulator’s EPS findings, rather than proactively managing risk. As it will always be for every future bank failure, this lack of board oversight and experience was poison for SVB.

During the most critical period for SVB, its risk management function was managed by a committee of its senior risk officers – including many who were new to the bank. In short, SVB’s risk management group seemed ill-equipped to handle even a low level of risk, let alone a combination of skyrocketing growth, unfounded interest rate risk concentrations in long-duration assets (without appropriate hedging), massive sectoral deposit concentrations and excessive reliance on uninsured deposits.

Can SVB’s example, though, be used to elevate risk management for your bank?

Takeaways and Tips for Improving Governance and Risk Management

There are many lessons to be learned from SVB.

First, boards must be proactive in overseeing risk. Taking a passive role in challenging management’s assessment of risk management can only lead to problems down the road.

During that assessment, bank boards need to ask whether the maturity of risk management is commensurate with the complexity and growth of the firm. Banks operate in a highly dynamic environment and the risk management capabilities required for a $50 billion firm are vastly different from those of a $200 billion bank.

A key part of the board’s assessment must be to ask what real authority the CRO possesses. Is he or she heavily involved in bank strategy and key risk decisions or is the position merely window dressing? I’ve been at large banks where fast growth was allowed by regulators only because the banks had made a significant investment in ERM, only to find out later the second line had virtually no authority. Two of those firms went out of business in 2008.

A second takeaway: don’t rely on consultants to fix your risk management and governance problems. The Fed flagged this too as an issue, and I’ve seen too many instances of a team of consultants piling into a bank, making recommendations that seem good on the surface but in the end are only skin deep.

Hire the right people to begin with and you can avoid large consulting fees while building a team that has a deep understanding of the underpinnings of the business and risk management infrastructure.

A bank must also never wait for an examination to surface problems. Build a culture of self-identification of risks and process and control weaknesses without fear of retribution; otherwise, you’ll wind up playing defense and finding it difficult to get out of the regulatory penalty box.

Lastly, take the time to leverage or build tools to evaluate the maturity of your risk management process. Ironically, I did this at Washington Mutual when I landed there in 2007; while we built out a detailed risk management maturity scorecard, by that time it was too late.

Parting Thoughts

SVB represents a great “crash-and-burn” case study for boards to use in conducting a focused examination of their bank risk management and governance capabilities.

Boards need to approach identification of risk management deficiencies from the perspective of treating the bank as an airplane. Would you rather conduct a major repair at 30,000 feet, or on the ground before takeoff?


Clifford Rossi (PhD) is the Director of the Smith Enterprise Risk Consortium at the University of Maryland (UMD) and a Professor-of-the-Practice and Executive-in-Residence at UMD’s Robert H. Smith School of Business. Before joining academia, he spent 25-plus years in the financial sector, as both a C-level risk executive at several top financial institutions and a federal banking regulator. He is the former managing director and CRO of Citigroup’s Consumer Lending Group.


© 2023 Global Association of Risk Professionals