
Oversight is coming: Time for US banks to beef up risk management.

Three major US bank failures in three months herald one thing for the banking sector – increased regulatory scrutiny and supervision. First Republic Bank joined Silicon Valley Bank (SVB) and Signature Bank by collapsing on May 1, 2023, just days after the Federal Reserve released a report on SVB’s failure that sent a clear message about the Fed’s own role: it needs to be more assertive.

The report doesn’t shy away from SVB’s failure to effectively manage its risks – indeed it opens with “Silicon Valley Bank failed because of a textbook case of mismanagement by the bank.” That said, the Fed appears to have taken a candid look at itself. The report lists four key conclusions, and after an opening salvo aimed at SVB, the Fed identifies three takeaways regarding its own supervisory and regulatory approach.

Let’s take a look at:

  • Key risk management issues highlighted in the report
  • Potential future action from the Fed
  • Takeaways and actions you can evaluate today

Key risk management issues

The Federal Reserve’s report includes a Risk Management Gap Assessment, pictured below, which taken as a whole implies that risk management was a low priority at SVB. Let’s examine a few statements directly from the report, as well as some of the key items in these tables, across the themes of risk culture and perception, risk appetite, and tools and processes:

[Figure: Risk Management Gap Assessment tables from the Federal Reserve report (two images)]

Image source: Review of the Federal Reserve’s Supervision and Regulation of Silicon Valley Bank (2023)

On risk culture and perception

The Fed’s report opens with a direct and somewhat blistering statement on risk management at SVB:

“Moreover, the board put short-run profits above effective risk management and often treated resolution of supervisory issues as a compliance exercise rather than a critical risk-management issue. Compensation packages of senior management through 2022 were tied to short-term earnings and equity returns and did not include risk metrics.”

Let’s unpack the report’s opening statement. Seeing risk management as a compliance exercise, and in this case a reactionary one, is a pernicious perspective on risk management. It makes it clear that SVB’s board of directors and management team did not understand – or chose to ignore – the value that risk management provides when it is aligned with achieving business objectives. Business objectives and risk management are not opposites; they are symbiotic.

The statement on compensation is all too familiar – a failure to acknowledge risk management in compensation arrangements can threaten the long-term viability of the organization. The board approved the incentives, and senior management were not compensated for managing the bank’s risks. So, they didn’t. (Or apparently only to the extent needed to marginally satisfy the regulator.)

“In April 2022, SVBFG made counterintuitive modeling assumptions about the duration of deposits to address the limit breach rather than managing the actual risk.”

This highlights something so fundamental about why we do risk management. The intended outcome of risk management is not to get a “good scorecard.” It’s to understand your risks so you can take appropriate action. Any risk can be made to look “acceptable.” Erroneously changing assumptions, risk ratings or tolerance levels doesn’t change how the risk might actually affect achievement of your objectives. If anything, it makes things riskier by the false belief it no longer needs active management.

“SVB did not take sufficient steps in a timely fashion to build a governance and risk-management framework that kept up with its rapid growth and business model risks. An SVB director, for example, told supervisors in 2022 that controls always lag growth.”

Sure, it’s rare for risk and control management to get out ahead of growth, or even be in lock step. However, this appears to be justification for being behind the 8-ball and focusing its attention elsewhere. In the case of SVB, this lag proved fatal.

“The full board of directors did not receive adequate information from management about risks at SVBFG and did not hold management accountable for effectively managing the firm’s risks.”

While the report does go into some detail, this gap in risk culture and awareness is fairly obvious on the surface. It’s missing the challenge culture required to hold management accountable. A strong risk framework supported by well-implemented tools and reporting can provide an effective flow of key information to the board, and improve management’s ability to provide it. In short, the board lacked proper visibility into the risk posture of SVB – and apparently did not seek it either.

The report also acknowledges that it’s not just SVB that made missteps in risk management:

“Instead, supervisors maintained the ‘Satisfactory-2’ rating given the strong financial performance of the firm at the time and the lack of realized risk outcomes from the risk-management weaknesses, a backward-looking perspective.”

This reminds me of the familiar refrain heard when conducting risk assessments: “But it hasn’t happened before.” It should serve as a reminder that, by definition, risk management is always forward-looking. You can improve your risk management today – but what about the risks you’ve already taken that haven’t yet materialized? This is where key risk indicators (KRIs) can be instrumental as predictors of risk events.

On risk appetite

“SVB’s internal risk appetite metrics, which were set by its board, provided limited visibility into its vulnerabilities.”

“As EVE [Economic Value of Equity] was not part of the risk appetite, there is no evidence that the full board was aware of the status of the EVE metric or that it was breaching limits for years.”

These statements read like a disconnect between the board and management, their understanding of the business model, its drivers, and the uncertainties that could influence those drivers. This highlights the importance of identifying the appropriate risks and tolerances specific to your business model. It should be a wake-up call to all risk managers: Are we monitoring the risks that matter most to our business model? Do we fully understand what those metrics should tell us?

“Enterprise risk-level risk tolerances are not cascaded down to the line of business for all key applicable risks.”

This is something we commonly see in Protecht’s implementations when working with a client to quantitatively define their risk appetite statement (RAS) and associated KRI metrics: Do the metrics align with risk reporting generated by the business and the RAS established by the board? This reinforces SVB’s disconnect between the board, senior management and staff in Line 1.

On tools and processes

There is an interconnected web of absent or half-baked tools and processes listed in the report’s gap analysis. To summarize:

  • Issues management lacking mechanisms to track and report throughout the enterprise.
  • Inconsistent application of risk taxonomies.
  • Risk and control inventories not mapped back to the bank’s internal framework.
  • Enterprise-level tolerances not cascaded down to business lines.
  • An immature Risk and Control Self-Assessment (RCSA) process.

These, among others, all have a link to one gap in the report:

“SVB does not currently utilize a centralized GRC tool to manage and report on risk assessments across the enterprise.” [Gap 10]

We admit we are biased, but it seems incredible that a bank holding over $210 billion in assets under management did not have a centralized risk and compliance GRC platform solution. Implementing a GRC tool doesn’t by itself lead to or create a good risk culture. That’s why it’s important to partner with experts who not only understand GRC systems, but who are demonstrated leaders in the discipline of risk management.

What about the Fed?

The Federal Reserve didn’t turn a blind eye to how it fell short of its mandate. Its own three takeaways related to supervision were:

  • Supervisors did not fully appreciate the extent of the vulnerabilities as Silicon Valley Bank grew in size and complexity
  • When supervisors did identify vulnerabilities, they did not take sufficient steps to ensure that SVB fixed those problems quickly enough
  • The Board’s tailoring approach in response to the Economic Growth, Regulatory Relief, and Consumer Protection Act (EGRRCPA) and a shift in the stance of supervisory policy impeded effective supervision by reducing standards, increasing complexity and promoting a less-assertive supervisory approach

Throughout the report, the Fed calls out issues for consideration in its future supervisory or regulatory approach. These include:

  • Enhancing supervisors’ identification and understanding of risks, including risks related to novel activities, at the banks they supervise – such as SVB’s concentration risk in its customer base and uninsured deposits
  • Imposing additional requirements, such as stricter capital or liquidity requirements, where failures in risk management, governance or other concerns about resilience are identified, until those failures are remediated, in order to focus management attention on critical issues
  • Imposing requirements for stronger incentive programs with compensation linked to effective risk management
  • Implementing behavioral science approaches in supervision to identify institutional blind spots, such as those observed (in hindsight) at SVB
  • Strengthening regulatory processes, which might include shorter runways for banks transitioning to another portfolio

These may not all materialize immediately, but I think it’s safe to say that stricter supervision is on its way.

Conclusions and next steps

Here are a few actions for banks and credit unions in the US to consider in preparation for potentially increasing oversight:

  • Review alignment of risk appetite and tolerances – Banks (and other financial institutions) are required to have risk appetite statements, but in our experience they are not always objective, nor cascaded effectively. This can lead to critical risk information being overlooked or not escalated, and to risk posture being clouded by vague metrics like “considerable” and “excessive”.
  • Educate – Get your board and management aligned on good risk practice. This includes shifting the hearts and minds on the perception of risk and risk management, as well as how to bring the processes to life. Protecht recently released risk management educational courses for boards and line-1 managers.
  • Invest in tools – Good GRC systems cut across all risk processes, enabling the alignment and aggregation of risk information from the bottom up, while also enabling cascading from the top down. This can provide decision makers – up to and including the board – with the information they need to discharge their risk responsibilities.
  • Plan for growth – If you are in a high-growth phase or approaching a change in size, give yourself a runway. If it wasn’t on your supervisor’s radar before, it probably is now. Start with a risk and control self-assessment (RCSA) and develop a proactive transition plan so you aren’t caught out by potential changes in enforcement.
  • Review incentive programs – Consider whether your executive compensation is aligned with demonstrated effective risk management, not just good financial performance.


Ready to get started? Start with our eBook on Risk Appetite to learn how to take and accept the right amount of risk, and find out how our Protecht ERM risk management solution is especially optimized to help banks and credit unions deal with their risk and compliance challenges and obligations.