We’ve covered the failure of Silicon Valley Bank in more detail in our previous blog, and there are certainly some issues raised there that are specific to banking. However, some of the risks that led to the collapse can apply to any organization: concentration and interest rate risks.
Customer concentration risk
One of the factors that played into SVB’s downfall was that it primarily catered to a single customer demographic. I’m not proposing there is anything inherently incorrect about that. At a strategic level, many businesses pursue specific markets and excel in their niche by catering to that market.
What may have been a failure of SVB is forecasting changes in their primary demographic’s behavior, the effect that these changes would have on the bank, and planning ahead for that contingency.
Here are some questions you can ask about your own concentration risk:
- What or who are our key demographics? What is the distribution or breakdown? Marketing or product teams may be the existing custodians of this information.
- What are the critical behaviors they exhibit that affect our operating model?
- What are the external factors that might shift their behaviors? An alternative or complementary process is to consider the ‘worst’ behavior shift, and then identify the factors that might cause that shift.
- How likely are those external factors to occur?
- If those behavior shifts were to occur, what would the impact be on our operating model?
When doing this analysis, you should consider what would happen if the relative size of each of those demographics change. Maybe a 50/50 split among two main demographics doesn’t pose a threat, while an 80/20 split might. Once the analysis is complete, you might be satisfied with the level of risk – perhaps you aren’t particularly concentrated in one demographic, or you might be diversified where a negative shift in one demographic is offset by a positive shift in another.
During this process you might identify one or more severe but plausible scenarios – those that are unlikely to happen but may be fatal (or severely impact achievement of objectives) if they do.
The next step – and the input into your ERM framework – is the identification of key metrics and the setting of tolerances. This may be across two dimensions, the external factors you identified as triggers, or the size of particular demographics. Setting triggers on the external factors might provide early warning signals so you can take action. Setting triggers on the size of demographics is designed to reduce your overall exposure, and can be more proactive in changing marketing, product design and related processes that can help shape the composition of your demographics.
Perhaps the biggest challenge with concentration risk is that it can be hard to see (and convince others to think about) when times are good. A fast-growing demographic might represent an amazing short-term opportunity. Good risk management is about balancing risk and reward.
Other types of concentration
While the focus above has been on customer demographics (the key drivers for performance in most organizations), it can be applied to other areas. This can include:
- Vendors – You may have an overreliance on a vendor whose failure would cause major disruption to your operations. This is particularly relevant to large vendors who provide a suite of services.
- Assets - A reliance on a single type of major asset (such as infrastructure, IT hardware etc) could become problematic if they suffer a systemic failure such as a product flaw during production.
- Geographic – While this is a typical concentration risk for financial firms (such as insurer and credit provider exposures to damage property or changes in property values), it can also apply to non-financial firms. Natural disasters or other localized events may have a higher impact on organizations that don’t have secondary locations or a distributed workforce.
These types of concentrations can be identified by mapping your processes and linking these required resources (vendors, assets, facilities or locations, etc.) to those processes, providing better insights into those concentrations.
Interest rate risk
One of SVB’s failures was the impact of interest rate changes on the balance sheet and performance of the bank. In their case, interest rate risk was related to their concentration risk – a change in interest rates affected the VC market, reducing deposits while also affecting the value of their assets.
Interest rate risk isn’t only for banks. The good news is that even if it isn’t included in your ERM processes today, there’s a good chance it is being managed. The CFO or equivalent is probably doing some level of sensitivity analysis on how forecasted business performance looks based on interest rate changes. Given what has happened to SVB, we recommend verifying that it is sufficiently robust. A few questions to consider:
- Does the sensitivity analysis consider interest just on assets and liabilities?
- Does it consider how other parts of the operating model will change?
- Does the sensitivity analysis consider how business decisions may change based on the interest rate changes?
- How does that sensitivity analysis inform decisions today?
This analysis may identify a level of interest rate that would force the organization to change its strategy or modify its decisions. Often once that level of interest rate is reached, it is too late. You may want to choose a source that predicts interest rate changes to enable more risk-informed decisions ahead of time. If you are operating in multiple jurisdictions, you may need to track multiple interest rates.
If it turns out that interest rate risk isn’t being managed in your organization today, it might be a topic to raise with the Executive, Risk Committee or Board to verify whether they require this level of assurance or insight given the organizations operating model.
Once you’ve assessed the level of existing analysis in your organization, you might integrate this into your ERM processes in two ways:
- Document the sensitivity analysis as a formal control over financial risks, with related assurance activities if it is considered a key control
- As one or more key risk indicators linked to interest rate changes – ideally a forecast view
Conclusions and next steps for your organization
We’ve focused on two specific risks that SVB faced, and how any organization might consider these risks. Importantly, we recommend identifying key risk indicators or metrics to operationalize your ability to respond to these risks and act ahead of time – rather than wait for the ticking time bomb to go off.
To find out more about setting key risk indicators, watch our free on-demand Risk Metrics and Key Indicators webinar. This webinar explores what enterprise risk metrics and key risk indicators (KRIs) are and how they add value to your business in the context of your wider Enterprise Risk Management framework.