The recent failures of three financial institutions, two of them (SVB and Signature) taken into Federal Deposit Insurance Corporation (FDIC) receivership and one (Silvergate) entering a voluntary wind-down, demonstrate clear weaknesses in risk management practices. Pundits, journalists, members of Congress, and bankers themselves have pointed to numerous causes for SVB, Silvergate, and Signature’s failures. Some are symptoms, some are observations, and some are irrelevant sound bites. All point back to what we believe is a simple root cause: The enterprise risk management (ERM) function failed to identify a franchise-ending threat and keep the institution safe. This is the second time in five years this has occurred, the first being the pandemic. Both a pandemic and a bank run are known threats, well within the threat landscape of any financial institution. Why are our ERM programs not delivering on their business objectives?
Point 1: ERM v3.0
The next generation of thinking, what we refer to as ERM v3.0, needs to be launched with nonnegotiable governance reforms. Best practices should include:
- Roles and Responsibilities: The CRO should report directly to the board of directors, similar to the chief audit executive. Clearly defined roles and responsibilities must be documented for key stakeholders in the risk management process, including the board of directors, senior management, risk managers, and other staff members.
- Board Approved Risk Management Policy: A risk management policy outlines the organization’s approach to risk management, including its risk appetite and tolerance levels, risk assessment methodologies, risk monitoring and reporting requirements, and the roles and responsibilities of key stakeholders.
- Establish Risk Management Committees: A board-level risk management committee, or the addition of risk management to an existing board committee, is required to oversee the organization’s risk management practices. An enterprise-wide risk management committee is also required and should replace siloed credit, market, and operational risk committees, so that risks crossing those silos (a rate shock that becomes a liquidity event, for example) have a single owner. These committees should meet regularly to review the organization’s risk positions.
- Implement a Risk Assessment Framework: Develop a risk management framework that identifies and assesses the organization’s risks, including operational, financial, strategic, and compliance risks. The framework should include a methodology for assessing the likelihood and impact of risks, as well as risk mitigation strategies. Threats assessed as low likelihood but high impact should be placed under emerging risk monitoring rather than dropped from the register because they seem remote.
- Implement a Risk Monitoring and Reporting Framework: Implement a risk monitoring and reporting framework that enables the organization to track and report on its risks. This framework should include regular risk assessments, risk monitoring activities, and reporting requirements, including who receives each report and how often.
- Develop an Incident Response Plan (IRP): Develop an IRP that outlines the organization’s approach to managing both internally and externally originated disruptions. This plan should include procedures for identifying, mitigating, and recovering from disruptions, and should identify external partners (e.g., a social media consultant, legal counsel, and law enforcement) in advance rather than during the event.
- Conduct Regular Risk Management Training: Provide regular risk management training to staff members to ensure they understand their roles and responsibilities in the risk management process and are equipped to identify and manage risks effectively. Front-line managers are the ones taking the risk, and therefore they own the control processes.
Silicon Valley Bank had no official chief risk officer for roughly nine months ahead of its collapse.
Point 2: Scenario Planning
Scenario planning should be a standard tool for financial institutions of all sizes, not just the largest, to identify capital at risk. ERM v3.0 will include this capability even for smaller institutions. A key element is to identify and test the institution’s resilience to different market conditions and events. Here are some best practices for risk management scenario analysis:
- Identify Relevant Scenarios: Identify scenarios that are relevant to the organization’s risk profile that could impact the bank’s financial performance, such as economic downturns, interest rate changes, or credit losses.
- Use Multiple Scenarios: Develop multiple scenarios to test the organization’s resilience to a range of potential events and outcomes. These scenarios should be based on different assumptions and should cover a range of severity levels.
- Involve Key Stakeholders: Involve key stakeholders in the scenario analysis process, including risk managers, business managers, and senior executives. This will help ensure that the scenarios are relevant to the bank’s risk profile and results are meaningful.
- Use Historical Data: Use historical data to inform the scenarios and to back-test the bank’s models against its actual performance under similar market conditions in the past.
- Conduct Stress Tests: Conduct stress tests to assess resilience to extreme scenarios that are unlikely but would have a high impact. Threats with this risk profile are the most frequently ignored, and the most frequently confused with black swan events. Stress testing helps management identify potential vulnerabilities and develop contingency plans.
- Regularly Review and Update Scenarios: Regularly review and update the scenarios to ensure that they remain relevant to the risk profile and reflect changes in the market environment.
- Integrate Scenario Analysis into Decision Making: Integrate scenario analysis into the decision-making processes, including capital planning, risk appetite setting, and strategic planning.
We are not suggesting institutions model true black swan events, which by definition cannot be anticipated, but rather that they consider both likely and unlikely events that have high impact.
Point 3: Augment KPIs With True KRIs and Emerging Risk Indicators
What is an Emerging Risk Indicator? An emerging risk indicator (ERI) is a type of risk indicator that helps organizations identify potential new risks that may arise in the future. ERIs are used to monitor and track trends or developments that could potentially lead to new risks, and they can help organizations stay ahead of the curve by identifying and mitigating risks before they become significant issues. While KRIs are designed to identify and monitor known risks, ERIs are designed to identify and monitor emerging risks that may not yet be fully understood or appreciated. Examples of ERIs may include but are not limited to:
- Technology Trends: New technologies such as artificial intelligence or blockchain can create new risks that may not be fully understood. Monitoring trends in technology can help organizations identify and mitigate these risks.
- Economic Trends: Economic trends, such as changes in interest rates or market volatility, can create new risks or impact existing risks. Monitoring economic trends can help organizations anticipate potential new risks.
- Social (Media) and Political Developments: Changes in social or political environments can create new risks, such as changes in consumer preferences or geopolitical risks. Monitoring social and political developments can help organizations identify and mitigate potential new risks.
- Regulatory Developments: Changes in regulations or new regulations can create new risks or impact existing risk profiles. Monitoring regulatory developments can help organizations stay ahead of potential new risks.
Point 4: Evaluate Tools and Techniques
Evaluate the frequency and nature of the monitoring tools and techniques used to identify interest rate risk (IRR) and liquidity concerns. A recent Bank Director survey found that respondents’ concerns about interest rate risk (91%) and liquidity (71%) had increased markedly over the past year. If these concerns have increased and banks are failing because of them, why do bankers continue to run the same risk monitoring activities at the same frequency as before, when so many banking activities now occur in real or near-real time (e.g., payments, account opening, and loan approval)?
Some banks still monitor interest rate risk and liquidity on a quarterly basis. If a potential franchise-ending event were looming, bank executives should want IRR and liquidity monitoring reports at a higher frequency. These same banks performing quarterly monitoring often use nationally averaged data to create assumptions and analyze “check the box” scenarios to evaluate IRR and liquidity, instead of data that is specific to their own organization.
Bankers must evaluate whether the monitoring tools and techniques, and the frequency of analysis, are designed to understand the bank’s unique IRR and liquidity positions efficiently and effectively. The control environment should be enhanced to identify potential and forthcoming IRR and liquidity events early, so the C-suite can develop a gameplan to navigate these risks. As the banking space evolves to meet the needs of its customers, so should these very important activities. In a digital data age we need access to more data, more frequently, because in some cases quarterly reporting with “check the box” scenarios is too little, too late.
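To make the cadence argument concrete, the following is an added example, not code from the original article or from Wolf & Company: a toy liquidity KRI (rolling five-business-day net deposit outflow) is evaluated over a constructed deposit series once per day and once per quarter. The deposit figures, the 5% tolerance, the five-day window, and the 63-business-day quarter are all assumptions chosen for illustration, not data from any real institution. The point it shows is detection latency: the same indicator crossing the same board-approved tolerance is seen within days under daily review and only at the next quarter-end under quarterly review, by which time most of the deposits are gone.

```python
# Added example (not part of the original article): a toy liquidity KRI
# evaluated at daily vs quarterly review cadence over a constructed
# deposit series. All figures, the 5% tolerance and the 5-day window are
# assumptions for illustration, not figures from the article or any bank.

from typing import List, Optional

BUSINESS_DAYS_PER_QUARTER = 63  # assumed: ~252 business days / 4


def constructed_deposit_series(days: int = 130, start: float = 10_000.0) -> List[float]:
    """Constructed daily deposit balances ($ millions) for a hypothetical bank.

    Flat for the first 80 business days, then an outflow that accelerates by
    0.2 percentage points per day (capped at 5%/day) into a run.
    """
    balances = [start]
    for d in range(1, days):
        rate = min(0.002 * (d - 79), 0.05) if d >= 80 else 0.0
        balances.append(balances[-1] * (1.0 - rate))
    return balances


def net_outflow_pct(balances: List[float], day: int, window: int = 5) -> float:
    """Net outflow over the `window` business days ending on `day`, as a
    fraction of the balance at the start of the window (the KRI itself)."""
    if day < window:
        return 0.0
    start_balance = balances[day - window]
    return (start_balance - balances[day]) / start_balance


def first_breach(balances: List[float], threshold: float = 0.05,
                 window: int = 5, review_every: int = 1) -> Optional[int]:
    """Index of the first *review* day on which the KRI exceeds `threshold`.

    `review_every` is the review cadence in business days: 1 means the KRI
    is evaluated every day; 63 means it is only looked at on quarter-end
    days. Returns None if no review day within the series shows a breach.
    """
    for day in range(window, len(balances)):
        if (day + 1) % review_every != 0:
            continue  # nobody looks at the report on this day
        if net_outflow_pct(balances, day, window) > threshold:
            return day
    return None


def detection_summary(balances: List[float], threshold: float = 0.05,
                      window: int = 5) -> dict:
    """Compare when the same KRI breach is first *seen* under each cadence,
    and what fraction of opening deposits is still on the books that day."""
    summary = {}
    for label, cadence in (("daily", 1), ("quarterly", BUSINESS_DAYS_PER_QUARTER)):
        day = first_breach(balances, threshold, window, cadence)
        summary[label] = {
            "first_breach_day": day,
            "deposits_remaining": None if day is None else balances[day] / balances[0],
        }
    return summary


if __name__ == "__main__":
    series = constructed_deposit_series()
    for label, info in detection_summary(series).items():
        print(f"{label:>9}: first breach seen on business day "
              f"{info['first_breach_day']}, deposits remaining "
              f"{info['deposits_remaining']:.0%}")
```

With these assumptions the daily review flags the breach on business day 87, about a week into the outflow with over 90% of deposits still in place, while the quarterly review first sees it on day 125, by which point less than half of the deposits remain. The indicator and the tolerance are identical in both runs; only the review cadence differs, which is the gap Point 4 is describing. A real program would run this against the institution's own deposit and funding data rather than national averages, and would pair the KRI with emerging risk indicators from Point 3 so the trend is visible before the tolerance is crossed.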
Summary
ERM v3.0 requires a commitment not to repeat the mistakes of the past. Rightsizing the program to fit the complexity of the bank does not mean ignoring key principles or waiting for the regulators to tell us what to do. Would a bank of any size be more resilient if its top threats were communicated with increasing transparency to all constituents (including depositors, borrowers, and employees)? If that communication included results for a new set of KPIs, KRIs, and ERIs, would front-line managers be better equipped to identify early trends? And can ERM v3.0 offer new risk managers an opportunity to sharpen their skills and lengthen their careers with the bank as the war for talent rages on? With the right processes in place, we think so.
If you’re looking to overhaul or even just discuss your current ERM function, reach out to our ERM team at Wolf & Company.