Another bank collapse in the US. Why were risk management lessons not learned?

With hindsight, any financial institution’s failure is easy to investigate. However, the challenging task is anticipating risk and taking appropriate mitigating action before the risk crystallises.

In the past 15 years, there have been many high-profile failures such as Lehman Brothers, Bear Stearn, Northern Rock during  the GFC crisis in 2008, the losses to the hospitality, airlines, travel and automobiles industries during COVID-19 in 2020-2021 and now at the beginning of 2023 in a form of Silicon Vally Bank. Over the last two decades many regulations have been implemented to protect against financial insolvency, but failures are still happening. This an indication of gaps in regulation, inadequate risk management or a combination of both.

It is essential to recognise that risks arise from exposure to future events that can disrupt the institution and the role of the risk team is to anticipate risks, forewarn management and take advance action. The collapse of Silicon Valley Bank is a classic case of misjudging the risk or even missing the risk altogether.

During and after COVID-19, it was challenging for banks and insurance companies to adjust their asset and liability positions when interest rate was low. However, the situation worsened with the Russia-Ukraine war that led to rising inflation and subsequent rise in interest rates. Any duration mismatch between assets and liabilities followed by a sharp movement from low to high interest rates created a hole in the balance sheet. This is exactly what happened with the Silicon Valley Bank who made large investments in the government bonds where with the rise in the interest rate, the value of bond assets decreased created assets and liability mismatch leading to liquidity issue. A bank can take investment decision based on their strategy and projected profitability, however, the risks need to be managed.  In this case, the risk remained exposed as the bank could have employed liquidity contingency planning scenarios to understand the sensitivity of their liquidity risk profile to various shocks [1]. Also, the bank did not have interest rate hedge on their bond portfolio at the end of 2022 [2], either it expired or was terminated, the exact reason is not known.

Also, the bank didn’t anticipate the combination of interest rate and liquidity risk shocks it would occur together [1].

One lesson learnt is that a single scenario in isolation may not be severe enough to necessitate action, which is why multiple scenarios and correlations between risks need to be taken into account to understand the full picture. No one could have predicted the full sequence of events that culminated in the collapse of Silicon Valley Bank. It began with COVID-19, followed by a fall in interest rates during 2020 & 2021, then the Russia-Ukraine War that began in February 2022 which led to a rise in inflation followed by a hike in interest rates and then lastly in 2023, mass customers’ withdrawal of money from the bank. It is indeed a very scenario.   

But why is this happening?

Some of shortcomings in the risk management practices discussed above and bank not re-appointing the Chief Risk Officer in 2022 is an indication of poorer enterprise risk management (ERM) practices. ERM is an essential component that integrate risk management practices across the organisation including supplementing risk based capital. A better ERM managed organisation minimises the capital requirement and tightly cover all risks.    

However, the challenge is ERM is not well embedded in many organisation that leaves spaces for risks to slip through. SVB seems to be sailing on the same boat where ERM were not tightly defined and covered. Another challenge with the existing ERM framework is that the decisions are left to the decision maker but not forced. For example, if the bank does not have a Chief Risk Officer, neither Board nor CEO is forcing the decision to appoint a CRO. Similarly, during the early days of 2020 when COVID was still spreading, many of the institutions were watching the situation without any action taken till the time risk crystalised . The decision was not forced. This has problem with the ERM framework where mandatory decisions are not forced but left open.   There is a lot to learn from aviation industry.  

The aviation industry has progressed very well in managing its risks; they have reduced the accident rates from 0.144 fatalities per 100,000 in 1989 to 0.019 in 2008, with improvements of 77% (World Economic Forum, 2010). The aviation industry improved in quick decision-making skills from pilots, undergoing flight simulator training to prepare for an emergency, aggregation of aviation data across the Industry, involvement of regulators in the strengthening of safety mechanisms, post-accident analysis, and feedback mechanism from the frontline crew, etc.

There is a lot to learn from the aviation industry in the corporate world that has made the riskiest transportation into the safest mode of transportation. There is no need to reinvent the wheel and take the learnings with required modifications. The key areas that can be learned are from development required to improve human factors, simulation of disaster, aggregation of safety data, the role of regulator, post-accident analysis, and feedback mechanism from front line crew.

The human-related factors in CROs can be improved by applying a similar technique like Aeronautical Decision Making (ADM) process , which will help in enhancing decision-making skills and personal characteristics. A CRO should evaluate his team’s capabilities, experience, and educational qualifications throughout the risk evaluation of the organisation. He should apply his judgment based on scenario analysis and stress testing to make intelligent decisions. He should also not succumb to the stakeholder’s pressure diluting risks. Similar to flight simulation for pilots, there could be a similar simulation for CROs in the financial services. An artificial scenario like the 2008 economic crisis, Enron failure, and sudden fall in stock price (dot com bubble) can be created for CROs to better prepare. The post-accident analysis is a secret behind the tremendous improvement in safety records; the financial industry can learn from its failures. Such post-corporate failure investigation should be made mandatory, and a copy of such report should be tabled with the relevant Board for improvement and strengthening training program.

What next?

Many failures have been analysed after they occurred. It is easy to work on the available data and pinpoint what exactly went wrong, but have we learnt the lessons? The future is uncertain, and the skill of risk managers will be measured by how many adverse risks have been averted and not by how many have been analysed. There seem to be some gaps in regulation and ERM framework that need to be plugged in to improve the stability of financial institutions.  

A few messages are emerging quite clearly. Firstly is to not ignore rare scenario on the pretext that it may not happen. Secondly, there is a stronger need to improve risk culture and to strengthen the ERM framework. Finally, a wider embrace of automation in risk management is the need of the hour.

Learning from aviation sector to be included in the corporate risk management to avoid reinventing wheel.

References

CPD: Actuaries Institute Members can claim two CPD points for every hour of reading articles on Actuaries Digital.