What Recent Bank Collapses Tell Us About Risk Management

Boards must carefully evaluate their organizations' risk functions to make sure they are not blindsided by emerging issues.

The recent implosion of Silicon Valley Bank (SVB), First Republic and Signature Bank was the biggest series of bank failures since the financial crisis in 2008, leaving many concerned about the integrity of the banking system. While the details surrounding these recent failures may differ, the post-mortem reveals that they were all rooted in risk management missteps at the organizational level. Within the banking industry and beyond, those involved in the management and governance of public companies can learn from these mistakes and have a greater appreciation for the importance of risk governance and oversight to the long-term viability of their enterprise.

The Importance of Risk Management

The recent bank failures underscore the increasing importance of industry-specific risk management expertise. As we saw in 2008, uncommon lending practices to customers with higher risks resulted in the collapse of the entire financial services industry. Today, we are seeing a pattern emerging of banks with concentration risk in terms of their customer base (SVB's focus on tech start-up companies and First Republic's focus on wealthy individuals) and high-risk currencies (Signature's acceptance of crypto deposits). This has created an elevated percentage of uninsured deposits that exposed these banks to significant liquidity risk and ultimately resulted in their collapse. The common thread between 2008 and today is a lack of risk management expertise within these organizations to be able to anticipate and react in a timely manner to emerging risks created by rapidly changing market conditions.

On paper, most organizations appear to have the appropriate risk management governance structure in place through the establishment of a chief risk officer (CRO) and a board risk committee. However, the spirit of this structure may be lacking. For example, many risk committees do not have sufficient overall risk management expertise (2.5 years of experience on average), including expertise in complex risk areas like liquidity, credit, operational and market. Instead, priority is placed on individuals with specialized business expertise (e.g., capital planning and management), leaving organizations exposed to emerging risks created by a constantly evolving market. We also saw a clear example of this with SVB, which went eight months without a CRO during a critical period prior to the bank's collapse. Risk management can't be a “check the box” exercise; rather, it requires the right expertise and knowledge in the roles to be successful.

Three Lines Model

Coming out of the last financial crisis, we saw the rise of the “three lines of defense” model, which was widely adopted by financial services organizations. In this model, the business (first line) is responsible for managing its own risks and executing controls.

The second line is established as an oversight function to challenge the first line and usually consists of risk groups such as financial, information technology, legal and compliance, operational, strategic and human resources/talent management. The second line often includes more specialized groups to provide oversight of model risk, market risk, credit risk and liquidity risk, among others. The CRO usually oversees this second line, and their organization challenges the decisions that are made by the business.

The third line is the company's internal audit function. They are responsible for ensuring that the first line's controls are designed and operated sufficiently to prevent and mitigate the risks identified and managed by the second line.

It's unfortunate that 15 years after the 2008 banking crisis, we are seeing organizations repeat some of the same governance mistakes that led the economy to the brink. First-line management often views risk management and controls execution as a separate, secondary burden they “must” perform in addition to their day-to-day responsibilities. The second line often lacks the adequate industry-specific risk management expertise to sufficiently challenge the first line and be able to identify and communicate relevant risks and potential impacts to company leadership. They may also lack the authority to enact change. The third line often executes a static audit plan driven by coverage over a specified period, rather than a dynamic risk landscape, resulting in significant efforts focused on areas that do not address the most critical risks of the organization.

The future-ready organization has a “risk aware” culture in which the first line has risk management and controls execution built into the fabric of their daily activities. It is imperative that the first line, who often best understand the business, have an appreciation for why risk and controls are important, so they think about what could go wrong as the market is changing. This culture is enabled by a second-line risk function consisting of individuals with the general and specialized risk management expertise needed to help the organization keep pace with risk and market changes. The third-line internal audit function operates on an agile auditing plan, utilizing dynamic risk assessments that allow them to adapt and redirect their efforts to ensure that the control environment is designed and operated effectively. This will prevent and mitigate both the current and emerging risks that are most relevant to the organization.

As regulators focus on what changes may be needed in light of recent bank failures, the need for strong risk management within an organization and the potential consequences when such management is not in place will be a focus area for years to come. The Federal Reserve Board and FDIC are being questioned for their inability to prevent these failures and have not yet determined how to change their current requirements to prevent similar failures in the future. As such, it is more imperative than ever that organizations take it upon themselves to evaluate their risk functions and three lines models to ensure they are prepared to address emerging risks.

Jill Agudelo is leader of the risk & compliance practice at CrossCountry Consulting.
