Auburn professor says the collapse of Silicon Valley Bank is all about failed risk management…

The “sudden” failure of Silicon Valley Bank earlier this month is a stark example of untethered risk-taking without a formal and effective risk management framework in place, according to an Auburn University Harbert College of Business faculty member who states that the bank’s vulnerabilities for failure should have been flagged and remedied years earlier through straightforward risk management measures. 

Damion McIntosh, a recognized expert in financial institution regulation and a senior lecturer in finance at Auburn, explains what led to the bank’s collapse and how such calamities can be avoided in the future. McIntosh argues bank executives, the board of directors and regulatory surveillance professionals alike need to be held accountable for the actions they took or failed to take. 

What are your thoughts about the collapse of SVB being a risk management failure, as it is being reported in the media? 

McIntosh: The collapse of SVB is a classic lesson in risk management gone wrong ­­— or more precisely, risk management asleep at the wheel. That became clear when SVB depositors withdrew tens of billions of dollars from the bank over a two-day period amid concerns about the bank’s liquidity, prompting the Federal Deposit Insurance Corporation, or FDIC, to quickly step in to take over the institution and guaranty depositors would immediately be able to access all their money — even those deposits well above the $250,000 limit current regulations require.

As experts investigate all the details, it is safe to say the failures in risk management at SVB are as many and as varied as those responsible for the decisions made —or not made — that contributed to this collapse. 

But in the rush to assign blame — and there’s plenty to go around — we’d do well to first take a close look at the first-stage origins of the core mismanagement of risk that ended up taking SVB down.

When we do, we will find that the problems that led to this bank’s collapse were identifiable and predictable literally years before the recent run on SVB’s deposits. What’s more, this closer look will also reveal that the bank’s vulnerabilities for failure could have been — and I’d argue should have been — flagged and remedied early on through straightforward risk management measures.

How does the concept of risk management apply to banks, a sector some might assume is supposed to be low risk?

McIntosh: Let’s be clear, risk in business is not an inherently bad thing. We need to recognize that, in order to make money, any business must take risks on many, many levels. That’s how business works regardless of sector, industry or location. We certainly don’t want to chastise banks simply because they are taking risks. 

But untethered risk-taking is extremely dangerous, especially for a bank. When banks take risks without a formal and effective risk management framework in place that is also closely tied to a strong governance framework, that’s a recipe for disaster. It appears that’s exactly what’s happened here.

What constitutes a “formal and effective risk management framework” when it comes to banks, and why does it matter?

McIntosh: To begin with, we need to look at the five components of an effective risk management framework. Banks need to have systems in place to adequately identify, measure, monitor, control and report their risk exposures. SVB’s risk management framework was clearly deficient since it is evident that it did not effectively manage the bank’s exposure to its funding risk, asset/liability mismatch risk, interest rate risk, funding liquidity risk and market liquidity risk. The bank’s governance framework (board of directors, executive management, internal audit, risk management) also failed to ensure that its risk management framework was adequately executed. Let’s talk about some of SVB’s risks that were evident:

1. Funding risk relates to the size, source, pace and characteristics of the deposits a bank takes in to fund their operations. In a robust risk management framework, a bank will profile their deposits and depositors — not all deposits carry the same level of risk. Some fall under the FDIC depository guaranty of $250,000 while some are much larger and, technically, not guaranteed. Importantly, in the case of business banks, the length of time those large deposits can be expected to remain in the bank are also critical factors in a depositor profile along with the size of withdrawals when they do occur.

2. Mismatched risk results from poorly matching the duration or maturity of assets and liabilities. When it comes to banks — which take in deposits that can be withdrawn without notice and use a large portion of that money to invest for long periods of time — the risk of not having adequate cash on hand when depositors demand it needs to be profiled and assessed on a regular basis.

3. Interest rate risk pertains to the impact on the market value of a bank’s investments resulting from fluctuations in interest rates. So, a bank is always looking ahead to the benchmark interest rate the Federal Reserve would likely set to determine the potential impact a potential change rate change would have on the market value of its investments. This risk is critical to decisions on the types and maturities of assets in which a bank invests and the liabilities — i.e. deposits — that fund those assets. This risk intensifies during periods when the benchmark interest rate set by the Federal Reserve changes frequently and by large margins as is currently the case.

4. Funding liquidity risk is the risk that a bank may not have the cash when depositors choose to make their withdrawals — regardless of the reason. In these cases, a bank has two options — either find the cash needed from the liability side of their balance sheet by borrowing more money or generate that cash by selling some of their assets. Each decision has repercussions that need to be assessed and managed appropriately.  This risk is easily intertwined with mismatch risk and so both must be managed together.

5. Market liquidity risk refers to the likely loss a bank may suffer from selling assets at a worst-off price because of its desperation for cash and to avoid further losses. When long-term financial instruments such as treasuries or bonds are forced to be sold before maturity, banks have to accept the current market value of those assets rather than their full-face value. In these instances, the current value of these assets can be far below what they would be worth if kept to maturity.

All these risk categories appear to have been in play when it comes to SVB, as further analysis is likely to show. 

Where should we start as the dust begins to clear and attentions turn to making sure this kind of bank failure doesn’t happen again?

McIntosh: One thing I’ve noticed in coverage of this bank failure is how little attention has been paid so far to the first category of risk outlined here — funding risk — as compared to the others. Why does this matter? Because, in my opinion, the failure to accurately assess funding risks is one of the most consequential errors SVB management and their board of directors made over the past three years that helped fuel the bank’s eventual demise. It all started there. It was the sleeping giant.

That means the source of this decline was really on the oft-overlooked liability side, not so much the asset side, as many are focused on. It was the types of deposits, the concentration of deposits and the rapid growth of those deposits that did them in. 

Back in 2020, SVB began accepting tens of billions of dollars over a very short period at favorably low fixed rates — effectively 0%. The bank turned around and invested those funds in long-term financial instruments, the value of which fluctuate over time based on myriad factors beyond their control. 

The problem with this funding scenario is that it failed to take into account the unique set of economic circumstances at work when they began their geometric growth in deposits and how those factors could change. In short, they failed to recognize that the vast majority of these new deposits were “fickle deposits,” as they are called. These large deposits — sometimes amounting to millions and even billions of dollars — were dramatically different from the much smaller deposits most individuals and businesses typically make. Many of these deposits were from venture capitalists, private equity firms, start-ups and other emerging companies that were being “parked” for relatively short timeframes — sometimes for only a few months.  

What would having a robust risk management framework in place have afforded them? 

McIntosh: I can’t say whether they didn’t recognize or chose to ignore these early warning signs — I wasn’t in the room. But a formal and effective risk management framework would have prompted questions like “Who are these depositors? Are they core depositors who are likely to leave their money in our bank for a long period of time? Can we count on them to keep their money with us should we face challenging times? In what industries do they operate? What is the likelihood of any serious risk happening in those industries that might cause them to come and pull their funds immediately and in what magnitude? Will others follow them with withdrawals of their own? And if they do pull their deposits, what will happen to our balance sheet if we try to replace them with other depositors? Can we reasonably expect we could quickly replace deposits this large even if we wanted to? From where and with what ease could we tap other sources of liquidity/funding if we needed it?”

They would have stress-tested the impact of the answers to all these questions on their bank’s financial health and developed what-if scenarios and clear sets of actions in advance of taking in these deposits. An effective risk management framework would have identified all those risks, measured all those risks, monitored all those risks over time and implemented tools designed to control them. Importantly, the board of directors would have been apprised of the resultant risk profile so that appropriate operational and strategic decisions could be made. 

That’s what a depositor profile does — it provides the insight and objective reasoning required to make sound asset/liability management decisions. Perhaps SVB would have capped deposits or slowed the rate of their acceptance had a robust risk management framework — complete with depositor profiles — been in place. 

Again, we don’t yet know how diligent the risk management function was at SVB back when this unprecedented growth in deposits began, but we do know that the role of Chief Risk Officer at SVB was vacant for much of the past year. That fact alone should have been a huge red flag.

You mentioned that a “governance framework” also plays a key role in all this. Can you explain what that is and why it matters? 

McIntosh: This is where the final aspect of a sound risk management framework comes in — reporting. Had the risk function done all that it should have, SVB’s executive team would have reported their findings to the board, and the board would see all these numbers, they would interrogate them and ask the management team how they intend to prepare for the various scenarios identified. Had effective risk management policies been in place, that internal audit would have reviewed the adequacy of risk controls and reported on any excesses in risk limits/thresholds to the board. That puts ultimate accountability directly in the hands of the board of directors.

Is there anything you can say about the role of the board in preventing such a collapse? 

McIntosh: We need to first remember that, as a separate legal entity, the SVB Board of Directors doesn’t work for the management of the bank, it works on behalf of the bank’s shareholders. They perform an oversight function. How well they did their job in the case of SVB is, of course, open to question since SVB’s shareholders and some of the bank’s unsecured bondholders will likely lose everything.

What are your thoughts about the board and accountability? And what about current regulations? Did they work as intended?

McIntosh: Shareholders and unsecured bondholders should really be holding the board of directors accountable, and we’re already seeing this with the recent filing of a class action lawsuit being filed against the parent company of SVB, its CEO and its chief financial officer. I'm hoping the judiciary process will see that the accountability to shareholders falls squarely on the board here for their actions/inactions.

As for whether current regulations worked as planned or if we need stricter rules, I wouldn’t say the regulations failed, but that the details concerning which banks were subject to them were not as properly defined as they could be. The problem is with the term “systemically important financial institution,” which is typically interpretated to apply simply to the size of the institution without taking into consideration aspects of the bank’s interconnectivity or any potential contagion risks across the tightly interconnected global financial industry that might result from its failure. 

What does SVB’s failure mean to the viability of regulations in place today? 

McIntosh: In the end, the issue behind SVB’s collapse is not essentially a regulatory one. But certain clarifications of our current regulations should be considered: 

• • • While we must avoid — as much as possible — rushing to make reactionary changes to such important regulations, we do need to be proactive in better defining what “the presence of systemic risk” means and categorize financial institutions accordingly before their failure. 

This is far from unprecedented. In fact, this is exactly the reasoning used by the FDIC, Federal Reserve and U.S. Department of the Treasury when they agreed to exercise the “systemic risk exception” of the Federal Deposit Insurance Corporation Improvement Act of 1991, or FDICIA, in making their decision to cover SVB’s uninsured deposits.  

• • • Another factor for consideration is that the risk-based (variable) deposit insurance structure adopted by the FDICIA back in 1991 levies insurance premiums on banks based on their risk profiles while simultaneously establishing a set maximum (fixed) deposit insurance payout that is not sensitive to the bank’s funding risk.  

Here’s the dilemma: The majority of deposit accounts at a given business bank typically exceed the $250,000 limit, meaning a high percentage of these banks will have uninsured depositors who are more likely to withdraw 100% of their funds when triggered by uncertainty compared to smaller depositors who are fully protected by FDIC deposit insurance and, hence, are considered by them to be safe.  

That’s because a bank’s funding risk (deposit profile) is linked to the probability of a liquidity issue prompting a run on that bank. This tells us that a single, fixed maximum payout applicable to all types of deposit accounts — regardless of the deposit account’s characteristics — may not be the most appropriate methodology. A deposit payout structure that is tiered and tied to the risk profile of the depositor and integrated into the calculation of their corresponding deposit insurance premium may be much better suited to assuring depositors and minimizing the occurrence and impact of potential bank runs.

The lesson to be learned here is that the first step in executing an effective risk management framework for banks and other deposit-taking institutions is to institute a robust deposit profiling process and ongoing supervisory depositor tracking methodology. 

After all, that’s where SVB’s problems began in the first place.