Assessing Risk Management Readiness

As recent events have shown, even large, sophisticated banks can fail. These failures have been the result of risks which generally are managed within bank treasury groups: market and liquidity risks. For these banks, decreased market values of high-quality assets, paired with excessive levels of uninsured deposits, was a fatal combination.

There are a number of proactive tangible steps that boards and management teams can take to evaluate and enhance their institutions’ current market and liquidity risk management practices, beyond first-tier risk management.

Let’s start with measurement. Virtually all banks calculate base case balance sheet interest rate and liquidity risks. They need to measure the short-term effects on net interest income, along with the effect on market values in both rising and falling rate scenarios. They should particularly scrutinize portfolios that require behavioral assumptions for cash flows: non-maturity deposits, loan commitment facilities and mortgage-based assets.

This is where banks frequently fall short in not creating sufficiently stressed scenarios. They view extremely stressed scenarios as implausible — but implausible scenarios do occur, as demonstrated by the pandemic-driven economic shutdown. And yet, considering every possible extreme scenario will lead to scenario exhaustion and balance sheet immobilization.

What to do? One approach is to reverse the process and ask, “Where are potential exposures that could hurt us in an adverse scenario?” Use large, rapid movements up and down in interest rates, changes in yield curve shape like inversion or bowing, customer actions that drain liquidity, and market situations which affect hedge market liquidity and valuations. These scenarios create stresses based on known relationships between market events and balance sheet responses along with the effects of uncertain customer behavioral responses in these environments.

From these scenarios, the bank would know the market value and net interest income effects on investments, loans and known maturity liabilities. On non-maturity deposits and undrawn amounts in committed loan facilities, the bank must rely on assumptions of how these items would behave in various scenarios. One starting place for setting these assumptions is the outflow rates provided in the liquidity coverage ratio rules, which can be used for base assumptions, followed by scenarios with variations around these starting levels of outflow.

Measurement may be the most straightforward element of managing balance sheet risks. Once the bank puts measurements in place, they must communicate, acknowledge and act on them. Each of these elements present an opportunity for breakdown that executives should evaluate.

Effective communication is the responsibility of both treasury and risk management teams. In normal operating times, treasury develops information and risk management challenges this information. Risk management must then interpret the results for executives and the board. This interpretation role is useful in normal operating environments, but critical in stressed environments; risk management amplifies treasury’s message to ensure timely and appropriate actions.

Effective balance sheet risk communication must be accurate and timely. These communications include two critical components:

  • They are layered. The first layer shows the status of compliance with policy limits. The second layer provides a narrative of the current balance sheet situation, operating environment, projected earnings and range of potential risks. Unfortunately, the second layer often is presented as a compendium of everything that has been calculated and analyzed — but this compendium of information should occur in a third reference layer.
  • They are designed for the intended audience. Asset/liability committee, executive management and the board each should be receiving a different form of communication that aligns with their decision-making role.

Acknowledgement and action both must occur outside of the treasury group. Executive management and the board must absorb the risk situation and act accordingly. There is one word that captures the likelihood that a bank will effectively acknowledge and act on a risk situation: culture. An effective risk culture is one where all parties strive to optimize returns within agreed risk parameters while looking to eliminate or mitigate risks where possible.

There are signposts of effective risk management that a bank can evaluate and act on now. Management teams and the board should be looking at their current risk management practices and determine:

  • Are the measurements correct?
  • Is the information on risks communicated in ways that are digestible by each intended audience?
  • Are policy limits comprehensive and aligned with risk levels required to support business activities?
  • Do risk management groups have unfettered access to all information, as well as regular interactions with key board members?
  • Is everyone working collaboratively towards optimizing long-term risk adjusted returns?

If the answers to all these questions are “yes”, then the risk management function seems to be effective. If not “yes,” use the markers described above as starting guidance on moving toward effective risk management.

Lessons Gleaned From Bank Failures

The postmortem regulatory reports on the failures of $209 billion Silicon Valley Bank and $110 billion Signature Bank are an emphatic reminder of the consequences of poor risk management.

Among the specific circumstances that contributed to their closures in spring 2023 is how their boards and management teams failed to effectively manage several core banking risks, including interest rate, liquidity and growth, according to reports from the Federal Reserve and the Federal Deposit Insurance Corp. The official reports confirm recent media reporting that indicated surprisingly lax risk management practices at the banks, both of which were some of the largest in the country. Community banks that may see themselves as having little in common with these large institutions can still glean insights from the reports — and perhaps, avoid their fates.

Santa Clara, California-based Silicon Valley Bank’s “rapid failure can be linked directly to its governance, liquidity, and interest rate risk-management deficiencies,” the Fed wrote. And the FDIC found that New York-based Signature Bank had weaknesses in “liquidity contingency planning, liquidity stress testing, and internal controls” that figured “prominently” in its failure.

Interest Rate Risk
“While interest rate risk is a core risk of banking that is not new to banks …, SVB did not appropriately manage its interest rate risk,” the Fed wrote. 

The bank’s interest rate risk (IRR) policy — which detailed how the bank would manage and measure interest rate risk — was vague. It didn’t specify which scenarios to run, how to analyze assumptions, how to conduct sensitivity analysis and it didn’t define back-testing requirements. The bank used “the most basic” IRR measurement available, despite its size.

Still, its models indicated the bank had a structural mismatch between repricing assets and deposit liabilities; as early as 2017, it identified breaches in its long-term IRR limits, the Fed wrote. But instead of addressing the “structural mismatch” between longer duration bonds and demand deposits, the bank adjusted its model to get better results.

“I lose count of the number of cognitive biases that got activated in their process — from confirmation bias and optimism bias to so much else,” says Peter Conti-Brown, an associate professor of financial regulation at The Wharton School at the University of Pennsylvania. “It is the most common story ever told: When you make big goals, you then try to rough up the ref so that you can get the outcomes you’re seeking. The ref in this case is basic bank accounting.” 

Additionally, Silicon Valley executives also removed interest rate hedges that would’ve protected it from rising rates, a move the Fed attributes to maintaining short-term profits instead of managing the balance sheet. 

“That’s more casino behavior than it is prudential behavior,” says Joe Brusuelas, chief economist at RSM US LLP. “It’s throwing the dice at a casino.”

Liquidity Risk
Both banks had an unusually large percentage of accounts that were over the $250,000 deposit insurance threshold, the withdrawals of which acutely contributed to their failures. 

“Uninsured deposits are considered higher risk as they are more prone to rapid runoff during reputational or financial stress than insured deposits,” the FDIC wrote. But Signature’s management didn’t develop a funds management policy or a contingency plan, in part because they didn’t believe those customer deposits would become volatile. 

“[Signature’s p]resident rejected examiner concerns about the stability of uninsured deposits as late as noon EST on March 10, 2023,” the FDIC wrote. New York regulators closed the bank on March 12. “[M]anagement’s lack of a well-documented and thoroughly tested liquidity contingency plan and its lack of preparedness for an unanticipated liquidity event were the root cause of the bank’s failure.”

Both management teams had assumptions around their deposit base that “just weren’t true” Brusuelas says. He adds that bank management teams now should reexamine their analytical framework around their liquidity risk management and strengthen governance policies and limits around their deposit mix.

The FDIC wrote that funds management practices should lay out how a bank will maintain sufficient liquidity levels, how it will manage unplanned or unanticipated changes in funding sources — like a number of large accounts withdrawing and how it will react and withstand changes in market conditions. The practices should also incorporate the costs of the backup liquidity or source of the liquidity, both of which may change under market stress.

Backup liquidity is crucial in times of stress. Silicon Valley Bank didn’t test its capacity to borrow at the Federal Reserve’s discount window in 2022; when the run started, it didn’t have appropriate collateral and operational arrangements in place to meet its obligations. 

“The fundamental risk of too much growth too fast is a failure of diversification,” Conti-Brown says. “Rapid growth comes [from] a sudden influx of funding … that goes into a small number of asset classes.” 

Both reports discuss how already-weak risk management was further exacerbated when the banks experienced rapid growth; risk management and control policies failed to increase in sophistication as deposits and assets grew. And neither bank seemed to revisit the appropriateness of risk management, governance and internal audit policies nor whether their boards had experience levels commensurate with the institutions’ new sizes as they grew.

Silicon Valley Bank’s growth “far outpaced the abilities of its board of directors and senior management,” the Fed wrote. “They failed to establish a risk-management and control infrastructure suitable for the size and complexity of [the bank] when it was a $50 billion firm, let alone when it grew to be a $200 billion firm.”

The reports make a compelling argument that active and constant risk management plays an important role in the long-term financial solvency, success and continued operations of banks. Boards and executives at institutions of all sizes can learn from the risk management failures at these banks and revisit the appropriateness of their risk management principals, policies and models as the economy continues to shift. 

“The goal of risk management is not to eliminate risk,” the Fed wrote. “but to understand risks and to control them within well-defined and appropriate risk tolerances and risk appetites.”

Risk issues like these will be covered during Bank Director’s Bank Audit & Risk Conference in Chicago June 12-14, 2023.