Although a lot of work is going into improving the resilience of financial services firms, recent events including the fall of Silicon Valley Bank and the current finance sector situation in the European markets are hard proof that there is still much do. What happened and what can be done to prevent such severe disruptions and improve the path to recovery?
The story of a recent operational resilience scenario
The financial services sector has been recently marked by several significant operational resilience scenarios. On March 10, 2023, Silicon Valley Bank (SVB) suffered a bank run and a capital crisis, leading to the second-largest failure of a financial institution in US history since the 2008 financial crisis. The unprecedented speed at which depositors were able to withdraw their money through online banking, fuelled by panic tweets and social media, caused a confidence crisis that the SVB couldn’t weather until the close of the market. Other tech lenders such as First Republic, PacWest Bancorp, and Signature Bank were impacted, but their relatively small size meant that their disruption did not have a significant systemic impact on the financial services sector. This has however raised concerns about the safety of money in banks in Europe and the UK, adding to the global financial instability that the world is witnessing. Another example of operational resilience scenario is the current Credit Suisse’s situation after their acknowledgement of “material weaknesses” in the bank’s internal controls over financial reporting and risk assessments.
Failing to address gaps in operational resilience and risk management
These events have highlighted the importance of risk management and operational resilience in the financial services sector, particularly given the increasing reliance on online banking and social media. They have also raised many concerns about the situation of banks today, adding to the instability caused by aggressive increase in interest rates in the past year to “fight inflation”.
The lack of a Chief Risk Officer (CRO) at SVB between April and December 2022 is concerning. The role of a CRO is crucial in reporting to the board of directors about exposure to financial, regulatory, operational, competitive, or other risks faced by a firm, advising the board on measures to minimise or manage these risks, or being accountable for any failures in implementing the decided measures.
The absence of a CRO raises the questions about how the board of directors obtains visibility on the firm’s risk profile and who is accountable for risk oversight? Additionally, it appears that all board members of SVB lacked risk expertise, which may have led to an inadequate understanding of the right questions to ask.
The events mentioned above indicate failings in risk and resilience governance, particularly in calculating the risk model of the banks and understanding the sensitivity of their liquidity risk profile. SVB particularly concentrated on the highly volatile market of tech ventures, with long-term Treasuries and low-yielding assets. It seems to have failed in accounting for the degree and, maybe most importantly, the speed by which depositors would withdraw their money.
Was the bank’s operating model adapted to the bank’s important business services?
Finally, during these uncertain times, issues in risk and resilience controls and procedures were quick to manifest in the face of the financial market turbulence. These issues raise questions about the types of reviews and controls that are being performed by banks and the role that the banks’ culture play in eroding customer trust.
Lessons learned
- Adequate risk and resilience oversight, provided by expert personnel, is essential to navigate emerging threats and ask the right questions for the resilience of the bank
- It is essential to ensure that the bank's operating model is adapted to its important business services
- It is crucial to perform reviews and controls to identify potential issues and risks, and the role of the bank's culture in eroding customer trust should be examined.
- Contingency planning scenarios must be continuously performed to ensure preparedness for unexpected events
The way forward for your operational risk and resilience maturity
Many questions remain to be answered following current situations, and more than ever, firms need to act and be better prepared. At Wavestone, we’ve been supporting clients since 2019 in:
- Designing and enhancing Risk Governance and Oversight models across the three lines of defence
- Assessing their operational resilience capabilities including governance and controls in order to identify gaps and remediation plans (Operational resilience self-assessment)
- Supporting financial services firms be prepared to face and recover from emerging threats (Organising a crisis exercise)
- Embedding an operational resilience culture across their organisation (Developing your resilience culture)