Although a lot of work is going into improving the resilience of financial services firms, recent events including the fall of Silicon Valley Bank and the current finance sector situation in the European markets are hard proof that there is still much to do. What happened, and what can be done to prevent such severe disruptions and improve the path to recovery?

The story of a recent operational resilience scenario

The financial services sector has recently been marked by several significant operational resilience scenarios. On March 10, 2023, Silicon Valley Bank (SVB) suffered a bank run and a capital crisis, leading to the second-largest failure of a financial institution in US history since the 2008 financial crisis. The unprecedented speed at which depositors were able to withdraw their money through online banking, fuelled by panic tweets and social media, caused a confidence crisis that SVB couldn’t weather until the close of the market. Other tech lenders such as First Republic, PacWest Bancorp, and Signature Bank were impacted, but their relatively small size meant that their disruption did not have a significant systemic impact on the financial services sector. This has, however, raised concerns about the safety of money in banks in Europe and the UK, adding to the global financial instability that the world is witnessing. Another example of an operational resilience scenario is Credit Suisse’s current situation following its acknowledgement of “material weaknesses” in the bank’s internal controls over financial reporting and risk assessments.

Failing to address gaps in operational resilience and risk management

These events have highlighted the importance of risk management and operational resilience in the financial services sector, particularly given the increasing reliance on online banking and social media. They have also raised many concerns about the situation of banks today, adding to the instability caused by the aggressive increase in interest rates in the past year to “fight inflation”.

The lack of a Chief Risk Officer (CRO) at SVB between April and December 2022 is concerning. The role of a CRO is crucial in reporting to the board of directors about exposure to financial, regulatory, operational, competitive, or other risks faced by a firm, advising the board on measures to minimise or manage these risks, and being accountable for any failures in implementing the decided measures.

The absence of a CRO raises questions about how the board of directors obtains visibility of the firm’s risk profile and who is accountable for risk oversight. Additionally, it appears that all board members of SVB lacked risk expertise, which may have led to an inadequate understanding of the right questions to ask.

The events mentioned above indicate failings in risk and resilience governance, particularly in calculating the risk model of the banks and understanding the sensitivity of their liquidity risk profile. SVB particularly concentrated on the highly volatile market of tech ventures, with long-term Treasuries and low-yielding assets. It seems to have failed to account for the degree and, maybe most importantly, the speed at which depositors would withdraw their money.

Was the bank’s operating model adapted to the bank’s important business services?

Finally, during these uncertain times, issues in risk and resilience controls and procedures were quick to manifest in the face of the financial market turbulence. These issues raise questions about the types of reviews and controls that are being performed by banks and the role that the banks’ culture plays in eroding customer trust.

From a systemic perspective, regulators were quick to reassure the public about the stability of the financial system in response to recent events. Federal regulators in the US reassured investors that the banking system is "capable and resilient," while EU financial experts emphasized that the type of regulation and stress tests required were stringent. Similarly, the Bank of England released a statement stating that "the UK banking system is well-capitalized and funded and remains safe and sound."

However, from the banks' perspective, the gaps in defining an adequate risk model were the result of a combination of external events and internal corporate oversight, governance, and poor controls. Despite the existence of formal risk policies, they were not fully embedded in the ways of working of the banks. A vacuum of risk leadership, as evidenced by the lack of a CRO at SVB, and the effectiveness of operational controls are examples of issues that need to be addressed. The absence of the CRO for the best part of 2022 is being examined by the Federal Reserve as part of its investigation into the bank’s failure. It is essential to ensure that risk management practices and risk policies are not just theoretical, but fully integrated into the banks' operational procedures.

Lessons learned

  • Adequate risk and resilience oversight, provided by expert personnel, is essential to navigate emerging threats and ask the right questions for the resilience of the bank
  • It is essential to ensure that the bank's operating model is adapted to its important business services
  • It is crucial to perform reviews and controls to identify potential issues and risks, and the role of the bank's culture in eroding customer trust should be examined
  • Contingency planning scenarios must be continuously performed to ensure preparedness for unexpected events

The way forward for your operational risk and resilience maturity

Many questions remain to be answered following these recent events, and more than ever, firms need to act and be better prepared. At Wavestone, we’ve been supporting clients since 2019 in:

  1. Designing and enhancing Risk Governance and Oversight models across the three lines of defence
  2. Assessing their operational resilience capabilities including governance and controls in order to identify gaps and remediation plans (Operational resilience self-assessment)
  3. Supporting financial services firms to be prepared to face and recover from emerging threats (Organising a crisis exercise)
  4. Embedding an operational resilience culture across their organisation (Developing your resilience culture)

Although firms and regulators have done a lot of work to address risk oversight and governance weaknesses and resilience gaps, there is evidently still much to do. The recent events described here should serve as a wake-up call to trigger a review of corporate governance and risk management strategies and their effective implementation. Many initiatives, like the EU’s DORA (check out our article on Decrypting DORA) and the UK’s Outsourcing and third-party risk management expectations, are increasing scrutiny on controls (especially IT risks and controls). Evidently, however, firms should not limit resilience to a compliance exercise, but rather look to continuously improve their operational resilience capabilities in the face of increasing new threats.