Critical risk management lessons from SVB's demise

What was Silicon Valley Bank and what did it do?

SVB was founded in 1983 by two financiers to meet what they perceived as a gap in funding for tech startups in California. From the beginning, it was much more open to startups than conventional banks in its willingness to lend to these fragile borrowers. It established a close relationship between the bank’s key people and the Venture Capital community, underwriting their deals, lending and taking deposits of surplus cash.

It ran events to help startups make contact with VCs and build relationships with other tech investors. In turn, it was commonly recommended by VCs to their clients as the bank in which to place their newly raised VC money.

Over the years its reputation grew in the tech world, and more recently it built overseas operations which had a similar focus. Very low interest rates fostered its growth and it tripled in size between 2019 and 2022, so that by 2023 total assets amounted to $209 billion, with $175bn in deposits.

Eventually, by some reckoning, it was handling finances for half of America’s startups.

A failure in risk management

The bank was run with a very different culture from mainstream banks, to the extent that some of the most senior executives worked from home, sometimes in very distant locations. Despite being the 16th-largest bank in the US with $209 billion in assets by the end of 2022, it was still too small to be deemed a systemic threat, so was subject to less severe compliance checks by the Fed or to some of the Basel rules on liquidity. Hence its inherent risks were not taken as seriously as would otherwise have been the case. In fact, investment giant BlackRock was invited to do a risk analysis in 2020 and subsequently reported that SVB failed 11 out of 11 tests. SVB declined to ask the Black Rock team to follow up its findings. To make it worse, SVB had no Risk Manager for eight months up to January 2023.

The bank’s unique risks derived from firstly its client base, secondly where it placed its funds, and thirdly its failure to hedge. Hence when its traditional banking model of borrowing short and lending long came under sudden pressure, it led to an even more sudden collapse.

SVB’s limited number of clients included relatively few wealthy individuals and less than thirty thousand corporates, concentrated in the tech industry and VCs. Or as one insider put it, a small number of investors who ‘exhibit herd-like mentalities’, leaving it vulnerable to sudden, massive withdrawals. And it was narrowly focused on services to risky, collateral-light tech startups which provided little cover for rapid asset realization. Moreover, it also invested in VC funds backing tech startups and as a limited partner – similarly locked-away assets, difficult to realize at short notice.

In fact, seeking return and security in an era of extraordinarily low interest rates, as more money flowed in than it could lend, SVB invested a large part of its deposits in long-dated (‘safe’) government bonds (Treasuries) and mortgage bonds to get the best returns, most bought at peak prices.
The crunch came as interest rates were rapidly increased, driving down bond prices and giving rise to a dangerous unrealized loss. Thus Treasuries yielded less than 1% in 2020, compared with a current yield of more than 3.5%. The final and disastrous vulnerability was that these investments were not hedged against the massive interest rate changes.

Increasing the vulnerability to sudden withdrawals, since most of the deposits exceeded $250,000, the limit covered by the Federal Deposit Insurance Corporation, nearly 90% of deposits were uninsured.
 

Unrealized losses, unrealized risk

SVB was facing the danger of unrealized losses, due to rising rates adversely affecting the value of fixed interest investments. This was coupled with longer-term dangers of rising rates (payable to short term depositors) potentially exceeding lower rates of return (on longer-term investments), raising the prospect of the bank having to sell some of the assets to make up the difference, thereby crystallizing the losses.

Unrealized losses were addressed in financial statements but not reflected directly in the SVB balance sheet, since the accounts were allowed to value these government bonds at their maturity value, as if they were being held to maturity (HTM). This effectively hid the dangers lurking if there was a sudden need to sell to provide liquidity following, for instance, a withdrawal of deposits.

What brought the roof in was the Chief Executive’s announcement on Wednesday 8 March of a plan to raise $2.25bn, mainly in shares, to compensate for $1.8bn of unrealized losses on some investments arising from recent interest rate rises by the Federal Reserve. In fact, the total unrealized losses had now risen to nearly $16bn, more than its equity value.

After the announcement, the share price collapsed, so the Chief Executive called an urgent meeting of the bank’s VC clients to ask them to stay calm, as the bank was in good shape to carry on.

Unfortunately, it had the opposite effect. VCs started advising their clients to withdraw funds (good Treasury management to diversify providers), which prompted a run on the bank. The next day $42bn, one fifth of its deposits, was withdrawn within hours.

By Friday, the Federal Deposit Insurance Corporation (FDIC), recognizing that the bank wouldn’t have the liquidity to cover the anticipated withdrawals, stepped in to close it. SVB was bust and the VCs were blamed for killing their own relationship bank.

Good risk management is all about what is yet to be realized. Failure to assess risks, perform sensitivity to potential risk, and mitigate what may unfold left SVB with unrealized and uncontrolled risk. SVB failed to take action against its inherent risks. Were these even tabled?   It’s risk management 101. 
 

The fall out of risks becoming reality

Tech startups, often with little cash on hand, were suddenly faced with regular outgoings such as payrolls to pay, but their deposits were locked away. Concerned landlords started demanding new letters of credit, failing which, leases would be terminated.

There were attempts over the weekend by the FDIC to find a buyer, but no takers emerged in the short time available, as a solution had to be found before the start of business on Monday. Notwithstanding the fact that their withdrawal of funds had precipitated the crash, there was intense lobbying by VCs for the state to provide cover to stave off what they described as a mortal threat to the tech industry and innovation, particularly in the context of the competition in this sector between the US and China.

The geopolitical threat may have tipped the balance, but the authorities decided that they would deem the event to be a systemic threat, and they ended up offering a guarantee to all depositors including those with balances over $250K. The quid pro quo was that shareholders and bondholders were wiped out, and the cost was to be covered by a ‘special assessment’ on banks generally.

The UK arm was bought by HSBC.

In the days that followed, notwithstanding the protection now offered to all depositors, there were massive transfers of deposits from smaller regional banks to the largest banks, effectively consolidating the position of the small number of biggest banks, the opposite of policy objectives following Dodd-Frank.

The FDIC was aiming to sell SVB’s remaining assets as soon as possible, and in the non-bank world, the big private investment firms started looking to acquire the parts of the SVB portfolio that might fit with their own plans.
 

Questions to ask and lessons to be drawn

At an FT webinar towards the end of the week, a panel of experts considered the lessons to be drawn from the crash, and their conclusions included the following:

• This was terrible balance sheet management, and the absence of a Chief Risk Officer for many months was gross incompetence on the part of management.
• The risk management function was not powerful enough. The traders make the business, leading to a tendency for banks to break their own rules.   
• The accounting rules didn’t reflect reality. This was not a liquidity problem but a fundamental issue of solvency resulting from misunderstanding the maturity transformation risks.
• SVB was the go-to bank in Silicon Valley; no-one will replace it.
• Fair or not, it was only natural that the VCs should look after their own interests first, even if their actions were what caused the downfall of the bank.
• SVB was systemic, even though it was categorized as non-systemic.

Clearly the immediate problem was defective risk management. In the absence of a Risk Officer, existential risks were identified too late. A key takeaway is the importance of integrated risk management. For example, the inherent risk of moving interest rates was further heightened by the lack of hedging in place. SVB accounted for bonds at HTM, but a further look at sensitivity would have integrated the cash flow risk being placed on deposits held.  

Risks have to be linked to form an integrated and holistic view of their potential impact, and thereby controls to mitigate. Looking at risks in silos only allows you to focus on the trees. Only by looking at the full picture of integrated risks do we see the entire forest, and therefore get a true picture.
 

Risk management failure can be catastrophic

For organizations to make risk decisions with confidence, the integrated risk environment demands an agile and holistic approach. 

For a complete understanding of your risk position, it's essential to consider all risks and how they may affect the organization as a whole. This requires a system that allows for the management and monitoring of all risks simultaneously, one that is easy for the rest of the business to engage with, so that non-GRC staff can also log events and support risk managers.

Amid new regulatory standards emerging for operational resilience, this becomes even more critical. Operational resilience is all about identifying and scenario testing what could potentially harm your consumers. If SVB had integrated good operational resilience and controls, they would have seen this coming a lot sooner than they did. Learn more about FCA-mandated operational resilience in the UK here, or read up on APRA’s emerging requirements in Australia here.