Board members with risk management experience are important — but a company also needs a chief risk officer.
With the collapse of Silicon Valley Bank (SVB) dominating the headlines and the impacts reverberating through the banking industry, the incident has brought to the forefront several key ways in which the company’s board fell short of managing risk, ultimately precipitating the crisis at hand. Moving forward, there are important governance lessons that boards — both in the banking industry and more broadly — should take away from recent events and steps they should take to proactively manage their exposure to risk.
Lessons to Learn
First and foremost, board members cannot serve as a substitute for key executives. Case in point: The chief risk officer (CRO) position at SVB was left unoccupied for the better part of the past year, a period when board risk committee meetings more than doubled to 18, according to company records. CROs play a crucial role in the well-being of a financial institution and are the key operational resource for the risk committee. By failing to fill such a critical role in the management of enterprise risks, SVB left itself vulnerable to a situation exactly like the one that ultimately unfolded.
The chain of command for risk approval, management, mitigation and oversight needs to be prioritized. The management at each step must have more experience in these core risks than those seeking approval — a very simple best practice. Once the issue reaches the board’s risk committee, these risks should be prioritized based on the most significant threats to the organization. For SVB, this fundamental process broke down at the CRO level and was exacerbated by the lack of risk experience on the risk committee.
Additionally, boards should bear in mind that risk committees should be led by at least one individual who is a seasoned risk management professional. This professional must have prior experience identifying, assessing and managing risks inherent in a company’s business across the full economic cycle. In addition, this demonstrates the need for breadth and depth of risk management experience in the boardroom.
Large banks with $50 billion or more in consolidated assets are required by law to maintain a risk committee that reports directly to the bank holding company’s board. After the financial crisis, an amended version of the Dodd-Frank Wall Street Reform and Consumer Protection Act was passed, stating that risk committees must include at least one member with experience in “identifying, assessing and managing” risk exposures of large financial firms. However, experienced risk professionals are hard to find on the boards of the top 15 commercial and investment banks. Among the 15 banks with risk committees, members have an average of only 2.4 years of experience in a risk-related function as a chief credit officer, CRO or similar role. By contrast, members of their audit committees have an average of 9.5 years of experience as a CFO, a corporate accountant or in a capital management role. Unfortunately, the recent bank failures highlight the weakness of the banks’ board-level risk committees, which often lack risk management expertise.
Market participants also need to recognize that regulators are not the front line of defense when it comes to risk management oversight. Rather, this responsibility should fall to experienced members of the company’s risk management organization and to the risk committee of the board. Unlike the audit committee, enterprise risk management does not have the benefit of consistent oversight from a third party. Regulators should not be expected to replace management and the board’s responsibility to effectively manage and oversee the company’s risk appetite, exposure and mitigation activities.
SVB’s collapse was primarily a result of the bank failing to properly assess and manage risk and the board’s failure to recognize the magnitude of risk exposure created by investment decisions during a period of rapidly rising interest rates. It’s important that boards learn from this experience and proactively take steps to ensure their risk committee and risk management team are not set up to fail. By assessing the missteps in this incident, boards can emerge stronger and more informed.
Documents show that the Federal Reserve raised concerns about risk management at SVB starting at least four years before its failure. In January 2019, the Federal Reserve issued a warning to SVB over its risk management systems, according to a presentation circulated last year to employees of SVB’s venture capital arm. The Federal Reserve also issued a “matter requiring attention,” a type of citation that is less severe than an enforcement action. Regulators are supposed to make sure the problem is addressed, but it is unclear if the Federal Reserve held SVB to that standard in 2019. Over time, the central bank issued numerous warnings to SVB, suggesting the bank’s problems were on the radar of the Federal Reserve, the bank’s primary federal regulator. A central bank review of its oversight of SVB is due by May 2023.
This should be a learning moment in many ways. As the various parties pursue their claims, transparency in what took place is essential to educating all functions in this chain about where and when the warning signs were evident and how the right structure, tools and people can be put in place to avoid unnecessary disasters.
Simply having authority and improved tools and resources is not likely to be effective if those on the front lines don’t see the need for the tools’ existence or the culture isn’t one of compliance. There can be disagreements about the type of risk, the magnitude of impact and the urgency with which a new or developing risk should be addressed, but there has to be identification and resolution. This is best accomplished with tools to foster those discussions on a regular and recurring basis. Learning from the failures of others can be a powerful way to get all parties on a similar (if not the same) page. Seeing others fined billions for known failures — and thinking about how that would impact your organization — can be very motivating.
This article was originally published on DirectorsandBoards.com. John Olert is co-author of this article. He is a former chief risk officer at Fitch Group and managing partner at Continental Insights.