Silicon Valley Bank (SVB) Failures in Risk Management:
Why ERM vs GRC
By Steven Minsky | May 5, 2023
Silicon Valley Bank (SVB) was closed by regulators, reminding us of the recession associated with Lehman Brothers and Washington Mutual Bank in 2008. Some are quick to conclude that rising interest rates and COVID-driven disruptions are to blame. As an Enterprise Risk Management expert, however, my conclusion is that it is about SVB's negligence. We will see shareholder lawsuits and regulators pick over the bankruptcy proceedings as they do their post-mortem. I predict that by next year they too will conclude that it was a failure in risk management. Here is why:
In my 18 years as CEO of LogicManager, I have observed a pattern that for every corporate mishap, cybersecurity breach, corporate fraud, or non-compliance finding, experts within the company attempted unsuccessfully to escalate their concerns six months or more prior to the mishap. This pattern demonstrates that these risk events are fully preventable with a quality ERM platform and associated ERM best practices as a cross-functional program. Failing to implement an ERM program under these circumstances is negligence. Following the Great Recession, regulators began requiring enhanced disclosure about risk and corporate governance. The courts put protection in place at the Federal level for organizations adopting an ERM program to receive credit for the effectiveness of their programs.
SVB Collapse Highlights Importance of Forward-Looking Risk Assessments through ERM
The collapse of SVB is only sudden and unexpected when one limits oneself to the traditional linear approach to governance, which looks at the past and compares it with the present, like “Mark to Market” valuations that give a daily appraisal of a company’s current financial situation based on today’s market conditions versus yesterday’s.
However, those who follow the risk-based principles of Enterprise Risk Management know the importance of instead looking to the future with risk assessments. ERM seeks to identify possible risks by asking forward-looking questions like “Will the market be the same 9 months from now? What are the observations of front-line employees? What have they seen change?” ERM programs and their platforms engage employees across the enterprise holistically to explore control weaknesses and gaps in monitoring for forward-looking scenarios that were not anticipated by the current GRC controls and testing.
For those who take a forward-looking approach to risk, it is evident that SVB did not practice ERM for most of 2022. Instead, it continued investing as it had in 2020-2021, driving through the rearview mirror by asking “Is today like yesterday?” Despite clear market shifts towards higher interest rates, SVB sampled quarterly with no further action, assuming its controls were sufficient. If SVB had instead looked forward, as Enterprise Risk Management principles tell us to do, it would have seen that a recession was looming and that inflation would not be transitory. Instead, SVB treated the evidence as inconclusive, so its strategy continued unchanged.
When the lobbying records of those who criticized the Federal Reserve for increasing interest rates and enforcing regulations for safety and soundness transparency are revealed, I believe that SVB lobbyists will be on the list, advocating for the status quo to continue so they could milk their current strategy for a little longer. I suspect that if you dig into Credit Suisse, Silvergate Capital, Signature Bank, and FTX you will see a similar pattern of negligence due to poor Enterprise Risk Management. Companies may use the rearview approach of GRC to selectively find and present information that supports their current practices, rather than adopting the forward-looking approach of Enterprise Risk Management (ERM) to proactively identify and address potential risks and adapt as the market and their customers’ behavior evolve.
To dive into this deeper, let’s examine the difference between ERM and GRC tools. A GRC tool will validate that reports were generated, that the applicable tests were conducted, and that the work of the relevant rating agencies, lawyers, investment bank analysts, and external auditors was completed on time and within budget, all as expected based on rules, controls, and tests that were written years before under a pre-pandemic economy. An Enterprise Risk Management assessment would not have focused on the past and the company’s reliance on auditors, rating agencies, investment banker analyst firms, lawyers, and the like. Instead, it would have focused on uncovering and connecting related factors, such as the 9-month gap last year during which SVB had no Chief Risk Officer, and a dozen other red flags that will soon be revealed in various news reports and regulatory investigations. Through a traditional GRC approach, these red flags were explained away as out of scope. However, all of these red flags are simply “risks” that could have, should have, and would have been uncovered as part of a robust ERM program’s analysis and reporting package.
Now you may be thinking: how can I learn from SVB? Read on to learn five actionable steps you can take.
Five Things ERM Programs Should be Doing Now to Prepare for 2024 and Beyond
1. Know your Third Party risks:
Many organizations rank their vendors based on how much money they spend with them. However, organizations with a strong Enterprise Risk Management (ERM) program take a more comprehensive approach. They evaluate their vendor and partner communities to identify the third parties they depend on the most and map them to the business risks, controls, and testing that rely on them. These organizations use various parameters to categorize their vendors and partners, including the financial or regulatory impact that vendors can have on their organization. For instance, banks and insurance carriers with robust ERM programs realize that investment research consultants and credit rating agencies, although they may have a relatively small spend, can have a significant impact on their investment portfolios if conflicts of interest, bias, or fraud go undetected. This impact could be greater than all of their other vendors combined.
For example, SVB had a Moody’s A1 issuer rating, and KPMG signed off on SVB’s audit just 14 days before it declared bankruptcy. Interestingly, KPMG was also the auditor for Signature Bank, another US bank that collapsed with a clean report just 11 days prior. A risk assessment of these vendor ratings clearly showed concentration risk in an industry highly sensitive to a rise in interest rates.
However, this raises the question: with all those reputable companies attesting to SVB’s strength, what did they miss? External auditors, rating agencies, and investment banker analyst firms are protected by free speech and have a financial stake in the companies they report on. Their opinions, such as “Audit Opinions” and “Credit Ratings,” are based on the information provided to them, and they cannot be held liable for errors and omissions. Unlike Enterprise Risk Management, they do not conduct their own risk assessments or collect third-party information to expose risks. Their role is to verify and fact-check what the company reports and to ensure it has appropriate controls. This role is important in corporate governance and complements the role of the Chief Risk Officer. However, it should never replace it.
2. Know your partners and follow the money trail:
Taking a risk-based approach allows you to identify potential risks in your partnerships and take proactive measures to protect your organization. For instance, intermediaries like tax collectors, payroll providers, and debt collectors hold money on behalf of their clients and rely on the return earned from holding the spread while aggregating the money. By performing enterprise risk assessments, you can identify such risks and put control measures in place, such as contractual terms that require vendors to hold the money in escrow, so that in case of vendor failure your organization remains protected. For example, instead of avoiding a collection agency because of its financial instability, organizations can work with it by ensuring that the money collected on their behalf is held in escrow.
Learn from successful organizations with strong Chief Risk Officers and Enterprise Risk Management programs. By taking a risk-based approach, they have been able to mitigate potential financial risks associated with third-party vendors. One such success story involves a company that used ERM to require their debt collectors to put the money they collected into an escrow account. This mitigated the risk of losing money if the collection agency went bankrupt. This approach was more effective than a traditional GRC approach and helped the company weather the downturn of the Great Recession.
3. Bridge department silos when doing Vendor Due Diligence Analysis and Assess Your Risk Maturity:
When you are thinking about due diligence to determine the risks that a vendor brings to your organization, ERM brings a broader view: “What job does this vendor perform for my process?” You can outsource the activity to the vendor, but not the risk. SVB may be a bank that you do not do business with, but have you done due diligence on the vendors that your top-tier vendors depend on? You may have far more concentration risk in the second and third tiers of your vendor ecosystem than you realize. In the case of SVB, it held the money of most venture capital-backed and equity-backed companies. When SVB was frozen, all the salary money for 85% of your tech vendors was also frozen. Imagine the contagion there. Have you evaluated the risk that a venture capital-backed or equity-backed vendor can bring to your organization? Their investors may decide to exit when the going gets rough and sell to the highest bidder, who may see that tech company as an opportunity to triple the fees overnight, knowing that companies need more than a year to migrate off a platform, and sometimes longer for core systems. The SVB scenario is a wake-up call for your ERM platform and program to know the other dimensions of your vendor and partner ecosystems.
To better understand your risk management program’s vulnerabilities and areas that need improvement, take the Risk Maturity Model Assessment. The RMM can help you identify gaps in your risk management framework and prioritize areas for improvement. It can also provide a baseline for measuring the effectiveness of your risk management program over time.
4. Ensure Vendor Compliance and Avoid Unwanted Associations:
In order to protect your brand and avoid unwanted associations, it’s important to ensure that your vendors are in compliance with relevant regulations and ethical standards. This means not only understanding who your vendors rely upon but also knowing who they do business with. Do they violate Russian sanctions or have Russian oligarchs as their investors? You should also investigate where their venture capital or equity capital comes from and whether they are a supplier to an entity that could be contrary to your company’s values. In these times of the See-Through Economy, even a beloved brand like Southwest Airlines could rely on outdated technology, leaving your employees stranded on holiday, or show up in support of political causes that may not align with your customers’ values. By taking proactive steps to ensure vendor compliance and carefully vetting potential business partners, you can protect your company’s reputation and avoid unwanted surprises down the line.
5. Improve Cybersecurity and Reduce Costs at the same time with a Holistic ERM Approach:
Most organizations are in the process of planning a cost-cutting initiative by simply requiring each division and operating department to reduce costs by 10%. In organizations without robust ERM programs, this results in layoffs followed by wasteful spending. Interestingly, like Reese’s peanut butter cups, two great things coming together often have a much better outcome than each operating separately in a silo. For example, something that ERM does and that GRC cannot is to create a new program called “Spend Risk Management” that brings the expertise of two or more governance skills together to produce a better result. ERM is a holistic discipline that sees hand-offs between departments and governance areas as a likely gap where risks go undetected. With ERM it is a straightforward exercise to combine the job of vendor due diligence and the job of security access rights reviews to reduce costs without creating vulnerabilities. Yes, GRC does vendor questionnaires, and a separate module does SOC2 certification reviews. However, GRC keeps them as totally separate modules, often even as two separate pieces of software from different companies, perhaps purchased and bolted together under one brand. This is GRC at its finest.
So let’s see how a practical example of this holistic approach works. A SOC2 audit only covers a limited subset of the product part of a company. It excludes all the business systems, which also hold customer-sensitive information. Therefore the GRC tools do not cover these systems.
However, ERM applies the same principles of SOC2 to all customer-sensitive systems, identifying areas of risk for breaches or ransomware attacks. An ERM approach does not treat these as separate, so it leverages the same controls and testing frameworks and therefore applies these much more robust control frameworks to the business side according to the tiered priority of risk management. Using ERM allows for transparency in vendor capabilities beyond the scope of SOC2, identifying overlap between vendor solutions and making cost-saving recommendations. Additionally, because an ERM platform is comprehensive in terms of Access Rights Reviews, it finds and coordinates unused user licenses at the time of renewal, resulting in cost savings. Not only will morale and productivity be improved with the risk-based approach of ERM, but important bench strength and business operating controls will be documented so that the staff shortages and turnover of the Great Resignation do not leave you vulnerable.
Learn From SVB’s Failure by Implementing an ERM Program to Proactively Identify Potential Risks and Areas for Improvement
I can assure every organization that uses a comprehensive ERM solution (not GRC) that they too can prevent non-compliance penalties, class-action or other legal actions that cause damage to their reputations and result in financial loss. How can Enterprise Risk Management software do this? I am known in my industry for this statement: “Enterprise Risk Management is all about the Known Unknowns.” These root cause risk elements are fully knowable at least 6 months or more in advance with Enterprise Risk Management.
How can I make such a statement? In every case, the root cause of a risk event that will cause damage to an organization is scattered across the company. Each of these risk elements is separated by company silos and levels, obscuring the meaning and significance of the information. Sometimes this information is buried within key partners. However, when these pieces are brought together, they form a comprehensive and unmistakable roadmap of the impact, the likelihood, and the organization’s ability to control the outcome.
Enterprise Risk Management people, processes, and systems can help any organization eliminate the possibility of being penalized by their regulator and prevent class-action lawsuits from their shareholders or damage from their activities if they simply follow the ERM guidelines and use LogicManager software to do so.
About the Author: Steven Minsky
Steven Minsky is a recognized thought leader in risk management and the CEO and Founder of LogicManager. Steven is well known for his prescient ability to guide organizations through future risk events. Steven is a frequent speaker in the Energy, Financial Services and Cyber industries. While the first wave of COVID-19 caught many organizations by surprise, Steven predicted the pandemic’s impacts and published action plans to help organizations prepare.