The world has seen the collapse of Silicon Valley Bank, a medium-sized bank focused on tech startups, after panicked depositors rushed to withdraw their money. Several factors led to the collapse of the bank, one of which was the absence of diversification. A typical bank run occurred, in which a large number of customers withdrew their deposits simultaneously due to concerns about the bank’s ability to meet its financial obligations.
Silicon Valley Bank Collapse: Move Beyond Check-box Risk Assessment and Compliance
The bank’s depositors primarily consisted of startup firms that received significant investments in cash, as technology was in high demand during the pandemic.
What went wrong?
The bank had placed a large bet on Treasury bonds when interest rates were low, and these bonds carried substantial interest rate risk. The bank’s quest to ride the yield curve for income was very much in focus, and it invested a significant amount of deposits in the held-to-maturity (HTM) portfolio, where the investments would not have to be marked-to-market. However, the available-for-sale (AFS) side of the portfolio is subject to reporting unrealized gains or losses due to changes in the valuations of those assets that remain on the balance sheet. As interest rates rose quickly in 2022, the value of those assets declined, and the bank was therefore forced to sell its AFS assets at a loss, igniting the stampede to withdraw deposits once the word got out. SVB’s liquidity risk management practices were deficient, and there was a lack of risk management oversight by the board and the risk management team.
Lack of risk controls
According to several sources, BlackRock’s consulting arm warned Silicon Valley Bank (SVB) in early 2022 that its risk controls were “substantially below” its peers. SVB hired BlackRock in 2020 to analyze the potential impact of various risks on its securities portfolio, later expanding the mandate to examine the risk systems, processes and people in its treasury department. BlackRock delivered a risk control report in January 2022 with a “gentleman’s C”, finding that SVB lagged behind similar banks on all 11 factors considered and was “substantially below” them on 10 out of 11. SVB listened to the criticism but rebuffed offers from BlackRock to do follow-up work.
Inadequacy of regulatory reforms and oversight
While some commentators had warned about the bank’s rising vulnerabilities, regulators failed to notice its clear risk-control flaws and losses disclosed in its Securities and Exchange Commission filings. This highlights the importance of tightening banking rules and ensuring a culture of regulatory oversight and regular supervision to prevent similar collapses in the future. The failure of regulators to act has led to a financial crisis and a federal-government bailout, with depositors facing potential losses.
Compliance is not a fad
Compliance is usually seen as a chore. Many businesses view risk and compliance as a necessary inconvenience to appease regulators rather than an integral part of their growth strategy. Compliance measures, such as policies, controls, and processes, are often seen as burdensome and hindering progress. Business units may view compliance as a tedious task to complete quickly rather than recognizing its significance.
Moving beyond check-box risk assessment and compliance
When companies adopt a check-the-box approach to risk assessment and compliance, it can result in a narrow perspective focusing solely on meeting the minimum standards required for passing audits. This limited viewpoint may cause teams to overlook critical security and resiliency issues that could pose a greater risk to the organization. While this approach may achieve short-term goals, it may also leave vulnerabilities undiscovered and create obstacles for future audits.
To effectively manage risk, banks must transform the role of their compliance departments from being advisory to taking a more proactive approach. Compliance teams must expand their responsibilities beyond providing advice on legal and regulatory requirements and become co-owners of risks, providing independent oversight of the control framework.
Given the situation, the compliance function should expand its role and take up active ownership of the risk-and-control framework.
The compliance function’s responsibilities should include:
• Offering practical perspectives on how laws, rules, and regulations apply to different business areas and processes and translating them into operational requirements.
• Establishing standards for risk materiality, such as defining material risk and tolerance levels, and linking them to risk appetite.
• Developing and managing a comprehensive risk identification and assessment process, including creating a comprehensive risk inventory, using objective risk-assessment scorecards, and employing a risk-measurement methodology.
• Developing and enforcing standards for an effective risk-remediation process that addresses the root causes of compliance issues instead of just treating the symptoms.
• Creating tailored training programs and incentives that align with the realities of each job or work environment.
• Ensuring that the front line effectively implements the processes and tools developed by compliance.
• Approving clients, transactions, and products based on predefined risk-based rules.
• Conducting regular assessments of the overall compliance program.
• Understanding the bank’s risk culture, strengths, and potential shortcomings.
People, Process, and Technology
Compliance and risk management is no longer considered a mere obligation for businesses, as the risks, challenges, and regulatory changes they face have increased. A consolidated, systematic framework for compliance management is crucial for organizations to avoid penalties, security breaches, reputational damage, and business failure. To ensure effective safeguarding, the compliance management process should encompass all three aspects of people, process, and technology.
To ensure effective compliance, developing internal policies that align with industry best practices is important. By establishing a culture focused on high standards, your team will be motivated to strive for excellence in quality. To achieve this, create policies that comply with established compliance management standards, and integrate them into a comprehensive compliance plan. Encourage every employee to view compliance as an integral part of their key responsibilities rather than just a routine business process.
Achieving a balance between the three components of a compliance management program may appear daunting, but it can be accomplished with VComply, a GRC platform. By implementing an efficient compliance management framework, you can plan, protect your organization from severe penalties, and enhance your reputation in the industry.