The following is an article published in the latest issue of Enterprise Risk Magazine (Summer 2023) starting on page 16. This article was authored by Michael Rasmussen, Analyst & Pundit at GRC 20/20 Research, and William Gonyer of Group697.

The latest banking crisis in North America has put potential failures regulation, governance and risk management back in the spotlight crisis is back.

Springtime often becomes a metaphor for change, new growth and transformation. While change and transformation tend to be the by-product of dissatisfaction with behaviours and patterns that are no longer tenable to the present situation, sometimes this change is also involuntary in its nature – an uncomfortably forced evolution that imposes progress on us. Springtime this year has pushed forward a mass sobering for the banking industry. After riding a wave of ultra-low interest rates and high market liquidity, a domino effect of events has brought on the failure of several major regional American banks, marking the greatest shake-up of the global financial system since the financial crisis of 2007-08.

As the age-old adage goes, “there is nothing new under the sun.” The driving factors that led to the collapse of Lehman Brothers, Bear Stearns, Wachovia and Washington Mutual are almost identical to the key drivers of the bank failures within Silicon Valley Bank (SVB) and Signature Bank this year – a gross failure of governance and risk management, the exception being First Republic.

Situational awareness

The interconnectedness of organisational objectives, risks, resilience and integrity requires 360° situational awareness of governance, risk and resiliency. Organisations must see the intricate relationships and impacts of objectives, risks, processes and controls. It requires holistic visibility and intelligence regarding risk and resiliency.

Organisations such as banks and other financial institutions take risks all the time. Still, the failure to monitor and manage these risks effectively in an environment that demands agility can lead to a tinder box of potential catastrophe. Too often, risk management is seen as a compliance exercise and not truly integrated with the organisation’s strategy, decision-making and objectives. It results in the inevitable failure of governance, risk and compliance (GRC) and risk management, providing case
studies for future generations on how poor GRC management leads to the demise of organisations.

The collapse of SVB is one of the most blatant cases of this. For example, SVB failed to institute some of the most basic risk management practices by industry standards. Starting from the end of 2019, SVB deposits grew from $61 billion to $189 billion by quarter 4 of Interest rates at the time were so low that these deposits were treated as free money at ~25 basis point cost average. SVB then used these inflows to increase loans 100 per cent to $66 billion and push far beyond average industry risk parameters with its held-to-maturity (HTM) securities portfolio, ramping what was mostly agency mortgage holdings from $13.5 billion at quarter 4 of 2019 to $99 billion at quarter 4 of 2021.

SVB’s big problems were with its HTM portfolio. The bank increased its security portfolio by 700 per cent, buying in at a generational top in the bond market and buying $88 billion of mostly 10 plus year mortgages with an average yield of just 1.63 per cent. In the absence of adequate interest rate risk management, this resulted in massive unrealised losses when the Federal Reserve began hiking its benchmark interest rates.


SVB’s HTM securities had mark-to-market losses as of quarter 3, 2022 of $15.9 billion, compared to just $11.5 billion of tangible common equity. Due to lobbying for deregulation by SVB, as well as other midsized banks such as Signature Bank (of which Barney Frank of Dodd-Frank was a board member), regulators did not require SVB to mark its HTM securities to market. However, internally they should have been doing this anyway, as well as running risk models against changing rates.

The deregulation that enabled their increased risk tolerance came as a result of Congress passing the Economic Growth, Regulatory Relief, and Consumer Protection Act (EGRRCPA), also known as the Dodd-Frank Reform Act. The act was signed into law in May 2018, and it raised the asset threshold for systemically important financial institutions (SIFIs) from $50 billion to $250 billion, effectively reducing the regulatory burden on many midsized banks such as SVB and First Republic.

On top of this, due to the Federal Reserve Bank’s interest rate hikes, SVB saw accelerating deposit outflows (-6.5 per cent YTD in January), a mix shift away from non-interest accounts and skyrocketing interest costs (money markets now yield 4 per cent), as well as increased burn rates from the bank’s venture clients resulting in customer deposit drawdowns. As SVB’s funding costs continued to reset higher, SVB was faced with a massively high negative carry cost on its HTM portfolio, largely a fixed-yield securities portfolio.

But SVB’s greatest failures extend to the top – its leadership. The Federal Reserve’s review described SVB as “textbook case of mismanagement” and further described a failure of oversight and accountability of senior leadership by the bank’s board of directors. Only one member of SVB’s board had previous banking experience. The practices and procedures used by SVBs risk management team raises serious questions on their competencies based on evident gaps in their risk management frameworks. SVB’s risk management team “failed to establish a risk-management and control infrastructure suitable for the size and complexity of SVBFG when it was a $50 billion firm, let alone when it grew to be a $200 billion firm”, said the review. SVB had 31 identified unaddressed “safe and soundness supervisory warnings” more than triple the average number of peer banks. Furthermore, the bank was also left without a chief risk officer for 7 months in 2022, a departure that may demand an explanation. The discoveries made by the Federal Reserve and Treasury Department regarding the bank’s risk management practices only beg more questions outside of the obvious conclusions: SVB failed to institute an adequate asset liability committee, erroneously focused on short-term profits, and neglected long-term associated risks.

Bad timing

The relaxing of Dodd-Frank also came at exactly the worst time. It happened almost a year before the beginning of the Federal Reserve’s tightening cycle and at the natural end of an era of economic expansion that was later disrupted by emergency monetary intervention measures during the global COVID-19 pandemic. Midsized banks could now take on greater risks, and they did so during a time of irregular economic factors of expanded emergency liquidity.

First Republic’s portfolio arguably could have withstood the fluctuations. However, First Republic lost more than half of its deposit base amid SVB’s collapse, pulling the bank into a critical territory and ultimately leading to its collapse and takeover by JP Morgan and the Federal Deposit Insurance Corporation (FDIC). This marked the second-largest bank collapse in US history after Washington Mutual in 2008.

First Republic’s traditional savings and loan business model was arguably sound. It catered to wealthier clients in the tech
sector, targeting the employees at companies like Apple, Alphabet and Meta. First Republic even had a branch inside of Facebook’s headquarters. But First Republic’s failure was purely panic induced. Even with paper losses on lowinterest loans and its interest rate risk mismatch, the bank could have survived if it didn’t have to rapidly fund withdrawals by depositors seeking higher returns on deposits elsewhere, as well as outflows triggered by panic amid the failure of SVB. As a result, the bank was forced to rely on government lending facilities at rates that exceeded its income in an attempt to ride out the storm. First Republic’s problems are almost reminiscent of Bailey’s Building and Loan in Frank Capra’s 1946 film It’s a Wonderful Life, only in this not so wonderful life the townspeople did not temper their panic and rally around their community bank.


The recent failure of these regional banks will likely trigger a new wave of regulations and guidelines as well as a reversal of the changes made to regulatory frameworks for midsized banks in 2018. Regulators need to consider that with the increased scale of the financial system, midsized banks that may be only regionally important can still pose a significant systemic risk as supervisory authorities do not have the resources to monitor their activities and should not underestimate the propensity for mismanagement. Asset thresholds for enhanced prudential standards for SIFIs should be reversed from $250 billion to $50 billion. Regulators and organisations with large deposits also need to consider the concept of dual fiduciary duty.

In the case of SVB, a bank of choice for many venture capital firms and venture-backed companies, the burden of large deposit risk cannot fall solely on the bank. Venture capital firms, while exempt from many of the regulations and compliance burdens of hedge funds and other asset managers, were arguably negligent in managing their cash risk for their limited partners and thus somewhat complicit in the risk concentration of SVB. The leading practice of asset managers is to hedge cash risk through treasuries. A venture capital firm’s responsibility to its investors must extend to its cash risk within its portfolio companies.

Too often, regulators and bank managers alike continue to make policies solely in the vacuum of a crisis. Policy developed in the vacuum of a crisis is inherently inadequate, as it usually only accounts for remedying the causation and symptoms of the present crisis. Supervisory authorities need to consider expanded guidelines for bank governance and leadership, and the policies set by leadership for financial institutions should meet qualification standards. All bank board members should be certified by supervisory authorities such as the Office of the Comptroller of the Currency (OCC), FDIC and Financial Industry Regulatory Authority (FINRA) for a minimum qualification standard.

Cost of failure

While The US Department of the Treasury and Federal Reserve have taken responsibility for inadequate supervisory measures of these troubled midsized banks, financial institutions now need to realise more than ever that increased legal risk tolerance does not equate to acceptable risk tolerance. Banks must institute more sophisticated internal risk frameworks that factor in significantly higher stress tests for implied volatility.

Major money centre banks are forced to adhere to a wide range of scenarios for long-term resilience, but midsized and even small banks need to develop their own internal frameworks beyond the demands of compliance that mirror the top of the industry at scale, even if it comes at the cost of profits because the cost of a bank failure is far greater than neglecting profits made unsustainably. Banks that are currently undergoing pressure should consider seeking to consolidate with peer banks before they are forced into consolidation, liquidation or shotgun acquisitions. Well-structured asset-liability committees and audit committees
should become a universal practice for banks of all sizes.

The conclusions of the Federal Reserve’s review of SVB implicitly stated that two of the three critical weaknesses of the bank were governance and risk management. The further conclusion of the review was that while SVB was compliant, compliance alone was inadequate because the regulation and the supervisory frameworks were inadequate in preventing the bank’s failure. The second and third largest bank collapses in US history have set the stage for a new wave of regulation to reinforce neglected gaps in global financial services from the United States, European Union, United Kingdom, the Commonwealth and beyond.