In the last few weeks, US banks Silvergate, Signature, and the Silicon Valley Bank (SVB) collapsed, while First Republic Bank required a $30bn bailout from larger Wall Street Firms. Meanwhile, in Europe, the Swiss bank Credit Suisse has been bought by rival UBS.
Each of these banks was in a different position, and no single factor caused these banks to get into trouble. However, these recent events provide some essential takeaways for risk and communications managers.
(Note that between starting this piece on Friday and finishing it on Monday, Credit Suisse had gone from being ‘in difficulty’, to being taken over by UBS. The situation in the global banking sector is highly volatile, and more could have changed by the time you read this, but the takeaways below are unchanged.)
Risk Management vs. risk management
I have a lot of time for Norman Marks, who writes thoughtfully on risk management and is way ahead of me when it comes to audit and governance. So I enjoyed reading his take last week, which he ends as follows.
“I am not sure that I would blame the external auditors. After all, the financial statements were probably correct, and we are not talking about a failure of the system of internal control over financial reporting.
You can call this a failure of risk management if you like.
Any corporate, even personal failure could be called that.
I think its more a failure to perform by the CEO and the rest. Poor decisions were made.”
Was Silicon Valley Bank a failure of risk management? https://normanmarks.wordpress.com/2023/03/14/was-silicon-valley-bank-a-failure-of-risk-management/
And while I agree with Norman, there’s a distinction I want to make that’s been bothering me for a while which lies at the heart of some of the issues with SVB. The distinction is between audit, governance, and compliance work, which I’ll capitalize as Risk Management, and the practical management of risk (no caps).
In the case of SVB, there was no Risk Management failure that we are aware of: everything was in good shape, and they were complying with appropriate regulations. (Although arguably, this was only because rules had been relaxed over the last few years. See Forbes for more.)
Here, I agree with Norman.
However, from a practical perspective, this was a massive failure to manage risk. Recall the core issue with SVB was that it has most of its money tied up in long-term bonds, essentially stranding this cash and putting it out of reach in the short term. However, they needed ready cash because:
1 – Startups (their main customer base) are cash hungry
2 – The short-term interest they had to pay out was more than the interest from the long-term bonds.
3 – Venture funding dried up in 2022, so less new money was coming in.
You can argue about whose fault these conditions are, but the fundamental issue is that these conditions didn’t occur overnight, so being caught upside down cash-wise is poor management. The bank was without a Chief Risk Officer from early 2022 until January 2023, and perhaps having a CRO in place would have helped. Still, practical, day-to-day risk management should be front of mind for everyone in the leadership team, not just left to the CRO to worry about.
So I agree with Norman that this is poor management by the CEO and leadership team, but this is also a failure to manage risk.
My first takeaway is that there are two kinds of risk management: governance and compliance (Risk Management, capitalized) and practical (risk management). Both matter.
This takes us to Credit Suisse, who apparently had neither…
Don’t Trust, Do Verify
Credit Suisse was in difficulty on two fronts. First, they were also seen as being short of cash, and depositor withdrawals threatened a bank run, requiring the Swiss central banks to step in. So far, so similar to SVB – poor practical risk management left them vulnerable. However, Credit Suisse has a second, more enduring problem with its Risk Management. In fact, if you search online for ‘Credit Suisse rogue trader’, you’ll get multiple stories from the last 15 years, and I quoted one of these stories on March 3rd.
In its statement, Finma criticized the Swiss bank for its approach to risk management. Credit Suisse used employees who managed relations with Greensill to handle warnings, Finma said, which represented a clear conflict of interest as they were “not independent.” The bank also relied on Greensill founder Lex Greensill himself and his answers for its own statements, Finma concluded.
Credit Suisse made “partly false and overly positive statements” to Finma about the claims selection process and the funds’ exposure to certain debtors, according to the regulator.
As early as 2018, both media and Finma representatives were asking questions about the Greensill funds, the regulator said. There were “many critical observations, too few appropriate reactions,” according to Finma.
(Then there was the illegal spying conducted at the behest of the former CEO, but that’s just good old-fashioned breaking the law, not a compliance failure.)
So despite all the talk of compliance, governance, and oversight, even industries like banking – industries that are supposed to be heavily regulated and scrutinized – get away with egregious breaches of the rules. Moreover, the fines and legal action taken against institutions have little effect, given the repeat offenses.
So the second takeaway is to not trust the results of an audit or regulatory filing at face value: you have to do your own checks. Don’t trust, do verify.
Communications matter
For all of its problems, SVB’s position wasn’t necessarily unsalvageable. In the weeks before its collapse, the bank took steps to generate additional cash, including a $21bn sale of securities and a $15bn loan. These steps should have provided sufficient cash to help it overcome the imbalance between its cash needs and what was tied up in long-term bonds.
However, their communication of what was happening seems to have contributed to the rapid loss of confidence. Three significant issues stood out to me:
1 – The recapitalization plan they announced seemed to scare markets instead of reassuring them. This was a straightforward messaging failure.
2 – They believed they were in a ‘quiet period’ while the securities offering was underway and could not make any public statements about what was happening. As Axios put it: https://www.axios.com/2023/03/10/how-silicon-valley-banks-rescue-plan-backfired
- “Because SVB was now in the middle of a securities offering, it considered itself to be in a “quiet period” where it couldn’t communicate anything substantive to depositors, investors, or the press beyond what was in its SEC filings.
3 – SVB CEO, Greg Becker, has initiated a plan to sell $3.6mn of shares in January which, although perfectly legal, raised concerns that the CEO knew that the bank was in trouble. (See Blomberg for more.)
There was no easy way for SVB to explain its cash shortage; no matter how they spun it, depositors and the markets could have reacted as they did.
But it’s important nonetheless to think about how challenging these kinds of communications are, particularly when the difference between avoiding and causing a crisis comes down to the statements you make. My friend Bill Coletti calls these inflection points’ critical moments’: periods where adverse circumstances are building up, but there’s still an opportunity to do the right thing and avoid a crisis. Or to cause one if you do the wrong thing.
SVB was definitely in a critical moment in the run-up to its collapse, and again, there may not have been any good way to announce its recapitalization plan. But the poor communications, the optics of a CEO selling off shares before a warning is issued, and their harsh interpretation of what could and couldn’t be done in a quiet period let the narrative run away from them.
The third takeaway is that communications matter and need to be thought through carefully.
After all…
Perception Beats facts
I’ve often been asked about what matters most in a crisis: doing the right thing or saying the right thing.
Of course, both matter, but simply saying the ‘right thing’ doesn’t mean much unless you’re being sincere and telling the truth.
However, perception matters enormously, particularly when the details of what’s actually happening are hard to see. People can easily judge if a fire is under control or not, but it’s much harder for them to tell if a bank is adequately capitalized.
As Axios summed it up in the story above:
“the only real up-to-date information that depositors had about the health and viability of [SVB] was the plunging share price — and the ever-growing number of stories of other depositors pulling their deposits.”
So the final takeaway is that no matter how effective your response or carefully crafted your message is, people’s perception is often all that counts.
Not Done Yet
This piece is meant to share general takeaways from what’s happening in the banking sector, takeaways that can assist risk and crisis managers from all sectors, at all times.
So keep these four takeaways in mind if you get into trouble but, it’s worth noting that we’re not out of the woods yet as Credi Suisse has shown. The US Fed is developing plans to back-stop other bank collapses (see Bloomberg for more.) And now there’s pressure on the Fed and other central banks to reverse rate increases which might help banks but won’t slow inflation.
As with most real crises, there’s no easy solution here, and we aren’t done yet, so take some time to think about how these events can affect you, your supply chain (both physical and digital) and make plans accordingly.
Good luck out there
Andrew Sheves Bio
Andrew Sheves is a risk, crisis, and security manager with over 25 years of experience managing risk in the commercial sector and in government. He has provided risk, security, and crisis management support worldwide to clients ranging from Fortune Five oil and gas firms, pharmaceutical majors and banks to NGOs, schools and high net worth individuals. This has allowed him to work at every stage of the risk management cycle from the field to the boardroom. During this time, Andrew has been involved in the response to a range of major incidents including offshore blowout, terrorism, civil unrest, pipeline spill, cyber attack, coup d’etat, and kidnapping.