Skip to Content

Boardroom: The Missed Risks

Articles Matt Kelly Jun 12, 2023

Corporate boards received quite the jolt in March, when Silicon Valley Bank (SVB) collapsed seemingly out of the blue. Fingers were pointed, regulators interceded, and immediately everyone wondered whether SVB was only one symptom of some new, deeper malaise across the business landscape. 

Spoiler: There have been more bank failures, the most recent being First Republic. But what if the malaise was simply bad management? Nothing new about that.

For example, SVB’s collapse came about because of the bank’s decision to hold large amounts of securities based on low-interest-rate loans. As interest rates rose in 2022, those securities declined in value, and SVB’s unrealized losses on them began to pile up. That was a poor strategic choice — and management made it. That introduced the risk of a bank run. 

Then again, strategic risks are only the first layer of the SVB onion. The bank also met its demise because depositors talked themselves into a panic on social media and then fired up their fintech apps to transfer their money elsewhere. A staggering $42 billion in deposits fled the bank on March 11. SVB died the next day.

Think about what really happened there. SVB embraced digital transformation of its operating processes (like so many organizations have done, we should note), but that embrace of new technology altered the velocity of its strategic risk: The bank run happened more quickly.

Here lies the true lesson for boards, in the banking sector and beyond. SVB had an overlapping web of strategic, technology, and even compensation risks that swirled around it until it toppled. Boards need to see through that fog, to perceive the existential threats to the organization — and then guide the business around them.

“Prompt, emerging action is something that needs to be triggered at appropriate times,” says Eric Young, a long-time compliance officer in the banking world and a board director of several nonprofit groups, and now with Guidepost Solutions. “That just has to happen.”

Needed: Better Risk Committees

One obvious idea is for the board to have a dedicated risk committee: some group separate from the audit committee, tasked with considering issues around technology, liquidity, credit, operational, strategic, and reputational risk. That risk committee should also assure that the company has practices and controls in place to keep those risks at acceptable levels.

The good news is that many large companies now have such risk committees, and risk committees are especially prevalent in the banking world. The bad news is that many smaller, non-bank organizations still don’t — and even if the board does have a risk committee, that group still needs to exercise oversight.

“Boards can only make decisions based on the best available information they have at the time,” says Christa Steele, currently a board director at Tanimura & Antle and a former bank CEO. In SVB’s case, she says, “I do think perhaps there was too heavy a dependence on management expertise rather than on board oversight.”

That’s a valid point. SVB’s risk committee met 18 times in 2022, up from only seven meetings in 2021; clearly the board was doing something. At the same time, however, SVB’s management cut almost all its hedges for interest rate risk (which would have offset the strategic risk of those unrealized losses) and the bank went without a chief risk officer (CRO) for eight months.

So even while SVB’s risk committee was meeting constantly, crucial issues around risk management were still festering. Why?

In SVB’s case, that question may be answered by the numerous regulatory investigations now underway. For other organizations, Young says the question is whether management is driving the board, or the board is driving management. If management is leading the board by the nose, the organization could end up with executives more interested in quick profits than in long-term, risk-aware growth. 

“I always go back to culture,” he says. “You need the right board and the right pounding of the fist, especially in other industries with lighter regulation — that’s going to be critical.”

What would those indicators of poor culture be? Young looks for red flags such as past-due audit findings or regulatory examinations. “That’s an early indicator of poor culture because management doesn’t care,” he says. “That’s management believing it can pay a fine and move on with business as usual.” 

Steele advocates for knowledgeable, competent board directors — especially for banks and financial firms, with their unique set of financial reporting and liquidity risks. (For example, in the banking world loans are assets, while deposits are liabilities.)  “We must train our financial institution directors on the intricacies of risk pertaining to investment, credit, and compliance and how they relate to liquidity, operations, capital adequacy, and all the other buckets of risk that exist,” she says.

Meanwhile, Within the Organization

A strong, competent board risk committee is still only half of the equation. That committee still needs a strong, competent risk management executive inside the organization, both to identify emerging risks and to work with the risk committee to address those issues. Whether that executive is a CRO or a CAE, several conditions need to be in place for him or her to succeed.

  1. Can the CAE bring reports to the board without management interference? We all know that some CEOs or chief financial officers will try to influence reports that might raise difficult questions. That’s especially true for strategic risks or misconduct risks — but those are also the risks that turn dire quite quickly, as SVB demonstrates. As Young says, you need "a loud, independent voice" for the CRO.
  2. Does the risk or internal audit function have the capacity to contemplate strategic or interlocking risks? If that team spends all its time testing and documenting internal controls over financial reporting (ICFR), or doesn’t have enough auditors on staff, that might leave no time to assess strategic risks.
  3. Does the risk or audit team have the right risk framework in place? Is the team prepared to ask questions about, say, how a new compensation plan might drive executives to take different risks, or how a new technology might change the way customers interact with the business? Those issues are very different from an ICFR or operational audit they might demand very different policies and procedures to evaluate them.

As for SVB, the full story of its demise will be chronicled by a host of regulatory investigations, civil lawsuits, and Congressional probes, probably with a Netflix mini-series to boot. The rest of the corporate governance world should simply understand that this was a swift collapse far too few people saw coming. Which should scare corporate boards the most.

Matt Kelly

Matt Kelly is editor and CEO of, an independent blog about audit, compliance, and risk management.