Silicon Valley Bank: A case study into how firms should approach operational resilience
In the aftermath of the failure of Silicon Valley Bank (SVB) in March 2023, it is crucial to examine the events that preceded the collapse, identify the key factors and draw valuable insights. This case study focuses on the failings at the bank that triggered one of the most substantial bank failures since the global financial crisis of 2008. By examining the circumstances leading to SVB’s downfall, we can gain a deeper understanding of the risks faced by financial firms today. This case study aims to highlight the importance of applying these learnings and developing robust frameworks that effectively mitigate risks in the banking industry.
Timeline of Events:
SVB was a preferred bank for the tech sector because the organisation supported startup companies that not all banks would accept due to higher risks. With rising inflation rates, SVB’s startup depositors were struggling to get additional financing from venture capital and elsewhere. So, they needed to draw on the deposits they had at SVB.
When interest rates rise, existing bonds paying lower interest rates become less attractive, causing their price to drop below their initial par value in the secondary market.
SVB had invested a large amount of bank deposits in long-term U.S. treasuries and agency mortgage-backed securities. When the tech start-ups and companies started to withdraw their cash, SVB had to find that cash. So, SVB had to sell its low-yield treasury bonds quickly and at a loss to try and meet capital requirements. The result was SVB incurred a huge loss.
There are meant to be safeguards in place where banks are examined and regulated so they don’t engage in highly risky behaviour, such as relying almost exclusively on deposits from companies within a single industry, or not diversifying their investment portfolio. SVB’s collapse highlights the importance and necessity of financial management, especially within a recessionary environment.
How Firms Should Approach ‘Operational Resilience’:
Operational resilience is defined by the FCA as “the ability of firms, financial market infrastructures and the financial sector as a whole to prevent, adapt and respond to, recover and learn from operational disruption.”
The four major steps of building operational resilience are:
- Identifying important business services;
- Mapping the resources, people, processes, technology, and facilities necessary to deliver service;
- Testing ability to remain within impact tolerance through Scenario Testing, and;
- Reviewing Testing and process.
Ensuring the UK financial sector is operationally resilient is important for consumers, firms and financial markets. An operationally resilient financial system is one that can absorb shocks rather than compound them.
Operational disruptions and the unavailability of important business services have the potential to cause wide-reaching harm to consumers and/or risk to market integrity, threaten the viability of firms and cause instability in the financial system.
Covid-19 provided a clear example of the kind of severe but plausible events firms need to consider within their operational resilience framework. The disruption caused by Covid-19 showed why it is crucial for firms to understand the important business services they provide, and to invest in their resilience to protect themselves, consumers and markets.
Strong operational resilience capabilities are especially vital in times of elevated cyber risk, as operational resilience deficiencies may lead to customer data breaches, critical business service disruptions and potential consumer harm.
The Operational Resilience Framework:
In March 2021 the FCA (PS21/3), PRA (PS6/21) and Bank of England (BoE) (collectively known as the Supervisory Authorities) finalised their changes to Operational Resilience regulation. These conclusions were reached after their 2018 discussion paper and 2019 consultation paper, with the new regulations being implemented in March 2022. These Regulations apply to:
- Banks;
- Building societies;
- PRA-designated investment firms;
- Insurers;
- Recognised Investment Exchanges;
- Enhanced scope SM&CR firms, and;
- Entities authorised and registered under the Payment Services Regulations 2017 or Electronic Money Regulations 2011.
These Regulations also apply to other entities under the PRA’s and BoE’s umbrella.
These new rules are designed to protect consumers, the wider financial sector and UK economy from the impact of operational disruption, such as the Coronavirus pandemic and the recent financial market turbulence.
The proposed requirements and expectations require firms and Financial Market Infrastructures to:
Identify vital services and assess their impact beyond commercial interests. Setting an Impact Tolerance for each service is crucial. Firms must then ensure continuity within this tolerance during potential disruptions.
FCA Expectations:
The following outlines what the regulator expects firms to have done as soon as practicable after 31 March 2022 and by no later than 31 March 2025:
- Performed mapping and testing so that they can remain within impact tolerances for each important business service;
- Made the necessary investments to enable them to operate consistently within their impact tolerance;
- Conducted “lessons learnt” exercises to identify, prioritise, and invest in their ability to respond and recover from disruptions as effectively as possible;
- Developed internal and external communication plans for when important business services are disrupted;
- Prepared self-assessment documentation.
Applying Lessons Learned from the SVB Incident
Steps that may ensure operational resiliency:
- Regularly monitor third-party financial risks and diversify – This includes monitoring third parties’ financial health, credit ratings, and liquidity to confirm they have adequate resources to support their operations and manage their debts. Another way to mitigate risks is to spread banking relationships across different banks. By doing so, businesses and banks can avoid having all their funds tied up in a single bank, reducing the impact of potential future bank failures. Of course, that means a careful risk profile of each bank should be carried out.
- Monitor the compliance attitude of third-party vendors – This is to ensure that they remain compliant with industry-specific and jurisdictional regulations on financial and operational risk management for banks. Identify vendors with a history of non-compliance or ethical issues, and continuously monitor banks for compliance and compliance-related risks.
- Thoroughly evaluate third-party vendors’ risk management practices, including internal controls, IT systems, and business continuity plans – Regular assessment and evaluation help identify and mitigate potential operational risks and disruptions to business operations, as in SVB’s case.
- Closely monitor factors such as third parties’ ESG attitude and adverse media – By regularly monitoring reputational risks and negative news associated with third-party vendors, businesses can minimise the potential impact of third-party risks on their own reputation.
- Review third parties’ insurance coverage and financial statements for cash flow, and ascertain cash reserves to weather potential disruptions or crises – Cash reserves help ensure businesses have the necessary resources to cover operating costs and meet their financial obligations to vendors, suppliers, and customers, even if they experience a temporary cash flow shortfall.
- Develop and maintain a business continuity plan – A business continuity plan outlines the steps that the business will take in the event of a crisis and minimises the impact on the business’s operations and customers.
How can Complyport Help?
At Complyport, we are your partners in building robust and digitally enabled solutions to strengthen your Operational Resilience capabilities. Our comprehensive range of services is designed to support your journey towards Operational Resilience and regulatory compliance. Here’s how we can assist you:
- Operational Resilience Programme Support
  - Initiation and implementation of advanced operational resilience strategies
  - Operational Resilience Impact Assessment to identify potential gaps
  - Expert guidance in defining risk scenarios and optimising continuity strategies
- Ongoing Operational Resilience Support
  - Ensuring compliance with regulators’ requirements
  - Detailed report as a roadmap to achieve regulatory compliance
  - Health-check and progress assessment for sustainable resilience methodologies
- Third Party Risk Management Services
  - Effective management of outsourcing and third-party risk
  - Evaluation of practices against regulatory requirements
  - Remediation assistance
- Efficient Day-to-day Operational Processes
  - Comprehensive operational process management
- Operational Resilience Assurance
  - Demonstrating to stakeholders the effectiveness of your operational resilience framework
  - Independent assurance report with a granular view on control effectiveness
For tailor-made services that align with your company’s needs, get in touch with Complyport. Let us be your trusted partner in achieving operational resilience excellence and meeting regulatory expectations. Contact us today at thomas.salmon@complyport.co.uk