The speed of Silicon Valley Bank’s collapse was scary. It was clear that business continuity thinking did not happen as recently as Q3 2022. Some blamed the collapse on the chief risk officer vacancy. Others blamed it on the ill-considered transparency offered by the CEO on March 9. Regardless, the bank, its board, and its leadership team had not prepared for an effective response and crisis communications strategy. Business continuity works to prevent and respond to disruption as part of a broader operational risk and enterprise risk management effort. Monitoring key controls that prevent disruption is essential to enable a timely response and deliver effective communications to all involved. A key point is that controls include business impact analysis, plans, and exercises, as well as controls owned by the business and other risk disciplines.
A Case for Integrated Risk Management
In the case of SVB, controls related to financial risk models and liquidity risk, as well as monitoring market and customer behaviors should have been essential. But by looking at controls individually, the bank failed to connect the dots. If it had integrated risk management thinking, leaders could have discussed how key controls were failing, what key risks were materializing, and how to bring the team together to reassure markets, investors, and customers.
Wasn’t This Situation the Purpose of Operational Resilience Legislation?
The U.K. introduced operational resilience legislation to prevent systemic financial industry disruption domestically, which influenced legislation in other countries (including the U.S.). Weren’t these “op res” regulations supposed to keep this from occurring? Yes… and no. Operational resilience thinking, which brings customer pain into the center of an organization’s resilience efforts, focuses on the disruption to internal processes and resources. For most organizations, it doesn’t bring different risk disciplines together to identify all the controls and strategies that could lead to insolvency, including plausible scenarios where the customer causes the disruption. Again, this situation demonstrates the need for the people, process, and technology to connect the dots through integrated risk management.
What is Business Continuity’s Role in a Bank-Run Crisis?
There are four points to consider when answering this question:
- Business continuity (and operational resilience) will continue to maintain responsibility to help the organization understand its vulnerability to disruption and work to make it more resilient. It’s true that much of the focus is on disruption caused by a loss of process capability and dependent resources. But because business continuity engages so many parts of an organization – especially those elements of the organization’s go-to-market strategy – business continuity professionals are well-positioned to identify areas where controls seem to be missing or failing. To borrow a message from the U.S. Transportation Security Agency, “If you see something, say something.”
- When done well, business continuity helps the organization understand the market, their customers, and their expectations, regardless of circumstance.
- A core element of a leading business continuity program is a strong response capability, often called crisis (or incident) management. Crisis management isn’t just for responding to a natural disaster or cyberattack. It can be used for any type of incident – large or small – to manage the impact and speed the organization’s return to normal.
- An extension of crisis management is crisis communications. Business continuity professionals often partner with their marketing and communications peers to understand key audiences that require engagement throughout a crisis, how best to reach them, and what to say based on different scenarios
Without inside information, it’s hard to comment on how SVB’s business continuity program aligned to the first three bullet points. But the speed of SVB’s collapse is evidence that these three areas were lacking. Regarding the fourth point, however, the crisis communications were visibly flawed. SVB leadership issued a somewhat technical response – in the form of a PDF – via its website regarding its response and the need to raise capital. This raised two issues:
- Although transparent regarding the situation, the response labeled the viability of planned response strategies with caveats like “potentially” and “probably,” which did not inspire confidence.
- The SVB leadership response was posted on its website. Despite widespread stakeholder discussion and debate regarding the impending crisis on social media platforms such as Twitter (perhaps even sparking the bank run), there was very little coordinated communication on social media from SVB.
Leading crisis communications is all about:
- Communicating with all audiences
- Creating a clear and appropriate message
- Engaging with the correct audience via the means that resonates best (e.g., social media)
Who’s to Blame?
Should this be a wake-up call for business continuity? Clearly this situation reinforced the need for better crisis communication. But this crisis could not have been prevented by business continuity alone. Business continuity had a role and likely should have done more, especially on the crisis communications front, but this was more likely a wake-up call for an integrated risk management approach. Failure to connect-the-dots led to SVB’s demise. So, who’s to blame? The candidates include:
- The Federal Reserve (which sets interest rates)
- The VCs (which started the run on capital)
- California regulators
- A blogger named Byrne Hobart (who raised the issue)
- External audit
- Silicon Valley Bank
You decide.
For more on operational resilience, download our e-book, Operational Resilience: Navigating the Global Regulatory Landscape, and check out Riskonnect’s Business Continuity & Resilience software.