A Risk Professional's Survival Guide. Rossi Clifford

      The origins of SifiBank go back 200 years when First National Bank and Trust of Baltimore (FNBTB) was founded by the son of one of the signers of the Declaration of Independence. The bank grew over the next 170 years largely through organic growth as opposed to merger and acquisition. The bank had for nearly two centuries operated under very conservative business standards that kept it largely out of financial trouble even during a series of major and minor financial panics, including the Great Depression.

      In 1987, the bank underwent a change in CEO and president when the bank itself was bought out by a rival institution with less name brand recognition. That institution recognized the value of FNBTB and embarked on a strategy to opportunistically grow the bank by purchasing weak but well-known thrifts that had large retail footprints in markets complementary to FNBTB. Over this period FNBTB tripled its size in terms of total consolidated assets across all subsidiaries and it was during this period that SifiBank was born. By 2014, total assets of the bank had grown to $1 trillion, making it one of the largest financial institutions in the world and number three by asset size in the United States.

      The chairman and CEO of SifiBank was an icon in banking, credited with turning a number of sick banks into financial powerhouses largely based on heavy cost-cutting, and a strategy of creating a financial supermarket that would find broad appeal cutting across different customers and product segments. The theory was that by offering a full service array of products and services to all types of consumers, corporations and even sovereign clients, the bank would be able to diversify its revenue streams and expand its markets better than any peers. While it began as a United States–only institution, by the 1990s it had branched out into several countries in Europe and Asia. Today, revenue from its foreign branches accounts for less than 10 percent of SifiBank’s revenues. While the strategy of a “universal” bank lived up to its promise of delivering significant growth for its shareholders, it also came with significant risks. The holding company structure became unwieldy as it established hundreds of subsidiary units to take advantage of tax regulations, accounting rules and other legal benefits from these structures. However, this complex web of various subsidiary organizations led to a fragmentation in management and oversight of the company, making it extremely difficult to get a holistic perspective on the operating units and risks each posed to SifiBank.

      Mergers and acquisitions accounted for 80 percent of the growth of SifiBank over the past 30 years. When a prospective acquisition target was identified, SifiBank’s M&A team ran the financials to ensure the acquisition had accretive value to the overall firm. Importantly, left out of that financial analysis was the cost of integrating different origination, financial, accounting, servicing, and risk information systems across platforms and subsidiaries. Eventually, SifiBank was forced to maintain 10 different operating systems for financial management and reporting. In some cases it was nearly impossible to roll up a consolidated view of a particular class of assets as data and metrics oftentimes did not align across businesses. For mortgages, SifiBank originated loans primarily from three commercial bank subsidiaries of SifiCommercial Bank, a thrift subsidiary consolidated from several it bought during the thrift crisis and a finance company that catered to subprime borrowers. It used one definition of mortgage default based on the Mortgage Bankers Association definition for its banking entities, but used different definitions for both its thrift and finance company units. Beyond this problem the bank experienced significant difficulties in aggregating its exposures and was plagued by a host of data accuracy and reporting issues. These system issues, while ignored during the M&A decision-making process, had come home to roost for SifiBank. By greatly impairing its ability to understand the kinds of risks it was taking on across the firm in a timely fashion, this infrastructure problem played a major role in limiting the bank’s reaction to the growing asset bubble forming in the housing market in the mid-2000s. Something more subtle and pervasive within SifiBank would ultimately result in the near death of the company in the aftermath of the financial crisis of 2008. Specifically, this was the company’s focus on growth, the lack of a risk culture, and weak governance during that period.

      SIFIBANK ORGANIZATIONAL STRUCTURE AND OVERSIGHT GOVERNANCE

      SifiHolding Company is a publicly traded company that was headed by the CEO who also held the title of Chairman of the Board of Directors in the years leading up to the financial crisis. This consolidated power of having both the CEO and chairman titles along with this individual’s unique personal stature in the industry afforded him an ability to run SifiBank in a fashion that met with little opposition to the direction he sought for the company.

      The board was composed of 10 members, all handpicked by the CEO and all well-known friends or associates. Two members had some related background in financial services – specifically, having been CEOs of an insurance company and investment company – and no one on the board had any direct risk management experience. The board met quarterly for one day each time and in addition to holding a meeting of the full board to review important issues it also broke up into several committee sessions. Among the committees it had were audit, operations and human capital, legal, and finance.

      The CEO believed in having a small management team reporting to him and this meant that only the presidents of SifiBank, SifiThrift, SifiFinancial, SifiInvestment Bank, SifiAsset Management, the CFO, General Counsel, General Auditor, and Head of Human Resources had direct access to the CEO. The CEO had handpicked the presidents as well and all had track records for achieving aggressive product objectives.

      At this time the bank had only created the role of Chief Risk Officer two years before the crisis and this was largely a corporate oversight role. In fact at times, the role of the CRO and General Auditor seemed to overlap, creating significant confusion and concern by management that the bank was carrying too many risk oversight staff at a time when margins were thin. The CRO reported into the CFO, leaving an additional layer of management between the senior risk officer of the company and the board. The board did not hold executive sessions with the CRO separate from the CFO or CEO.

      Furthermore, risk management activities were spread across the business, operations and audit functions in a decentralized model. As a result, the SifiBank board would pick up risk management issues in piecemeal fashion and only as management decided what was important to elevate to the board. A decentralized risk management function has its own merits over a risk management structure within the corporate center; however, it can lead to a number of governance issues that the firm must understand. In the case of SifiBank, the board of directors delegates development of credit and other major risk policies to the CRO. But since the CRO does not have any responsibility over managing the risk exposure of an individual line of business, a delegation of authority policy would need