On March 8, 2023, Silicon Valley Bank (SVB) announced a $1.8 billion loss from the sale of securities to cover a decline in clients’ deposits. The following day, SVB’s stock dropped 60% and the bank saw a historic $42 billion in withdrawal requests. Twenty-four hours later, SVB was under the control of U.S. banking regulators and concern turned into panic across the banking sector.
More recently, the cyberattack on Change Healthcare raised the issue of counterparty risk in a different sector. Provider organizations—especially those that had become predominantly reliant on Change Healthcare for health plan payment processing—experienced serious cash flow issues.
Both the SVB and Change Healthcare incidents brought to the fore significant new risks that were at least in part driven by rapidly evolving technological change. An April 28, 2023, report by the Federal Reserve responding to SVB’s collapse noted how “social media enabled depositors to instantly spread concern about a bank run, and technology enabled immediate withdrawals of funding.” The Change Healthcare cyberattack was the most dramatic example to date of a problem that is growing quickly across the healthcare industry, as cyber criminals seek access to data-rich health records. U.S. Department of Health & Human Services data shows a 93% increase in large data breaches the healthcare sector from 2018 to 2022 and a 278% increase in large data breaches involving ransomware over the same period.
Lessons learned over the past year
The SVB collapse and Change Healthcare cyberattack have taught several important lessons:
- The risk of contagion is real. The problems of one organization can quickly spread across an entire sector. In the case of SVB, instability and uncertainty led to a flight to safety, as both corporate clients and consumers shifted their deposits into what the Federal Reserve describes as “systemically important institutions,” leaving regional banks scrambling to reassure clients of their financial health.
- Not all risks can be anticipated. The Federal Reserve report on the SVB collapse notes that “as risks continue to evolve, we need to…be humble about our ability to assess and identify new and emerging risks.”
- Solutions take time to implement. Major relationships with a bank, a payment processing platform, or any other significant counterparty can not be shifted overnight. It can take weeks—or even months—to identify a new partner and implement the processes and technologies needed to transfer data and funds. Existing clients of the new partner can experience impacts as well if a major in-flow of new clients strains the partner’s ability to service its accounts.
- Risk diversification must be a priority. These events are generating a “hyper focus” by boards, C-suite executives, and finance and treasury professionals to diversify risk within their major counterparty relationships and create formal counterparty risk policies.
- Not all risks can be fully mitigated. Having a balance sheet that can weather the storm if a risk materializes is of paramount importance. Measuring and monitoring counterparty risk should be part of a broader, systematic approach that balances risks and resources across the organization.
Measuring counterparty risk
While one of the lessons learned is that not all risks can be anticipated, there are focus areas specific to different sectors that, even within a rapidly changing macroeconomic environment, will help provide a fuller view of risk. Using the banking sector as an example, key focus areas include:
- Market risk outlook. This outlook combines debt ratings and long- and short-term counterparty risk metrics, along with an understanding of country risks for banks not headquartered in the United States.
- Capital and asset resiliency. This focus area evaluates the quality of bank assets and liabilities to measure balance sheet strength throughout the business cycle.
- Growth and profitability. Here, the overall performance of the banking partner is measured to understand the systemic importance of the institution and how well it is positioned for long-term growth.
- Loan portfolio. This focus area measures the mix of loan exposure, highlighting commitments to various industries and the breakdown between consumer and corporate debt.
Representative metrics for each of these four focus areas are provided in Figure 1.
Figure 1: Metrics for Measuring Counterparty Risk
Focus Area | Representative Metrics |
Market Risk Outlook | • Bank Credit Default Swap • Long-Term Debt Rating • Moody’s Long-Term/Short-Term Counterparty Risk Rating |
Capital and Asset Resiliency | • Tier 1 Capital (%) • Total Debt to Assets • Coverage Ratio |
Growth and Profitability | • Net Income • Market Capitalization • Efficiency Ratio |
Loan Portfolio | • Total Loan • Residential Real Estate Loans • Credit Card Loans |
Staying focused on the challenges of today and tomorrow
Comprehensively measuring counterparty risk can give early insights into troubled situations that could lead to severe business disruptions. Within the banking sector, the focus for 2023 was on banks effectively managing risk through an elevated rate environment. As we move through 2024, the challenges might look significantly different. With uncertainty around the path forward for the U.S. economy, mixed signals on bank financial performance, and a highly contested election shaping up for the end of the year, there will continue to be a heightened focus on effectively managing a bank group to ensure business resilience and continuity in times of stress. Just last month, the failure of Philadelphia-based Republic First Bank was a reminder of the continued pressures on the banking industry.
Beyond the bank financial worries of the past year, the recent disruptions related to the Change Healthcare cyberattack have brought a new focus to the technological resilience of core services partners. Organizations should be digging deeper into the cybersecurity investments of their key partners and investigating the outside technology that is leveraged by these partners.
In all cases, organizations should be asking how and to what extent they should be diversifying risk in counterparty relationships. Both known and unknown risks will continue to emerge. Managing counterparty risk must be a comprehensive and ongoing exercise to both evaluate and mitigate against that risk.