Stress testing is not new and has been used as a risk management technique for many years, particularly so in the engineering and construction world. Financial institutions have also used it, to gain insight into their exposures under stressed market conditions. Supervisory institutions use it to evaluate systemic risk. Most recently, the European supervisors announced that they are going to carry out an EU-wide forward looking stress testing exercise based on common guidelines and scenarios. However, as noted in recent international reports, the outcomes of the technique have fallen short of reality.

Underestimate

The problem is that human beings tend to underestimate events with very low probability of realisation (if that were not the case then the lottery would not exist). This means we really can not do without structured stress testing and in view of recent events it is clear that the moment has come to develop a new stress testing framework. In particular, we need to ensure understanding of extreme risks and the preparation of actionable responses.

Example

A standard stress test is comparable to a 'what if…then' analysis: What if I win the lottery? Then I receive 1mil euro.
Envisioning what can happen is not sufficient though. It is necessary to move to a 'what if…then… so what…hence' approach: What if I win the lottery? Then I receive 1 mil euro. So what? I invest all the money in the stock market, which I might loose. Hence I’ll invest only half in the stock market.

The positive example above illustrates a simple truth, as in many cases big failures arise from strategies which had great potential. It also shows that the actions to be taken are linked with the risk appetite we all intrinsically have.

A new framework

A new framework for stress testing needs to be linked to the risk appetite of an institution, which is an input in how far scenarios need to be stressed. As senior management is responsible for setting the risk appetite, senior management will have to formally agree with the stress tests and the follow-up actions. It is possible that in some cases no actions are taken, implying that management understands the risks and is willing to assume them.

To make sure that senior management can take such responsibility, it is necessary for stress testing to be performed with a holistic approach. The business and risk management need to co-operate in the stress testing programme. To ensure that inappropriate products ever see the market and to gain proper insight into the behaviour of these new initiatives (such as new product development) under stressed conditions, stress tests need to be performed before embarking on the new initiative and not, as it is currently often the case, after its implementation.

The new framework should therefore cover the internal environment of an institution at all levels, from the strategic, through the tactical, to the operational level.

Implementation challenges

The development of such a framework will encounter many challenges. At the strategic level it will be necessary to define a clear risk and response strategy and align it to the business strategy. The response strategy will outline how the institution will cope with extreme events should they materialise, with particular attention to balancing costs and benefits of prevention versus cure.

At the tactical level, both business and risk scope (such as what types of portfolios and risks will be included) have to be clarified, and integrated risk metrics have to be defined. In addition, an intervention model will have to be set in place. The intervention model should specify the actions to be taken when particular extreme events materialise, such as cutting risk exposure or raising extra capital.

The operational level will have to deliver the integrated risk metrics, supported by high quality data. The metrics and source of data will have to be agreed and accepted upon by both the business and risk management in order to assure buy-in into the process by all functions of the organisation so as to make it truly holistic.

Finally a successful framework will require a consistent monitoring and reporting of the risk metrics across all businesses and risk classes and regular validation.