Scenarios, stress testing and credit risks
Here Tony and John explain how operational risk software can manage scenarios, stress testing and credit risks.
Taken from: Mastering Risk Management
A typical description of scenario analysis and stress testing is the identification and analysis of the potential vulnerability of a firm to exceptional but plausible events. Other descriptions mention a combination of events which have a low probability of occurrence, but are realistic.
Stress testing is generally described as the shifting of a single parameter. In a risk context, this can be taken to refer to either the occurrence of a single risk, such as internal fraud or a system failure, or to the movement of a macroeconomic factor which may affect or does affect the firm as a whole, such as a significant increase in interest rates or a significant equity market downturn.
By contrast, scenario analysis is about simultaneously moving a number of parameters by a predetermined amount, based on statistical results, expert knowledge and/or historically observed events. Alternatively, scenarios can be described as multiple stress tests all occurring within a reasonably short period of time.
In reality, firms use both approaches in order to ensure a comprehensive analysis. For the sake of brevity, the term ‘scenario’ will be used in the article to cover both stress testing and scenario analysis. As has been explained, stress testing is simply a special case of scenario analysis, in which only one parameter changes.
Risk scenarios are much more than credit risk
Most firms create scenarios around credit risk. These often refer to a macroeconomic downturn causing an increase in customers not paying their bills. However, there are many events that can significantly affect a firm. Although some of these events may also happen within a macroeconomic downturn, the impact of two or three strategic events occurring even in the best of times can have a dramatic effect on the possibilities of a firm’s survival.
Prepare for the extreme event
A firm can prepare itself by adopting a variety of defensive approaches. Many of these are good risk management and should already exist. However, scenarios test risk assessments and risk appetite and it is vital that the defensive approaches are also tested. These defensive approaches should be in place and used during normal times so that they are part of the normal way of doing business. They will be essential during a period of stress.
Strong risk culture
A strong corporate culture of business risk awareness is an important part of risk governance and scenario management. It is particularly important in times of stress and market extremes.
Integrated risk management
The benefits of an integrated risk management approach also come to the fore during times of stress. While it is always helpful for senior management and the board to be aware of the firm’s overall risk profile it is particularly important when the firm is suffering extreme events. Linking together product risk, credit risk, liquidity risk and risk in a scenario will enable a firm to be more effective in its defensive manoeuvrings.
Informed decision making
An emphasis on informed management decision making and good information flow is almost too obvious to state. However, particularly during times of stress, decisions can be made ‘on the hoof’ and without full information. If a culture of informed decision making and robust communication up and down the firm is embedded in everyday business practices, it is more likely to continue during times of stress.
Risk appetite
Knowing and understanding the firm’s risk appetite and its thresholds may also help the firm reduce the impact of a stress event. Although it is very likely that the firm’s risk appetite will be exceeded during a period of stress, there is more likely to be a defined escalation procedure and understanding of the sensitivities of the firm’s risk profile if consideration is given to the risk appetite.
If a firm does have a developed risk appetite, it is more likely that it will have a full set of risk and control self-assessments and a realistic view of the risk and control profile of the firm. Challenges to the assessments and the resulting profile need to be made during normal times for this particular defensive approach to be valuable. If such challenges form a routine part of the firm’s governance, the resulting information is much more likely to have the confidence of senior management and therefore to be used in a period of stress.
Business process improvement
Continuous business process improvement can also be an effective defensive structure to protect the firm against difficult times. A corporate mindset which is flexible is essential at such times. By continuously seeking to challenge the firm’s business processes, its control environment will have been subject to significant testing and should therefore be in good shape.
Problems with scenarios…
The financial crisis of 2007/9 and the global pandemic of 2020/21, the kind of events for which scenarios might have been thought to have been designed, exposed a number of issues. This was partly because, with few exceptions, there is no agreed scenario methodology. One exception is Lloyd’s of London, which publishes realistic disaster scenarios to establish a common basis for estimating underwriting risk to a 99.5% degree of confidence.
Too short a timeframe
After the financial crisis, it emerged that a number of scenarios used by firms related to relatively normal events such as might happen every 1 in 10 or 1 in 20 years. This is probably unsurprising, since it is much easier to focus on events of which you are aware or which may occur within a career lifetime. This is known as availability bias.
Another flaw was to assume that scenarios have short durations, affecting no more than, say, one quarter’s earnings. While this may be true of a relatively benign scenario, it is highly unlikely to be true of an extreme scenario.
Outcomes too modest
Another issue is that scenarios often do not produce sufficiently large enough loss numbers. They usually produce large numbers, but availability bias – the experience of those devising the running of scenarios – means that they often fail to produce sufficiently large ones. Before the attack on the World Trade Center in September 2001, it would generally have been thought that a fall in equities of 40% could not have occurred at the same time as interest rates falling to a 50-year low, let alone happening at the same time as two world-class buildings being destroyed. But they did. Indeed, it is reported that six months before the attack the CIA had rejected the scenario of the twin towers being destroyed, let alone the other events occurring. As we have said before, scenarios demand a fertile imagination and a willingness to suspend disbelief.
Another reason for the failure to accept sufficiently extreme outcomes is that very large outcomes are not believed to be credible by the business. This is easily managed by involving senior management and business management in the scenario development process.
While scenarios generally do produce large loss numbers they can also, counter-intuitively, produce relatively small numbers. This happens when certain controls are assumed to have failed during a scenario, but more vital and key controls are given fuller and more comprehensive attention. This may well lead to a lower than expected level of loss, if the key controls are then assumed to operate at their most effective and efficient level.
Not involving the business
Scenarios often tend to be performed as a mainly isolated exercise by risk management, in the misguided belief that senior management is too busy and will not be interested in them. Even in firms where scenarios are used as part of the firm’s normal management process, they are frequently undertaken within business lines and are not part of an overarching programme covering the whole firm.
If scenarios are linked to the business objectives of the firm, through for example the risk and control self-assessment, senior management often willingly gets involved in them, because the scenarios can help them understand the sensitivities to what are often their personal objectives set during their performance appraisals.
Mechanical, point-in-time
Scenarios have also often been conducted as a mechanical and point-in-time exercise, with little thought for the reaction of the board or senior management to the unfolding scenario. In reality, as scenarios unfold, management takes action over a period of time (which could be as long as 18 months) to mitigate the effect of the scenario on the firm. This point is often overlooked. In addition, a mechanical and point-in-time approach does not tend to take account of changing business conditions or incorporate qualitative judgements from different areas of the firm.
Failure to re-assess historic data
Firms which use historical events for scenario development and generation assume that very little change is required to the details of the historical event in order to forecast future risks. The rapid downward and upward equity market movements of 2008 and 2009 are a good illustration. The movements of the equity markets in the 1920s and 1930s were thought to be an overly extreme base against which to test scenario assumptions. Actually, they required updating for the very different communication capabilities and investor skills and practices which exist in the world today. It is also worth noting that the rapid recovery of the equity markets in 2020 during the global pandemic surprised most people.
It’s too severe
How to get to severe (but not too severe) scenarios can also be a challenge. For example, if three separate one-in-20-year events are considered and combined into a single scenario, in theory, there is a one-in-8000-year chance of that scenario occurring. However, this ignores the fact that dependencies often exist in scenarios.
Reputational risk ignored
Finally, many firms do not consider or capture reputational risk. This is despite the fact that many scenarios will inevitably contain a significant amount of reputational damage and that loss of reputation can be life-threatening.
…And how to do them better
Scenarios should be reviewed on a regular basis so that they can be adapted to changing market and economic conditions, as well as the changing risk profile of the firm. As new products, especially complex ones, are launched, the scenarios should be reviewed in order to identify potential risks and to incorporate the new products within the scenarios. The new products may even require additional scenarios to be developed, for example if a new product is launched in a country in which the firm has not previously operated.
The identification of risks which correlate, for example supply risk and production risk, or equity risk and interest rate risk, should be enhanced and how those risks aggregate should be considered. In addition, correlations between risks are often underestimated. It is either forgotten or ignored that correlations frequently break down under stress, and that different, probably unforeseen, correlations emerge.
Feedback effects across industries or markets, whether positive or negative, should also be considered, as should appropriate time horizons, rather than simply looking at the one-off effect of a scenario. For instance, the failure of Lehman Brothers in 2008, which could have been treated simply as the failure of a major counterparty, led to a significant feedback effect across the liquidity markets.
In our next blog Tony and John talk about scenario governance.
Mastering Risk Management by Tony Blunden and John Thirlwell is published by FT International. Order your copy here: https://www.pearson.com/en-gb/subject-catalog/p/mastering-risk-management/P200000003761/9781292331317
For more information contact us today on sales@risklogix-solutions.com