Professional Documents
Culture Documents
Testing Risk Resilience
Testing Risk Resilience
As in the earlier financial crisis, the failures reinforced the need for stress testing.
Stress tests are exercises financial institutions perform to test their resilience to
adverse economic conditions.
Stress tests alone could not have saved the banks, as they are only one of several
essential elements for prudent risk management. The banks’ failure to prepare for
interest rate changes resulted from a combination of deficiencies. However,
adequate stress testing could have helped the banks identify mounting risks.
Since the financial crisis, some banks have incorporated or enhanced stress testing
into their risk management processes. The tests have proven particularly useful in
helping organizations navigate through macroeconomic uncertainties resulting from
the COVID-19 pandemic, inflation, and rising interest rates.
Stress tests boil down to answering a short, yet difficult
question: What would happen to the organization’s risk
indicators in an economic crisis?
As stress testing has grown more complex and regulated, internal audit is assessing
aspects such as how stress test programs are implemented and their
macroeconomic and business hypotheses. As other industries incorporate stress
testing in their daily risk operations, they can learn lessons from the banking industry.
The type of risk modeled (i.e., credit, market, liquidity, or operational risk).
The levels at which the tests are run. Tests could range from simple portfolio
analyses to complex institutionwide simulations.
To be efficient, some banks leverage this regulatory framework when they implement
their internal stresstesting programs. Moreover, both regulatory and internal
exercises often use variations of existing regulatory models, such as the internal
ratings-based model for credit and interest rate risk in the banking book for interest
rate risk. Internal audit can help organizations use stress testing in three key areas:
governance, information systems, and analytical models.
All material aspects of stress testing should be documented. Policies and procedures
should reflect the organizational arrangements, tools, data architecture, and
methodological analyses supporting the final and competing hypotheses and
scenarios. Although striking a balance between agility and traceability can be
challenging, internal audit can recommend documentation practices and facilitate
collaboration among different departments.
Do policies and procedures cover the entire life cycle and tools of the
organization’s stress-testing program?
How do the stress-testing results compare with external regulatory and sectorial
benchmarks?
Second, the MIS computes the macroeconomic scenario’s impact on the portfolio
and risk metrics. The system summarizes data to provide senior management and all
the areas involved with an overview of the results for each scenario. This requires
defining a report structure and relevant KRIs to provide senior management with
complete, accurate, and meaningful information for decision-making.
A good understanding of the data architecture will help internal audit determine the
frequency and scope of the audits. If stress tests rely on daily operations or the MIS,
the audit steps should be more efficient. However, if the organization has a separate
risk engine or relies on manual inputs, the audit plan needs to address them.
Can the MIS produce timely and reliable results, even under stressed
circumstances?
Statistical and mechanical models link the behavior of KRIs (e.g., probabilities of
default of their clients’ level of collections) to the economic conditions. These
analytical models can range from simple correlation analyses to complex credit risk
models based on historical data.