In response to the global financial crisis of 2008, the U.S. government enacted regulatory reforms requiring banks to perform an in-depth review of the risks in their businesses. Among the regulations, banks had to conduct stress testing and scenario analysis each year. These tests involved performing a “what-if” analysis of how their balance sheets, net income, capital cushion, and other key financial metrics would evolve if an economic stress occurred.
Since then, stress testing has helped banks greatly improve their skills at identifying, quantifying, and managing risks. That has enabled them to provision capital to absorb losses arising from systematic risk events.
But stress testing isn’t just for banks. The negative economic impact of the COVID-19 pandemic reveals the need for organizations to be prepared to respond to economic shocks. Organizations and audit functions in other industries can learn from the banks’ processes to implement stress testing in their business.
The Banks’ Experience
For banks’ capital-planning exercise, internal audit provides assurance that current, new, or changing processes are functioning as designed and controls are in place to mitigate risks. Auditors also identify improvements to enhance the accuracy of the results of stress tests.
Within stress-testing exercises, internal audit must review the entire end-to-end process — rather than individual components — to assess compliance with regulatory and board expectations. Companies must provide a summary of internal audit’s findings in their capital plan submissions to the Federal Reserve Bank.
The dynamic nature of capital, risk, and stress management poses unique challenges for internal auditors at banks. Auditors often must learn new systems, review complex loss and forecasting models, track remediation in real time, manage multiple engagements, and work on a timed schedule. Such requirements make planning imperative for these audits.
Any Organization Can Stress Test
Regardless of industry, internal audit can ensure that stress testing encompasses sound foundational risk management, effective loss and resource-estimation methodologies, a granular capital impact assessment, and robust internal controls and governance.
Assess Risks Within Scenarios U.S. publicly listed companies report “risk factors” in their annual 10-K Securities and Exchange Commission filings. This information details the most significant risks to the company such as major industrial accidents, cyberattacks, or employee malfeasance. By quantifying those risks and modeling their impact into the organization’s financial outlook, risk managers can provide insights into its vulnerabilities to key risks. However, organizations often view these risks in silos, which can lead them to miss today’s more complex, interconnected risks.
Organizations can greatly enhance this exercise by focusing on the scenario that may evolve and by reviewing the impact of a cluster of interrelated risks within that scenario. Risk managers then can focus on scenarios that may impact the business most severely.
Estimate the Impact of Tail Events A common risk management practice is modeling broader everyday market variables such as gross domestic product, inflation, or business-specific variables. Scenario analysis then focuses on whether core risk factors are likely to develop in the future.
Risk managers usually disregard low-likelihood “tail” events, preferring to focus on those events that are more plausible in their experience. They assume that in such extreme scenarios, teams can rally together to sustain business operations. However, COVID-19 is highlighting how seemingly low-probability events can add together to create a highly probable event with material impact.
Thinking about one-off events, such as a natural disaster or pandemic, can greatly enhance the versatility of a stress-testing exercise. The same is true of events that may have a more extreme outcome such as a large drop in revenues or staff reduction. In looking at such events, organizations can develop a deeper understanding of the impact these shocks could have on their business. That insight would enable them to allot resources to continue business operations under stress.
Model the Risk Mitigation Impact While it’s a good start to have a more in-depth review of potential business risks and plan for risk mitigation strategies, corporate boards can benefit from modeling the impact of those strategies on continued operations. Risk mitigating responses, such as reducing dividends and selling business assets, can develop into their own risks over the long term.
For example, during the pandemic, selling business assets may seem to be a quick way to recapitalize a business. However, those sales may have their own idiosyncratic impact that may show up only after the stress has subsided. Modeling the impact of such measures in response to the original stress event can give senior management more confidence in the exercise’s robustness.
Internal audit can be part of a cross-department initiative that assesses the impact on different interests such as employees, competitors, suppliers, regulators, and customers. Discussing how risk scenarios may impact each team and running reactions through models are ways auditors can help the business devise an organizationwide strategy.
Integrate Results With Strategic Planning The usefulness of stress testing will be limited if its results aren’t linked to strategic planning, capital allocation, and other business management decisions. A variety of senior management executives should participate to ensure testing has a meaningful impact. Performing an integrated risk measurement and planning exercise can quantify the amount of capital the organization would need to absorb stress and sustain operations.
Stress Testing Audits
Just like their counterparts at banks, internal auditors in other industries can help set up a stress-testing exercise. They also can provide assurance that the processes are being executed as intended.
Internal audit should consider several factors when setting up its audit plan:
- Well-defined objectives, oversight, and governance. Stress-testing frameworks should be designed with clear and well-documented objectives, and a governance structure that must be reviewed and approved by the board.
- Material risk capture. Testing should identify and quantify material risk that is relevant to the business. The risk-identification process should be comprehensive and consider both tangible and intangible risks.
- Resourcing. Staff members who are involved in stress testing should be well-trained and possess advanced skills. They should have sufficient oversight to provide guidance of their work.
- Challenge and review. Models, results, and the framework should be subject to independent challenge and periodic review.
- Technology and systems. Modeling and forecasting of stress and risks require robust systems and IT infrastructure. Such exercises deal with large amounts of data that need to be stored and processed appropriately.
Making Testing Sustainable
A well-planned audit can enable senior management to rely on internal audit’s ability to identify weaknesses in the stress-testing process, both from a stability and regulatory compliance perspective. Moreover, the audit can elevate material issues that may warrant management’s attention. By addressing the deficiencies internal audit uncovers, process owners and risk managers can make stress testing more sustainable.