What Is Stress Testing in Risk Management

Stress testing is a common risk management process that helps to confirm that a planned business strategy can hold during specific scenarios. Many industries perform their own versions of stress testing, and they all might look a little different.

As an example, the aviation industry may perform stress testing on components for their aircraft to determine how they might perform after prolonged use, while a company in the healthcare industry might make use of stress testing to evaluate its preparedness and response capabilities to a pandemic outbreak.

One industry that must undertake stress testing is the financial industry. While it is important to understand that stress testing in risk management is not unique to this sector, we will explore the practice and its importance within the context of the financial industry in this blog.

What is stress testing?

In the financial sector, stress testing is a risk management practice in which highly sophisticated computer simulations employ hypothetical scenarios to predict the outcomes of certain events. Stress test scenarios can range in levels of severity from events that affect just the institution up to a full financial crisis with far-ranging national or international ramifications.

Why do we need stress testing in risk management?

Stress testing is needed as it helps a team to understand the current situation and set-up of the company and any decisions or changes that need to be implemented to guarantee success in the future. No one can predict precisely what might happen, and there are any number of factors that could change an outcome.

The outbreak of war, a new pandemic, changes to supply chains, or even poor weather conditions could all potentially play their part in disrupting the wider financial market. Since stress testing scenarios are strictly hypothetical, they allow financial institutions to fully explore potential losses or situations without actually risking assets. Once weaknesses have been revealed, steps can then be taken to minimise and nullify them. Companies and financial entities can then proceed with the knowledge that they are adequately protected should that scenario come to pass.

What protocols do financial institutions have to follow for stress testing?

Many financial authorities require the institutions under their jurisdictions to undertake specific stress testing in specific risk models. This then allows the institutions to measure the risk exposure for these particular scenarios.

Though we shall discuss stress testing across several authorities and jurisdictions within the UK, this article does not cover the full scope of demands for regulatory reporting and adherence. Individual firms should show due diligence to establish which regulatory bodies govern them and all tests expected of them.

Basel III

Most banks and financial institutions are required to adhere to the Basel III regulatory accord. This was devised by a consortium of central banks from 28 countries in response to the 2007-8 financial crisis. The latest addition to the framework, Basel III Endgame, was agreed upon in 2017 with the regulations due to take effect in mid-2025.

Banks and building societies in the UK

While Basel III serves as the international standard, many countries also develop their own stress tests for their banking institutions. In the UK, the Bank of England has authority as the central bank to require other banks to conduct stress tests. The Bank has plans to carry out a desk-based stress test in 2024 and has published a statement outlining their intentions for the test.

Though not every financial institution is a bank, some are still required to undergo stress testing to confirm that they are resilient enough to withstand severe economic downturns. These include building societies and some insurers.

Banks and building societies that are not required to take part in concurrent stress testing may still have to run scenarios to identify key risks. The Prudential Regulation Authority (PRA) published two such tests. They serve as a severity benchmark and template to support any internal capital adequacy assessment process (ICAAP) the institutions may already have in place.

Insurers in the UK

Insurers also need to ensure that they have effective measures in place, though this may be different from the stress testing banks are expected to undertake. The PRA also requires insurers to undertake reverse stress testing practices as part of their own risk and solvency assessment (ORSA) process.

Additionally, the PRA runs stress tests for specific insurance sectors. The next stress tests for the life insurance and general insurance sectors are due to run in 2025.

Protocols change across countries and jurisdictions. For more information about current regulations and expectations for resilience in financial services, check out C2's free ebook below.

What are the most common types of stress testing?

Stress testing involves running targeted simulations to establish any vulnerabilities that may exist. These simulations are not generated at random and can commonly be divided into one of three types, each with its own benefits:

1. Historical stress testing

Historical data from a past event is used to inform the scenario. For example, a bank may use the data they gathered during the 2008 financial crash to perform a historical stress test based on a similar scenario. They may use this to refine risk strategies covering areas such as liquidity, credit risk, and capital adequacy, all of which might be affected by a future crisis.

This benefits banks as they are being informed by real data collected from their performance in a historic incident, so they should be able to clearly see where they require improvement. In turn, they can then refine risk management strategies for future financial downturns that may arise.

2. Hypothetical stress testing

Unlike historical stress testing which uses real data, hypothetical stress testing makes use of invented data spawned from a theoretical future event. For example, an investment firm may conduct a hypothetical stress test using a scenario where geopolitical tensions have caused a sudden 30% drop in the stock market. This predicts and assesses the firm's ability to manage portfolio risk, the sudden withdrawal and loss of clients, and a volatile market.

Hypothetical scenarios allow institutions to prepare for unlikely but not impossible events. This allows them to have a strategy in place should these worst-case scenarios come to pass, hopefully allowing them to retain clients and maintain a relatively stable business during seasons of turmoil.

3. Stylised stress testing

A stylised stress test could make use of either historical or hypothetical data in its set-up, but it primarily tests a more specific scenario than one that might be used in the above testing. For example, a financial institution might perform a stylised stress test to simulate a major cyber attack against its online banking platform. This produces a highly controlled and simplified scenario where the firm can hyper-focus on the resilience of its cybersecurity measures and response protocols.

The benefit here is clear: stylised stress testing allows for detailed analysis and improvement of very specific targeted risks. This allows firms to have suitable plans in place for their most high-risk and potentially catastrophic scenarios and processes.

5 examples of stress testing

With those three types of stress tests established, let's take a look at some of the broader examples of stress testing that firms may choose to use as part of their risk management practices.

1. Operational risk

The scenario dictates a major operational error in a financial institution's transaction processing system. The purpose of the scenario would be to assess the impact of operational failures on transaction accuracy, customer satisfaction, and regulatory compliance.

The scenario would aim to test three key areas:

• Transaction integrity: To evaluate the systems in place to ensure all transactions are processed accurately.
• Customer impact: To assess the potential for erroneous transactions that would affect customer accounts and trust.
• Regulatory compliance: To ensure compliance with regulations from governing bodies that mandate accurate and timely transaction processing.

This stress test is performed to ensure that potential operational errors leading to significant financial losses are identified and mitigated before they can cause damage. Robust testing helps to identify weaknesses and improve the operational controls that prevent errors.

2. Reputation damage

This scenario could involve an increase in negative publicity as a result of high-profile fraud committed by an employee. A stress test is required to evaluate the potential impact on customer trust and the effectiveness of crisis communication strategies.

The scenario would test the following areas:

• Crisis communication: To test the institution's ability to quickly and effectively communicate both internally with relevant parties and externally to the public.
• Customer retention: To assess strategies to maintain customer trust and mitigate account withdrawals or closures.
• Brand protection: To evaluate measures to protect the brand's reputation in the wake of negative publicity.

Reputation is a critical part of the financial industry. This stress test ensures that robust crisis management strategies are in place to ensure that communication is quick and timely and that the correct protocols are activated swiftly during and after a crisis.

3. Technology failure

As reliant as we all are on technology, a critical IT infrastructure failure — such as a major server crash or a network outage, just like the recent Crowdstike global IT outage — can be catastrophic to a financial provider. A stress test evaluates the institution's ability to maintain operations and ensure business continuity in the event of tech failures.

The following aspects would be tested:

• System redundancy: Assess the effectiveness of backup systems and redundancy protocols.
• Incident response: Evaluate the speed and effectiveness of the institution's response to IT failures.
• Customer impact: Test the communication strategies for informing customers about service disruptions.

Stress tests in this scenario help to ensure that financial firms have the necessary backup systems and response plans to maintain operations and minimise customer impact during technology disruptions.

4. Cybersecurity breach

As suggested above in the stylised stress testing type, financial organisations need to stress test to mitigate the effects of a cyber attack that could lead to data breaches and system downtime. This will evaluate the institution's cybersecurity defences and incident response capabilities.

Such a test could cover the following three aspects:

• Threat detection: Assess the effectiveness of systems in detecting and responding to cyber threats.
• Data protection: Evaluate the measures in place to protect sensitive customer data.
• Recovery plans: Test the institution's ability to recover from cyber-attacks and restore normal operations.

These tests are imperative for financial institutions since they handle vast amounts of sensitive data. Stress testing for cybersecurity breaches ensures that institutions have the power and means to protect this data while responding efficiently and effectively to cyber threats, thus maintaining customer trust and regulatory compliance.

5. Regulatory changes

In the finance sector, authorities often introduce new compliance standards and regulatory guidelines that must be followed. Stress testing potential regulatory changes allows institutions to assess their ability to adapt to new regulatory requirements and maintain compliance.

These stress tests may include:

• Process adaptation: Assess the impact of regulatory changes on existing processes and systems.
• Compliance measures: Evaluate the institution's readiness to meet new regulatory standards.
• Cost analysis: Analyse the financial impact of implementing new compliance measures.

Regulatory environments are continually evolving in the financial industry. Stress testing allows institutions to prepare for new regulations, ensuring that they can adapt to new processes, maintain compliance, and avoid penalties and sanctions from governing bodies.

Manage your compliance and testing with C2's Meridian BCMS

Financial institutions need to conduct stress testing to ensure that they can respond to any threat that might come their way. Stress testing is a useful practice because it can be customised and shaped to fit any scenario and outcome. With companies throughout the financial sector required to perform stress tests, they need to ensure that they have good software to help them create the robust testing framework and outcomes they need.

C2's Meridian BCMS has a built-in exercise and testing module. Streamline your exercise management to create, schedule, and communicate details of exercises quickly and efficiently. Our software also provides a clear, auditable trail of all activities and decisions to aid your company's compliance readiness and ensure that you are always aligned with the latest industry regulations.

Book a demo today and find out how Meridian BCMS can help your stress testing requirements.