Stress Testing & Scenario Analysis: October 2011

Stress Testing & Scenario Analysis
October 2011
Mick Campbell Stephen Boyd

2011 Deloitte LLP. Private and confidential.

The Agenda
1 2 3 4 5
Setting the Scene The Fundamentals An approach to stress testing and scenario analysis Using loss data to challenge stress testing and scenario analysis Working Scenario
Setting the scene - Stress, what stress?
Presentation title
Recovery in the US?
in Europe?
How about Asia?
Thoughts from the other side...
Human beings, who are almost unique in having the ability to learn from the experience of others, are also remarkable for their apparent disinclination to do so. Douglas Adams
The credit risk view: Credit is a system whereby a person who cant pay gets another person who cant pay to guarantee that he can pay Charles Dickens
On a more serious note......key findings from a recent Deloitte survey of ARROW and SREP visits relating to stress testing and scenarios:
The FSA has challenged the both the design and use of stress testing and indicated that often stress testing models and results are not understood by the Board. Key recommendations for Firms include: Establish suitable stress scenarios (both macro-economic and firm specific) which equate to 1 in 25 year events (referencing the FSA anchor scenario where needed); Provide an appropriate level of challenge regarding the key assumptions underpinning the stress scenarios; Ensure the integrity of the models; Obtain a complete and full analysis of the stress testing results, including the validity of management actions. Some Firms are developing formal stress testing policies and scenarios which can be used for a range of purposes including the effect of stress scenarios across funding shortages, capital reductions, reduced profitability and operational risk issues.
The Fundamentals
Presentation title

The Fundamentals
What is stress testing and scenario analysis?
Stress testing
Identifying how risk profiles respond to shifts in economic variables or risk parameters
Scenario analysis
Assessing the resilience of financial institutions and the financial system to severe but plausible scenarios
We will use these terms interchangeably today for simplicity!

10

The Fundamentals
Operational risk common challenges familiar?
Operational risk is subjective! How can we base our capital on something like this? Will the capital numbers ever become stable? Whenever you ask a business questions about their Risk SELF Assessment, the next time you see them, they have changed it Management want the lowest number possible we have the answer before we start and have to retro fit the scenario!
11

The Fundamentals
How can stress testing and scenario analysis help?
Complements other risk management techniques Adds a broader perspective to the risk profile Helps management gain a view of the complete risk profile The regulators favour it, and want it to be used to inform business decisions
......but very little prescription

12

The Fundamentals
Stress testing and scenario analysis for operational risk the challenges!
Applying another subjective process to a subjective process! Articulating the value for stakeholders in participating in the exercise can be difficult! People have a perception that they know what the key sources of risk is and can find it hard to change their view without evidence
13

A Typical Process
Using the existing Operational Risk Management Framework

Operational Risk Management Framework Risk & Control Assessment
Scenario Design
Scenario Execution
Is coverage complete? Would the controls be effective?
What are the top risks? What are the key controls?
Where have the material losses been occurring? What is happening in the industry? Are the any themes? Where has exposure been deteriorating What are the key measures and limits? What is outside of the Boards Appetite?
Loss Data Collection
What is the loss history? How much has this cost competitors? Is coverage complete? Are triggers set appropriately? Is there adequate predictive KRIs Is there appetite calibrated correctly? Are the limit complete & accurate?
Key Risk Indicators
Operational Risk Appetite
14
An approach to stress testing and scenario analysis
15
Presentation title

A potential approach
Operational risk an approach to developing stress testing and scenario analysis
Work Shop 1
Scenario Creation Scenario Approval Stress Numbers
Work Shop 2
Mgmt Action Review Mgmt Action Numbers
Modelling & Structure

Analysis Reporting
Communication Plan
Base
Comms
Review
Business plan review; Risk Register Review; External Loss Data Review; Large Exposure identification; Reverse stress; FSA requirement review; and Concentration review.
Balance sheet, P&L and Capital Plan review; KRI triggers review; and Mgmt Action validity and impact
Model creation / integration Key financials analysis; Capital Analysis; Risk Appetite and Capacity Review; KRI review; and Report structuring
Internal Communication strategy & plan; External communication strategy & plan; and Ongoing Review requirements
Snr Mgmt / Board Sign Off
16

What Does Good Look Like?
The key components of an effective stress testing & scenario analysis framework
Top Down Objectives Stress Testing Toolkit Scenario Design All objectives and outputs agreed and documented with appropriate methodology. Toolkit comprises MYST, RST and sensitivity tests. MYST results used to inform RST scenarios. Multiple scenarios are considered, covering a range of likelihoods; account for current and future business context. Templates Guidelines are in place for collection of quant and qual data, along with documented process and procedures
Governance process is fully Governance documented with clear responsibilities allocated throughout the process Stress testing reporting used to inform potential future performance plans; and supports management actions.
Reporting
includes description regulative and Scenarios competitive environments. Clear list of Description variables quantified. Outputs from models are cross checked from alternative sources; user guidelines have been documented Proactive and reactive mgmt are fully documented; Actions aligned to Recovery and Resolution Plan
All relevant staff trained, all staff Comms and educated about stress testing process; Training outputs are shared across firm. Management actions and future plans rely on stress test output
Models
Use Test
Mgmt Actions
17
Regulatory requirements understood Regulatory and met. Internal experts are identified Compliance who keep abreast of reg changes.

The stress testing toolkit Reverse Stress Testing Companies require to have thought through what different scenarios could make their business model unviable including from a reputational perspective and what mgmt actions they could put in place to try and mitigate the impact of the scenario. Use Test The FSA want to see that stress testing is being used by the firm to think about its business strategy; validate the Risk Management Framework; set limits and thresholds for Risk Appetite and KRIs; and integrate with existing models.
18
Multi-year stress tests Firms should consider scenarios that evolve over a few years for example, 35years. This can be achieved through alignment with the Long Term Strategic Plan.
Management Actions Firms need to provide evidence that all management actions, and their impacts, are credible. There should also be evidence of how the management action would be triggered e.g. MI review, KRI breach etc.

Reverse Stress Testing The Challenge

Other terminology you might have heard of... Test-to-destruction Stress-to-failure Break-the-Bank Business model stress test
The 'breaking' point of a firm may also be reached before a firms regulatory capital and liquidity resources are exhausted and therefore a breach in capital or liquidity regulatory limits is not necessarily the only 'fail' point of a firm. Some examples of indicators of a business model failure include:
Loss of confidence by customers
Loss of appetite from shareholders
Loss of confidence by auditors and regulators
Exhaustion of capital and liquidity resources
Collapse of a particular sector
Counterparties are unwilling to transact with the firm or seek to terminate existing contracts
Shareholders no longer have the appetite to provide capital to the firm
Auditors and regulators no longer recognise the firm as a going concern
Breach of regulatory ratios and unable to raise new funding required
The customer base no longer exists or is diminished resulting in a key failure of the overall business strategy
Outcome = Business Failure
Any of these events, stand-alone or in combination, could lead to the overall failure of a business
19
Using loss data to challenge stress tests and scenarios establishing fact from fiction
20
Presentation title

The Fundamentals
Operational risk capital must cover the unexpected or tail risks
The shape of the body of the distribution gives insight in the variability of the yearly volume of operational losses
The tail of the distributions is determined by low frequency high impact losses => The larger percentiles can be benchmarked against large industry loss cases
21

Analysis of external loss data is the starting point for identifying and assessing tail risks through scenario analysis
In June 2004, BNP Paribas, a French bank, reported that was ordered to pay a $46.13M (38.11M EUR) fine in a ruling upheld by France's Cour de cassation to settle charges filed by the Conseil de la concurrence (French Competition Council) that it had participated in an anticompetitive pact with other banks involved in the property loan sector.
In March 2005, ABN AMRO Inc, a US investment bank and subsidiary of ABN AMRO Holding NV, reported that it agreed to pay $278.4M to settle a class action suit related to the company's role in underwriting telecommunications company WorldCom Inc issue of corporate bonds Enron went bankrupt in 2001 and Barclays was accused of contributing to Enron's bankruptcy by helping it hide its true financial condition through financial structures. To settle the litigation, Barclays agreed to pay Enron $144M and in return Enron would allow the bank's $310M of claims to go forward in the bankruptcy case.
22

Example 1: Card services A risk managers perception of the operational risks she is facing
Cards business is all about managing fraud riskthat is what we do!

23

Example 1: Card Services factual data shows an entirely different risk profile
24

Example 1: Card Services A view on the tail risk The risk managers perception Factual data
25
A Working Scenario
26
Presentation title

A Working Scenario
Cyber Security Recent Press Coverage
27

A Working Scenario
Cyber security incident details
8.33 AM A traders computer was running slowly and called the IT help desk to see if they could help. 8.45 AM - The IT helpdesk checked the traders machine and noticed a series of unusual and suspicious background processes that were utilising a large amount of CPU: covert_data_collect, covert_data_send, cover_tracks. A ticket was left open and the IT helpdesk started to investigate further.......
28

A Working Scenario
Questions for consideration
1) Identification and activation: If the user hadnt identified the initial issue how would it have been identified? Once identified, how would the incident be escalated? How and by whom would the incident be investigated? How widespread might this issue be and how do we know? What response plans would be initiated? How could the malicious program have been installed?
2) Access and assessment What methods/access points could be used to facilitate an external security breach? How likely is it that someone would break in this way? Who is responsible for assessment of the risk? How do we differentiate between normal levels of attack and concerted attack? Without considering specific risks, would some methods give greater access than others? Would detection and escalation paths be any different?
29

A Working Scenario
Cyber security incident details
9.27 AM Internet investigation suggested that several other trading organisations had been targeted by a sophisticated attack that used a cover software program (financial news desktop tool) to install a series of malicious components that were designed to harvest sensitive data and send the information to a remote location. 9.37 AM The IT helpdesk checked the traders computer and found the financial news desktop tool was installed. After checking other traders machines it was found that 80% of machines where infected. 10.44 AM Head of trading reports to Compliance that sensitive competitor trading information has suddenly appeared in their inbox.....
30

A Working Scenario
Impact Analysis risks, motivations, and actions
3) Risks and vulnerability: What information is at risk? What could they find? How secure is this data, and what controls might stop them? What is the likelihood of successful access? What is the immediate impact of this issue? What might the longer term impacts be? Do the regulators need to be informed and if so what is the process for this? Could other operational risks be heightened because of this action? Can we estimate the overall impact to us? Could other operational risks be heightened because of this action?
4) Motivation: What other motivations could lead to someone breaching our information security and how would that change the risks and impact? 5) Actions: How would we react to such an event / what plans are in place / who is responsible? How would we know what had been done? Who undertakes the risk assessment? Who within the organisation needs to be told? Who will manage the internal/external communications? How would we try and mitigate the impact at the time?
31

A Working Scenario
Mitigation & wrap-up

1. Recap of the various intrusion methods we discussed What mitigating actions can be taken now to reduce the likelihood of intrusion? Are we confident and practiced in the steps to take should the intrusion occur? 2. Recap of the individual risks/sub-scenarios and impacts What mitigating actions can be taken now to reduce the impact of an intrusion? Are we confident that our sensitive information is adequately protected? 3. General Questions Any other IT risks / scenarios that have emerged that should be assessed? Any further connected issues to this scenario which need addressing?
32
Speaker details
Mick Campbell Director Deloitte LLP Email: micampbell@deloitte.co.uk Tel: 0141 314 5899 Mobile: 07900 607 601
Stephen Boyd Manager Deloitte LLP Email: sboyd@deloitte.co.uk Tel: 0141 304 5613 Mobile: 07827 843444
33
Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited (DTTL), a UK private company limited by guarantee, and its network of member firms, each of which is a legally separate and independent entity. Please see www.deloitte.co.uk/about for a detailed description of the legal structure of DTTL and its member firms. Deloitte LLP is the United Kingdom member firm of DTTL. This publication has been written in general terms and therefore cannot be relied on to cover specific situations; application of the principles set out will depend upon the particular circumstances involved and we recommend that you obtain professional advice before acting or refraining from acting on any of the contents of this publication. Deloitte LLP would be pleased to advise readers on how to apply the principles set out in this publication to their specific circumstances. Deloitte LLP accepts no duty of care or liability for any loss occasioned to any person acting or refraining from action as a result of any material in this publication. 2011 Deloitte LLP. All rights reserved. Deloitte LLP is a limited liability partnership registered in England and Wales with registered number OC303675 and its registered office at 2 New Street Square, London EC4A 3BZ, United Kingdom. Tel: +44 (0) 20 7936 3000 Fax: +44 (0) 20 7583 1198. Member of Deloitte Touche Tohmatsu Limited

Stress Testing & Scenario Analysis: October 2011

Enviado por

Dados do documento

Descrição original:

Título original

Direitos autorais

Formatos disponíveis

Compartilhar este documento

Compartilhar ou incorporar documento

Opções de compartilhamento

Você considera este documento útil?

Este conteúdo é inapropriado?

Direitos autorais:

Formatos disponíveis

Stress Testing & Scenario Analysis: October 2011

Enviado por

Direitos autorais:

Formatos disponíveis

Stress Testing & Scenario Analysis

Mick Campbell Stephen Boyd