The Risk insights Explorer is a uniquely adaptable solution for undertaking top-down risk assessments and strategic scenario modelling. In addition to the flexibility built-in through the use of each organisations own risk taxonomies, the Explorer can be configured to support the identification of risk interconnections with trends, emerging (upstream) risks, or programme life-cycle stage analysis.
Reverse stress testing consists in identifying a significant negative outcome and then identifying the causes and consequences that could lead to such an outcome. In particular, a scenario or combination of scenarios that threaten the viability of the institution’s business model is of particular use as a risk management tool in identifying possible combinations of events and risk concentrations within an institution that might not be generally considered in regular stress testing.
SYSC20 introduced rules on reverse stress testing, which require a firm to identify and assess events and circumstances that would cause its business model to become unviable. This chapter also requires the firm’s senior management or governing body to review and approve the results of the reverse stress testing exercise. This should help the firm’s senior management to identify the firm’s vulnerabilities and design a strategy to prevent or mitigate the risk of business failure.
The reverse stress testing requirements are an integral component of a firm’s business planning and risk management under SYSC.
In policy statement 09/20, “Stress and Scenario Testing Feedback on CP08/24 and final rules”, the Financial Services Authority introduced reverse stress-testing requirements for firms to identify and assess scenarios most likely to cause their current business models to become unviable.
The benefits of reverse stress testing are:
- Helping firms to understand key risks and scenarios that may put business strategies and continuance as a ‘going concern’ at risk; and
- Providing management and regulators with qualitative information on the potential vulnerabilities faced by the business so that they can identify appropriate actions that should be taken to manage such risks.
The key messages for firms are summarised as follows:
- Board and senior management should actively engage in stress and scenario testing, taking ownership and responsibility for establishing an effective stress testing programme and infrastructure in the firm.
- Senior management should take a key role in implementing the firm’s stress testing programme by being actively involved throughout the process, including in scenario selection.
- Senior management should take action as a result of stress testing and integrate stress testing outputs into the firm’s decision-making process.
- Firms should establish a stress testing programme covering all relevant levels of its business, all risk types and over a range of severities.
- Stress and scenario testing should be undertaken on a forward-looking basis, with sufficient use of firm-wide stress testing helping firms to identify risk concentrations, assess interdependencies and understand second-order effects.
- Firms should establish a robust stress testing infrastructure with appropriate IT systems and resources in place. The infrastructure should be periodically reviewed by senior management for its continued effectiveness.
- Firms should have clearly documented policies and procedures to enable effective implementation and maintenance of the stress testing programme, which should be periodically reviewed by senior management.
The Joo Janta 200 Super-Chromatic Peril Sensitive Sunglasses have been designed to help people develop a relaxed attitude to danger. They follow the principle “what you don’t know can’t hurt you” and turn completely dark and opaque at the first sign of danger. This prevents you from seeing anything that might alarm you. This does, however, mean that you see absolutely nothing, including where you’re going.
Human beings, who are almost unique in having the ability to learn from the experience of others, are also remarkable for their apparent disinclination to do so.
“How long does it take you to prepare one of your speeches?” asked a friend of President Wilson.
“That depends on the length of the speech,” answered the President. “If it is a ten-minute speech it takes me all of two weeks to prepare it; if it is a half-hour speech it takes me a week; if I can talk as long as I want to it requires no preparation at all. I am ready now.”
Great short content actually takes longer to produce than long content. At Risk Insights we sweat the small stuff whether it’s the image used, its’ timing or duration, the words and language, the music. We hope we get it right and the end result is a video that’s like a delicious amuse-bouche; an expression of our creativity and showcase of our development, and a tasty morsel best devoured in one bite.
The Risk Insights survey consists of 10 to 20 interviews with executives and leaders from across the risk function as well as different management levels and covers all units that directly interact with risk, as well as selected units that have only indirect exposure to risk.
Risk Managers are assumed to be at the leading edge of their profession if they provide quantitative measures of both probability and impact, and combine them to give an overall measure of risk. The most common such measure is to multiply your measure of probability of the risk with your measure of the impact of the risk as shown below:
Probability impact matrix with risk score
The example shows a risk that has been assessed as ‘medium probability’, ‘medium cost impact’, generating a ‘risk score’ of 15. A risk rating such ‘15’ will have no absolute meaning, (it would be inappropriate to conclude that such a rating is fifteen times more important than rating of 1).
While risk matrices are viewed by some as useful for ranking risk in order of significance (the bigger the number, the greater the risk), it can be irrational when applied blindly. Some advise caution, concluding risk matrices do not necessarily support good (e.g., better-than-random) risk management decisions, while others have described the PIM approach as hiding more than it reveals and that it can be a dangerous waste of time.
Unfortunately much risk analysis involves going through the motions to assign numbers without actually doing much thinking about what lies under the hood.
The correct treatment of risk requires both the impact and probability dimensions to be considered, and that focusing attention on those risks ranked as ‘riskiest’ by a multiplied figure of these two dimensions is dangerous. Indeed, the effect of low probability, high-impact risks will be quite different from that of high probability, low-impact risks, even though individually the risks can the same product term (impact x probability). It is important to consider such consequences when setting contingencies since, as would be expected, low probability, high impact risks require greater contingency than likely, low impact risks.
Just as the flap of a butterfly’s wing in the Pacific can supposedly lead to a storm in Chicago, Risk management experts have long argued that complex, tightly coupled systems inevitably break down.
In his 1984 book Normal Accidents: Living with High-Risk Technologies, Charles Perrow, visiting professor at Stanford University who specializes in the inherent risks of complex systems, argues that disasters in complex, tightly coupled systems are inevitable for three reasons:
People make mistakes, Big accidents almost always escalate from small incidents, Many disasters stem not from the technology but from an organisational failure.
Nor can engineering redundancy eliminate the risk, he wrote, because the redundancies add more complexity to the system, lead to a shirking of responsibility among workers, or to pressures to increase production speed.
In a survey of 250 companies’ chief information security officers, McKinsey found that on average, few believe their companies are prepared: the typical security executive gives his company a C or C- grade on six of seven key measures institutions are using to reduce the potential for cyber attacks. Only in incident response and testing did they give themselves a C+. And most CIOs told McKinsey they don’t put their company’s most sensitive data on an IT cloud.
As long as human behavior is coupled with free enterprise, it is unrealistic to expect that market crashes, manias, panics, collapses, and fraud will ever be completely eliminated from our capital markets. The best hope for avoiding some of the most disruptive consequences of such crises is to develop methods for measuring, monitoring, and anticipating them. By using a broad array of tools for gauging systemic exposures, we stand a better chance of identifying “black swans” when they are still cygnets.
Measuring Systemic Risk in the Finance and Insurance Sectors
Monica Billio, Mila Getmansky, Andrew W. Lo, and Loriana Pelizzon