Designing Operational Scenario Tests That Build Proactive Risk Intelligence
How to leverage a scenario testing program to be prepared for any eventuality.
For many treasury and finance professionals, the possibility late this summer that the U.S. government might default on its debt emphasized the importance of preparing for all kinds of possible futures. Now the risk of default is looming large once again—and this is only one of many recent events to raise executives’ alert to threats outside their control.
From all the fallout of the Covid-19 pandemic through to the narrowly avoided government shutdown at the end of September, we have been operating in an era of constant systemic disruption. Living through these unpredictable situations has proven, time after time, that organizations in every industry need to strengthen their risk and resilience programs to account for scenarios that might once have been considered too obscure to plan for.
Shifting from reactive to proactive risk management enables an organization to anticipate disruptions and implement the necessary mitigation strategies to reduce the impact of those events. A significant component of this shift is ramping up a scenario testing program to better understand the potential impact of any disruption that might happen.
Financial Services Paves the Way for Scenario Testing
The first U.S. companies to face a regulatory requirement to perform scenario tests were the big banks. The Dodd-Frank Act Stress Test (DFAST) and Comprehensive Capital Analysis and Review (CCAR) regulations from 2010 set the requirement that large, systemically important banks must develop scenario and stress testing programs. Scenario testing programs analyze risk scenarios and simulations, which can cover a wide range of risk factors, events, and interdependencies. Stress testing, by contrast, focuses on a few key risk drivers, events, and impacts. Scenario testing is more probabilistic and quantitative; stress testing is more deterministic and qualitative.
All these tests are designed to determine whether banks have adequate capital to withstand adverse situations, and whether they have proper measures in place to protect customers and shareholders. More recent financial services regulations—such as the operational resilience requirements that have been put forth in Britain by the Financial Conduct Authority (FCA), Prudential Regulation Authority (PRA), and Bank of England (BoE)—also call for scenario testing.
Institutions that comply with these regulatory requirements end up with an adequate prediction of their preparedness for an economic shock against their balance sheets in the short term. However, the rules apply primarily to large, systemically important financial institutions (SIFIs), and they do not require tests to project the long-term effect that a sustained shock may have on dependent organizations or on those entities’ ability to adjust operationally. Further, the financial services industry’s stress tests require such a large commitment of time and resources that they simply would not be feasible or, frankly, useful for unregulated organizations.
That said, businesses in non-regulated industries need to ensure that their financial counterparties can withstand shocks, particularly if they rely heavily on debt financing. Without access to capital, they might not be able to make payroll, which would bring operations to a screeching halt.
Scenario testing offers significant benefits to organizations that are not SIFIs. It can help them identify where there may be gaps in their risk-mitigation initiatives or contingency plans, as they must understand the prospective impact of a catastrophic shock on their ability to operate and serve their customers. Through scenario testing, organizations can reveal which third parties support large swaths of their core operations. This enables them to implement effective mitigation strategies and avoid disruption by understanding, simulating, responding to, and preparing for the worst.
Scenario testing can also clarify how a catastrophic shock to a company’s largest lenders and holders of capital might impact its day-to-day operations. To achieve these insights, the organization must deeply understand which financial providers are critical to its operations, as determined by the institutions’ risks and how interwoven their services are to the organization’s core business functions.
Companies that are fueling growth through debt must also determine where they rely on liquid capital to function. An organization that relies primarily on one institution should seek out secondary or tertiary lenders—and sometimes even more alternatives—to ensure that it can mitigate the potential impact of a disruptive event. Some companies may opt for a different capital strategy to stay liquid. Organizations should approach operational stress tests in a way that evaluates capital flows and identifies the banks which support the organization and its third parties. Relying on partner banks to be stable because they perform DFAST and CCAR tests is not adequate; organizations need to have their own ability to pivot away from problems, both operationally and financially.
So, how should non-regulated entities implement scenario testing to ensure that they can withstand shocks and deliver on their brand promise through any disruption?
Implementing Operational Scenario Testing
At their core, scenario and stress testing enable organizations to evaluate impacts and responses under realistic conditions so that they can make data-backed strategic decisions. The process of scenario testing is all about understanding how your business operates, how it could break, and how it might be put back together. Scenario testing provides visibility into the potential impacts of possible events on important business services, which enables your organization to initiate workflows that address resilience gaps proactively.
However, this visibility does not happen automatically upon deploying a new piece of software. Tests are only as good as the internal and external information that is fed into them. The first step in launching a scenario testing program is to map your entire operational ecosystem, including business processes and business services along with third-party and supply-chain workflows.
Start by identifying the core services and products that your organization provides to customers; this mapping will look different for each organization. Next, conduct interviews across the organization—using either a top-down or bottom-up approach—to map the role of each of the organization’s business processes in delivering those products and services. Map applications that contribute to each process, and define the third-party criticality levels for each process. Once you have fully mapped your organization’s internal processes, extend the mapping out to supply chains and banking partners, down multiple tiers.
When the mapping is complete and you have a thorough understanding of how your organization—and its suppliers and funding providers—operate, you are ready to begin testing and trying to “break” processes so that you can understand how to put them back together.
Assess what data you have gathered through the business-process and supply-chain mapping, in order to determine whether you fully understand your organization’s operational ecosystem. Scenario and stress tests can provide actionable outputs only when they have enough data inputs. If you identify data gaps, ask further questions until you have the complete picture. Note that you can identify gaps in your data by doing scenario testing ‘lite,’ through tabletop exercises or by harnessing scenario-testing technology, just using core data. This pared-down approach can show you which processes are dependent on other processes and how those dependencies impact core product or service delivery.
Also note that you should perform operational scenario and stress testing in harmony with financial and market liquidity stress testing, as risks do not often exist in silos and multiple risks can compound on one another. Scenario testing with adequate data can provide predictability in the outcome of the stress test, and stress tests can provide a holistic picture of the potential impact of particular scenarios. For example, a stress test can highlight whether a hurricane would knock your business out of service for two weeks. By leveraging historical data in testing such a scenario, you can achieve data-driven analysis that supports real-time decision-making should the scenario become reality. It won’t happen on day one, but you can eventually be prepared for a wide range of scenarios if you use the right data inputs.
Since scenario testing utilizes tangible examples of business disruptions, those scenarios that have already happened to another organization, or that have a high likelihood of happening, can help key stakeholders better visualize the potential impact of a disruption. You can customize the scenario tests to your unique needs to see how your sites might be impacted. This approach can help encourage investment in whatever systems or solutions are necessary to proactively mitigate risk, and can effectively demonstrate your organization’s preparedness to relevant parties.
Choosing the Right Data
The output from your organization’s scenario- and stress-testing models will be only as good as the data input into the system. Thus, data aggregation needs to be an ongoing business priority so that you consistently have the best, most up-to-date information available for your proactive risk assessments.
You can choose among many different external data points, and you should always look to incorporate as much external information as possible. One area of focus should be historical disruptions in your industry; evaluate the impact of those disruptions on the business and services of organizations that are a similar size to your own. Similar businesses often break in similar ways, so looking at organizations that are like yours can help ensure your stress testing provides accurate insights into which proactive mitigation strategies could prevent negative outcomes for your company. And although the exact same scenario is unlikely to happen again, using available data on organizational losses can help to better inform your strategy.
Leveraging data from similar organizations is particularly relevant in the cybersecurity and information security spaces, as threats in these areas are emerging every day across various industries. Using available data can help you understand how a certain scenario affected a similar organization and how it has materialized within that business.
Scenario and stress testing help not only to proactively mitigate risks, but also to develop a better understanding of certain events’ potential impact and a plan for what to do if they ever happen. There is a plethora of publicly available data that spans different risk events. You will have to decide how much external data you want to bring into your analyses, versus how much proprietary data you want to use.
You Ran Your First Test … What’s Next?
There is no one-size-fits-all approach to scenario and stress testing; the tests should be run as often as you find value in them. The frequency should depend on your organization’s business continuity and operational resilience posture. The success of your business continuity and operational resilience program will rely heavily on the types of scenarios that you are running. For example, a stress test like CCAR is extremely intensive and time-consuming, and even a big bank cannot run this type of test more than annually if it is looking to meaningfully use whatever results come out of the tests.
If you can run the same scenario test multiple times, changing the inputs and variables and tracking those results over time, you will be better prepared ahead of an imminent event, in addition to being able to accurately predict event consequences and evaluate “what if” scenarios. However, you shouldn’t run scenario tests just to run them—make sure you are doing them in a manner that provides intelligent and actionable insights for your risk management program.
When organizations reach a level of maturity where they can run scenario tests across their entire operational ecosystem, trying to break various aspects of their production or financing or that of supply-chain partners, we might see regulations like CCAR or DFAST—with high complexity and depth—come into effect for businesses outside the financial services sector. Like many risk management initiatives, this would likely begin with regulations on banks, which would force them to develop adequate methodologies and to trickle down their improved risk management practices to non-regulated organizations.
Meanwhile, the outputs from stress testing can help risk professionals make a better case to their key internal and external stakeholders for securing investment in high-risk areas of the business. Ultimately, this will result in strengthened operational resilience, which in turn will enhance the company’s ability to drive sustainable growth. As we all know, customer trust is key, and downtime for an organization can result in a loss of that trust. Companies that remain resilient can better absorb the shock of disruptions and set themselves apart from competitors.
Driving growth and competitive differentiation is a key objective for most executive leadership teams and stakeholders, but resilience requires investment. By demonstrating how scenario and stress tests will generate return on investment (ROI), you can receive the required buy-in. And with the necessary buy-in, you can shift to truly proactive risk management and operational resilience.
Taking a Risk-based Approach to Scenario and Stress Testing
Risks will only continue to increase in frequency and severity. While you may consider some potential disruptions to be too obscure to test for, your organization needs to be prepared for whatever comes its way. By understanding how the business operates and performing scenario and/or stress testing to see where it might break in certain circumstances, you can make the case to stakeholders for risk management improvements and secure the investment needed to strengthen the company’s risk management posture.
Ultimately, it is not a matter of “if” the next disruption will happen, but “when”—and scenario and stress tests can help you better prepare, while ensuring that your organization has the right data to make agile decisions and deliver on its brand promise through any disruption.