Implementing an Effective Stress Testing Program for Risk Management Governance and Regulatory Compliance

Banks across the globe are preparing for new governance-related requirements on stress testing, which represent the latest regulatory efforts to improve banks’ risk management frameworks and the responsibilities of their senior management. From an enterprise-wide perspective, the regulators are requiring institutions to design and implement a comprehensive stress testing program and management controls with clear objectives and operational owners, and recommended actions for contingency planning.

Figure 1. The core requirements of the stress testing regulations are aligned across regions¹

Source: Moody's Analytics

Under these frameworks, when regulatory expectations are not met, the regulators may consider a series of remedial actions, including but not limited to asset disposals, changes in the banks’ dividend policies and/or inability to pay dividends, mandatory issuance of new equity, leverage and growth limitations, and the mandatory conversion of contingent convertible debt (CoCos)².

Effectively, regulators want banks to use stress testing as a part of their business management process – not only for regulatory compliance³ – which represents a significant challenge in terms of data, systems integration, and workflow coordination. When designing a stress testing framework, this requirement provides a strong incentive for further integration of data management, stress testing analytics, and reporting into an enterprise-wide stress testing platform.

The Bank of England Prudential Regulation Authority (PRA) is introducing an annual stress test to assess banks’ resilience, monitor the UK financial system’s stability, and enhance capital and risk management practices at banks. This framework will be a core component of the capital and liquidity standards of the Bank of England and facilitate granular, high quality data to the regulator for ongoing supervision.

The SS6/13 supervisory statement provides banks with an overview of the regulatory expectations for the stress testing program. Section 3.4 of this statement covers requirements in terms of governance and the involvement of an institution’s senior management:⁴

“The PRA expects a firm’s senior management and governing body to be actively involved and engaged in all relevant stages of the firm’s stress testing and scenario analysis program. This would include establishing an appropriate stress testing program, reviewing the program’s implementation (including the design of scenarios) and challenging, approving and taking action based on the results of the stress tests. The PRA expects firms to assign adequate resources, including IT systems, to stress testing and scenario analysis, taking into account the stress testing techniques employed, so as to be able to accommodate different and changing stress tests at an appropriate level of granularity.”

In Moody’s Analytics view, the best policy guidance from the Federal Reserve (the Fed) that speaks to governance and frameworks for stress testing is the supervisory letter SR 12-7. This policy sets expectations in terms of governance for those institutions subject to the Comprehensive Capital Analysis and Review (CCAR) and Dodd-Frank Act Stress Test (DFAST) requirements. The regulatory expectation on stress testing is that the results of a stress testing program should be clear, actionable, well supported, and commensurate with the complexity and size of the organization.

“As noted under the new fifth principle of the final guidance, a banking organization’s stress testing framework will be effective only if it is subject to strong governance and controls to ensure that the framework functions as intended. Strong governance and controls also help ensure that the framework contains core elements, from clearly defined stress testing objectives to recommended actions. Importantly, strong governance provides critical review of elements of the stress testing framework, especially regarding key assumptions, uncertainties, and limitations. A banking organization should ensure that the stress testing framework is not isolated within a banking organization’s risk management function, but is firmly integrated into business lines, capital and asset-liability committees, and other decision-making bodies.”

In addition, the Office of the Comptroller of the Currency (OCC) has also released a proposal that would require banks with more than $50 billion in assets to form new risk governance structures, aligned with the Federal Reserve requirements.

“Banking organizations must design and implement comprehensive compliance and risk governance programs for the Volcker Rule, Dodd-Frank liquidity risk management standards, capital planning and stress testing, the changing derivatives regulatory landscape as well as other important legal and regulatory developments. The Federal Reserve and FDIC apply similar risk governance principles to large state banks and all three U.S. banking agencies apply some or all of these principles, over time, to mid-size banking organizations.”

Although the relevant European authorities (i.e., EBA, ECB⁵) have not published guidance for any new governance requirements specifically applicable in cases of a stress test, the Capital Requirements Directive IV (CRD IV) does introduce clear corporate governance arrangements and mechanisms for European banks that affect the design and implementation of a stress testing program.

The CRD IV rules concern the composition of boards and their function and role in risk oversight and strategy in order to improve their effectiveness. In addition, the market consensus is that an additional set of specific requirements on corporate governance for stress testing programs would be introduced in the near future if a regular stress test is requested by the European Central Bank (ECB) and/or European Banking Authority (EBA).

The status and the independence of the risk management function at institutions are also enhanced under the CRD IV. For example, the CRD IV states that supervisory authorities will scrutinize the banks’ governance arrangements, their corporate culture, and the ability of their management body to perform its duties. Further, supervisory authorities are required to play an important role in monitoring the risk governance arrangements of banks, which affects the stress testing governance programs at institutions.

Regarding remediation actions when minimum capital levels are not met by the banks under supervision, the CRD IV already prohibits banks from making distributions of dividends in relation to Common Equity Tier 1 capital to an extent that would trigger a breach of their combined buffer requirement. Under this scenario, institutions will also have to submit a capital conservation plan to their competent authorities. This is consistent with the stress testing-related remediation actions in other jurisdictions.

In addition, the Capital Requirements Regulation (CRR) states that the EBA is expected to develop draft regulatory standards for the methodologies used by the competent national supervisory authorities when assessing risk. In Moody’s Analytics view, the EBA will have to submit those standards to the European Commission by the end of 2014 (likely after the ECB releases the results from the Comprehensive Assessment – AQR and EBA stress tests). Therefore, more specific stress testing governance guidance may be published at that stage, especially if a regular stress testing exercise is established for ongoing monitoring and as an early warning indicator to minimize banking crises in Europe.

Governance has become a key tenet of stress testing programs in banks and a qualitative measure used by regulators to assess the rigor, auditability, and repeatability of the banks’ internal stress testing business processes. While all but one bank passed the quantitative assessment in the recent 2013/2014 US CCAR test, four more failed on qualitative grounds.

For example, the Fed’s 2014 CCAR objected to the capital plans of Citigroup, Santander, Royal Bank of Scotland, Zions, and HSBC⁶ due to qualitative deficiencies in their governance framework, analysis, internal controls, information systems, and assumptions when performing stress testing and creating their capital plans. As a consequence, these institutions cannot implement their capital plans (including increasing the pay-outs ratios or capital distributions to shareholders) until an updated plan is resubmitted and remediation actions implemented. The final result is important, but it is also crucial that banks show how stress testing-related metrics are calculated and used at the institution.

Regulators consider it a failure in management when data is not available, and a lapse in governance when data is present but a managerial team is unable to turn it into actionable information in a timely fashion. In either case, both are likely to lead to a failed stress test evaluation on qualitative grounds and the delivery of an urgent Matter Requiring Attention (MRA) letter.

It can be time consuming to set up and execute a stress testing governance program to enable oversight of the stress testing process, the construction and of execution of a defined stress testing process framework, and a single point of contact with the regulatory bodies. The generation of ever-changing swathes of data can become as much of a hindrance as a help.

In Moody’s Analytics view, there are a number of considerations that leaders should focus their attentions on when considering stress testing governance programs:

1. Stress testing program board: By its nature, stress testing is ubiquitous and requires cooperation, collaboration, and participation between business units. Banks should set up a single stress testing program board charged with the centralized coordination and oversight of bank-wide stress testing activities. This board should be led by the CRO and report to the executive board and CEO.
2. Bank-wide data: Due to the pervasive nature of bank stress testing, the aggregation, consolidation, and ultimate control and management of bank-wide data must also be considered a priority for management teams. Without the ability to efficiently pull together a complete picture of data across the bank, baseline that data, and then run scenarios in a controlled, methodical, and repeatable manner, teams can spend all of their time on data collection and quality issues rather than on the evaluation of results.
3. Obsolete technology: On an enterprise-wide scale, this can lead to chaos, confusion, and hugely inefficient and expensive processes. We estimate that a quarter of banks still rely heavily on obsolete technology, such as Excel spreadsheets and email systems, to provision their stress testing.
4. Stress testing-specific business information systems: It is absolutely essential that banks implement stress testing-specific business information systems that can institutionalize their stress testing framework and provide the functionality to manage data, control and orchestrate workflows, run scenario analysis while seamlessly integrating the banks’ models, and automate the generation of regulatory and management reports.
5. Support governance and control across geographies: It is likely that complex banks with foreign banking operations in multiple geographies will be required to execute simultaneous tests by different regulatory bodies using different scenarios in different territories. When reviewing options for the infrastructure to support governance and control across geographies, banks must consider the ability to quickly adapt to international standards and languages while providing results consistent with their other territories.
6. Automation and improved efficiency: Most banks typically take between one and four months to run their stress test. With automation and improved efficiency, comes the opportunity to reduce the time required and more frequently run stress tests. Banks that embrace this opportunity, will reduce cost and reap long-term business benefits. Stress testing then has the potential to move from a typically regulatory-driven exercise to a business-as-usual activity that contributes an additional dimension to the banks’ risk appetite measure and capital planning and budgeting analysis.

Regulators have increased their focus and expectations on documentation, workflow, processes, and unstructured information to emphasize the importance of stress testing as both a risk management and supervisory tool. The coordination with other relevant regulatory processes (e.g., Internal Capital Adequacy Assessment Process, or ICAAP) and requirements by jurisdictions is also critical when operationalizing a stress testing program – especially for global banks that may be subject to the CCAR in the US, Bank of England PRA in the UK, and EBA/ECB stress tests in Europe.

A stress testing program should focus on automating and streamlining the workflow process across the enterprise, identifying dependencies, and maximizing the return-on-investment by addressing key elements (see Figure 2).

Figure 2. Key elements of a stress testing program

Source: Moody's Analytics

The roles and responsibilities of the institution’s board of directors and senior management in the stress testing program are important. For example, in its discussion paper, the Bank of England stresses the need for senior management and the board to be closely engaged with the stress testing exercise. In the US, banks’ senior management is requested to provide the board of directors with sufficient information to facilitate their understanding of the stress testing used by the firm for capital planning purposes.

From an operational perspective, a stress testing program requires close collaboration among different stakeholders at a bank (e.g., finance, technology, risk, auditing, and business lines). Therefore, designing a proper stress testing governance framework is a necessary condition to successfully operationalize the stress testing requirements (internal and regulatory-driven) and set an effective, consistent view across the organization when deploying a stress testing program. Some of the questions that the institutions must answer for a proper design of the stress testing framework are:

• Technology and workflow design: How to best operationalize the stress testing program at the bank?
• Governance: Who are the owners of the respective tasks? Which body is responsible for the validation of results? What internal controls are needed? What framework is requested for each jurisdiction where the bank is subject to regulatory supervision?
• Policies and communication practices: Which policies and practices should banks use for the enterprise-wide stress testing function? How should banks build effective communication flows across divisions and business units?
• Consistency: Is there an alignment between internal/business units and regulatory stress testing requirements under applicable jurisdictions?
• Dependencies: Identify the key dependencies across the areas affected by the stress testing program, especially reporting, architecture and IT, modeling, data, and regulatory processes (e.g., ICAAP, ILAAP).
• Key performance and risk indicators: What are the KPIs linked to the stress testing program? How should banks reconcile these with the regulatory indicators and regulatory process?
• Modeling: Are the models properly designed and aligned with the goals of the stress testing program at the institution (e.g., level of granularity, top-down vs. bottom-up, etc.)?
• Contingency planning: Are the results of the stress testing program used for contingency planning? Does the stress testing program provide actionable results for the business?
• Documentation: Is the documentation solid and complete? Does the documentation meet the regulatory expectations on stress testing?
• Auditing and regulatory compliance: Can the results, models, data, and systems be audited? Does the data infrastructure meet the BCBS⁷ principles on data aggregation and management?

Finally, enterprise stress testing programs must be integrated into financial institutions’ management and governance frameworks to guarantee a consistent view across businesses, jurisdictions, regulatory requirements, and budgeting/accounting projections at both a group and subsidiaries level. Therefore, the institutions’ process and governance framework for stress testing calculations and workflows is becoming even more important than the calculation itself.