Whether it was Banks or Regulators who invented the concept of Stress Testing remains a matter for debate (a case of chicken verses the egg), but the impact across the sector during the last decade or so has been immense and with regulatory requirements continually evolving (and Banks investing heavily in their internal risk management operations to keep up), there is little prospect of matters dumbing down anytime soon.
Like it or not there is no question that the financial sector has accepted the need to swallow the bitter pill that is stress testing, but what about those in the non-financial world? Are there any potential boardroom lessons to be learned here from the Banks gruelling experience? Sure, industry execs do not have to face off to anything like the regulatory pressure applicable to Banks, but they do have their shareholder & investor interests to protect of which remaining diligent (as well as profitable) features high, making my answer to the question a most definitive "yes".
A bitter but necessary pill
For those unfamiliar with the concept of Stress Testing, Banks now have to demonstrate that they have sufficient capital to weather unexpected storms in the form of unfavourable economic scenarios such as a deep recession or financial crisis. In the tests such scenarios are presented in the form of a series of hypothetical events such as a sharp rise in unemployment or a sustained fall in property prices, where in each case the Bank has to model what the impact of such an event would be on its capital reserves. What the regulators are looking for is resilience in the form of capital adequacy and the Bank’s ability to weather the storm for if (or when) such an event arrives. It’s an ever evolving game of cat and mouse, yet love it or loathe it stress testing has served as a sharp wakeup call for the financial sector with the result that it is now far less likely that a Bank or financial institution will end up as so many did during the 2007-09 economic meltdown - namely caught severely undercapitalized or in some cases finding themselves simply bust.
Event Vs. Scenario testing
Some businesses do undertake a form of stress testing but this tends to be in the form of modelling for specific trigger events as occasionally reported via the risk register in annual reports. The key difference here is that the latter tend to be focused on the gradual evolution of core risk factors over time, or on specific incidents (an industrial accident for example) which whilst rare are also quite probable at some point in the future. Scenarios on the other hand focus more on dramatic, rapid & unexpected change. Think of it a little like planning for a lottery win. An extremely unlikely event, but someone, somewhere invariably does and the impact on their lives is near always dramatic.
Scenarios also differ in the sense that a single dramatic event can quickly trigger a domino effect at a business, sector, or even economic level. Take for example the theoretical consequences of a significant & successful cyber attack on a UK utility. If a critical infrastructure was taken out following such an attack then within hours the impact would be felt both in the workplace & home and public confidence would very quickly evaporate. The following tsunami could see utility share prices tumble, stock markets crash, political instability & the almost certain introduction of stringent regulations to prevent a repeat occurence. In such a scenario any utility operator found wanting in respect of the latter would inevitably face the prospect of losing their licence. Unlikely? Well some experts now say that a cyber attack of this magnitude is almost certainly going to happen. According to Ciaran Martin, head of the UK’s National Cyber Security Centre a major cyber-attack on the UK is a matter of “when, not if”, raising the prospect of devastating disruption to British critical infrastructure. Remember, someone, somewhere wins the lottery.
Stress Testing & Risk Management, complimentary medicine?
I’ve experienced stress testing first hand but confess that I am most definitely not a modeller nor hold any ambition to become one! My interest here is down to my involvement in the more general world of financial risk management, where throughout the course of my work I’ve more often than not been left aghast at how businesses miss highly predictable risks in their strategic planning, let alone those which are unforeseen.
Not that long ago I was engaged with one such business - a global leader in the manufacture and supply of hi-tech luxury yachting equipment. The company was profitable and expanding (via debt) and like so many in high growth mode, all eyes were focused on sales & expansion. The business also had one glaringly obvious risk within its supply chain modus operandi by opting to have over 50% of its key components manufactured externally and supplied on a non return basis; margins & profit being maintained by committing to aggressive supply contracts. Whilst severely flawed, this strategy was fine whilst sales remained robust (as forecast) and provisioning covered situations up to a c10% drop in sales. The one scenario the business had not planned for however was the collision of this less than perfect supply chain strategy with the global meltdown of 07-09. Shortly after further increasing its borrowing to expand into the Asian market the consequences of the latter hit hard. Within a relatively short space of time sales fell by over 30% (buyers in the luxury end of the market simply dried up) and the company’s working capital entered into a protracted & rapid downwards spiral as the result of too much stock, too little cash. Within months the business was unable to satisfy the financial covenants set by its lenders and a year later, having seen over 85% of its stock market value wiped off the board, the company (which had been under family control for over 20 years), was sold in what effectively was a "fire-sale".
It would be foolish to believe that the above only applies to big-business. The last decade has seen an explosion of emerging tech, challenger & disruptive businesses, many of which would probably find taking a lesson from the established Banking world as an affront to their values. But a lot of these businesses operate in the very sectors which have the greatest potential exposure to volatility if subject to sudden changes in the external environment. As an example, look what happened to literally 100's of the tech savvy payday loan operators (who ironically stepped in to fill a void left by the traditional lending sector). One stringent regulatory change in respect of capped interest rates later and within months almost 50% had disappeared. And what contingency planning had a very well known, disruptive taxi service in place when their licence to operate in London was suddenly withdrawn on account of public safety?
"Scientia potentia est"
Taking all of the above into account I believe that there is little to argue against businesses of all shapes & sizes taking a more aggressive & structured look at the risks they face and steps they need to take in order to quantify those risks in the context of broader scenarios, not just discrete sensitivities. The objective should be to adopt & implement a more proactive & structured approach to measuring business resilience, including the influence of more extreme, one-off events. At the very least, developing stress testing capability in these areas would inform businesses as to where they need to focus their efforts on maintaining that all important resilience. Certainly in the examples quoted above, it doesn't take a rocket sceintist to conclude that had such an approach been taken, difficult situations could well have been prevented from rapidly evolving into catastrophes.
The good news is that there is no need for businesses to invest in rocket scientists quite yet, for whilst the mechanics may be expedited within Risk, the natural home for stress testing resides with the strategy team. With this in mind it would be relatively easy for most organisations to incorporate stress testing into their strategic decisioning processes as it would be to start challenging basic assumptions and regularly reviewing existing systems. Applying rigid stress testing of balance sheets and cash flows under various scenarios would be a good starting point as would delving deeper into monitoring external events in addition to continuous risks (such as GDP). Risk-mitigation strategies could be modelled in addition to the risks themselves and it would take precious little effort for the executive team to initiate and sustain a conversation about risk that is explicitly tied to strategic planning, capital allocation and key decision making.
Stress testing cannot prevent stress, nor can it identify which scenarios might impact down the line. But it does enable executives to consider some previously overlooked sources of stress (especially when considering external risk factors) and shed light on the potential magnitude of their impact on their business and the adequacy of the latter's risk-bearing capacity to survive them. Knowledge which in today's highly connected & volatile business world, might one day prove invaluable.
