Introduction

• It is important to understand how ORM fits into the financial industry’s Enterprise Risk Management (ERM) framework, which measures various risk types, including credit, market, liquidity, and operational risks.
• This figure presents an ERM framework applicable in the financial industry. It involves a risk management cycle that encompasses four stages – risk
  identification, risk assessment, risk mitigation, and risk monitoring. These
  stages may be carried out either together or sequentially, depending on the
  situation. The cycle is ongoing, reflecting the dynamic nature of risk management, as risk exposures evolve and new risks arise.
  
• Around the risk management cycle, three elements extend beyond the scope of operational risk and resilience and apply to all risks in an organization – risk governance, risk culture, and and risk appetite. In most industries, these three elements will be enough to complete the ERM framework. A fourth element unique to the financial industry is the role of risk capital and stress testing. These four elements must work together to ensure financial and operational resilience in financial institutions.
• ERM is guided by risk governance, culture, and appetite which determine priorities.
  • Risk governance outlines the roles and responsibilities of individuals in the three lines of
  • defense, and facilitates decision-making and reporting, often through committees.
  • Risk culture pertains to an organization’s values and behaviors when managing risk, while preferences on appropriate levels of risk-taking are expressed through risk culture, incentive structures, business strategy, risk-related policies, and risk appetite statements and limits.
  • Risk appetite defines an organization’s risk management priorities and the type and amount of risk they are willing to tolerate.
    These three elements are interconnected and they impact the capital levels of financial firms, which are influenced by both their regulatory capital required for risk-taking and their economic capital aligned with their own risk appetite.

Risk Governance

• The three Lines of Defense model articulates the roles, responsibilities, and accountabilities for the overall risk management of an organization. The responsibilities and accountabilities for each line are defined in risk governance policies.
  
• The first line of defense is responsible for managing risks, with designated risk owners having specific responsibilities. Risk owners are accountable for identifying, measuring, mitigating, and reporting the risk they own.
  They have the authority to make decisions ensuring an appropriate balance between risk and reward, and can expose the organization to risks within the limits of the firm’s risk appetite. The risk-return trade-off is either qualitative or quantified as expected revenues versus expected and unexpected losses, often expressed as RAROC in credit and market risk activities.
• The second line of defense oversees risk management activities in the first line by setting methods, tools, and models for managing and measuring risk types. They develop policies, train staff on risk matters, and raise risk awareness. The second line also monitors and tests the effectiveness of the ERM framework, and challenges risk controls or management activities performed by the first line.
• The second line of defense in banks typically includes credit risk, market risk, and operational risk management departments, as well as compliance and information security. It may also involve hybrid functions, such as legal, finance, and IT, when they participate in risk oversight.
• The third line of defense involves internal and/or external audits, and other independent third parties, who report independently to the board of directors. They evaluate the effectiveness of risk management activities in both the first and second lines. Internal audit may be outsourced to third parties, particularly by smaller institutions. External audit provides an extra layer of verification, sometimes called a fourth line of defense.
• The board risk committee oversees all risks across an organization. This committee is usually an independent body of the board of directors and functions based on a committee charter or terms of reference. This charter is often public, as part of the Pillar 3 rules.

Risk Culture

• Risk culture is intertwined with a company’s overall culture and goes beyond being vigilant and reporting operational risk incidents. At the enterprise-wide level, risk culture-and corporate culture – is “what happens when no one is looking”. Corporate culture encompasses the values, beliefs, and behaviors of all employees in a firm, which are influenced by the senior management and executives. The company’s culture has a significant impact on its risk management approach, ranging from cautious to bold and from compliant to questioning.
• In 2013, The Journal of Finance published a paper on the correlation between risk culture, risk management strength, and resilience of US bank
  holding companies (BHCs) during the financial crisis. The authors created a risk management index (RMI) to measure the strength and independence of the risk management function at BHCs (as shown in this table). They found that higher RMI correlated with lower tail risk, non-performing loans, and better operating and stock return performance during the crisis. Between 1995 and 2010, higher lagged RMI correlated with lower tail risk and higher return on assets, indicating that a strong and independent risk management function can reduce tail risk at banks.

  Variable	Description
  CRO present	A CRO (chief risk officer) function exists in the firm (dummy variable)
  CRO executive	CRO being an executive or not (dummy variable)
  CRO top 5	CRO amongst the top 5 paid executives in the firm (dummy variable)
  CRO centrality	CRO pay / CEO pay (in %)
  Risk committee experience	At least one non-executive director with banking experience
  Active risk committees	Regularly meeting more frequently than average

• Risk culture is viewed as a critical factor in determining the effectiveness of ERM frameworks by regulators.
  • In recent years, the New York Fed has organised a series of events, webinars, and publications aimed at reforming risk culture
  • The Australian Prudential Regulation Authority (APRA) highlighted the Commonwealth Bank of Australia’s (CBA) shortcomings in risk culture and governance in May 2018. These flaws caused a number of issues at the bank, including money laundering, overcharging customers, and data loss, resulting in the largest regulatory fine in Australian history.
  • The FCA in the United Kingdom regularly updates its regulatory enforcement perspective on risk culture and conduct.
• Finally, the risk culture and governance arrangements of an organization are important manifestations of its appetite and tolerance for risks, both financial and non-financial.

Risk Appetite

• Risk appetite refers to an organization’s willingness to accept risks in pursuit of objectives. In the financial industry, banks are willing to take financial risks, including credit, market, and liquidity risks that are central to their various activities. While operational risks are also present in banking activities, risk-taking for all these risks is constrained by allowable exposures, explicit controls, and monitoring that establish clear boundaries and conditions. These financial risks are associated with visible return premiums, but even their risk-taking is limited.
• A credit risk policy serves as a risk appetite statement for credit risk and covers aspects such as defining maximum lending per client, industry, currency, and term, identifying acceptable solvency and liquidity ratios, specifying eligible collateral in case of default, reporting monitoring metrics during the credit exposure, and establishing criteria for placing loans on a “watch list”. While not always explicitly named as such, credit risk policies have existed in banking for a long time before the emergence of the term “risk appetite”.
• Similar risk appetite statements apply to market risk limits in exposures to markets, products, and currencies, trading limits in VaR, volatility, and deviations to benchmarks, and monitoring of numerous metrics through automated systems in a trading room. Additionally, investment guidelines and portfolio limits apply to asset-management activities.
• Credit and market risk policies are structured similarly to operational risk appetite frameworks, which are based on limits to risk exposure, key controls, and monitoring metrics. In fact, the best practices for establishing operational risk appetite have been in use for decades in credit risk and market risk management, predating the term “risk appetite”.
• At the ERM level, risk appetite is typically communicated through overarching statements and criteria, which can range from a few pages to more detailed explanations of risk management strategies and priorities.

ERM And Financial Measures Of Risk

• ERM in financial services plays a critical role in risk management as well as ensuring an institution’s sustainability and solvency by providing enough capital funding to cover unforeseen losses that could occur in any of the major risk categories.
• The quantification of enterprise risk is reflected in the various components and actions of an ERM framework, including –
  • Regulatory capital and supervision
  • Economic capital
  • Risk-adjusted return on capital (RAROC) thresholds
  • Capital aggregation and diversification

The Role Of Regulatory Capital

• The central bank Governors of the Group of Ten countries established the Basel Committee for Banking Supervision (BCBS), which includes representatives from the banking authorities of each member country. The BCBS provides guidance for the regulation and supervision of banks in G-10 nations and beyond.
• The BCBS aims to achieve three objectives through prudential regulation of the financial industry –
  1. To ensure the solvency and soundness of all financial intermediaries
  2. To provide customers protection from undue risks (failure, fraud, opportunistic behavior)
  3. To promote the efficient and competitive performance of financial institutions
• By encouraging the soundness and solvency of financial intermediaries, BCBS seeks to ensure the global financial system’s stability. This is accomplished by imposing regulatory capital requirements, assessing senior management’s expertise and track record using the “fit and proper” criteria, and monitoring and reporting on the activities of the bank.
• In 1988, the BCBS introduced Basel I, which required banks to hold a minimum level of regulatory capital to cover unexpected credit losses. This capital was calculated as 8% of risk- weighted assets (RWA). The ratio was called “the Cooke ratio” after the BCBS president. Sovereign credit to OECD countries did not have capital requirements.
• As financial markets evolved in the 1990s, regulators expanded regulatory capital to market risk using Value at Risk (VaR) in 1996. In 2002, “Basel II” added operational risk regulatory capital and reformed credit capital calculation based on counterparties’ credit ratings. Despite these changes, the overall minimum requirement of 8% risk-weighted assets (RWA) as regulatory capital remained unchanged. While Basel regulatory frameworks are not legally binding, some jurisdictions passed laws to enforce Basel recommendations.
• Basel II introduced a three-pillar approach to banking regulation, which expanded beyond capital requirements.
  • Pillar 1 : Regulatory Capital – Mandatory minimum level of capital to cover credit, market, and operational risks, and minimum liquidity ratio.
  • Pillar 2 : Supervisory Review Process – Adjustments to the Pillar 1 requirements based on the specific risk profile of an institution, its activities, and the quality of its risk as assessed by the regulator and by the firm itself.
  • Pillar 3 : Market Discipline – Body of rules on mandatory information disclosures, yearly or quarterly, by financial institutions regarding the financial situation and risk information.
• “Basel III” is the latest financial reform that learned from the 2007-2009 crisis. It introduced a minimum regulatory ratio for liquidity risks and a countercyclical buffer, which requires banks to reserve an extra 2.5% of risk-weighted assets (RWA) during periods of economic growth. This provides additional protection during recessions or financial market crises.
• Despite regulatory efforts, regulatory capital requirement metrics can be unreliable as they are not very risk-sensitive and may not fully reflect the risk profile of the firm be reliable,. This is especially true for standardized approaches used under Pillar 1 for any risk types.

Economic Capital

• In addition to meeting the minimum regulatory capital requirements, financial intermediaries must determine their own capital needs that accurately reflect their risk profile and potential for covering unexpected losses. Economic capital is the level of equity and subordinated debt necessary for a bank or insurance company to cover unexpected losses for one or more risk types. The combined assessments of Pillars 1 and 2 are the regulatory equivalent to economic capital.
• Tier-1 banks typically use internal modeling approaches and qualitative capital overlays to calculate their economic capital needs, particularly for hard-to-measure and emerging risks.
• Large banks link their required level of economic capital to maintaining their credit rating, which affects their cost of funds. A higher capital buffer can improve creditworthiness and lower funding costs. The relationship between economic capital and credit rating is shown in the figure in the next page. Economic capital is calculated like a 𝑉𝑎𝑅 on the organization’s revenue distribution, taking into account diversification effects across all risk types. On average, AAA-rated firms have a 0.01% default probability over 1 year, while AA-rated firms have 3 basis points (bp). To achieve an AA rating, a bank calculates its economic capital to cover unexpected losses for any risk at a 99.97% confidence interval.
  

• Financial intermediaries need to allocate economic capital to every activity they engage in due to the risk it poses. This allocation of capital can be costly. As a result, big banks keep a close eye on the risk and return of their products and services by utilizing RAROC.

RAROC – Risk Adjusted Return On Capital

• Many banks adopted the RAROC metric in the 1980s and 1990s under Basel I. While it is mostly applicable to credit risk, it is discussed here within the ERM framework.
• ROE and ROC are crucial profitability measurements for companies in any industry. While ROE assesses profit relative to stockholder equity, ROC determines the percentage of profit generated per unit of capital, including debt in the denominator. RAROC is a risk-adjusted version of ROE, primarily used in banking, especially in credit risk activities, to account for the unique nature of lending. RAROC = Expected after-tax risk-adjusted net income/Economic Capital
• RAROC adjusts net income for EL generated by risk in the numerator and utilizes economic capital, or the equity required to cover risks, as the denominator.
• RAROC is a simpler metric for assessing credit activities, where historical data can be utilized to estimate EL. However, it is more complicated for market risk, where setting EL is often challenging and may be set to 0. Operational risk is generally not assessed using RAROC because it is difficult to associate explicit revenues with operational risk, compounded by uncertainty in economic capital.
• The level of granularity at which RAROC is estimated depends on the extent of the profitability calculations. RAROC revenues can be determined based on factors such as a transaction, a client, a portfolio, or an entire business line, depending on what falls within the scope of the profitability calculation. Expected losses (EL) are also subject to the same principle, with the credit EL being calculated for specific portfolios, types of clients, or segments of the business.
• Minimum RAROC requirements per transaction, client, and line of business provide pricing criteria, especially in credit. RAROC helps to
  • Quantify the bank’s funding cost,
  • Manage capital efficiently, and
  • Set objectives for the bank’s commercial agents.

Capital Aggregation And Diversification

• Once capital has been identified for each risk class, the next step involves aggregating total capital requirements. To account for the fact that risks may not all materialize simultaneously, regulators allow for some diversification measures to be taken across credit risk, market risk, and operational risk classes. Inter-risk diversification, depicted in this figure, aggregates the various risk classes to further diversify risk. This complements intra-risk diversification, which pertains to risk diversification within each risk class.
• Aggregated capital is less than the sum of the standalone capital for
  individual risks, leading to diversification benefits. Operational risk offers significant diversification benefits as it is typically less correlated with other financial risks due to its unique risk drivers. While credit and market risks tend to increase correlations during crises, operational risks tend to move independently. Therefore, aggregating operational risk with other risks can result in significant diversification benefits, with diversified operational risk capital being 30% to 40% lower than the sum of its components.
  

• In the United States, the focus has shifted to stress testing, particularly for operational risk. The Federal Reserve’s CCAR program models are now focused on forecasting more tangible losses than what the AMA required for operational risk, which aimed to estimate the worst- case scenario of total annual losses at the 1 in 1000 level (also known as the 1 in a 1000-year loss).
• Stress testing involves estimating expected losses under adverse economic conditions, including plausible idiosyncratic scenarios within the stress window. Rather than extreme percentiles, the emphasis is on conditional expected losses across scenarios of varying severity, which has made quantification much more practical for risk management purposes.
• Capital, whether it be regulatory or economic, is a through-the-cycle concept. Contrary to this, stress testing, is a point-in-time activity.

Stress Testing Framework For Financial Institutions

• Stress testing is a test used to determine the stability of a system by pushing it beyond normal capacity to observe the results. After the 2007-2009 financial crisis, regulators began promoting stress testing as a tool to assess systemic risk. The stress tests assess how institutions would fare under extreme operating conditions, with an emphasis on macroeconomic and market conditions that are the main drivers of losses. The goal is to ensure that institutions can absorb losses under those scenarios and remain operational.
• The Basel Committee views stress testing as an “important risk management tool that is used by banks as part of their internal risk management”. It helps banks anticipate adverse outcomes related to various risks and estimate the amount of capital needed to absorb losses in case of large shocks. Thus, stress testing provides insight into the necessary level of capital to endure worsening macroeconomic conditions.
• The 2007-2009 financial crisis significantly impacted global stress testing practices. The BCBS noted in its 2009 Principles for Sound Stress Testing Practices and Supervision that weaknesses in pre-crisis stress testing practices were highlighted in four areas –
  • use of stress testing and integration in risk governance
  • stress testing methodologies
  • scenario selection
  • stress testing of specific risks and products.
• The 2018 BCBS stress testing principles outline nine principles for banks. They are more general than the 2009 version and can be applied across jurisdictions due to the evolution and importance of stress testing. They provide guidance for a comprehensive stress testing framework that can adapt to changes over time.

1	Stress-testing frameworks should have clearly articulated and formally adopted objectives.
2	Stress-testing frameworks should include an effective governance structure.
3	Stress testing should be used as a risk management tool and to inform business decisions.
4	Stress-testing frameworks should capture material and relevant risks and apply stresses that are sufficiently severe.
5	Resources and organizational structures should be adequate to meet the objectives of the stress-testing framework.
6	Stress tests should be supported by accurate and sufficiently granular data and by robust IT systems.
7	Models and methodologies to assess the impacts of scenarios and sensitivities should be fit for purpose.
8	Stress-testing models, results, and frameworks should be subject to challenge and regular review.
9	Stress-testing practices and findings should be communicated within and across jurisdictions.

• A stress-testing taxonomy can aid in understanding the diverse stress-testing practices across jurisdictions and how they have developed over time. Additionally, it can assist banks in recognizing suitable stress-test planning and execution strategies by considering how regulatory expectations align with stress-testing practices in the taxonomy..
• The stress-testing taxonomy uses two dimensions to capture the characteristics of both bottom-up bank-driven and top-down supervisor-driven stress-testing approaches –
  • Dimension 1: Quantitative-Qualitative Approach Dimension This dimension covers a range of methodological approaches from highly quantitative to highly qualitative. Quantitative approaches, such as model sensitivity to parameter shocks, have been utilized for market and credit risk the longest. Qualitative approaches, such as macro stress testing and reverse stress testing, focus more on scenario analysis and non- model-based evaluations. For example, idiosyncratic scenario development to assess the impact of an event on a bank’s reputation or the effects of an economic recession on a bank’s operational risk exposure are qualitative approaches.
  • Dimension 2: Measurable-Immeasurable Risk Dimension This dimension ranges from probabilistic analysis of measurable risks to hypothetical analysis of immeasurable risks. Measurable risks involve assigning probabilities to outcomes and modifying model parameters in credit, market, and operational risk. Immeasurable risks involve analyzing unknown unknowns, or Knightian uncertainty. Analyzing the two possible ways an idiosyncratic risk may materialize falls under this category. Stress-testing approaches fall under three categories: parameter testing, macro stress testing, and reverse stress testing.
    

Stress Testing Types

1. Parameter Stress Testing
   Parameter stress testing, sometimes referred to as model stress testing, tests the robustness of a model by changing its parameters and analyzes measurable risks using quantitative approaches. This method is commonly used by banks for stress testing and outside of it. Market risk stress testing was one of the earliest types of stress testing using this method. Parameter testing also takes place in sensitivity stress testing for business and strategic planning purposes.
2. Macroeconomic Stress Testing
   Macroeconomic stress testing involves regulators providing G-SIBs (globally systemically important banks) with a list of macroeconomic shock scenarios to assess their solvency. This type of stress testing seeks to stress both measurable and immeasurable risks using both quantitative and qualitative approaches. The objective is to understand how banks will perform in adverse macroeconomic conditions, and the focus is on the impact of changes in macroeconomic factors on the output of models. Macro stress testing differs from parameter testing in that it does not focus on statistical scenarios but rather on estimating outcomes based on a set of macroeconomic scenarios. The exercise is run bank-wide and is an important step for demonstrating financial and operational resilience.
3. Reverse Stress Testing
   Reverse stress testing identifies potential scenarios that could lead to a banking institution’s failure and assesses the likelihood of these scenarios. This testing relies on qualitative approaches and considers immeasurable risks, such as a downgrade in credit rating, severe portfolio losses, or the loss of a major client. The aim is to identify vulnerabilities in the organization’s business and operational model, including tail risk events, and to explore potential mitigating actions or triggers for future action. Reverse stress testing is primarily a risk management tool, rather than a tool for calculating financial resources. If unsustainable shocks are identified, the organization needs to produce wind-down planning scenarios or resolution planning.

Resolution Planning

• Resolution planning involves creating a plan to ensure that the institution can be closed down in an orderly manner, with minimal disruption to stakeholders and the financial system. This planning process requires the organization to identify the specific types of events that could lead to a wind-down, such as significant financial losses, loss of key clients, or damage to critical infrastructure.
• In order to do this, the organization must review its business model, exposures, and vulnerabilities, as well as its revenue drivers. The wind-down planning process should also involve determining key indicators for winding down, assessing the impact of closure on internal and external stakeholders, and planning for a transition period with reduced resources.
• Additionally, the plan must account for the resources necessary for an orderly closure in terms of liquidity, solvency, personnel, and infrastructure.

Stress Testing For Operational Risk

• Since the great financial crisis of 2007-2009, stress testing for financial institutions has largely been synonymous with macro stress testing. However, the COVID-19 pandemic created both macroeconomic shocks and operational shocks for banks that largely exceeded any macroeconomic stress tests prescribed by regulators.
• Modern-day operational risk stress testing goes beyond the loss distribution approach (LDA). The focus is on projecting losses under stressed macroeconomic conditions and understanding how risk changes over time. Banks need to develop robust frameworks to forecast a variety of macroeconomic scenarios, utilizing appropriate methodologies such as regression and scenario analysis.
• The US Federal Reserve’s CCAR program is advanced in terms of its expectations for operational risk stress testing, which should relate to the institution’s risk identification process. Frameworks developed since the Fed’s supervisory letter SR 15-18 have decreased the proportion of total forecasts produced by quantitative models and increased the contribution of scenario analysis and expert judgment.

Operational Risk Stress Testing Framework

• To develop an operational risk loss forecast based on quantitative and qualitative techniques, banking institutions need a comprehensive stress-testing framework consisting of three components –
  1. Expected non-legal loss forecast module – This uses a quantitative model to project a loss forecast for each risk type, refined by expert judgement.
  2. Legal loss module – This forecasts losses for expected immaterial “bulk” litigation cases, conditional expected litigation losses from the current legal case load above the reserved threshold, and incremental future litigation cases.
  3. Idiosyncratic scenario add-on module – This covers bank-specific risk exposures derived from storylines designed to capture a bank’s unique operational risk profile. A storyline can be a single scenario of extreme events or a combination of them. An example of a combination of events would be when external shocks trigger a chain reaction of tail operational risk events within a firm, such as system disruption, cyberattack, customer withdrawals, and reputational damage.
     

• The non-legal loss forecast module has two components –
  1. A quantitative model that produces loss forecasts for risk-type segments in baseline and adverse macroeconomic scenarios.
  2. Expert refinement through qualitative scenario analysis with subject matter experts to refine the model output based on the institution’s business and risk profile, controls landscape, and industry developments.
• To develop the methodology for the model component of the non-legal loss forecast, financial institutions must first determine if their operational risk losses are sensitive to macroeconomic factors. This issue remains unresolved, with some arguing that operational risk is unique to each institution and not influenced by macroeconomic conditions. Despite mixed research results, there is growing regulatory pressure, particularly in the US, to connect operational risk losses to macroeconomic conditions.
• Banking institutions should strive to establish a structured approach to connect macroeconomic conditions and operational risk losses, even though it may be challenging. Not all loss types will have a direct relationship with macroeconomic variables, so institutions should focus on understanding the connection between certain event types and macroeconomic variables.

Operational Risk Stress Testing Models

• Banking institutions can model total operational risk losses or separate them into frequency and severity components when developing macroeconomic-based stress-testing models. The preferred approach is to model frequency and severity separately, and two methodologies are typically used –
  • Regression models are used to capture the relationship between operational losses and macroeconomic conditions, with frequency and severity modeled separately and combined through multiplication.
  • Loss distribution approach (LDA) models are commonly used for regulatory and economic capital modeling but can be unstable. A variation is the “conditional” LDA model, where the frequency of losses is dependent on macroeconomic variables, assuming operational risks’ sensitivity to macroeconomic conditions.
• Traditional LDA is seen as a backup option when regression models fail, as it assumes a fixed risk exposure that doesn’t change over time, making it ill-suited for stress testing. Conditional LDA reflects a tradeoff between LDA and regression-based stress tests, using a regression model to capture changes in frequency and assuming a constant severity distribution. Expert judgement is used to select a higher percentile reflecting expected average losses in a stressed environment, which is then combined with frequency forecasts through Monte Carlo simulation. The challenge is choosing an appropriate percentile for severity, as using the regulatory capital percentile of 99.9% would always project undercapitalization. Stress testing aims to assess whether an institution’s capital is sufficient to withstand specific macroeconomic environments. Regulators have addressed the flaw by not imposing any percentile requirement on stress testing by establishing a principle that stress testing frameworks should capture relevant risks and apply sufficiently severe stresses.
• Just like frequency, the severity of operational risk losses can be assumed to be influenced by macroeconomic factors such as regulatory and legal indicators, geographical factors, and per- capita GDP. A study found that different risk types are correlated with various economic indicators, with Internal Fraud and Clients, Products and Business Practices losses linked to constraints on executive power, insider trading, securities and shareholder protection laws, banking activity restrictions, supervisory power, and governance index.
• However, modeling the distribution of severity losses is more challenging as it is heavily impacted by tail events, making the mean estimator non-robust. Banks can use median severity or other approaches to mitigate the impact of outliers. Regression analysis is used by some institutions to estimate average loss severity, incorporating macroeconomic variables to capture the impact of adverse economic conditions. Simple linear or log-linear models are typically used, with explanatory variables including macroeconomic or other relevant factors. Regression modeling is seen as a credible, data-based method for projecting average severity under different macroeconomic conditions. Some banks use simplified analytical approaches if unable to develop a more sophisticated method.
• After the model produces an estimate of stressed losses, an expert refinement is performed using scenario analysis to ensure all material risks are adequately covered, particularly for risks with little historical data or that are changing. This refinement relies on qualitative analysis by subject matter experts who are either risk management or business experts. The risk owner and specialist review and challenge the model-based non-legal loss forecast process, inputs, and outputs, including historical data, modeling approaches, and plausibility of resulting forecasts. This is required to validate every operational risk capital model. Subject matter experts identify and discuss any potential or recent changes to conditions that could invalidate historical loss experiences or other approaches to mitigate the impact of outliers. Regression analysis is used by some institutions to estimate average loss severity, incorporating macroeconomic variables to capture the impact of adverse economic conditions. Simple linear or log-linear models are typically used, with explanatory variables including macroeconomic or other relevant factors. Regression modeling is seen as a credible, data-based method for projecting average severity under different macroeconomic conditions. Some banks use simplified analytical approaches if unable to develop a more sophisticated method.
• After the model produces an estimate of stressed losses, an expert refinement is performed using scenario analysis to ensure all material risks are adequately covered, particularly for risks with little historical data or that are changing. This refinement relies on qualitative analysis by subject matter experts who are either risk management or business experts. The risk owner and specialist review and challenge the model-based non-legal loss forecast process, inputs, and outputs, including historical data, modeling approaches, and plausibility of resulting forecasts. This is required to validate every operational risk capital model. Subject matter experts identify and discuss any potential or recent changes to conditions that could invalidate historical loss experiences.

Stress Testing Framework For Financial Institutions

• The legal loss module predicts a bank’s litigation-related losses over the stress-testing period. These losses are a significant portion of a bank’s overall operational risk. However, there is a challenge in forecasting legal losses due to the delay between adverse economic conditions and actual legal losses, which may not occur until years later. Therefore, any forecast must consider the time lag between the factors driving the estimate and the occurrence of losses.
• The idiosyncratic scenario add-on module captures a bank’s unique operational risk profile and is a critical component of scenario analysis in stress testing. This module should be developed through a transparent and well-supported process, addressing vulnerabilities specific to the bank. Storyline development follows after the selection and filtering of top material risks.