Scenario Analysis, Stress

and Reverse Stress

Testing
Operational Risk Sound
Practice Guidance

An IRM Group Company

Foreword
The Institute of Operational Risk (IOR) was created in January 2004 and became part of
the Institute of Risk Management in 2019. The IOR’s mission is to promote the development
of operational risk as a profession and to develop and disseminate sound practice for the
management of operational risk.
The need for effective operational risk management is more acute than ever. Events such as
the global financial crisis or the COVID-19 pandemic highlight the far-reaching impacts of
operational risk and the consequences of management failure. In the light of these and numerous
other events organisations have to ensure that their policies, procedures, and processes for the
management of operational risk meet the needs of their stakeholders.
This guidance is designed to complement existing standards and codes for risk management
(e.g. ISO31000). The aim is to provide guidance that is both focused on the management of
operational risk and practical in its application. In so doing, this is a guide for operational risk
management professionals, to help them improve the practice of operational risk in organisations.
Readers looking for a general understanding of the fundamentals of operational risk management
should start with the IOR’s Certificate in Operational Risk.
Not all the guidance in this document will be relevant for every organisation or sector. However,
it has been written with the widest possible range of organisations and sectors in mind. Readers
should decide for themselves what is relevant for their current situation. What matters is gradual,
but continuous improvement.

The Institute of Operational Risk Sound Practice

Guidance
Although there is no one-size-fits-all approach to the management of operational risk,
organisations must benchmark and improve their practice regularly. This is one of a series of
papers, which provides practical guidance on a range of important topics that span the discipline
of operational risk management. The objectives of these papers are to:
• Explain how to design and implement a ‘sound’ (robust and effective) operational risk
management framework
• Demonstrate the value of operational risk management
• Reflect the experiences of risk professionals, including the challenges involved in developing
operational risk management frameworks

2
Contents
1. 1 Introduction 4
2. Demarcating Scenario Analysis, Stress and Reverse Stress testing 5
3. Conducting Effective Scenario Analysis, Stress Testing and Reverse Stress Testing 6
3.1 Identifying and agreeing the focus of analysis 6
3.2 Determining the level of analysis 8
3.3 Preparing for a workshop 9
3.4 Conducting a workshop 9
3.4.1 The participants 10
3.4.2 Key output variables 10
3.4.3 Assessing probability and impact 11
3.4.4 Workshop analysis techniques 12
3.5 Validation of outputs 13
3.6 Governing the process 13
4. Making Effective Use of the Outputs 14
4.1 Reporting the outputs 14
4.2 Using scenarios to support risk assessments 15
4.3 Risk and capital modelling 15
5. Further Guidance on Stress Testing and Reverse Stress Testing 15
5.1 Stress testing 15
5.2 Reverse stress testing 16
6. Conclusion 17

3
Section 1 - Introduction
The accurate assessment of operational risk is a major challenge for organisations. Often
historical data on probability and impact is limited and even when available there is no guarantee
that historical trends will repeat themselves.

Particularly problematic are low probability, high impact ‘tail’ events, where data is often non-
existent. Likewise, dynamic organisational environments, where there are high levels of internal
or external change (e.g. political, technological or social change), further reduce the value of
tracking historical tends.

Scenario analysis, and the related tools of stress and reverse stress testing, have emerged as
common responses to the problems of limited data and unreliable trends. When done effectively,
these tools can shed light on uncertainty and help organisations to prepare for and pro-actively
respond to operational risk events. This includes, but is not limited to:
• Enabling management to test the resilience of their organisation in relation to major
operational risk events and providing an opportunity to discuss, in advance, how to respond
to them
• Providing a forward-looking perspective, by focusing on managers’ attention on future
operational risk events that may differ from those in the past
• Offering a break from day-to-day risk management activities, helping managers to think
creatively about future operational risk events and to share their knowledge and expertise in a
less time-pressured environment
• Complementing other risk identification and assessment techniques, such as loss event
analysis and risk and control self-assessment. By incorporating the data produced by these
techniques and providing structured methods to fill in knowledge gaps
• Improving the control environment, where potential gaps or weaknesses in existing controls
are identified as part of the analysis

4
Section 2 - Demarcating Scenario Analysis, Stress and
Reverse Stress testing
Figure 1 illustrates the relationship between scenario analysis, stress testing and reverse stress
testing.

Figure 1: comparing scenario analysis, stress testing and reverse stress testing

Stress testing involves the assessment of specific stress events that might occur within the
external operating environment of an organisation and which may impact on a range of risk types,
including operational risk. Examples include an economic recession, pandemic or political events
like Brexit. Stress events have the potential to seriously disrupt the strategy and operations of an
organisation, making them high impact, though usually, the probability of occurrence is low.

Reverse stress testing involves analysing events that threaten the viability of an organisation,
causing insolvency or bankruptcy. The starting point of reverse testing is to identify the point
of non-viability, usually in terms of determining the maximum financial loss that an organisation
can withstand and then considering the types of internal risk event that may cause losses which
exceed this value. From an operational risk perspective, this may include a major IT failure or
fraud, for example.

Scenario analysis encompasses an element of stress and reverse stress testing but can be used
in a wider range of applications. Scenarios need not be extreme stress events, for example, but
more common situations that have a higher probability of occurrence, up to and including events
that may be expected to occur once or more a year. In contrast, the events considered as part of
the stress and especially reverse stress testing will occur much less often and have a significantly
higher impact.

An alternative perspective on demarcating stress and scenario testing is in terms of the number
of variables analysed. From this perspective, stress testing involves analysing the impact of major
changes in a limited number of variables (usually one or two), while scenario analysis is said to
involve the analysis of changes in a wider range of variables.

5
For example, a stress test might analyse the financial impact of a significant change in interest
rates or the rate of inflation. In contrast, scenario analysis would consider the wider implications
of an economic recession (increased unemployment, reduced credit ratings, etc.).
The IOR’s view is that, while a variable based distinction may apply in an accounting, finance or
strategic risk perspective, it does not apply from an operational risk perspective. This is because
operational risk events are multi-faceted and necessarily involve changes in a range of variables.
These changes may be relatively small or stressed to a significant degree. Hence a better way to
distinguish between scenario analysis and stress testing is in terms of severity of impact, rather
than the number of variables to be considered.

6
Section 3 - Conducting Effective Scenario Analysis,
Stress Testing and Reverse Stress Testing
Like most risk identification and assessment tools, effective scenario analysis, stress testing and
reverse stress testing is a process that involves a number of stages. These are as follows:

• Identifying and agreeing the focus of analysis

• Determining the level of analysis
• Preparing for a workshop
• Conducting a workshop
• Validation of the outputs
• Governance of the process

Each of these sub-elements is explored further below.

Section 3.1 - Identifying and agreeing the focus of analysis

Effective scenario analysis, stress testing and reverse stress testing can take significant time and
resources. This means that the potential number of topics that can be analysed at any given time
is limited. As a result, it is important to ensure that those selected are the most relevant.

For organisations that categorise their operational risks (see IOR Sound Practice Guidance
on Operational Risk Categorisation), one common approach is to select one topic for each of
the level 1 or 2 operational risks that their organisation is exposed to. However, this is a rather
arbitrary approach, especially where some categories are considered more or less significant
than others. Ultimately the number of topics per risk category should vary depending on
the nature, scale and complexity of an organisation and the stability of its operational risk
environment. There is no point in selecting a topic for a non-significant risk category. Equally, the
most significant risk categories may require the analysis of multiple topics.

In choosing the topics to focus on, a consultative approach is recommended. The (operational)
risk function should work with the wider management of the organisation to select those
considered most relevant. This includes working with senior group management and business
unit management where appropriate. It may also include working with the board for the analysis
of the most major group-wide operational risks, especially in relation to topics for reverse stress
testing. From an operational risk perspective, relevant topics for analysis/testing will come from
the external and internal environment of an organisation. Table 1 summarises some common
environmental sources:

External Environment Internal Environment

Operational risk events that have recently Operational risk loss events and near misses
impacted similar organisations. Plus, that have occurred within the organisation.
operational risk events identified as being Near misses can be especially useful in
of particular significance over the coming topic selection. Allowing the organisation to
year (e.g. as identified by professional investigate how impactful they would have been
organisations, regulators, or institutions like the as they crystallised into losses
World Economic Forum)
Regulatory or legislative changes, such as the Output of the risk and control assessment
risks associated with new laws or regulations process, especially the most significant risks
(e.g. GDPR) in terms of probability and impact or risk
exposures that have increased significantly
7
Social changes, such as changes in norms Information on control weaknesses,
and behaviours (e.g. attitudes towards data including the output from internal audits, to
privacy, the environment, etc) help understand how control failures might
contribute to a scenario or stress event
Economic changes, such as a recession Trends in key risk or control indicators,
especially those that indicate a large increase
in potential risk exposure
Political changes, such as the impact of a new Changes in the financial or operational
government performance of the organisation
Technological change, such as the ‘internet of Strategic change, such as IT systems
things’ and other IT innovations implementation, new products, etc
Environmental events, such as pandemics or Operational changes such as process
the effect of climate change improvements, changes in supply chains,
outsourcing, etc

Table 1: external and internal environmental sources of topics

A key factor in the selection of topics to focus upon, reflected all of the sources above, is
the potential for a significant increase in operational risk exposure. Where risk event data,
assessment and monitoring tools or a scan of the external environment reveals that a significant
increase in the probability or impact of particular operational risks has occurred, or is likely to
occur, then this should be a particular focus of attention and the risks in question should be
worked into the topics for analysis/testing.

Another influence on the focus of attention on the above environmental sources is the degree of
confidence that can be placed in current risk assessments and the accuracy and completeness
of loss event and near-miss data. For example, where an organisation is not confident about
the accuracy of risk and control self assessments, especially were it has insufficient data on
actual events and historic trends appear unstable, it should supplement these assessments with
scenario analysis and stress/reverse stress testing to help fill in the gaps. This might include
using scenarios to analyse the relationships between the causes of one or more risk events
(causes that are likely to come from the environmental sources identified in Table 1) or stress
testing the scale of the effects (e.g. the effects of IT failures of different durations).
Other factors that may increase the focus of attention on the sources outlined in Table 1 include:
• The pace of change, the faster an area is changing (e.g. technological innovation), the greater
should be the level of focus
• Concerns about future changes, that might create major new emerging risks
• The degree of internal strategic or operational change, the greater the level of change the
greater the focus
• The ability of an organisation to manage potential sources of operational risk. For an example
concerned about technological change and its ability to manage the associated risks may
choose cyber risk as an important topic for scenario analysis and stress testing
Ultimately these factors are linked to two fundamental elements that should influence the choice
of topics for analysis/testing. The proximity of an organisation to potential operational risk
scenarios/stress events and their vulnerability to these scenarios/stress events. The more urgent
or pressing a source (e.g. imminent regulatory change) the higher it’s a priority for inclusion.

8
Equally the less able an organisation feels in relation to controlling a source (e.g. rapid internal
change) the higher the priority for inclusion. In some sectors, regulators may stipulate specific
scenarios or stress/reverse stress tests for analysis. This is most common in financial services but
can occur in other heavily regulated sectors like social housing. It is imperative that organisations
fulfil their regulatory obligations and analyse any scenarios or stress/reverse stress tests set by
their regulators.

Section 3.2 - Determining the level of analysis

At a minimum scenario analysis and stress/reverse stress testing should be conducted at the
organisation-wide (group) level. Additionally, organisations may choose to conduct analyses/tests
at the business unit or even department and functional level, though the latter two (department
and function) is less common.

Stress and reverse stress testing are especially important at the organisation-wide level. This
is to help the organisation (especially board/senior management), understand its financial
sustainability. Though an organisation may appear to have a strong balance sheet, it may be that
future operational risk events (such as a pandemic) will weaken it severely. The sooner board
directors/senior managers can understand and prepare for these events the stronger will be their
organisation over the long term. Organisation-wide analyses/tests should be determined on a
top-down basis, with the (operational) risk function working with senior management to agree on
the topics for analysis.

Business unit or department/function analyses and tests may be agreed on a bottom-up basis. It
is, however, recommended that the choice of topic is reviewed and signed off by the (operational)
risk function – to ensure maximum relevance and to maintain consistency across the organisation
for reporting, where possible.

Section 3.3 - Preparing for a workshop

The best way to conduct scenario analysis, stress testing or reverse stress testing in an
operational risk context is through a workshop. Given the multi-faceted nature of operational risk
(multiple causes, effects, etc.) no one individual, department or function will have the knowledge
and expertise required to complete an effective analysis/test.

However, workshops are resource-intensive and it is important to conduct them as efficiently as

possible. This means that research will be required in advance of the workshop, to help save time
on unnecessary details and to avoid any misunderstandings or loss of focus on the central topic
for analysis/testing.Table 2 summarises the key tasks pre-workshop:

Task Description
Agree topic and Ideally each workshop should focus on one topic only. This will avoid
objective confusion and ensure that fatigue does not set in. In terms of objectives
the severity of analysis should be agreed (e.g. a routine or more stressed
scenario, etc.), as should the information to be collected (probability and or
impact estimates, action plans, etc.)
Background The (operational) risk function should collate the available information on
research the topic in question and ensure that this is communicated in a clear way to
the attendees. This might include information on recent loss events or near
misses, risk and control self assessment information, risk indicator reports,
etc.

9
Determine and See 3.4.1 below for guidance on participants
invite participants
Agree facilitator Workshops should be facilitated. This may be by someone in the
(operational) risk function or similar. Or an external facilitator. The individual
should have experience facilitating workshops and be knowledgeable of the
organisation’s analysis/testing process. A note-taker should also be present
to ensure that discussions and decisions are recorded.
Decide analysis See 3.4.3 below.
method
Agree and Ensure that all participants know the time and place of the workshop and
distribute agenda understand who else is attending, the workshop objectives, etc.

Table 2: Key tasks pre-workshop

Section 3.4 - Conducting a workshop

Workshops should take place in a suitable environment, one that is quiet and away from the par-
ticipants’ ‘day job’. This will allow us to focus on the workshop.

Workshops should typically last for 2-3 hours. Longer durations will lead to fatigue. A short break
should be scheduled every 1-2 hours.

As indicated above workshops should be facilitated and follow the agreed agenda.

Section 3.4.1 - The participants

The participants will depend on the focus of the workshop (e.g. the type of risk and focus, etc.).
As a rule, the following should attend:
• The relevant risk owner(s)
• The senior manager(s) with responsibility for the topic of focus, where they are not the risk
owner
• Other subject matter experts, covering key control areas like IT systems and security,
customer relations, marketing, human resources, finance, etc
• An independent observer, such as an internal auditor or representative from the risk function
Around 6-8 attendees are optimal, with 12 as a maximum. As workshops increase in size,
facilitation becomes harder and there will be insufficient time to ensure that all voices are heard.
The role of the independent observer is to look for potential bias. The observer should only speak
if they are concerned that a risk exposure or control effectiveness assessment is being over or
underestimated.
Even if vocal, senior managers have an important role to play in scenario/stress workshops.
Experience shows that if this task is delegated to more junior members of the team, the
quality of the workshop output is often reduced and consequently there is a lack of senior
management buy-in. Executive and the senior management teams are often the ones with
ultimate accountability line when certain types of severe scenarios materialise, so they should be
engaged in the process.

10
Section 3.4.2 - Key output variables
Though the open discussion is important, this discussion must be focused on producing
usable management information, to support risk assessment, monitoring and control. Table 3
summarises the key variables that should be discussed during a workshop. The outcomes of the
discussion on these variables should be recorded on a template.

Variable Explanation
Scenario A brief description of the narrative (storyline) of the scenario or stress
Description event in question. What has happened and in what context (e.g. a major
fraud that occurs during a recession, business disruption during a
pandemic, etc)
Causes The events that lead up to the scenario/stress event, including people,
process and systems failures or external events.
Effects The effects of the scenario/stress event, notably whether a financial or
reputational impact is expected, as well as potential impacts on people
(e.g. health and safety or employee morale)
Controls An assessment of how well controls might cope during the scenario,
especially a stressed scenario. Participants should discuss whether
controls will remain effective and what if any controls might fail
Mitigating Actions Actions that would be taken during the scenario/stress event to help
During the Scenario mitigate its effects.
Assessing See 3.4.3 below
Probability and
Impact
Current Actions Actions that should be taken following the workshop to help reduce the
probability or impact of the scenario or stress event in question. Typically,
this will include enhancing existing controls or adding new controls. For
more on this please refer to the IOR’s Sound Practice Guidance on Risk
and Control Self Assessments

Table 3: Key output variables

Section 3.4.3 - Assessing probability and impact

Probability
The IOR’s Sound Practice Guidance Paper on Risk and Control Self Assessments provides
general guidance on the assessment of probability and impact. This should provide the
foundation for any assessment during a scenario or stress event analysis workshop.

A key difference relates to the severity of scenarios and especially stress events. Hence the
probability and impact scales used for routine risk and control self-assessment may prove to be
insufficient. In addition, accurate probability assessments for scenarios and especially stressed
events can be hard, if not impossible, because of a lack of objective data.

Probabilities may be expressed as follows:

1. In formal statistical terms (e.g. 1% or 0.01 chance of occurrence)
2. In terms of duration, such as a 1 in 10 or 1 in the 100-year event
3. In qualitative terms (expected/routine, unexpected/stressed and tail/worst-case)

11
If formal probabilities are used it is recommended that these are presented in terms of ranges, for
example, 1%-10%, 10-20%, etc. This is because of the difficulties assigning precise probabilities.
However, the use of statistical probabilities is not recommended because non-risk professionals
tend to struggle with formal statistical representations of probability. Generally, it is better to use
duration ranges or qualitative terms. For example:
• 1 in 10 years or ‘routine’ event – that is expected to occur several times during a working
lifetime. It is likely that an organisation will have prior experience of these within the working
lifetime of the participants
• 1 in 40 years or ‘stressed’ event – that will only occur once, if at all, during a working lifetime.
It is less likely participants will have personal experience of such an event, but they may have
observed them affecting other organisations
• 1 in 80 years or ‘tail’ event – that may occur once during an individual’s whole lifetime. There
may not be any examples of such events, except possibly in historical records. Though such
historical examples would have to be extensively reworked to bring them up to date.
Workshop participants should be provided with definitions like the three above during a
workshop, to help them discuss and agree on the probability of occurrence
Different versions of a scenario or stress event will have different probabilities. There is no need to
try and define every possible version of a scenario. The point is to examine scenarios and stress
events that are representative of hypothetical, yet foreseeable, operational risk events, that are
useful for management to discuss. That said some organisations do take one central scenario for
a particular risk category (e.g. damage to physical assets) and then work on different versions for
2-3 probability levels. For example, a routine version of the scenario (e.g. repairable damage to
an area of a building), followed by a stressed (repairable damage to the whole building) and tail
event (destruction of the building).
Impact
Scenarios, especially when worked into stress or reverse stress events, are by definition high
impact. In the case of reverse stress events, the impact is effectively determined in advance,
since by definition such events are solvency threatening. Impact need not be quantified for
scenarios and stress events. Instead, events might simply be labelled routine/expected, stressed/
unexpected or extreme/tail, as indicated above.

Where an organisation does wish to quantify the impact it is recommended to start with a
discussion of the effects and to then think about the quantum of these effects, typically in
financial terms, but reputational impacts may also be considered (e.g. impact on customer
goodwill). Table 4 summarises some financial and reputational effect factors that could be
estimated quantitatively.

12
Financial Reputation
Cost of replacing or repairing assets Loss of customers/market share (no. customers
or % loss of market share
Fines or liability claims Negative press (extent and duration)
Clean-up costs Impact on staff morale (e.g. staff retention)
Third party costs, e.g. legal costs Credit rating downgrade
Loss of revenue due to business interruption Regulatory censure (number of times
organisation is named and shamed and duration
of regulatory attention)
Bad debts and other non-recoverable assets
Loss of investment income

Table 4: Examples of quantifiable impacts

Where quanta are used it is recommended that they are presented in terms of a range. Precise
estimates of impact are impossible, given the hypothetical nature of scenarios and imply a false
sense of accuracy and objectivity.

Additional guidance on impact in relation to stress and reverse stress testing is provided in
section 5 below.

Section 3.4.4 - Workshop analysis techniques

Workshops can be conducted in two main ways:
1. Unstructured – open discussion of the scenario or stress event. Participants are free to
highlight the issues of most concern to them
2. Structured – discussion is directed using a specific analysis technique, such as fault and
event trees or the Delphi technique
A structured approach is not necessarily superior. This is because it may limit participant
creativity and divert their attention from important aspects of a scenario that are especially
relevant to an organisation. Equally an unstructured approach does not mean the absence of
an agenda. Just that the discussion of specific agenda items are not structured using formal
analysis techniques.

Section 3.5 - Validation of output

To help combat subjective bias it is recommended that the output from scenario workshops
are validated in a systematic fashion. Unlike Risk and Control Assessments a comparison of
the output from similar scenario workshops is rarely possible, as each scenario will be unique.
However, there are other approaches that could be used. For example:
• Comparison with the available data on external events, through the use of public data or an
external loss database. Though an organisation may not have experienced a stressed or tail
scenario it may be that other, similar, organisations have
• Where an organisation has access to an external loss database it may even be possible to
determine the probability of occurrence for more extreme events, providing that sufficient data
is available to build a reliable probability distribution
• For business unit or department/function level scenarios, intra-organisation comparisons may
be possible, providing they have investigated similar scenarios

13
• Where the (operational) risk function participates on practitioner forums with representatives
from the risk functions of other organisations they might agree to share information on
operational risk scenarios to help them compare results. Information can be checked for
commercial sensitivity before sharing
• Some vendors offer standardised lists of completed scenarios for organisations in certain
sectors. While these standardised scenarios do not reflect the nature, scale and complexity
of an organisation they may help in providing a simple benchmark against which to compare
results. Organisations could use these lists to aid both scenario selection and to compare
results. Where organisations choices and results differ significantly from the standardised
scenarios, they should investigate the reasons why
Finally, the organisation’s scenario analysis process should be subject to periodic review by
the internal audit function. This should include reviewing the implementation of the process and
comparing its design with available good practice guidance, such as this paper.

Section 3.6 - Governing the process

The (operational) risk function is responsible for the design and implementation of an
organisation’s scenario analysis and stress/reverse stress test processes for operational risk
events. The function should ensure that these processes are effective and periodically review
their design and implementation.

Where an organisation has a risk committee it may decide to give this committee the authority
to review and sign off the design and implementation of these processes. This is especially
important where scenario analysis and or stress/reverse stress testing is a regulatory requirement.
Where scenario analysis and or stress/reverse stress testing is a requirement, but there is no
risk committee the audit committee should sign off design and implementation to ensure that the
processes are compliant. Internal audit reports on scenario analysis and stress testing processes
should also be reported to the audit committee, as with any other internal audit report.

It is rare that boards will be asked to sign off operational risk scenario analysis or stress/reverse
stress testing processes. However, it is common for them to receive reports on the outputs of
operational risk scenario analyses and stress/reverse stress tests to support their governance
responsibilities.

Beyond the immediate confines of operational risk, Boards may be asked to review the agreed
topics for scenarios and stress tests and suggest any additional ones they feel are necessary,
which might include scenarios/tests that have an element of operational risk exposure. In some
sectors, this may be a regulatory requirement, as is the requirement for boards to receive
information on the most significant, organisational wide, scenario analyses and stress tests. For
example, within financial services, it is common for scenario analysis and stress testing to be
used as part of the Pillar II supervisory review and evaluation process (SREP) that forms part of
the banking and insurance capital adequacy regulations. This process covers exposures to a
range of risk types, including operational risk.

In terms of reverse stress tests, where conducted, these should always be reported to boards.
Reverse stress tests provide important information on the long-term viability of organisations and
their ability to remain a going concern.

Finally, some organisations may be required to report the results of their scenario
analysis and stress/reverse stress testing processes to regulators. This is the case for
systemically important financial institutions and in non-financial sectors like social housing.

14
Section 4 - Making Effective Use of the Outputs
Given the resources required it is important to make full use of the outputs from any scenario
analysis, stress testing or reverse stress testing process. This will include using these outputs for
governance and compliance purposes and to support strategic and operational decision making.

Section 4.1 - Reporting the outputs

As explained above, boards should receive reports on completed operational risk scenario
analyses, stress tests and reverse stress tests. Especially where these relate to events and effects
that could impact on the strategy, business plan and financial viability of an organisation.

Senior management and, where relevant, the risk committee should also receive reports on the
output, including the actions being taken to mitigate the probability and impact of the operational
risk events analysed as part of this process.

Reports should not contain any unnecessary detail. Boards and senior management have limited
time and must allocate this to a wide range of tasks. The focus of these reports should be on the
potential impacts of events (financial or reputational) and the implications for the organisation’s
financial position and business plan. Where appropriate information might also be provided on
the actions taken to mitigate identified control weaknesses. This is especially relevant for senior
management and the risk committee or equivalent.

Section 4.2 - Using scenarios to support risk assessments

The results of operational risk scenario analysis and stress testing can be used to inform risk and
control self-assessments. This is especially the case for assessments of inherent (gross) risk.
This is because inherent risk assessments reflect a hypothetical level of exposure, assuming
the absence/ineffectiveness of key controls. Management can find it hard to determine reliable
assessments of inherent risk given its hypothetical nature. Scenario analysis and stress testing
provide a structured means to achieve such assessments.

For more on risk assessment please refer to the IOR’s Sound Practice Guidance Paper on Risk
and Control Self Assessment.

Section 4.3 - Risk and capital modelling

A few organisations, especially in the financial services sector, construct statistical models to
estimate probability and impact distributions for operational risk events. The aim is to understand
the fullest possible range of outcomes and to assign probabilities to each of these outcomes.

A key input into this modelling is internal and external loss data. However, such data is historical
and is often incomplete. Hence scenario analysis, stress and reverse stress testing are often
used to supplement internal and external loss data.

Where organisations attempt to build statistical models for the operational risk it is strongly
recommended that they incorporate the outputs from their scenario analysis and stress/reverse
stress testing processes into these models. These outputs can provide valuable information
on the ‘tail’ of the probability and impact distributions that they construct. Risk models are only
effective if they represent the full range of outcomes for a given risk event.

15
Section 5 - Further Guidance on Stress Testing and
Reverse Stress Testing
Section 5.1 - Stress testing
Within an operational risk context, stress testing involves the assessment of a major stress
event across a range of risk factors. Such events may include crises and natural/human-made
disasters. Examples include:
1. Environmental disasters (e.g. floods, storms, volcanos, etc)
2. Pandemics, COVID-19 is an example
3. A significant economic recession
4. Political disruption, such as trade wars
5. The failure of an important counterparty (e.g. supplier, outsource service provider or
customer)
6. Major cyber attack
7. Adverse social media campaign
8. Terrorist attack
The idea is to stress an organisation’s operational risk exposures and to investigate how its
controls may be impacted by such events. Key questions include:
• Will controls remain effective? What if any controls might fail?
• What would be the financial and reputational impacts of such events? How might control
failures/ineffectiveness escalate these impacts?
• Can these impacts be mitigating during the event?
• Might additional controls be required to help reduce the probability and or impact of stress
events?
Should existing controls be reinforced to ensure they are effective during stress events?
Do other factors, such as the timing of an event, influence the scale of the stress event?
Could multiple stress events occur simultaneously, what would the impact of this be?
In relation to the timing of an event, sensitivity analysis can be used to examine whether the
timing is a factor. For example, an organisation that experiences a stress event during a
seasonally busy period (e.g. Christmas) may suffer a higher level of loss at that time, relative to
a less busy period. Sensitivities might also be performed to take account of differences in the
business cycle or other economic variables such as changes in inflation or interest rates. For
example, the financial impact of COVID-19 on organisations is estimated to have been greater in
Europe and the US, relative to other recent pandemics (SARS, Bird flu, etc.) because of low levels
of economic growth prior to the pandemic.

In relation to multiple stress tests, it is recommended that individual tests are combined to
examine the cumulative financial impact on an organisation. This might include combining
potentially correlated stress events (e.g. a cyber attack followed by an adverse social media
campaign), as well as that could occur together (e.g. a new wave of COVID-19 coupled with a
no-deal Brexit).

16
In addition, organisations might investigate how many if the identified stress events they could
withstand at the current time. It is unlikely that any organisation could withstand ever identified
event were they to occur simultaneously. But it is useful to understand the number that could
be survived at a given point in time. Such analysis should be reported to the board and senior
management to help them better understand the future financial viability of the organisation.
Section 5.2 - Reverse stress testing
As explained above the purpose of reverse stress testing is to understand when an organisation
becomes non-viable. This may include the viability of the organisation’s business plan, as well as
its financial viability (solvency).

The starting point for reverse stress testing is usually the financial accounts of an organisation.
Meaning its:
1. Statement of income and expenditure (annual profit and loss account)
2. Statement of financial performance (balance sheet)
3. Cash flow statement
In terms of the statement of income and expenditure an organisation might start with its previous
year’s profit or surplus, or for a more forward-looking approach, the predicted profit or surplus
for the current year and consider the impact of this being reduced to zero. Alternatively, it might
determine the point at which net income (EBITDA) interest cover debt covenants are breached.

In terms of the statement of financial performance, an organisation could determine the point of
non-viability where it ceases to be a going concern (e.g. where all capital is lost and the value of
its liabilities exceed those of its assets).

Finally, in terms of the cash flow statement, an organisation might determine the point at which
it can no longer meet its liabilities as they fall due. Having determined these points a common
next stage is to consider the stress events or combination of stress events that could cause such
severe financial impacts. From an operational risk context, this might include:
• Events which eliminate the capital base of an organisation, such as a major environmental
disaster that results in crippling clean up and litigation costs
• Events that destroy the infrastructure of the organisation and therefore its ability to generate
income (e.g. major systems failure, loss of key buildings, prolonged supply chain failure, etc)
• Sudden loss of liquidity, such as a major debt covenant breach or loss of investment-grade
credit rating
• Major loss of reputation, leading to the loss of many customers, employees, suppliers, etC
• Serious regulatory or legal sanctions (e.g. forced closure)
It is unlikely that every potential extreme scenario will be, or can be, considered. This is not the
point of reverse stress testing. Primarily the aim is to help the board and senior management
understand when the organisation becomes non-viable so that they can ensure that the
organisation has sufficient funds (capital and liquidity). However, it is also prudent for them
and their organisation to understand the types of event that may cause non-viability. From an
operational risk perspective, there are many such events and boards/senior management will
better understand the value of operational risk if such events are identified.

17
Section 6 - Conclusion
The IOR’s view is that scenario analysis, stress testing and reverses stress testing are important
components within an organisation’s operational risk management framework. Operational
risk events are often the most serious of all for organisations, eclipsing pure market, credit or
business risk events in terms of their magnitude. The COVID-19 pandemic is a recent example,
as was the Global Financial Crisis of 2007-8.

It is imperative that organisations prepare for the unexpected, including so-called ‘tail’ events that
may threaten their viability. Though it may be impossible to anticipate every possible event, that
is not the point. The point is to help management, especially the board and senior management,
to understand the types of event that may threaten their organisation and to ensure that their
strategic and operational decisions do not significantly increase their exposure to such events, or
render the organisation excessively vulnerable to their impacts.

18
 www.theirm.org

Developing risk professionals