- Type of Publication: Guideline
- Category: Sound Business and Financial Practices
- Date: December 2009
- No: E-18
- Audiences: Banks / T&L / BHC / Co-op / Life / P&C / IHC
Stress testing is an important tool for senior management to use
in making business strategy, risk management and capital management
decisions. This guideline sets out OSFI’s expectations with respect
to stress testing and applies to banks and bank holding companies,
and to all federally regulated trust and loan companies, cooperative
credit associations, life insurance companies and fraternal benefit
societies, property and casualty insurance companies and insurance
holding companies (collectively referred to as “institutions”).
A. Stress Testing Defined
Stress testing is a risk management technique used to evaluate
the potential effects on an institution’s financial condition, of
a set of specified changes in risk factors, corresponding to exceptional
but plausible events. Stress testing
includes scenario testing and sensitivity testing (refer to Glossary).
Stress testing is especially important after long periods of benign
economic and financial conditions, when fading memory of negative
conditions can lead to complacency and the underpricing of risk.
It is also a key risk management tool during periods of expansion,
when innovation leads to new products that grow rapidly and for
which limited or no historical experience is available.
Stress testing attempts to determine the impact of situations
where the assumptions underlying established models used in managing
a business break down. This applies equally to valuation models,
models of individual risks and models that aggregate individual
B. Purposes of Stress Testing
Stress testing should be embedded in enterprise wide risk management.
A stress testing program as a whole should be actionable, playing
an important role in facilitating the development of risk mitigation
or contingency plans across a range of stressed conditions. It should
feed into the institution’s decision making process, including setting
the institution’s risk appetite, setting exposure limits, and evaluating
strategic choices in longer term business planning.
An institution’s stress testing program should serve the following
- Risk identification and control – Stress testing
should be included in an institution’s risk management activities
at various levels, for example, ranging from risk mitigation policies
at a detailed or portfolio level to adjusting the institution’s
business strategy. In particular, it should be used to address
institution-wide risks, and consider the concentrations and interactions
between risks in stress environments that might otherwise be overlooked.
- Providing a complementary risk perspective to other
risk management tools – Stress tests should complement
risk quantification methodologies that are based on complex, quantitative
models using backward looking data and estimated statistical relationships.
In particular, stress testing outcomes for a particular portfolio
can provide insights about the validity of statistical models
at high confidence intervals, for example those used to determine
As stress testing allows for the simulation of shocks which
have not previously occurred, it should be used to assess the
robustness of models to possible changes in the economic and
financial environment. Stress tests should help to detect vulnerabilities
such as unidentified risk concentrations or potential interactions
between types of risk that could threaten the viability of the
institution, but may be concealed when relying purely on statistical
risk management tools based on historical data.
Stress testing can also be used to assess the impacts of customer
behaviour arising from options embedded in certain products
– particularly where the impact is not easily modelled under
- Supporting capital management – Stress testing
should form an integral part of institutions’ internal capital
management where rigorous, forward-looking stress testing can
identify severe events, including a series of compounding events,
or changes in market conditions that could adversely impact the
- Improving liquidity management – Stress testing
should be a central tool in identifying, measuring and controlling
funding liquidity risks, in particular for assessing the institution’s
liquidity profile and the adequacy of liquidity buffers in case
of both institution-specific and market-wide stress events.
C. Role of Senior
Senior management (including, in the case of foreign insurance or bank branches, the Chief Agent or Principal Officer, respectively, and an appropriate senior official from the branch’s home office) involvement in the stress testing program is essential for its effective operation. Senior management is accountable for the program’s implementation, management and oversight and for ensuring that the institution has adequate plans to deal with remote but plausible stress scenarios.
Senior management must ensure there is a “fit for purpose” program in place that is enterprise wide and that operational management has adopted policies requiring appropriate use of stress testing as a management tool.
Senior management should be able to identify and clearly articulate
the institution’s risk appetite and understand the impact of stress
events on the risk profile of the institution. Senior management
must participate in the review and identification of potential stress
scenarios, as well as contribute to the development and implementation
of risk mitigation strategies. In addition, senior management should
consider an appropriate number of well-understood, documented, utilised
and sufficiently severe scenarios that are relevant to their institution.
Senior management’s endorsement of stress testing as a guide in
decision-making is particularly valuable when the tests reveal vulnerabilities
that the institution finds costly to address or difficult to resolve
in a timely, appropriate and realistic manner.
Please refer to OSFI’s Corporate Governance Guideline for OSFI’s expectations of institution Boards of Directors in regards to operational, business, risk and crisis management policies.
D. General Considerations for Stress Testing
Stress testing programs should take account of views from
across the organisation and should cover a range of perspectives
The identification of relevant stress events, the application
of sound modelling approaches and the appropriate use of stress
testing results each require the collaboration of different senior
experts such as risk controllers, economists, business managers,
traders and actuaries. Institutions should also use a range of techniques
in order to achieve comprehensive coverage in their stress testing
program, including quantitative and qualitative techniques to support
and complement models and to extend stress testing to areas where
effective risk management requires greater use of judgement.
Institutions should have written policies and procedures governing
the stress testing program. The operation of the program should
be appropriately documented.
The assumptions and fundamental elements for each stress testing
exercise should be appropriately documented, including the reasoning
and judgements underlying the scenarios chosen and the sensitivity
of stress testing results to the range and severity of the scenarios.
The level of documentation should be based on the nature and purposes
of the stress testing. For example, documentation of ad hoc sensitivity
tests for tactical decisions may be less elaborate than the documentation
of enterprise-wide stress tests used for strategic decision making.
An evaluation of fundamental assumptions should be performed regularly
or in light of changing external conditions. The results of the
assessments should also be documented.
An institution should have a suitably robust infrastructure
in place, which is sufficiently flexible to accommodate different
and possibly changing stress tests at an appropriate level of granularity.
The infrastructure should be able to aggregate comparable risks and exposures across the institution. It should allow for reporting to senior management in a timely manner throughout the fiscal year. The infrastructure and information systems should be sufficiently flexible to accommodate a timely increase in the frequency of ad hoc sensitivity testing to support senior management’s response to rapid changes in the operating environment and also for purposes of responding to the concerns of external stakeholders and regulators.
An institution’s stress testing infrastructure and information
systems should be commensurate with the nature and complexity of
the institution and its risk profile. For example, greater risk
factor volatility and shorter time horizons for management actions
require infrastructure and information systems that accommodate
more frequent stress testing in those areas.
An institution should regularly maintain and update its stress
testing framework. The effectiveness of the stress testing program,
as well as the robustness of individual components, should be assessed
regularly and independently.
Assessments of effectiveness should be qualitative as well as
quantitative, given the importance of judgments and the severity
of shocks considered. Areas for assessment should include effectiveness
of the program in meeting its intended purposes, documentation,
development work, system implementation, management oversight, data
quality and hypotheses and assumptions used.
Since the stress test development and maintenance processes often
imply judgmental and expert decisions (e.g. assumptions to be tested,
calibration of the stress, etc.), the independent control functions
such as risk management and internal audit should also play a key
role in the process. In particular there should be an independent
review (e.g., by internal audit) of the adequacy of the design and
effectiveness of the operations of an institution’s stress testing
E. Methodology and Scenario Selection
Stress tests should cover a range of risks and business areas,
as well as at the institution-wide level. An institution should
be able to integrate effectively, in a meaningful fashion, across
the range of its stress testing activities to deliver a complete
picture of institution-wide risk.
A stress testing program should consistently and comprehensively
cover product-, business- and entity-specific views. Using a level
of granularity appropriate to the purpose of the stress test, stress
testing programs should examine the effect of shocks across all
relevant risk factors, taking into account interrelations among
Comprehensive stress testing programs should consider the institution’s
most material and significant risks. Where relevant and material,
such risks may include:
- credit risk, including counterparty and reinsurance risk
- market risk, e.g.,
- general market
- cash flow mismatch
- interest rate
- foreign exchange
- insurance risk, e.g.,
- claim frequency and severity
- persistency and lapse risk
- liquidity risk
- operational and legal risk
- concentration risk
- contagion risk
- risk to reputation
- securitization risk
- new business risk
- regulatory risk
- inflation risk
The impact of stress tests is usually evaluated using one or more
measures. The particular measures used will depend on the specific
purpose of the stress test, the risks and portfolios being analysed
and the particular issue under examination. A range of measures
may need to be considered to convey an adequate impression of the
impact. Typical measures used are:
- asset and liability values
- level of impaired assets and write-offs
- accounting profit and loss
- economic profit and loss
- required and available regulatory capital
- economic capital
- liquidity and funding gaps
Stress testing programs should apply across business and product
lines and cover a range of scenarios, including non-historical scenarios,
and aim to take into account system-wide interactions and feedback
effects (e.g., second order and macroeconomic effects).
Stress tests should be conducted flexibly and imaginatively, in
order to improve the likelihood of identifying hidden vulnerabilities.
A “failure of imagination” could lead to an underestimation of the
likelihood and severity of extreme events and to a false sense of
security about an institution’s resilience.
The institution should assess the impact of severe shocks and
periods of severe and sustained downturns, including its ability
to react over the time horizon appropriate for the business and
risks being tested.
Institutions should use stress tests to identify, monitor and
control risk concentrations. To adequately address risk concentrations,
the scenario should to be firm-wide and comprehensive, covering
balance sheet and off-balance sheet assets, contingent and non-contingent risks, and should give due consideration to actions beyond
contractual obligations that might be undertaken to preserve reputation.
Further, stress tests should identify and respond to potential changes
in market conditions that could adversely impact an institution’s
exposure to risk concentrations.
Stress tests should feature a range of severities, including
events capable of generating the most damage, whether through size
of loss or through loss of reputation. A stress testing program
should also determine what scenarios could challenge the viability
of the institution (reverse stress tests). Such tests may be useful
in uncovering hidden risks and interactions among risks.
Stress tests should be geared towards events and business areas
that might be particularly damaging for the institution. Areas which
benefit in particular from the use of stress testing are business
lines where traditional risk management models indicate an exceptionally
good risk/return trade-off; new products and new markets which have
not experienced severe strains; and exposures where there are no
liquid two way markets.
Institutions should conduct reverse stress tests. A reverse stress
test starts with a specified outcome that challenges the viability
of the firm. One example of such an outcome would be that over a
short time period, the firm incurs a very large loss that challenges
its viability. The analysis would then work backward (reverse engineered)
to identify a scenario or combination of scenarios that could bring
about such a specified outcome. The reverse stress test induces
institutions to consider scenarios beyond normal business settings
that would include events with contagion and systemic implications.
As part of an overall stress testing program, a deposit-taking
institution should aim to take account of simultaneous pressures
in funding and asset markets, and the impact of a reduction in market
liquidity on asset valuation. Funding and asset markets may be strongly
interrelated, particularly during periods of stress. An institution
should enhance its stress testing practices by considering important
interrelations between various factors, including price shocks for
specific asset categories; the drying-up of corresponding asset
liquidity; the possibility of significant losses damaging the institution’s
financial strength; growth of liquidity needs as a consequence of
liquidity commitments; taking on board affected assets; and diminished
access to secured or unsecured funding markets.
As part of an overall stress testing program at an insurance company,
specific consideration should be given to important interrelations
between various risk factors. For a life insurer, changes in economic
conditions can significantly affect policyholder behaviour such
as lapse rates, utilization of options within an insurance contract,
and morbidity and recovery rates. For a property and casualty insurer,
changing economic conditions will not only influence investment
income and company expenses, but can also, particularly in times
of inflation, lead to higher claims and loss reserves. The interrelations
of various factors will depend upon the insurer’s products, its
investment policy and its approach to managing its business. A critical
goal for insurers is to identify situations in which the assumed
normal pattern of interrelationships breaks down due to a change
in the business environment.
F. Specific Areas of Focus
The following risks have proven to require specific attention
in light of experience of financial market turmoil:
- Risk Mitigation
- Securitization and Warehousing Risks
- Risks to Reputation
- Counterparty Credit Risk
- Risk Concentrations
As such, stress testing should be prominent among the risk assessment
tools used where these specific risks are material.
Stress testing should facilitate the development of risk mitigation
or contingency plans across a range of stressed conditions. The
performance of risk mitigating techniques, like reinsurance, hedging,
netting and the use of collateral, should be challenged and assessed
systematically under stressed conditions when markets may not be
fully functioning and multiple institutions simultaneously could
be pursuing similar risk mitigating strategies.
Stress testing should also reflect constraints on management action
and should not place undue reliance on the timeliness of mitigating
Securitization and Warehousing Risks
The stress testing program should explicitly cover complex and
customized products such as securitized exposures. Stress tests
for securitized assets should consider the underlying assets, their
exposure to systemic market factors, relevant contractual arrangements
and embedded triggers, and the impact of leverage, particularly
as it relates to the subordination level in the issue structure.
The stress testing program should cover pipeline and warehousing
risks. These are market, credit and funding risks arising in the
period prior to securitization or sale and which may arise from
the need to hold assets for longer periods than originally planned
when markets are disrupted. An institution should include such exposures
in its stress tests regardless of their probability of being securitized.
Many of the risks associated with pipeline and warehoused exposures
emerge when an institution is unable to access the securitization
or other markets due to either institution specific or market stresses.
Risks to Reputation
An institution should enhance its stress testing methodologies
to capture the effect of risks to reputation. To mitigate reputational
spill-over effects and maintain market confidence, an institution
should have an approach to assess the impact of risks to reputation
on other risk types.
The institution should integrate risks arising from off-balance
sheet vehicles and other related entities in its stress testing
program. An institution should carefully assess the risks associated
with commitments to off-balance sheet vehicles related to structured
credit securities and the possibility that assets will need to be
taken on balance sheet for reputational reasons. Therefore, in its
stress testing program, an institution should include scenarios
assessing the size and soundness of such vehicles relative to its
own financial, liquidity and regulatory capital positions. This
analysis should include structural, solvency, liquidity and other
risk issues, including the effects of covenants and triggers.
Counterparty Credit risk
An institution may have large gross exposures to leveraged counterparties,
including hedge funds, financial guarantors, investment banks and
derivatives counterparties that may be particularly exposed to specific
asset types and market movements. Under normal conditions, these
exposures are typically completely secured by posted collateral
and continuous re-margining agreements yielding zero or very small
net exposures. In the case of severe market shocks, however, these
exposures may increase abruptly. The potential cross-correlation
of the creditworthiness of derivative counterparties with the risks
of the reference assets may emerge (i.e., wrong-way risk). An institution
should ensure that its stress testing approaches related to derivative
counterparties are robust in their capture of such correlated tail
Stress testing should consider risk concentrations resulting directly
from risk taking activities as well as those resulting indirectly
from actions to mitigate risks, e.g., concentrations of credit counterparty
risk arising from hedges of market and insurance risk.
Risk concentrations may arise along different dimensions:
- single name concentrations
- concentrations in regions or industries
- concentrations in single risk factors
- concentrations in indirect exposures via posted collateral or
- concentrations in off-balance sheet exposure, contingent exposure
or non-contractual obligations by reputational reasons
In addition, concentrations may arise based on correlated risk
factors that reflect subtler or more situation-specific factors,
such as previously undetected correlations between market and credit
risks, as well as between those risks and liquidity risk.
G. Supervisory Considerations
OSFI reviews institutions’ stress testing programs as part of
the supervisory review process as described in the Supervisory Framework,
and as part of its review of a deposit-taking
institution’s Internal Capital Adequacy Assessment Process (ICAAP).
For insurers, one example of stress testing is Dynamic Capital Adequacy
Testing (DCAT). OSFI expects to see evidence that stress testing
is integrated into institutions’ internal risk management processes.
OSFI uses the results of institutions’ stress testing programs
as important information and integrates the results into its assessment
of the inherent risks and risk controls and oversight of institutions’
In assessing institutions’ stress testing programs, OSFI may:
- Evaluate whether scenarios chosen are consistent with the risk
appetite the institution has set for itself.
- Assess whether scenarios are appropriate to the portfolio of
the institution and that they include severe shocks and periods
of severe and sustained downturn. The scenarios chosen should
also include, where relevant, an episode of market turbulence
or a shock to market liquidity.
- Assess whether the frequency and timing of stress testing is sufficient to support timely management action. For example, stress testing and DCAT are complementary initiatives. More frequent stress testing at the business unit level facilitates timely reaction to sudden market developments. It also supports the integration of the DCAT process with the finalization of an annual business plan by providing timely inputs based on current information. While it is up to each institution to determine how to best integrate DCAT and other stress testing into its business planning process to achieve the maximum benefits, ideally the annual DCAT of an insurance company would be available to the Board of Directors, Principal Officer or Chief Agent as soon as is reasonably possible; in all cases the annual DCAT should be submitted to OSFI within 30 days of its presentation to the Board of Directors, Principal Officer or Chief Agent.
- Ask institutions to evaluate scenarios under which viability
is compromised and may ask institutions to test scenarios specific
to different lines of business, to assess the plausibility of
events that could materialize in significant strategic or reputational
risk, in particular for business lines with significant balance
- Ask institutions, from time to time, to carry out standardized:
- sensitivity tests for individual businesses/products given
evolving market conditions or
- scenario tests for use by OSFI to assess system wide vulnerabilities.
- Examine the future capital resources and capital requirements
under adverse scenarios. In particular, OSFI would consider the
results of forward-looking stress testing for assessing the adequacy
of capital buffers.
- Take account of the extent to which capital might not be freely
transferable within groups under adverse scenarios. OSFI would
also consider the possibility a crisis impairs the ability of
even very healthy institutions to raise funds at reasonable cost.
- Review the range of management actions envisaged by institutions
in response to the results of the stress testing exercise and
be able to understand the rationale for the management body decision
to take or not to take remedial actions. Supervisors may challenge
whether such actions will be available in a period of stress and
whether the institution will realistically be able and willing
to take such actions.
- Make recommendations to an institution to take appropriate
remedial action to address weaknesses in its stress testing program.
From time to time, OSFI may conduct an analysis of the impact
of system-wide stress scenarios. OSFI intends as much as possible
to test the impact of these system-wide scenarios using information
that is reported in regulatory returns or regularly collected as
part of the supervisory review process in order to minimize data
calls on institutions.
Scenario testing uses a hypothetical future state of the world
to define changes in risk factors affecting an institution’s operations.
This will normally involve changes in a number of risk factors,
as well as ripple effects that are other impacts that follow logically
from these changes and related management and regulatory actions.
Scenario testing is typically conducted over the time horizon appropriate
for the business and risks being tested.
Sensitivity testing typically involves an incremental change in
a risk factor (or a limited number of risk factors). It is typically
conducted over a shorter time horizon, for example an instantaneous
shock. Sensitivity testing requires fewer resources than scenario
testing and can be used as a simpler technique for assessing the
impact of a change in risks when a quick response or when more frequent
results are needed.