Insurers carry out stress testing to meet regulatory requirements and build a stronger business. In the first part of this InsuranceERM roundtable held in association with QRM, risk and actuarial executives discuss the metrics they test, how they design scenarios and how to inspire useful actions
- Richard Charlton - deputy chief risk officer, Canada Life
- Jason Domoney - head of enterprise risk management, Bupa
- David Leach - risk management head of investment oversight, ReAssure
- Karina Lo Dico - chief actuarial officer, Forester Life
- Charles Richard - co-founder, Quantitative Risk Management
- Vinaya Sharma - managing director and actuary, Quantitative Risk Management
- Peter Shepherd - chief risk officer, Rothesay Life
- Peter Telford - enterprise risk director, Legal & General
- Perry Thomas - chief risk officer, Lloyds Banking Group
Chaired by Christopher Cundy, managing editor, InsuranceERM
Why do stress testing?
Chris Cundy: Let us kick off with a simple question. Why do you do stress testing?
Richard Charlton: A few of the key reasons for me are: to understand where the potential vulnerabilities of the business are; to put them into context for senior management and the board; and to understand the sensitivities of the balance sheet and other business metrics.
Chris Cundy: Does that sum it up for everyone?
Peter Shepherd: It is hard to know how to think about risk in your business without trying to model against what you feel are a realistic set of scenarios for that business.
David Leach: Stress testing is important in establishing how much of a capital buffer you need above regulatory capital requirements.
Peter Telford: We get considerable value from robustness-testing our business plan. We do not want a strategy that is made of glass and is no longer valid as soon as one of our assumptions is a percentage point off. So by picking carefully our plausible adverse scenarios, we can say 'this is our plan … and it can still be our plan if the future deviates from our best estimate'.
Jason Domoney: Bupa is a multinational firm with diverse businesses – not just insurance. Stress plays out very differently in those businesses, so trying to understand the impact on the whole of the group is useful to us.
Peter Telford: Besides saying what happens if a 1-in-10 or a 1-in-200 event occurs on a risk that we know we have, stress testing is also a useful check on risks that you do not think you have.
"Stress testing is also a useful check on risks that you do not think you have"
For example, interest rate risk. A firm might say, 'We aim for a cash-flow match, and then we set tolerances over that,' tolerances which might be expressed in terms of PV01. But PV01 is not the whole story of the risk. If you pick your interest rate stresses carefully, you can test whether you are really matched or not. That is an important piece of information – validating your whole risk-management framework around interest rate risk in that instance, and validating the approach you take in modelling the residual risk.
Charles Richard: What is your definition of stress testing? Because traditionally there is the stochastic approach where you are running thousands of scenarios and looking at a tail, and then there is the other approach where you are doing scenario-based analysis.
Richard Charlton: We have a suite of both: some plausible combination scenarios, and then we also look to our modelling that is based upon probability distributions and integrating a range of different key risk factors on a more statistical footing.
Perry Thomas: Your internal model will give you a surface you can plot to, and then you have a deterministic scenario: 'This scenario does this. It looks like that in terms of results.' Then you think about your reverse stress testing separately.
Setting risk limits
Chris Cundy: Stress testing does not exist in its own bubble. How does it relate to other risk management activities, such as setting risk limits?
Perry Thomas: Stress tests inform the debate about risk limits.
Peter Shepherd: Completely. You cannot have one without the other. The biggest question for me is, if you are setting a limit, what level of stress do you want that limit to be calibrated against? The tough bit is not so much coming up with the stress scenario, but calibrating it to the 'so what' that you are looking for.
For instance, are you trying to design a stress scenario and a limit that allows you to continue within your solvency target range if your scenario plays out? Or keep your rating (if you have one)? Or stay solvent?
Richard Charlton: Understanding the sensitivities of our balance sheet to things other than the 1-in-200 scenario, which had been a key focus in the run-up to Solvency II, has kept us busy in the past year. However, it brings into focus the appropriateness of the models at those less extreme probability levels. It starts to hit you in the pocket if your 1-in-20 calibration looks a little bit unreasonable.
Stress testing other metrics
Chris Cundy: What common metrics do you stress test, apart from capital?
Richard Charlton: We are stress testing in respect of liquidity as well as capital. For example, it is no good being hedged to the hilt and covering your balance sheet position if it could leave you exposed to heavier cash calls on collateral, etc. So understanding both aspects in terms of capital and cash is quite key.
"The tough bit is not so much coming up with the stress scenario, but calibrating it to the 'so what' that you are looking for"
Charles Richard: You cannot forget income either. What is your forecast in income going to be by each one of these scenarios, to go along with what your liquidity risk or market value would be?
Peter Shepherd: The relative importance of those is going to change significantly, depending on whether you are a public company, private company, or what your long-term business plan is. For example, I could imagine a public company being much more focused on what their income volatility is in a stress scenario than a private company.
Perry Thomas: Business indices are the main one. For example, with a reputational risk like a cyber attack, you are going to lose persistency and new business.
Who does the stress testing?
Chris Cundy: Who is responsible for doing the stress testing?
Perry Thomas: We have workshops to work out the detail in the scenarios. We run those, but the finance team would do all the runs.
Karina Lo Dico: In our company, risk would provide the scenario, which the actuaries would model.
Richard Charlton: We have a few actuaries in risk – myself being one of them – and we engage with the actuarial team to come up with a sensible approach. In theory, there can sometimes be a desire on our part to run more scenarios, but we need to be mindful of the number that can be run, and be pragmatic.
Peter Telford: The risk function typically owns the framework and defines the desired outcomes of the process. If the risk function has the skillset, they can also provide independent challenge to the results, but ultimately, if there is a lot of heavy quantitative work, this is best done in the actuarial/finance teams.
Developing scenarios
Karina Lo Dico: How do we broaden scenarios? Actuaries tend to think about scenarios in terms of variables, in the model, with direct links to capital requirements. But does that narrow our thinking, or limit our ability to allow for developing future risks? Are we thinking too narrowly about stresses?
Peter Shepherd: We tend to pick that up in our emerging risk framework and, as you can imagine, political risk and regulatory change is right up there. We look to do some scenario planning around that, so we might develop a specific stress around reduced access to markets as a result of Brexit, for example. But again, the hard bit is, 'what is your scenario seeking testing against?'
Actuaries tend to think about scenarios in terms of variables, in the model, with direct links to capital requirements. But does that narrow our thinking?"
Peter Telford: The hardest assumptions to control are the ones that do not look like assumptions, because they are not parametrised, rather they are part of the structure of your model, and so you have to make some kind of qualitative change to the way you ask a question in order to test that sort of assumption.
Perry Thomas: One example would be the way conduct risk crystallised on the balance sheet. The largest fine in banking in 2010 was something like £600m; now it is £9bn. How do you see that coming?
Jason Domoney: We tend to start with big-picture questions, because otherwise you run the risk of only stressing the insurance business, or only running risks that affect the care homes. So if you want something that affects the group, you have to think bigger picture and narrow it down afterwards. Trying to design scenarios that tick enough of the boxes can be tricky.
Peter Telford: As soon as the group becomes fairly diverse, you have to think about whether you need locally defined stresses in the scenario tests as well, because what looks severe for the group might not cover the critical risks in individual business units.
Stress testing Brexit-type risks
Chris Cundy: Is stress testing useful for difficult-to-define or binary scenarios?
David Leach: I guess a number of insurers have working parties looking at Brexit‑type risks, and that is an area where stress and scenario testing could potentially add some value, particularly thinking about how the company responds. It is not just about producing numbers, but very much about working through roles and responsibilities, should something happen, and what management actions can be taken to mitigate the impacts.
Peter Telford: From a stress testing point of view, the interesting thing about Brexit is that it was not a statistical risk, so before the vote, you could not truly say it was 1-in-2 or 1-in-10; we were facing uncertainty rather than risk. The point is that stress testing binary scenarios as well as probability-based scenarios is useful; you are focusing on the consequences and therefore whether and how to mitigate that risk; you do not need to attach a probability to it.
Perry Thomas: Six months before the Brexit vote we ran workshops and worked through the scenarios and put in hedging programmes for what we considered tail events. It was almost costless, partly because at that point nobody thought it would happen, but it turned out to be a great call. But going forward, who knows?
Engaging to create an action plan
Richard Charlton: One dimension that is becoming more and more pertinent is the need to plan a range of management actions so we are not left scratching our heads when something does crop up. It also lends itself to our recovery and resolution planning, where we need to build up our recovery plans for plausible scenarios which could actually cause a large degree of detriment to the company.
Karina Lo Dico: With the range of scenarios, how do you engage the board and executive to create an action plan and generate the urgency to address some of those issues, rather than scenario results just being a set of numbers on a piece of paper?
"Life is somewhat more manageable if we build up a set of plausible actions that we can take off the shelf, partially developed, and implement things more quickly."
Richard Charlton: It is a good question. The lesson I suppose is that life is somewhat more manageable if we build up a set of plausible actions that we can take off the shelf, partially developed, and implement things more quickly. Some of it is reactive, some of it is preventative, and it is about getting that balance between the two.
Peter Shepherd: There is a danger with stress testing that it just becomes an exercise in its own right, so to have examples of where stress testing has led to something that has made a business safer is very useful. Many things are at risk; you have to ask yourself, 'Why am I doing this, and is it going to make a difference coming out of the other end?'
Brexit is a really good example – certainly in our firm, and others I am sure – to show that pre‑planning and stress testing different possible outcomes led to a much safer business.
David Leach: What we have done in the past is to ensure that for every scenario, there is a person from the executive management team whose is appointed the leader for that scenario. I am not saying it always works!
Vinaya Sharma: Somebody has to champion those stress tests for action to take place. Is it the board? Is it the CRO? Is it the CFO?
Perry Thomas: It depends. Often, it is the CRO, but they have an influence on the board. However, there is no point presenting stress tests without some corresponding possible actions. For example, testing the effect of low interest rates: hedging half a point down is expensive, but if you want to hedge 2% down, that becomes very cheap. So you can have a discussion around the cost of taking the tail off.
David Leach: Also, line one needs to demonstrate that they are appropriately controlling their risks. When we have done it in the past, the people that we assigned to the different scenarios were typically line-one people.
Peter Shepherd: It is probably fair to say that the CRO and the board collectively own the framework around stress testing, because they own the risk appetite, but the actual implementation of it and the design is something more fluid across the firm.
Richard Charlton: From my experience, it would be the CRO who would propose the suite of scenarios and the suite of stresses to run, but certainly it helps to engage with the board with the plan, and receive feedback. It means when you come along a couple of months later with the results and some of the consequential actions that might be necessary, the foundations have been set for engagement and understanding of the scenarios more. And you do not want to have the construction of the scenarios totally unravelling if they are strongly challenged; such challenge is easier to accommodate at the start of the process.
Having said that, the world keeps moving, so sometimes what seems a good scenario may turn out to be irrelevant.