Explore This Section

SRC Insights: Fourth Quarter 2008

Stress Testing as a CRE Risk Management Tool,
Part III

This article concludes our three-part series on the use of stress testing as a risk management tool for banking organizations with high levels of CRE concentrations. Earlier in our series, we introduced the benefits and foundations of stress testing (Part I, Second Quarter 2008) and suggested ways to stress test unique segments of the CRE portfolio (Part II, Third Quarter 2008). This final segment highlights the critical role of the board of directors and senior management in the process, from developing policies and procedures to utilizing the information to direct mitigation strategies and contingency plans. In addition, we will briefly discuss how this information fits within the strategic planning process.

The Role of Senior Management and the Board of Directors

The board of directors has the ultimate responsibility for the level of risk assumed by an institution and its overall risk management program. This includes oversight of the stress testing program. The board of directors ensures that the stress testing program is meaningful, effective, and fully supported by the senior management team. The depth and degree to which the board will be involved in the process will largely depend on the size of the institution. Some institutions may have a risk management committee, which actually includes board representation, to oversee the program. Senior management is responsible for the day-to-day oversight of the stress testing program.

Senior Management's Responsibilities for Overseeing a Stress Testing Program
Review the portfolio and the external environment and develop a comprehensive risk assessment
Design stress tests based on the risk assessment
Oversee management information systems used in the process
Develop and document assumptions and scenarios incorporated into the stress testing program
Develop and document procedures
Assign staff responsibilities
Ensure that stress tests are conducted and analyzed regularly in accordance with policy requirements
Report the results of stress testing activities to the board of directors
Comply with recommendations made during independent validations

Policies and Procedures

Effective policies and procedures must be developed in order to manage risk successfully. The development of policies, performance measures, and monitoring procedures must coincide with the institution's strategic plan and the board's risk appetite. Policies and procedures are not steadfast guidelines, but they may be changed periodically to reflect the changes in the risk profile of the institution or in its external environment. The board of directors is ultimately responsible for reviewing and approving the stress testing policy and program and establishing limits and maximum risk tolerance levels to be measured in the stress testing process. The policy should be formally documented, approved by the board of directors at least annually, and communicated and reviewed by all affected personnel.

A comprehensive policy may include the following key elements.

A general purpose statement. The statement will largely depend on the breadth of the goals the institution expects to achieve through stress testing. An example of a very basic purpose statement is: "The general purpose of stress testing is to determine whether capital sufficiently covers losses and to aid in the development of contingency plans, which ensures capital protection should stress testing results become a reality."

Designation of authorities, responsibilities, and accountability. The policy should include assignment of oversight and day-to-day responsibilities associated with the stress testing process. Formal lines of authority and a program that includes separation of duties should be established to maintain the integrity of the process. Authorities assigned as part of the stress testing program should be clearly defined and communicated among the responsible parties.

It is also important for the policy to address required approvals for changes in the methodology, processes, and assumptions within the stress testing program. Any significant changes in the stress testing methodology and related process should be required to be approved, at a minimum, by senior management and, if appropriate, reported to the board of directors.

The policy should also designate authorities for the implementation of risk mitigation strategies. The policy should include the types of remedial or mediation activities allowable under the designated authorities. Some level of materiality should be incorporated so that minor changes can be implemented routinely. Guidelines can be set based on the size of the loss, the level of earnings impact, or capital level change, for example. Results over a certain threshold might include more board involvement in mitigation strategies, while results under a certain threshold may warrant only senior management involvement with a summary provided to the board at the next meeting.

Minimum scope and core assumption requirements. The policy should define the scope of the stress testing program. This includes identifying which segments of the portfolio will be subject to stress testing (i.e., all or portions of the CRE portfolio). In addition, core assumptions or scenarios should also be included, with a caveat that additional stress tests should be performed as needed based on changes in the portfolio composition and external environment. Procedures should include detailed assumptions underlying stress tests and how results were derived. The board should remember to consider feedback provided in any independent review of the stress testing program, as it sets these minimum standards in the policy.

Stress testing frequency requirements. Include defined standards for the frequency of stress testing (i.e., monthly, quarterly, semiannually, etc.), which will largely depend on the risk profile of the institution. Institutions with weaker levels of capital and heightened sensitivity to stressed scenarios may require more frequent testing, while others may not. Frequency requirements outlined in the policy should be adjusted routinely depending on changes in the institution's risk profile.

Establishment of limits and tolerances. Establishing limits and maximum risk tolerance metrics will help the board and senior management with ongoing decisions. The policy should include guidelines which trigger when remedial actions should be taken—for example, when the magnitude of expected losses and the earnings and capital impact of the stresses reach a certain level. Limits should be periodically reviewed as part of the independent review of assumptions; however, adjustments to limits should be well-supported and well-documented to avoid using limit adjustments to effect a more favorable outcome and mask the underlying degree of risk.

Reporting requirements. Effective reporting is essential to the board's understanding of the stress testing program and its ability to make decisions. Reports should ultimately provide the board and senior management with an overview of the material areas of risk exposure. Minimum reporting requirements, as highlighted in the policy, will depend on the board's appetite for information; however, at a minimum, they should include variance in the results to limits, a narrative of the drivers of reported metrics, exceptions to policy, and a summary of any material remedial actions taken and their outcome.

The board should also indicate how frequently reports are to be reviewed and whether they should be reviewed by the board or a designated committee thereof, such as a risk management committee. Reports should also be shared with other senior managers and business line managers, as appropriate, so they may be aware of potential identified risks as they carry out their assigned responsibilities.

Independent review requirements. Considerable changes in market conditions, portfolio distribution, and other factors can invalidate stress assumptions. Independent evaluation will help ensure that the stress testing program remains relevant. Some institutions, depending on their size and the data platforms used, may choose to use an outside vendor to validate the program; however, others may utilize internal resources, such as internal audit or loan review personnel.

Regardless, it is important for the reviewer to remain independent of the stress testing process and have sufficient training in and knowledge of stress testing. An independent review should be completed at least annually, or more frequently if significant changes in the portfolio or the external environment occur. The policy should include a review of the following:

  • The adequacy of the scope of the program (i.e., sufficient level or appropriate types of loan exposures)
  • The validity of the assumptions used and scenarios applied
  • The accuracy, reliability, and completeness of the data inputs, model formulas, and other program infrastructure elements
  • The adequacy of the management information system
  • The level of stress testing that is incorporated into daily risk management processes
  • The appropriateness of policies and procedures
  • Whether appropriate authorizations were obtained for significant changes in the program or for remedial or mitigation activities
  • The appropriateness and adequacy of stress testing documentation
  • The accuracy of results reporting to the board and senior management

Remedial activities and risk mitigation strategies. The results of stress testing will typically prompt the implementation of mitigation strategies. Risk mitigation strategies help to soften the potential impact of stressed scenarios should they become an actuality in the future. Practical examples of remedial activities that an institution may choose to undertake include:

  • Reducing exposures to certain loan sectors or geographic regions through loan participations, allowing loan run-off at maturity, or reducing or prohibiting certain types of lending
  • Strengthening or restructuring individual credits in portfolio sectors with higher identified sensitivity to stress scenarios
  • Implementing more rigorous underwriting standards, such as reducing maximum LTV levels or increasing minimum debt coverage ratios for new loans or loan renewals in certain CRE sectors
  • Implementing more rigorous credit administration practices, i.e., increasing the frequency of the submission of operating statements and rent rolls for the properties securing the bank's loan (when documents allow), increasing property inspection frequency, routinely inspecting the status of property tax payments, or obtaining updated interim credit bureau information for guarantors
  • Increasing loan loss provisions and the ALLL and reviewing underlying assumptions based on newly identified risk exposures presented during stress tests
  • Increasing the minimum capital levels beyond policy requirements to provide a buffer
  • Pricing for risk

Contingency Plans

Contingency plans define the board-approved actions that the institution must take, should attempts to minimize risk through mitigation strategies fail and worst-case assumptions become true. A contingency plan should emphasize the need for capital protection and should include, but should not be limited to, the following elements:

  • Definition of events which would trigger implementation of the contingency plan
  • Required actions to be performed by management should identified situations occur under a given scenario
  • Authorities for making decisions under periods of stress
  • Defined responsibilities of staff, management, and the board during stressed conditions
  • A list of alternatives for raising additional capital under stressed conditions
  • A list of alternative sources of funding should the availability of capital from investors be unobtainable and/or losses result in cash flow shortfalls which require augmentation from outside sources
  • Procedures for coordinating timely communications both within and outside the organization during periods of stress
  • Guidelines for dealing with outside parties, such as the media, regulators, counterparties, etc.

Strategic Planning

Finally, perhaps the most valuable role that the board and senior management can play in emphasizing the importance of stress testing is in their use of the results in the strategic planning process. Stress testing can provide valuable input for future business decisions and can guide institutions as they consider adding new business activities or products and entering new markets, or they can just guide the emphasis to a particular set of activities. Stress testing can also provide insight into whether budgeted earnings and growth should be adjusted to reduce risk.


It is our hope that, in utilizing the basic framework presented in this series, board members and senior management at institutions with high CRE concentrations will find that the benefits of stress testing far outweigh the time spent on implementing and maintaining the program. For questions and additional information on adopting or expanding a stress testing program, please contact Jim Adams at (215) 574-4325 or Sharon Wells at (215) 574-2548.

The views expressed in this article are those of the author and are not necessarily those of this Reserve Bank or the Federal Reserve System.