Testing to failure: Why Reverse Stress Testing is redefining geopolitical risk

Most financial institutions now acknowledge geopolitical risk within risk inventories or emerging risk registers. However, our discussions quickly highlighted a familiar gap between recognition and execution.

As our guest speaker Derek Leatherdale, senior geopolitical risk advisor at Sibylline and former head of HSBC's geopolitical risk function, observed: "It's there on paper, but in practice it's hit and miss. Firms often don't really know what 'integrating geopolitical risk' actually means — and supervisors don't always know what they're looking for either."

Participants noted that geopolitical risk often cuts across traditional risk categories, making it difficult to "dock" into ERM unless governance, ownership and escalation routes are clearly defined. This challenge is not theoretical. Leatherdale referenced regulatory interest in how street protests in Hong Kong could impact the financial performance of banking businesses operating there, with supervisors focusing on second-order transmission channels — such as impacts on mortgage portfolios and balance sheets — rather than treating the protests as purely reputational or conduct issues.

The example illustrated how geopolitical events can crystallise rapidly into financial risk — and why ERM frameworks must be capable of capturing those transmission channels.

A recurring theme was that failures are rarely driven by lack of insight, but by breakdowns in communication. As one participant put it: "Almost every lesson learned boils down to bad communication of risk information that should have been on someone's desk — someone knew, but nobody said."

What was discovered: A UK building society identified post-COVID that a significant proportion of its branch properties were ultimately owned by Russian oligarchs.

Why it mattered: The exposure only became visible once sanctions risk and ownership structures were reassessed through a geopolitical lens.

ERM lesson: Geopolitical impact assessments frequently uncover previously unseen risk concentrations, particularly across property, counterparty and supply-chain dependencies.

A central theme of both sessions was the growing regulatory focus on geopolitical risk, particularly in Europe. Members discussed the European Central Bank's (ECB) decision to require banks it supervises under the Single Supervisory Mechanism to conduct a geopolitically-driven reverse stress test as part of a 2026 thematic exercise.

Reverse stress testing flips the traditional stress-testing approach. Rather than modelling predefined adverse scenarios, firms work backwards from a defined failure point — for example, a severe capital depletion — to identify the scenarios and transmission channels that could plausibly cause it.

As Leatherdale highlighted during the discussion: "The ECB has said to firms: you've got to produce a geopolitically-scenario reverse stress test — around a 300-basis point CET1 impact — but it's up to firms to work out the scenarios."

Importantly, the ECB has deliberately not prescribed scenarios, forcing banks to identify their own vulnerabilities rather than rely on regulator-designed narratives. This has sharpened focus on hybrid threats, such as the interaction between geopolitical escalation, cyber disruption, sanctions, funding markets and operational resilience.

Crucially, participants stressed that geopolitical risk cannot be addressed through generic scenarios. Leatherdale asserted: "Geopolitical risks are idiosyncratic. Even where impacts are common, the magnitude and materiality are very different firm by firm."

Steve Bailey, immediate past chair of ACCA's global forum for governance, risk and performance and board director across sectors, offered a candid perspective on the practical challenges of implementing reverse stress testing:

"I've had my fair share of discussions about reverse stress testing but have never used it accordingly — but that time is rapidly approaching. Its benefits are clear: it engages clients at an early stage as they can start with what they perceive to be realistic risk outcomes. But the downsides are significant. Values are subjective, aggregation is really complex, and the scope is daunting — external risks, geopolitical risks, and operating risks should all be included, and that's a huge vision and knowledge field. Risks also tend to be based on known or historical risks rather than emerging risks or black swans, so you could be fooling yourself with the outcome. The real crunch comes when it comes to accounting for and reporting these current or potential risks — and the profession is not addressing this issue as well as we should be. AI will also play a part in broadening and accelerating reverse stress testing, which presents both opportunities and challenges."

Bailey's observations capture the tension many practitioners face: reverse stress testing is increasingly necessary but operationalising it effectively remains a significant undertaking.

Reverse stress testing was seen as uncomfortable but valuable precisely because it forces firms to confront how their business model could fail, not just how it performs under adverse conditions.

Leatherdale highlighted that reverse stress testing often exposes concentration risks linked to geography, funding or counterparties; assumptions about market liquidity under stress; and over-reliance on management actions that may not be feasible in a crisis.

He cautioned that unstructured or informal analysis risks being ignored: "If you're a risk function talking about geopolitical risk, you need to produce analysis that people can actually operate to. Otherwise, you lose out to informal or armchair analysis."

Example scenario discussed:

A regional conflict escalation triggers sanctions, cyber disruption and funding market stress simultaneously. Key questions for firms: Where do capital and liquidity pressures crystallise first? Which management actions are realistically executable? What assumptions break down under correlated shocks?

Across both sessions, there was broad consensus on emerging good practice for embedding geopolitical risk:

• Board and ExCo sponsorship, typically via the board risk committee
• Integration into stress testing, International Capital Adequacy Assessment Process (ICAAP) and strategic planning
• Cross-functional engagement across risk, finance, legal, compliance, cyber, HR and government affairs
• Bespoke scenario design, grounded in firm-specific exposures

Leatherdale illustrated this with a cross-sector example from outside banking as this ACCA community includes members across all sectors. British Petroleum's standing geopolitical advisory capability enabled the organisation to prepare for a rapid exit from Russia ahead of the Ukraine invasion. While financial losses of $25bn were unavoidable, early scenario analysis supported decisive strategic action and avoided prolonged uncertainty.

The example reinforced a key message from the sessions: geopolitical risk management is about preparedness and decision-making, not prediction.

1. Geopolitical risk adds value only when embedded into decision-making

Having geopolitical risk on a register is insufficient. Firms need analytical frameworks that translate external developments into actionable business intelligence.

2. Reverse stress testing is becoming a supervisory inflection point

The ECB's approach signals a shift from voluntary to mandatory integration of geopolitical scenarios into capital adequacy and resilience frameworks.

3. Governance and escalation matter more than forecasting accuracy

Clear ownership, cross-functional collaboration and board-level sponsorship are essential to move beyond theoretical exercises. Leatherdale emphasized that effective geopolitical risk management is fundamentally about preparedness and decision-making, not prediction — echoing Eisenhower's famous observation that "plans are useless, but planning is essential”. The value lies in the process of thinking through scenarios, identifying vulnerabilities and establishing response frameworks, rather than in accurately forecasting which specific scenario will unfold.

4. Firms must design idiosyncratic scenarios, not generic narratives

Geopolitical risk is firm-specific. The magnitude and nature of impacts vary dramatically based on business model, market footprint and supply-chain dependencies.

5. CROs are increasingly building dedicated geopolitical risk capability

Financial institutions are starting to appoint heads of geopolitical risk, recognising that they have deep expertise in credit, market, operational and cyber risk — but often lack geopolitical specialists.

Strong CRO leadership was seen as pivotal in making this work. As Leatherdale noted: "The best CROs aren't the ones who try to know everything — they're the ones who make sure everyone else knows what they know."