A VaR number is a confident little sentence: “we are 99% sure we won’t lose more than $4.2 million tomorrow.” Lovely. But confidence is cheap — anyone can promise a number. The whole point of a 99% VaR is that it makes a falsifiable claim: across many days, losses should blow past the line on about 1% of them, no more, no less. That’s not a vibe; it’s a count you can check.
Backtesting is the audit. You line up every day’s predicted VaR against the loss that actually happened, and you tally the days reality punched through. Too many breaches and your model is dangerously optimistic. Too few and it’s a coward, locking up capital you didn’t need to. A model that’s never wrong is a model that’s lying about how often it’s right. Let’s learn to count — and then learn exactly where VaR keeps lying anyway.
Before you read — take a guess
Your 99% 1-day VaR is backtested over 500 trading days. Roughly how many days do you EXPECT the loss to exceed the VaR?
Did reality agree? Count the breaches
Analogy. A weather app that says “10% chance of rain” isn’t wrong when it rains — it’s wrong if, over a hundred such days, it rains on forty of them. You judge a probabilistic forecast not by any single day but by its hit rate over many days. VaR is exactly that kind of forecast, and backtesting is exactly that kind of audit.
Definition. An exception (or breach) is a day on which the realised loss exceeded the VaR predicted the day before. Backtesting compares the time series of predicted VaR to the time series of realised P&L and counts the exceptions. The count is the raw evidence; everything that follows — Kupiec, Basel — is just a rule for deciding whether that count is acceptable.
Drag the confidence slider below. A stricter 99% VaR sets a deeper loss limit, so fewer days punch through it; loosen to 95% and the line rises, catching more breaches. The exceptions light up in red, and the summary tallies them against the count you’d statistically expect.
- Exceptions (breaches)
- 4
- Expected
- 0.6
- VaR limit
- −3.0%
Each bar is one day's P&L; the dashed line is the VaR loss limit. A loss that punches through it is an exception (red, with a triangle marker). A stricter 99% VaR sets a deeper limit, so fewer days breach it. The traffic-light zones here are scaled down to this short demo window — the official Basel cutoffs are calibrated for a 250-day year.
The expected exception rate
Before you can say a model is wrong, you need to know what right looks like. For a confidence level over days, the expected number of exceptions is simply:
Worked example. A 99% VaR over one trading year (): expected exceptions . So a healthy model should breach roughly 2 or 3 times a year. A 95% VaR over the same year expects breaches — twenty times as many, because 95% is a far less demanding promise.
Now the part people forget: both directions are failures.
- Too many breaches (say 8 when you expected 2.5) → your VaR is too low. You’re systematically underestimating risk, holding too little capital, and one bad week could be ruinous. This is the dangerous failure.
- Too few breaches (say 0 when you expected 2.5) → your VaR is too high. The model is over-cautious, freezing capital you could have deployed and lying about how safe you really are. A risk number that’s never tested isn’t conservative; it’s uncalibrated.
A good model lands near the expected rate from both sides. “Never breached” earns no gold star.
A desk runs a 95% 1-day VaR over 250 trading days. How many exceptions are expected, and what does a count of just 2 suggest?
The Kupiec POF test
Counting is easy; deciding is the hard part. If you expected 2.5 breaches and got 4, is the model broken — or is that just luck? Random sampling means even a perfect model won’t hit exactly 2.5. We need a statistical test.
Analogy. It’s the same logic as testing whether a coin is fair. Flip it 250 times, expect 125 heads, get 138 — is it biased, or just noise? You compute how surprising 138 is under the “fair coin” assumption, and reject fairness only if it’s surprising enough.
Definition. The Kupiec proportion-of-failures (POF) test asks: is the observed breach rate (with exceptions in days) statistically consistent with the promised rate ? It’s a likelihood-ratio test — it compares how likely the data is under the model’s promised rate versus under the rate you actually observed:
When the observed rate matches the promise, the two probabilities are nearly equal, the ratio is near 1, its log is near 0, and — no evidence against the model. As the observed rate drifts from the promise, grows. You compare it to a chi-squared critical value with 1 degree of freedom (about 3.84 at 95% significance); exceed it and you reject the model.
Worked intuition. 5 breaches when 2.5 were expected (, ) gives an around 2 — below the 3.84 threshold, so it’s borderline but not rejected. Twice the expected rate sounds alarming, but with only a handful of events the noise is large, and the test (rightly) refuses to condemn on thin evidence. Push to 9 or 10 breaches and sails past 3.84 — now you reject.
Count isn't everything — clustering matters too
Kupiec only checks the number of breaches, not their timing. But ten exceptions sprinkled evenly across a year is a very different animal from ten that all hit in one ugly fortnight — the second screams that your model misses regime changes. Christoffersen’s test adds an independence check: exceptions should be spread out, not clustered. A model can pass Kupiec (right total) yet fail Christoffersen (breaches bunch up). Real validation uses both.
Fill in the logic of the Kupiec POF test.
Pick the right option for each blank, then check.
The Kupiec test compares the observed breach rate to the promised rate using a statistic, which you compare to a critical value (about at 95% significance). The test adds a check that breaches are independent and don't cluster in time.
The Basel traffic light
Regulators can’t have every bank inventing its own pass/fail rule, so the Basel Committee wrote a dead-simple one: run a 99% 1-day VaR over the last 250 trading days, count the exceptions, and read off a colour.
Analogy. It’s a literal traffic light. Green: drive on, your model’s fine. Yellow: slow down — we’re not sure, so we’ll make you hold more capital as a penalty until you prove yourself. Red: stop — your model is rejected, and supervisors step in.
The bite is in the capital multiplier. Required market-risk capital is roughly your VaR times a multiplier (floor of 3). In the yellow zone, is bumped up in steps the more breaches you have; in red, the model is thrown out entirely. More breaches → higher multiplier → more capital frozen. Backtesting isn’t an academic exercise — it directly sets how much money the regulator makes you park.
| Zone | Exceptions in 250 days | Verdict | Capital multiplier |
|---|---|---|---|
| 🟢 Green | 0–4 | Model accepted | 3.00 (no add-on) |
| 🟡 Yellow | 5–9 | Model questionable | 3.40 → 3.85 (rises with each breach) |
| 🔴 Red | 10+ | Model rejected | 4.00 (plus supervisory action) |
Note the asymmetry baked in: green tolerates 0–4, comfortably bracketing the 2.5 you statistically expect, because regulators would rather not punish honest noise. But cross into yellow and the cost climbs fast — the system is tuned to make underestimating risk expensive.
A bank's 99% VaR records 7 exceptions over the 250-day Basel backtest. What happens?
Where VaR lies to you
Backtesting can tell you a model is mis-calibrated. It cannot save you from the things VaR was never designed to see. Even a VaR that sails through every backtest carries deep, structural blind spots — and ignoring them is how firms blow up.
The five honest limits of VaR
1. Fat tails. Markets are not Gaussian. Real returns have fat tails — extreme moves happen far more often than a normal curve (or a short, calm estimation window) predicts. A “25-standard-deviation” day should never occur in the lifetime of the universe; in 2008 banks reported several in a row. LTCM (1998) and the 2008 crisis were both, in part, models trusting a thin-tailed world that doesn’t exist.
2. It’s silent on tail size. VaR tells you the threshold you’ll breach 1% of the time — and says nothing about how bad the loss is once you’re past it. A $4M VaR is identical whether the breach-day loss is $4.1M or $400M. That blind spot is the entire reason Expected Shortfall exists: it averages the losses beyond the VaR.
3. Procyclicality. VaR is estimated from recent data, so it shrinks in calm markets (low recent volatility → low VaR → desks feel free to lever up) and explodes after a crash (the crash enters the window → VaR spikes → risk limits breach → everyone is forced to de-risk at the same time, into a falling market). VaR thus amplifies cycles: it whispers “go bigger” at the top and screams “sell everything” at the bottom — a feedback loop that turns selloffs into stampedes.
4. It can be gamed and isn’t additive. A desk can shuffle risk into the far tail — selling deep out-of-the-money options — to lower reported VaR while raising true catastrophe risk. And ordinary VaR is not subadditive: the VaR of two desks combined can exceed the sum of their individual VaRs, so it can wrongly penalise diversification (the coherence flaw that, again, ES fixes).
5. The “97% of the time you’re fine” false comfort. A number that’s right 99% of the time trains everyone to ignore the 1% — which is precisely the part that bankrupts you. VaR’s seductive single-sentence packaging breeds overconfidence. It is a floor on your understanding of risk, never the ceiling.
A risk manager argues: 'Our VaR dropped 30% this quarter — markets are calm, so we can safely take more risk.' What's the trap?
Stress testing and scenario analysis
VaR is a fair-weather statistic — it describes the distribution it was fed, and that distribution is mostly placid days. It is structurally bad at the rare, violent event that actually matters. The fix isn’t a better VaR; it’s a different tool that doesn’t lean on the recent distribution at all.
Stress testing asks a blunt “what if?” — what does this portfolio lose under a deliberately brutal, named scenario? You don’t estimate the scenario’s probability from recent data; you simply impose it and measure the damage:
- Historical replays: revalue today’s book through the 2008 crash, the COVID-19 February 2020 plunge, the 1987 Black Monday, or a 1994-style rate shock.
- Hypothetical shocks: rates +300 bp overnight, equities −25%, credit spreads doubling, a key correlation snapping to 1.
Where VaR says “1% of normal days look this bad,” stress testing says “if this specific catastrophe hits, here is the bill” — no probability, no thin-tail assumption, no recent-calm bias. Regulators now require it alongside VaR precisely because the two cover each other’s blind spots: VaR for the routine, stress tests for the tail VaR can’t see.
Match each risk tool to what it actually checks.
Pick a term, then click its definition.
Putting it together — the whole topic
Step back and look at the arc you’ve climbed. VaR compresses an entire portfolio’s risk into one falsifiable sentence — a horizon, a confidence level, a dollar loss. You learned to build that number three ways: historical simulation (replay the past), the parametric / variance–covariance method (assume a bell curve and use algebra), and Monte Carlo (simulate thousands of synthetic tomorrows) — each with its own assumptions and failure modes. You scaled it across horizons with the square-root-of-time rule, then met Expected Shortfall, which answers the question VaR refuses — how bad is it once you breach? — and patches VaR’s coherence flaws. Here you backtested the whole edifice: count exceptions against , run Kupiec and Christoffersen, read the Basel traffic light. And finally you stared at where it all lies — fat tails, tail-blindness, procyclicality, gaming — and added stress testing to cover the catastrophe VaR can’t model. You can now compute a VaR three ways, average its tail, scale it, validate it against reality, and explain with numbers exactly when to distrust it. That is what an expert does: trusts the number, and knows its lies.
Big picture
Value at Risk — the whole topic
- Value at Risk
- What VaR says
- Horizon + confidence + dollar loss
- "99% sure we won't lose > $X tomorrow"
- Silent on the size of the breach
- Three engines
- Historical: replay the past
- Parametric: bell curve + algebra
- Monte Carlo: simulate tomorrows
- Scaling across time
- Square-root-of-time rule
- Breaks under autocorrelation / fat tails
- Expected Shortfall (CVaR)
- Average loss beyond the VaR line
- Coherent: subadditive, rewards diversification
- Answers the question VaR refuses
- Backtesting
- Count exceptions vs (1−c)·N
- Kupiec POF: is the count consistent?
- Christoffersen: are breaches independent?
- Basel light: green 0–4 / yellow 5–9 / red 10+
- Yellow/red raise the capital multiplier
- Where VaR lies
- Fat tails: LTCM, 2008
- Procyclicality: shrinks calm, explodes post-crash
- Gameable and non-additive
- "97% fine" false comfort
- Fix: stress tests + named scenarios
- What VaR says
Recap: backtesting and the limits of VaR
A 99% 1-day VaR is backtested over 1,000 days. How many exceptions are expected?
Check your answer to continue.
That’s the topic. You’ve built VaR three ways, sharpened it with Expected Shortfall, scaled it across time, validated it against reality, and learned exactly where it breaks. One thing remains: prove it. The final exam is a single graded run across the whole topic — one question at a time, each answer locked the moment you submit, score revealed only at the end. No notes, no second chances. Go earn the number.