As model risk management challenges continue to evolve, many banks are applying new tools and practices to manage and monitor this important risk function more effectively.
What is model risk management in banking?
Model risk management is the practice of gauging potential risks by analyzing and evaluating those risks and taking corrective measures to minimize them. Whenever an organization makes a decision involving investments, they try to figure out the number of financial risks attached to them.
A model risk management system is important in banking because banks are exposed to various risks — both financial and non-financial. Risk management is a complex process, so banks try to use model risk management tools that simplify and streamline this procedure. However, models aren’t entirely foolproof. Poor specifications, technical glitches, and data or calibration errors can all hinder a model’s accuracy. Banks use a model risk management system that involves testing, governance policies, and independent review on an ongoing basis to reduce these errors.
The current state of model risk management
The practice of model risk management has undergone some significant changes in the years since the Federal Reserve and the Office of the Comptroller of the Currency issued “Supervisory Guidance on Model Risk Management” (SR 11-7, OCC 2011-12). When the interagency guidance was first published, the use of sophisticated financial models was concentrated primarily in large institutions, particularly those with more than $10 billion in assets, which were subject to heightened regulatory scrutiny.
However, in the ensuing years, attention to model risk management became much more widespread as model usage continued to increase in banks of all sizes for various purposes, including compliance with rapidly changing regulatory and financial reporting requirements. When the Federal Deposit Insurance Corporation adopted the interagency guidance in 2017, a wider universe of banks recognized the need to improve their MRM capabilities. Advances in models such as the incorporation of advanced statistics and machine learning also spurred a greater need for efficient management of the associated model risks.
Today, the maturity levels of model risk management programs vary considerably across the industry. Many banks with less mature programs are still identifying and refining their model inventories or working their way through the first or second round of validations of key models — a function typically outsourced or supplemented by support from internal audit. In larger, more mature programs, however, management’s focus is shifting toward gaining more value from the effort, realizing efficiencies, developing a holistic view of the organization’s model risk, and enhancing internal resources to build more sustainable MRM practices.
Evolving model risk management practices
At a fundamental level, model risk management encompasses a range of activities within three overarching functions:
1. Model development, implementation, and use. This function encompasses a clear understanding of the model’s purposes, support for the theory and design of the model, rigorous assessment and preparation of data, a disciplined approach to implementing the model in the bank’s environment, comprehensive testing, and challenge by model users.
2. Model validation. This function consists of a set of processes and activities conducted by a party independent from model development, which are intended to verify that models perform as expected.
3. Governance, policies, and controls. A governance framework provides the necessary policies, procedures, and management oversight to verify that the MRM program appropriately manages model risk in alignment with the extent and sophistication of the bank’s usage of models.
Model risk management practices within these functions have continued to evolve to enhance the MRM function. They include:
● Ongoing monitoring
○ A standardized manner for model owners to document an ongoing monitoring plan
○ Tracking of the execution of ongoing monitoring activities by the model risk management function
○ Visibility to model performance issues and an understanding by model risk managers of the impact to interconnected models
○ Aggregated reporting on ongoing monitoring compliance and model performance
● Change management
○ A standardized method for documenting changes
○ A clear definition of what constitutes a material change
○ Notification of material changes to model risk management
● Nonmodel tools
○ Identification of nonmodel applications or end-user computing systems (EUCs) and inclusion in the model inventory
○ Established policies and procedures to provide oversight
● Model validation
○ A standardized model validation report
○ An established set of risk-based activities to conduct between full validations
○ A centralized manner for tracking validation findings and timelines for remediation
Advancing the MRM function to drive business value while realizing efficiencies can be challenging. A successful program requires that model risk management teams address rising volumes of model usage and evolving requirements and expectations by model users and regulators alike.
Addressing the challenge of ongoing monitoring
One of the first challenges to address in many organizations is the lack of a standardized process for model owners to conduct and document their ongoing monitoring. For example, when hundreds of bank executives participating in a recent Crowe webinar were asked to identify their top MRM-related challenges, their number-one concern involved working with model owners to conduct such monitoring. Nearly half (45.5%) said they expect this to be one of their top challenges in the coming year (Exhibit 1).