Firms new to the discipline have their work cut out as regulators bring attention and clarity to model risk. The experience of forward-thinking early adopters and other best-practice resources can help, say experts from SAS.
Friday, October 27, 2023
By Miles Elliott and David Asermely
As the financial sector faces the most treacherous risk climate in more than a decade, financial firms are reevaluating their model risk management (MRM) practices – and not a moment too soon. Errors and lax MRM practices have been implicated in a number of high-profile banking failures over the years, including the 2007-2008 global financial crisis.
As financial institutions deploy ever-more varied and sophisticated models in their quest to meet consumers’ evolving expectations, they find their MRM responsibilities spiraling in complexity. In fact, nearly one-third of firms (28%) are already running more than 100 models, according to research by PwC.
It goes without saying that firms need the right level of oversight and governance to adhere to the latest regulations. Unlike many financial regulatory standards, the U.S. has led the way on MRM, with the SR 11-7 guidance setting the bar for improved governance and control requirements for the design and execution of MRM. It also cemented the status of model risk alongside more established risk types, such as credit risk.
Soon the U.K. will close the regulatory gap with its first fully holistic MRM framework, due to come into force in May 2024.
Shifting Regulation in the U.K.
Until now, regulations in Europe, including the U.K., have tended to target different aspects of the risk management lifecycle – such as augmenting regulatory expectations of capital models via the European Central Bank’s Targeted Review of Internal Models (TRIM) in 2016, or setting the principles for models used in stress testing (SS3/18) in 2018. The limited scope of regulations could be among the reasons some firms hadn’t prioritized MRM in recent years.
That’s all set to change. The Bank of England regulator, the Prudential Regulation Authority (PRA), formally consolidated CP6/22 into PS6/23 and SS1/23 earlier this year. The latter is underpinned by five principles:
Model identification and model risk classification.
Model development, implementation and use.
Independent model validation.
Model risk mitigants.
It should be noted that, in its CP6/22 consultation, the PRA said it had found “evidence of poor MRM when reviewing firms’ applications for internal regulatory model permissions and when reviewing approaches to expected credit loss accounting under IFRS 9.”
Given the changing environmental and digital landscape, and increasingly sophisticated risk modeling methods, the PRA said it expected the use and complexity of models to grow. It cited the need to quantify financial risk linked to climate change as well as the use of artificial intelligence (AI) and machine learning(ML).
How Prepared Is the Industry for New Regulation?
The economic impact of COVID-19, war in Ukraine, the integration of ESG and climate risk, and firms’ expanding use of AI and ML gave the PRA the stimulus it needed to drive a holistic MRM framework to the forefront in the U.K. Still, commercial pressures, growing resourcing costs, technological change, and variations in legislation in different jurisdictions can all make model risk management a challenge.
That hasn’t stopped firms being proactive in their approach to managing the risks. The appointment of model risk officers, and the emergence of model risk as a principal risk within firms’ risk management frameworks, are signs that forward-thinking senior managers have already made significant strides in this area. Likewise, many firms have already made great progress in mitigating model risk.
SS1/23 proposes a holistic approach to regulation – setting the standard required for managing MRM in the modern age. Its principles should bring greater clarity and set the standard across the financial services industry. But that begs the question, where will banks focus in the months ahead? That will largely depend on where they are today.
Innovator Firms Pave the Way
Forward-thinking firms, the innovation trailblazers, have already spent the past decade developing risk management frameworks, incorporating model risk ownership, accountability, controls, and associated governance across the three lines of defense.
Their model definitions tend to go beyond traditional regulatory risk-focused models to incorporate a wider group of models into their inventory, including forecasting, fraud, marketing and pricing models. Many are expanding their analytics-based deterministic modeling approaches to include judgmental rule-based methods.
They are also extending their definitions beyond a pure statistical model to include, at least in part, deterministic/quantitative processes built and executed in end-user computing controls (i.e. spreadsheet calculations).
Most often, they have also:
Had a focus on building skills and capabilities around model risk leadership and working practices.
Reviewed processes supporting the design, execution and embedding of model governance within the firm’s risk management framework.
Leveraged technology to improve, for example, inventory management, model monitoring and validation documentation.
Those that have invested in all three areas – people, process and technology – have typically been able to reduce operating costs through enhanced process efficiency, mitigated both operational and compliance risk thanks to strengthened governance and control, and grown revenue by shortening the time from model risk identification to model risk remediation.
Expectations for Firms New to MRM
The financial institutions just starting to hone their MRM maturity have significant work ahead of them. It will require a period of adaptation, acceleration and, importantly, investment across (at the risk of repetition) people, process and technology.
The upside is the lessons the new-to-MRM crowd can glean from the early adopters. For example, as AI and ML have advanced and become more widely adopted, so too have MRM and governance evolved to reflect the new challenges and considerations associated with these technologies. Firms will find plenty of resources and expertise for developing best practices.
Firms can also learn a lot from the regulatory bodies. Consider, for example, the PRA’s thematic review of regulatory returns, which highlighted the following concerns:
Senior management isn’t fully accountable and responsible, leading to fragmented business processes, insufficient oversight and poor governance of regulatory interpretations.
Insufficient controls and control frameworks have created gaps in business processes, and inadequate reconciliation.
A lack of investment and prioritization has reduced capability and capacity, requiring short-term fixes and the need to source underlying data.
High levels of manual intervention and operation of associated business processes, coupled with an over-reliance on outdated infrastructure.
Challenges Ahead: 5 Ways to Improve MRM
Analytical models are the lifeblood of modern financial institutions. Business decisions made based on misinformed or incorrect model use, especially during times of stress and uncertainty, can spell a firm’s doom and wreak havoc on the industry more broadly.
At the same time, MRM is about more than just regulatory compliance. The convergence of big data, AI, ML and blockchain technology, in parallel to the digitalization and commoditization of models, is rapidly transforming how MRM is performed and the value it can deliver. SAS has partnered with 80+ banks across the globe to implement robust MRM, accumulating knowledge and expertise as the domain has evolved.
Whatever a firm’s current MRM acumen, navigating the complexities of forthcoming regulatory changes – and the ones that follow in the years to come – will require diligence and continuous improvement. Please stay tuned for part two of our exploration of the current MRM landscape, where we will present five ways financial institutions, the leaders and up-and-comers alike, can improve the breadth and depth of their MRM strategy and processes.
Miles Elliott, Risk Management Advisory Lead for EMEA at SAS, has over 25 years of financial services experience serving multiple banking groups, covering start-ups to global systemically important banks (G-SIBs) across both U.K. and international jurisdictions. He has held a variety of risk modeling roles, including risk modeler, Head of Risk Modeling and Chair of Model Risk Committee. He joined SAS in 2019 given his deep belief in SAS’ capability to power firms through their risk management transformations.
David Asermely, Global Lead for AI Governance and Model Risk Management at SAS, is responsible for product design, support, partner strategy and more. Passionate about translating data into actionable intelligence, he combines the best technologies and design principles to help financial services organizations improve modeling efficiency and quality. Asermely holds Master of Science and MEd degrees from the University of Massachusetts Amherst. Prior to joining SAS, he managed the Bank of New York Mellon’s Global Performance and Risk Analytics product set.