State of play for Model Risk Management
29 September 2023
The use of models by Banks and Financial Institutions to support decisions, particularly in originations, pricing and Regulatory Capital, has been in place for a long time. Following the introduction of IFRS 9, the usage of predictive models to calculate impairment provisions also became commonplace, and we are seeing models being utilised to drive more and more decisions in more and more areas. With the increasing complexity of these models, the need for effective Model Risk Management (MRM) has never been more critical. This increase in the volume of models and their complexity has also been a concern to regulators, with a number of Central Banks issuing principle-based standards outlining their expectations for their supervised institutions. The most recent and notable examples are the Central Bank of UAE with their Model Management Standards and Model Management Guidelines and the UK PRA with their Supervisory Statement SS 1/23. The rise in focus on Model Risk Management was emphasised at the recent Credit Scoring and Credit Control conference in Edinburgh, UK, where an entire conference thread was dedicated to Model Risk Management, including a keynote speech from the PRA on “The Evolving Role of Model Risk Management (MRM) in a Changing World”.
Understanding Model Risk
Model Risk refers to the potential for adverse consequences arising from incorrect or inadequate use of models in the decision-making process. The consequences of model risk can be far-reaching. Incorrect or misunderstood model outputs can lead to financial losses, regulatory penalties, and reputational damage. Moreover, model risk can undermine the overall stability of financial institutions and the broader financial system.
PRA SS 1/23: The UK Approach
In the United Kingdom, the PRA issued Supervisory Statement 1/23 (SS 1/23) in May 23 to provide guidance on Model Risk Management and has followed this up with an industry talk at the Edinburgh Credit Scoring Conference in August this year. SS 1/23 sets out the PRA’s expectations for firms in managing the risks associated with their models. The SS is structured around five high-level principles designed to cover all the elements of the model lifecycle. This includes model risk classification, governance, model development & implementation, model validation and model risk mitigants.
Key Highlights of PRA SS 1/23:
Model Identification & model risk classification: Firms are expected to define their models clearly to set the scope for MRM. Maintaining an inventory of the models helps to identify and report on the model risks and identify any model inter-dependencies.
Model Governance: Firms are expected to establish robust governance arrangements for model risk management. This includes clear roles and responsibilities, oversight by senior management, and board-level engagement, driving a culture of model risk across the organisation. As reiterated at the conference, this governance framework needs to consider the wider scope beyond models to ensure that there is not a ‘cliff edge’ with regards to rigour between those deemed to be within scope and those outside.
Model Development, Implementation & Use: The PRA emphasizes the importance of sound model development practices, including data quality, adequate testing, choice of methodologies, and documentation. Models should be developed by individuals with the necessary skills and expertise. Also, firms should use models in a way that is consistent with their intended purpose. They must also have effective processes for model implementation and ongoing monitoring.
Model Validation: Independent validation is the foundation of MRM. Firms are required to have a validation function that rigorously assesses model accuracy and reliability in an independent manner.
Model Risk Mitigants: Firms are expected to have established policies and procedures for the use of model risk mitigants when models are underperforming and for the independent review of any post-model adjustments. This was an area of renewed focus at the conference, with the need for an approved and ready-to-go ‘back up plan’ being highlighted in instances of model underperformance.
Central Bank UAE Model Management Standards
The Central Bank of the UAE also recognises the significance of model risk management and has issued its own guidelines. While specific standards may vary between jurisdictions, the core principles remain consistent.
Key Highlights of Central Bank UAE Model Management Standards:
Model Governance and Oversight: Similar to PRA SS 1/23, the Central Bank of the UAE places importance on governance and oversight. Financial institutions are expected to establish clear lines of responsibility for model risk management, with a responsibility on the board and CRO to ensure the culture of Model Risk Management is embedded across the organisation.
Model Validation and Documentation: Robust validation processes are crucial. Firms are required to document the development and validation of models comprehensively.
Model Use and Monitoring: Models should be used in alignment with their intended purpose, and there should be ongoing monitoring to ensure their continued accuracy and effectiveness.
Conclusion
Historically, Model Risk Management has been overly weighted towards model validation; however, the regulations are requiring organisations to take a more holistic view across the model lifecycle, with great focus on data management, implementation and model usage. Given the focus of model risk is to safeguard decisions, the attention on the latter point is unsurprising. This was a key point in my panel discussion at the Credit Scoring and Credit Control conference, where I suggested that MRM could be rebranded as Decision Risk Management to emphasise the importance of this holistic approach.
It is becoming more evident that Model Risk Management is a vital component of sound risk governance within the financial industry. The guidelines provided by regulatory authorities, such as the PRA in the UK and the Central Bank of the UAE, serve as valuable roadmaps for financial institutions to navigate the complex terrain of model risk.
Firms that effectively implement these guidelines not only reduce their exposure to model risk but also enhance their overall decision-making processes, which should be a priority for all organisations. As data and analytics play an increasingly pivotal role, the importance of robust Model Risk Management should not be underestimated. It is a critical element in maintaining the stability and integrity of the financial system, benefiting institutions and stakeholders alike and helping Banks and Financial Institutions make the best decisions to benefit their staff, customers and stakeholders.