Model risk management – Governance

In SS1/23 Model Risk Management (MRM) principles, the purpose of the Governance principle is to ensure firms have strong governance oversight with a board that promotes an MRM culture from the top through setting clear model risk appetite and clear accountability for model risk management.

What should firms be doing to effectively implement this principle?

  1. Establish a firm-wide MRM framework with policies and procedures documented for all stages of the model lifecycle.
  2. Ensure that roles and responsibilities are assigned appropriately across business lines with appropriate segregation of duties and aligned to the skills and knowledge within the organisation.
  3. Establish a model risk appetite supported by thresholds, monitoring and reporting processes.

1. Establishing an effective organisational structure through defined roles and responsibilities

The Prudential Regulation Authority (PRA) highlights the importance of defining and documenting the roles and responsibilities for MRM and provides a general structure for firms to use by outlining the ‘model lifecycle’, the key stages in this process, and an indication of the individuals involved in it. The organisational and governance structure for MRM should be designed in a commensurate way to suit the firm’s business model, risk profile and structure of business lines.

The model lifecycle describes the different stages of a model from conception to decommissioning, including the modelling, validation, and control activities.

Practically, this process will be firm-specific and depend on the business model, structure of the business and where model risk skills and experience lie in the firm. However, it can be thought of in the context of the three lines model:

The core modelling process

  • Consists of model development, implementation and use and will usually sit in the ‘first line’.
  • Comprised of model owners, users and developers.
  • Model owners must ensure that standards and limitations are identified, and model performance meets expectations.

The model validation process

  • Consists of the set of activities intended to verify that models perform as expected.
  • Can sit within the ‘first’ or ‘second line’ or alternatively can be outsourced.
  • Crucially, model validation should be independent from the core modelling process and carried out by individuals with the necessary technical skills and knowledge.

Risk Control

  • Involves monitoring, measuring and oversight of the model risk process.
  • Will typically exist within the ‘second line’.
  • Within more mature institutions, firms may establish a dedicated MRM second line function to carry out these activities.

Internal Audit

  • The ‘third line’ is responsible for periodically and independently assessing the MRM environment.

As with any other risk discipline, tone from the top is key to success; culture and vision must be established top down with ultimate accountability for risk management residing with the Board. To avoid MRM being seen as a compliance exercise, stakeholder engagement (from the Board and Senior Management) is a key success factor.

2. Embedding an effective framework with robust policies and procedures covering the model lifecycle

Underpinning the MRM framework are the policies and procedures which enable businesses to apply model risk practices effectively and consistently. The PRA outlines the following eight areas it considers firms should develop as a minimum:

  • Definition
  • Tiering
  • Standards around model development
  • Data quality management
  • Standards around model validation
  • Measuring and monitoring model performance
  • Approach to the use of model risk mitigants
  • Model approval and change process

We have explored the first two areas, model definition and tiering, in our first article in this series. In the following paragraphs, we will cover the standards firms should set out to measure and monitor model performance and subsequently how firms deal with any issues that may arise through the model lifecycle.

3. Establishing model risk appetite supported by thresholds, monitoring and reporting processes

Effectively assessing and reporting on model risk remains a challenge for firms, which can create challenges for board and senior management engagement and oversight. As regulation is not prescriptive when it comes to measuring model risk, there is no consensus on the specific metrics firms should use to measure risk at the individual or aggregate level. Despite these challenges, the regulatory expectation is clear: boards and senior management must remain engaged with and maintain oversight over the model risk ecosystem. Integrating MRM into a firm’s risk appetite and risk management framework is key to ensuring MRM becomes a business focus.

Firms should leverage the policies, procedures, and standards on models they have put in place to establish qualitative and quantitative model risk metrics. For example, the model inventory can form a basis for reporting on individual models and on the whole model portfolio. Specific metrics could include:

  • The number of material and complex models driven by the firm’s tiering system (e.g. high, medium, and low).
  • The number of models currently performing outside of expectations.
  • The number of models which have experienced issues in the last year (e.g. back testing and model exceptions).
  • Changes in model performance over time.

Additionally, the tiering system can be used as a way to focus reporting on higher risk models.

Furthermore, effective monitoring and reporting processes will enable firms to swiftly identify and escalate any issues with their models as well as any subsequent need for model changes. Firms should establish a clear escalation and governance process to be followed when a material change is required. When issues are identified with the model, either through validation or ongoing monitoring, firms need to ensure they follow their prescribed process and are documenting validation and changes. Some of the key areas to consider and document in policy include:

  • Sign-off responsibilities (model owner, committees etc.).
  • Validation required before sign-off.
  • The impacts of any change (on the model, other indicators etc.).
  • Documentation required in the model inventory.

Conclusion

In summary, embedding effective governance, oversight and accountability for model risk management is critical to ensuring the firm is able to manage model performance and model risk. Boards have an important role in promoting the right tone from the top, ensuring there is clear accountability and responsibilities across the three lines of defence and providing effective challenge and oversight linked to a clearly defined risk appetite.

In subsequent articles, we will address model development, validation and mitigants in greater detail.
