
Model risk management

Getting policy and governance right

By Azer Hann and Bevan Ferreira

As the main source of quantitative, predictive data and information for financial institutions (FIs), models represent a critical aspect of the decision-making process. The risk associated with models must be managed effectively and consistently to ensure sound decision-making. If not, banks and other institutions may find themselves facing a range of issues, financial and otherwise.

Regulators have recently focused on governance and policy implementation around model use because it is not at the level it should be, meaning FIs that demonstrate lax model risk management (MRM) may increasingly face regulatory challenges. Canada is expected to introduce MRM guidelines soon, so Canadian institutions need to start strengthening their model risk management practices or be prepared to face regulatory issues down the road.

The challenge of enhancing governance and policies
While final guidelines have not yet been clarified for Canada, they could raise certain challenges, particularly around fulfilling any compliance requirements regarding the use and implementation of model technology and model-derived data.

On the policy side, more robust policies and standards will be required for all model types, particularly around model use and monitoring. This will almost certainly require current governance structures to be not only expanded but, in some cases, revamped. Notably, these kinds of changes often present some pain points around gaining senior management buy-in and sourcing the appropriate, specialized resources. The aim, however, is both to elevate standards and to account for the growing number not only of models in use but also of in-scope items that must be regularly reviewed and monitored.

What should financial institutions be doing?
It’s clear that regulators are putting a premium on the enhancement of MRM governance and policy, and the issues mentioned here only cover a few potential challenges. There are, however, some steps FIs can take to begin developing an appropriate and forward-looking MRM framework.

Governance
The first step with governance, and one of the most critical, is to ensure that the entire model process is aligned with the three lines of defense. The first line—the individual business functions—owns the models (and the risk) and is responsible for developing them and ensuring their readiness for use. The second line, made up of the risk and capital management functions, is responsible for model management and validation. That means regularly monitoring model outputs and determining whether the models are working correctly. Internal audit, the third line, provides another tier of governance, assessing the overall effectiveness of the organization’s MRM program, reporting gaps, and making improvement recommendations. Importantly, these divisions of responsibility must be clearly separated to ensure independent oversight is being exercised at each stage.

The governance framework should also define and classify what is actually considered a model, which has more to do with its intended use and outputs than its structure and complexity. In addition to establishing a model risk appetite, it should also include a list of risks addressed by the model and risks to the model itself.

Policy
From a policy perspective, it is important for FIs to establish policies to ensure alignment and to set minimum usage standards across the organization once an enterprise-level model risk strategy and appetite have been established. Policies and procedures should cover vetting, monitoring, testing, implementation, appropriate controls, IT system integration, application testing, and model production. Policy should then mandate training and feedback requirements for model users, quantification of errors, ongoing monitoring, and model use reporting.

Model use documentation is also important (to mitigate key-person risk), including things like the purpose of the model and what it can and can’t be used for. Standards and documentation are also required around the initial model development process and how to vet a model before implementation.

MRM is more than a compliance exercise
By better understanding anticipated regulatory measures, identifying key MRM issues and taking early action to address them, FIs can improve their model management framework—and decision-making. This will help ensure a strong compliance footing as regulatory measures increase, leading to greater clarity and accountability around model use.

But there’s an even bigger picture: through compliance, FIs can expect faster, more effective reconciliation of results by strengthening expected outcomes and increasing transparency and process management. Further, beyond compliance, an effective model risk management framework can help FIs increase efficiencies and gain competitive advantage.

Deloitte has deep industry knowledge and global experience helping banks comply with model risk management requirements. Our comprehensive model risk management framework covers a range of governance and policy considerations. We can help you close gaps in current practices and identify opportunities to revise and improve key processes.
