Building a robust model risk management framework in financial institutions

By Nadege Grennepois (Partner Risk Advisory, Deloitte France), Frederic Bertholon-Lampiris (Executive Director Financial Risk, Deloitte Southeast Asia), and Anca Maria Alvirescu (Senior Consultant, Deloitte Southeast Asia)

With increasing volumes of data, and the introduction of Artificial Intelligence (AI) and Machine Learning (ML) technologies, models are at the heart of every financial institution’s (FI’s) operations. But as FIs increasingly rely on model outputs for decision-making, the focus on model risk – or risk of errors in the development, implementation, or use of models – has continued to gain momentum.

There are several reasons for this. Firstly, the evolving technological capability of algorithms has resulted in widespread democratisation of model development, enabling users to deploy models without relying on internal IT or traditional model development functions. While this increases the speed of innovation, it also increases the risk for organisations, as these new models are not subjected to the same robust testing systems and governance structures as traditional ones.

Secondly, stakeholder expectations related to the documentation, accountability, controls, and risk management of models have been increasing. Regulators have been intensifying their scrutiny of model risks, focusing on models with elements of AI systems and ML algorithms.

In Singapore, the Monetary Authority of Singapore (MAS) released its set of principles to promote fairness, ethics, accountability, and transparency (FEAT) in the use of AI and Data Analytics (AIDA) in Singapore’s financial sector, and guide FIs in their governance and mitigation of model/algorithmic risks. This direction has been reinforced by the Personal Data Protection Commission, which released a discussion paper on its Model AI Governance Framework articulating a common AI governance approach and a set of consistent principles on the responsible use of AI, to promote its adoption while ensuring that its risks are assessed, monitored, and mitigated.

What is model risk?

Model risk is the potential loss that an FI may incur, as a consequence of decisions that could be principally based on the output of models, due to errors in the development, implementation, or use of such models. Similarly, algorithmic risk may arise from the use of data analytics and cognitive technology-based software algorithms in automated and semi-automated decision-making environments.

Risk factors

Model/algorithmic risks should be considered as a specific risk type to be managed in a similar way to other risks faced by FIs. This means that a robust framework should be put in place to identify, assess, mitigate, and monitor the evolution of model/algorithmic risks across the organisation.

Several underlying factors contribute to model risk:

  • Human biases: The cognitive biases of model developers and users could skew outputs and yield unintended outcomes, especially when there is a lack of governance, or misalignment between the organisation’s values and behaviours of individual employees.
  • Technical flaws: A lack of technical rigour during development, training, testing, or validation processes could result in models producing inaccurate outputs.
  • Usage flaws: Even if the models produce accurate outputs, flaws in their implementation or integration with operations could result in inaccurate judgements. 
  • Security flaws: Security breaches could enable internal or external actors to manipulate the outputs of a model to influence decision-making.

Five pillars of a model risk management framework

Regardless of the organisation’s size and structure, its model risk management framework should consist of clearly defined roles and responsibilities across all stages of a model’s life cycle. In addition, a sound framework should define the level of control and ensure clear accountability for each model/algorithm within its scope, depending on the magnitude of its expected impact on business performance and organisational reputation.

Overall, a robust framework should include five pillars, to be adapted to the level of materiality and complexity of the scope:

  1. Organisation and governance: Existence of a model risk management function, approved by the board and reporting to the Chief Risk Officer, which assesses and manages model/algorithmic risks
  2. Model life cycle management: Continuous monitoring of all stages in a model’s life cycle, including development, documentation, classification, validation, and inventory maintenance
  3. Model control framework: Initial validation before implementation, and continuous review of models and algorithms that have been assigned the highest level of risk
  4. Model risk assessment and quantification: Assessment and quantification of model/algorithmic risks with the use of qualitative and quantitative techniques
  5. Model risk management processes and technology: Implementation of appropriate processes and technology to support the management of traditional and AI-based models

Raising awareness on model/algorithmic risk management

In order for FIs to assess and monitor their model risks, the appropriate metrics will need to be defined in alignment with their risk appetite and risk tolerance limits, and continuously monitored by the board and senior management.

The implementation of a central model inventory that encompasses all of an organisation’s models, tools, and calculators can enable stakeholders to assess the risk criticality levels for each model based on materiality and complexity, and focus testing and validation efforts on models deemed to be of higher risk. Such an inventory would enable risk mitigation actions to be documented, and enable organisations to identify models that are not fit for purpose, or which have been used for unintended purposes.

Ultimately, a model risk management framework should strive to embed a model governance culture within the organisation. Rather than focusing only on compliance, the framework should provide guidance, standardisation, and clear communication channels – features that could lead to long-term, improved efficiency in model development with enhanced governance. In this way, risk management can contribute to a better and sounder decision-making process, instead of being simply an oversight function.