The PRA’s proposed principles on MRM for banks represent a significant elevation of the bar, and when finalised later this year will demand a significant programme of work to catalogue, categorise and risk-assess the models they use, and to improve governance and oversight processes. The PRA has said it expects an “Initial self-assessment” along with “prepared remediation plans” for them to comply with within a 12-month period.
MRM currently only applies to banks. However, the PRA intends to make MRM applicable to insurers once the Solvency II reforms are finalised. In the meantime, the PRA has indicated in its supervisory priorities for 2023 that insurers should consider how the MRM principles could be applied.
The PRA’s basic concern remains that many banks are not monitoring or managing effectively the aggregate risks they face due to the broad range of models they use. The overarching aim is to ensure that senior management and Boards have clear sight of the aggregate risk that models represent and receive reporting to enable them to be confident that the risk is being managed.
The main challenge for firms will stem from the PRA’s proposal for a very broad definition of what constitutes a “model”, covering any instance where a qualitative or quantitative input is subjected to a transformation that produces a qualitative or quantitative output. This captures traditional credit and market risk models, but also extends to a wide range of algorithms, estimators, heuristics, decision trees and spreadsheet-based calculators that banks may not currently define as models. Banks with regulatory approvals to use models for credit and market risk capital calculations may have hundreds of such models; beyond these categories, large banks may count their “models” under the PRA’s definition in the thousands.
The first stage of implementing the principles – subject to any changes the PRA makes to the definition of a model - will require banks to create an inventory of models and undertake a risk-classification exercise for all in-scope models. This will be challenging, not least because the technology capabilities required to support the expanded model inventories may go beyond those of existing systems. Furthermore, processes that may appear innocuous (for instance, a spreadsheet that collates inputs from three source systems and adds the figures together to form part of a finance/risk reconciliation adjustment for the monthly management accounts) may now count as a “model”. The creation of the inventory will need to be iterative to deliver the appropriate scope.
Banks already have in place model oversight and governance processes for models subject to regulatory approval, but the order of magnitude increase in the number of models within the scope of the proposed principles implies a significant resource stretch for teams that are in some cases already struggling with existing supervisory modelling requirements, including on internal ratings based (IRB) repair, hybrid mortgage models, and preparation for Basel 3.1 implementation.
Firms will need to take advantage of the risk sensitivity and proportionality built into the PRA’s proposals, to ensure that lower risk and less material models are subject to lighter touch oversight. Furthermore, not every component of a MRM process requires qualified, experienced statisticians, and firms should seek to identify aspects of their workflows that are amenable to automated solutions. The overall process may be time consuming, but it should bring transparency to decision-making and present opportunities for firms to rationalise what may be unnecessarily diverse and fragmented models across all areas of their operations.
Firms should look to develop remediation plans on the back of their implementation programmes, identifying opportunities to improve the consistency of model inputs and outputs by consolidating data sources and amalgamating models.