By Henry Umney, CEO, ClusterSeven
Auditors and regulators are upping the ante and demanding more thorough and stringent approaches to Model Risk Management (MRM) from financial institutions globally.In Europe, institutions are adopting Targeted Review of Internal Models (TRIM) regime; in the UK there’s the SS 3 18; and in the US, SR 11 7 is growing in importance for MRM.
The focus of outside scrutiny of models has moved from model validation – i.e. is the structure, design and function of the model understood, tested and documented? – to encompassing the comprehensive governance of models, including change control, access control, auditability and reporting. This also now extends to the models and calculators that feed the models, as well as the technology platforms that underpin the entire model environment.
The problem with existing GRC systems for MRM
GRC systems and /or in-house risk management systems are commonplace in regulated financial institutions and are typically used to manage model risk frameworks. Though not without issues. These systems typically lack the flexibility to capture the complexities of MRM programmes. The problem is further exacerbated as the models, tools and calculators use data and resources from the controlled corporate IT environment – as well as the less controlled ‘Shadow IT’ landscape, which is primarily independently operated by the individual business units themselves. All this combined, severely restricts the effectiveness and compliance of MRM programmes in institutions.
Additionally, MRM programmes evolve, as new modelling capabilities and more powerful models emerge. While flexibility and agility are of essence, making changes to traditional GRC systems frequently requires intervention from the respective third-party solutions’ vendor or IT. Consequently, the expense is substantial, and the lead times are lengthy. To overcome these, institutions often resort to manual processes (e.g. using email for confirmations of changes/approvals), creating further issues for both the users and management.Full transparency of changes to the models, tools and calculators as required by the business,auditors and regulators is compromised by such manual and informal processes.
Due to the ever-increasing scale and scope of models, constrained budgets and resources, together with the enhanced regulatory environment, institutions are seeking to enhance the management of their MRM, while also finding ways of streamlining it. However, with a large proportion of the models, tools and calculators being created by end users, with little centralised control, organisations are struggling to even create an accurate inventory. One bank’s original inventory of 300 models now stands at close to 3,000 models, five years on. It is an indication of how rapidly models, tools and calculators multiply in institutions. This situation is likely reflected in most financial institutions.The constraints on budgets and skills add to the challenge as modelling teams are continuously being given more and more responsibilities, driven by the growing regulations and the business, but without the additional resources to undertake efficient and effective MRM.
Models are central to how financial institutions manage their business,investments as well as their product and service development. The risks and commercial value they underpin is significant. Neglecting to undertake proper MRM exposes institutions to operational, reputational and regulatory risk.
Squaring the circle with automation
The solution to the challenge lies in undertaking an all-encompassing approach to MRM, which includes:
- the creation, maintenance and validation of an enterprise-wide model inventory;
- the alignment of MRM with supervisory guidance and business objectives;
- the monitoring of policy and documentation standards, as well as sharing of fully auditable information.
Automation can enable financial institutions to build and continuously manage a central inventory of all the models, tools and calculators in the organisation. This will provide accuracy, consistency and transparency of the models, while also enabling them to monitor the criticality of each and tier the inventory based on the risk they pose to the business.
With the help of technology, institutions will be able to determine the data lineage and data interdependence of the models, tool and calculators across the enterprise. This capability is crucial to maintaining the accuracy and integrity of the applications. After all, models are developed, revised and decommissioned almost constantly and hence MRM can never be a one-off process or exercise.
Security and auditability are essential to MRM. Automation will provide the complete auditability as changes are made within the MRM environment.
Perhaps most crucially, automation will ensure there is effective model lifecycle management in an evolving model environment – a critical demand of the various regulatory frameworks. With automation, institutions can define points such as model attributes, workflows, algorithms and reports,which can to be updated and modified as the models themselves change. This kind of technology-led approach to MRM ensures that the standards applied to ALL models in the institution are consistent, accurate and achieved cost effectively.
A good place to start for financial institutions is to answer the questions – how is regulation affecting the organisation’s MRM plans? And should an error emerge, how is it likely to impact the business financially and reputationally – in addition to the regulatory consequences? This will then enable the institution to chart a course of action for MRM, based on its individual organisational needs.