Model Risk Management In Banking: You Are Vulnerable Without These 3 Lines of Defense
By Jenna Danko on Jul 02, 2014
As stated in a previous blog post, Time to Re-Model? A Look at Enterprise Modeling Platforms and R Usage in Banking, modeling cannot survive as an island within a financial institution. While a plethora of point solutions have been introduced into the market to meet specific analytical needs – from big data processing to visualization – financial institutions need a more strategic approach to modeling; one that is built, developed, and deployed on a unified platform. Furthermore, financial institutions must proactively monitor, assess, and fine tune model risk management processes on a regular basis ensuring proper model management.
Throughout the years, financial institutions have become heavily dependent on various models for risk calculations, performance management, anti-money laundering, fraud detection, credit risk management, etc. Advanced models are very useful when it comes to dealing with large amounts of complex data and decision making; however, when used incorrectly they can lead to drastic implications as well. There have been instances in the past where the lack of controls on use of models has led to financial losses, such as instances of huge losses and fines incurred by banks owing to lack controls on use of VaR and AML models. Nonetheless, there is no way that institutions can do away with the use of these models; however, the risks arising out of models should be effectively controlled.
As we all know, there has been a plethora of regulations lately and model governance certainly hasn’t been spared here. Basel, Dodd-Frank Act, Supervisory guidelines on model risk management by US Fed and OCC and the list goes on! Gone are the days when regulators were only looking for the accuracy of numbers reported by financial institutions. As of late, they are extending their supervision into the model governance process around model development, accuracy of input data and model documentation. Regulators have started viewing model malfunctioning and lapses seriously and imposing hefty fines on institutions.
How do you try to tackle this??
What you need to do is manage model risk processes effectively. Model risks can emerge for many different reasons:
- Improper model development
- Inappropriate use of the model
- Bad data
- Incorrect assumptions and methodology
- Poor implementation
Additional issues and challenges faced by financial institutions include:
- Silo’d approach towards risk management
- Lack of standardization around model data and governance
- No independence of model validations
- Ineffective model risk management processes
- Models deployed long ago are still in use with the assumption that the models are working as expected
This is all overwhelming! But with the three lines of defense, effective model risk management can be achieved!
1st Line of Defense – Model owners, developers and users of models must assume the responsibility to ensure that models are performing as expected. Risk management starts from the model development phase in the form of rigorous calibration, testing and documentation. Models should be moved to production only after satisfying that the model is performing as expected and serving the purpose for which it was developed.
2nd Line of Defense – Financial institutions must realize the need for effective model risk management and establish independent groups to exclusively deal with the management of model risks. Model validations should be performed by staff who have the necessary expertise and should not be part of the model development or model user group. Independence of validators is key to successful model risk management so that there is no bias while performing assessments. Validators during the course of validations need to ensure that the models are working as expected.
3rd Line of Defense – Financial institutions should implement an internal audit program to ensure effective model risk management and governance. Internal audit teams should assess the effectiveness of the model risk management program that is practiced within the organization and report pitfalls, if any.
Board of directors and top management of the institution should mandate the policies and procedures around model risk management. Top management’s supervision doesn’t conclude with prescribing policies rather the Board or the appropriate committee delegated for this purpose should be appraised on a periodical basis with updates about model risk management activities and pending material issues.
To further enhance model risk management beyond the three lines of defense, financial institutions must follow periodic risk assessments and model validation by independent third parties. Periodic risk assessments, such as back testing and outcome analysis, are critical for ensuring that model risks are detected in a timely manner and remedial actions are initiated. The timing of risk assessments should be driven by the materiality of the model in question. Model optimization and tuning should occur every 12-18 months depending upon the materiality of the model. This should be governed by the institution’s policy around model optimization.
There may be a need for establishing a central risk team to ensure that the risk assessments are being performed at periodic intervals by independent validation teams. Validation results must be logged and tracked meticulously. In addition, there should be a control mechanism put in place to ensure that overdue issues and actions are not left untracked.
Organizations need to have extensive documentation around the model risk management policies and procedures. Key assumptions that were considered during the course of model development need to be documented. Documentation should also address the necessary justifications that made the institution to follow certain assumptions and limitations.
If the model risks are not managed effectively, it could possibly lead to another disaster to the financial system.
Effective model risk management has become a key source of competitive advantage and a necessity for financial institutions to both survive and thrive. How does your organization tackle this massive challenge? I would love to hear from you to discuss further, comment below.
The views expressed herein are the views of the author and not necessarily the views of the employer.