Model Risk Management (MRM) frameworks are increasingly attracting the attention of auditors and regulators who are raising the bar in two key areas:
- Historically MRM has been focused on model validation, however regulators now expect an MRM programme to manage the entire model lifecycle.
- Focus has widened from the model to include the tools and calculators that the models rely on.
While most regulated financial institutions have GRC systems, or in-house risk management systems in place to manage their risk frameworks, these systems typically lack the flexibility to capture the complexities of manyt MRM programmes. This is not helped by the fact that there is also a recognition that these models, tools and calculators can use data and resources from both the – highly controlled corporate IT environment, and also the – less controlled ‘Shadow IT’ environment – run by business units themselves.
The lack of flexibility in these GRC systems can constrain MRM programmes, to the detriment of the business. Most MRM programmes are evolving, as new modelling capabilities, and more powerful models emerge. There is a premium on flexibility and agility. However making changes to these traditional GRC systems often requires involving the 3rd party vendor (or IT) to make these changes with long lead times and large expense. So, institutions typically resort to manual processes (e.g. resorting to using email for confirmations of changes/approvals) to overcome these short comings, in turn creating issues for users and management alike. These manual processes make it difficult to have full transparency of changes to the models, tools and calculators required by the business, and their auditors and regulators.
Institutions are being challenged with the increase in the scale and scope of models, and their regulations, while also looking to streamline, and enhance the management their MRM frameworks. With a large proportion of the models, tools or calculators being user-created, many financial institutions are struggling to even create an accurate inventory as numbers quickly multiply. One bank, whose original inventory of 300 models, five years on, now stands at close to 3,000 models, tools and calculators. This situation is potentially reflective of most financial institutions. Added to this, there is the challenge of constrained budgets, resources or skills in financial institutions to efficiently and effectively undertake comprehensive MRM.
Poor management of the model environment exposes financial institutions to operational, reputational and regulatory risk. Frameworks such as SR11-7 in the US, SS3 18 in the UK and TRIM in the EU have collectively raised the bar that stakeholders, management and regulators expect institutions to work towards.
How best to square the circle of enhanced MRM with constrained time and resource lies in taking a comprehensive and all-encompassing approach to MRM – including the creation, maintenance and validation of an enterprise-wide model inventory, the alignment of MRM with supervisory guidance and business objectives, the monitoring of policy and documentation standards, as well as sharing of fully auditable information.
Financial institutions can utilise automation to build and manage a central inventory of all the models, tools and calculators in the organisation. This provides an accurate, consistent and transparent platform that allows them to understand and monitor the criticality of each and tier the inventory based on the risk they pose to the business.
It also allows them to determine the data lineage and data interdependence of the models across the enterprise. This is essential for maintaining the accuracy and integrity of the applications as MRM isn’t a one-off process, as models are developed, revised and decommissioned almost constantly.
An automated approach helps underpin the model lifecyclemanagement which is essential to effectively managing an evolving model environment. It can create a framework that enables model attributes, workflows, algorithms and reports,for example, to be updated and modified as the models themselves change.
Automation also helps to meet the security and audit demands that current MRM demands, including full audit capabilities of changes within the MRM environment. Role-based security capabilities control access to the MRM environment to ensure segregation of duties and implementation of ‘four’ eyes review.
A technology-led approach to MRM will ensure that the standards applied to ALL models in the organisation are consistent. MRM is an area that institutions can’t ignore, the regulatory, financial and reputational consequences are far too serious.