Using technology to help meet model risk management requirements
On 17 May 2023, the Prudential Regulation Authority (PRA) published Policy Statement PS6/23, ‘Model risk management principles for banks’, in response to its earlier consultation paper CP6/22, which contains a new supervisory statement (SS1/23) on the topic. This statement sets out clear expectations for how firms should manage all of their models across the organisation and their associated risks. Firms that fail to comply with SS1/23 could face supervisory action from the PRA. As a result there will be an even greater workload placed on those responsible for models across the model lifecycle and the three lines of defence typically adopted (first line being business owners, second line the independent validation/risk management units with internal audit being the third line). This new policy comes into effect in 12 months time on Friday 17 May 2024. For organisations receiving permission to use internal models to calculate regulatory capital after 17 May 2023, they will have 12 months from the grant of that permission to comply with the expectations in SS1/23.
Technology has a key role to play in advancing the model risk management frameworks and capabilities within Banks and Building Societies, and help meet SS1/23 regulations. As firms are using more and more models to automate insights, actions and decisions there is a need to efficiently and effectively manage those models, which is now being demanded by the PRA. This is paramount given the limited resources available with the required skills and expertise in this specialised and sort after area. The increase in regulatory expectations in combination with the explosion in the number of models being developed and used is having a multiplicative effect on model risk management workloads. For example, firms with double the number of models along with double the regulatory rules and requirements will potentially have quadruple the amount of work to manage those models appropriately. However, increasing headcount by fourfold is often not an option. This is why Paragon started developing its Model Risk Management tool, Focus, around two years ago. Focus automates many of the manual tasks that are involved in model risk management, freeing up employees to concentrate on more strategic work.
SS1/23 requires firms to have an MRM framework in place that is based on 5 core principles:
Model identification and model risk classification
Governance
Model development, implementation and use
Independent model validation
Model risk mitigants
The new regulation is relevant to all regulated UK-incorporated banks, building societies and PRA-designated investment firms with internal model approval to calculate regulatory capital requirements. Whilst mandatory for these banks, the PRA states that all banks and building societies may find the proposed principles useful and are welcome to consider them to manage model risk within their firm. Once it has progressed its policy on “Simpler-regime” firms, the PRA will clarify how the policy on MRM will apply to banks without internal model approvals, although it notes that all firms, regardless of size, are expected to manage the risks associated with models where they are used.
The PRA considers model risk as a risk in its own right. The purpose of the SS is to support firms to strengthen their policies, procedures and practices to identify, manage and control the risks associated with the use of models (developed in-house or externally) including vendor models and models used for financial reporting purposes. Note that all models across the firm are in-scope. The definition of a model is broad – “a quantitative method that applies statistical, economic, financial, or mathematical theories, techniques, and assumptions to process input data into output. Both the input data and the output can be quantitative or qualitative in nature”.
Five key questions that firms can start to ask themselves with regards to improving their model risk management processes include:
1. Have I got a centralised and comprehensive model inventory with correct permissions and controls?
How do I ensure that my model inventory is consistently up to date?
Which information can be updated automatically rather than manually?
2. Can I quickly and easily report model statuses, model health and remediation activities to different audiences across the organisation? Is this automated?
3. How can automated workflows help with my standards, policy and procedures to ensure that models are developed, implemented, used, and maintained in a rigorous, sound and effective manner?
4. How can I quickly and easily demonstrate compliance when the PRA ask?
5. Which model risk management tasks can be automated and for which models or model types?
It is likely that taking advantage of a purpose-built software solution for MRM will address these questions (and more) to efficiently implement and run a strong and effective MRM practice.
The PRA’s desired outcome is that firms take a strategic approach to MRM as a risk discipline in its own right. If models do not perform as expected then firms and their customers can suffer adverse consequences. Strong management of potential model risks is designed to minimise and control such risks. The PRA is demanding that model risk is treated with the same focus, rigour and reporting as all other material risks in banks. The PRA’s expected outcome from this new regulation is a positive change in bank’s culture around MRM.
More regulation usually means more work to comply and to demonstrate compliance. Technology can ease some of this burden. If certain processes, controls, tasks, reporting and documentation can be automated, then not only can the work be completed more efficiently but also with a greater degree of rigour and management control, very much in line with the desired outcomes of the PRA.
To learn more about our Focus model risk management solution please click here