Risk Management & Analytics: Keeping up isn’t enough for model risk management

As new risks emerge, the role of the Risk Officers and Risk Managers has become far broader and more complex, covering everything from regulatory compliance, operations risk and credit risk to data management, advanced technologies and industry disruption. Because the industry is changing so rapidly, financial institutions are compelled to ask whether their financial risk leaders are keeping up, or more importantly, keeping ahead of the change. Moreover, if the institution is just keeping up, the follow-up question is whether this current pace is enough. In other words, does the institution have flexibility in its talent, organizational structure, process and policies to protect itself from evolving risks?

Specific to model risk management, advancements in data and analytics, machine learning and artificial intelligence (AI) place model risk management leaders in unchartered territory. A financial institution’s model risk talent must go beyond analytic and statistical aptitude. Not only are model risk executives expected to develop statistically sound models (backed by process and policies) to ensure that inaccuracies don’t generate a domino effect of risk across models or groups of models, but they must also be able to think strategically, understand emerging tools and technologies, adapt to new regulation, and anticipate disruptions and threats. Indeed, in model risk management (MRM), just keeping up is no longer enough.

When assessing your institutions model risk management program, ensure your institution is, at the minimum, adhering to best practices and standardizing what can be standardized to create efficiencies. Ideally, your institution will also be making strategic moves to build a mature and modern MRM program. By standardizing key processes and policies, and by remaining adaptable, MRM can keep up and ahead of change.

How Standardized is Your MRM?
Using industry standard best practices, a financial institution can cover all the foundational requirements needed to remain compliant, streamline model risk communication and create efficiencies.

Here are a few ways to evaluate whether you have standardized some components of your MRM program:

Document and Centralize Your Model Risk Management (MRM) Policy
An effective MRM policy addresses all facets of risk modeling and measurement and serves as a foundation for effective model risk governance. While documentation seems like the least obvious way to create a more standardized model risk management approach, it plays a critical role in aligning business unit managers and stakeholders to key model risk management and measurement processes. A structured, centralized and consistent MRM policy, including documents, materials, processes, measurement, and stakeholders, allows model developers across an organization to understand and comply with the policy, reduce confusion and facilitate learning and training.

Ensure Roles and Responsibilities are Defined and Implement a Strong Communication Strategy
Roles and responsibilities need to be well defined and documented in a financial institution’s MRM policy to ensure all stakeholders understand their role and level of accountability. In a typical MRM org structure, and according to model risk guidance, the ultimate responsibility for risk falls on the Board of Directors.  However, regular communication between model risk management, the board is necessary to ensure that risks and exposures are brought to the board’s attention and promptly addressed.

While the board may delegate oversight and day-to-day tasks to senior management, treasury and other various business units, it must ensure that all key players are communicating exposures to them regularly and conversely receiving guidance from the board on how to assess and manage the risk. By defining roles and ensuring the communication lines are open across business units, risk committees and key stakeholders, financial institutions can better prioritize model risk projects, assess model risk effectiveness and ensure best practices across the organization.

Effectively Track Models
Various business units across an organization may develop models and not report them to the MRM team, creating blind spots for model risk management. As stated in previous articles, tracking and cataloging all financial models from a single location single location enables the institution to prioritize models and better understand how they are interdependent. To ensure the catalog of models is complete, the executive team must buy in on model risk to ensure that it adds value to the organization.

As a part of model tracking, your MRM should track model dependencies, tools and feeders systems to identify downstream and upstream risks and the risk of miscalculation in reporting. Model tracking is key to creating a standardized process within your MRM.  This requires understanding and sound documentation to identify dependencies and critical reports being produced.

How Adaptable is Your MRM?
While it is critical to have policies and documentation to address all key model risk elements, it is just as important for an institution to remain open to change. The ability to successfully adopt emerging tools and approaches to better manage risk, or adjust policies and procedures to meet new risks or regulatory change, will not only differentiate an organization but will ensure that the organization keeps ahead of potential model risks.

Here are a few ways to evaluate whether your MRM program is adaptable:

Track Model Dependencies
If an institution is not designed to accept and manage changes to models, it can create new risks within the institution. Consider that the Current Expected Credit Loss (CECL) standard spans across areas such as credit, treasury, capital planning, and regulatory reporting. If one downstream assumption changes, all the models and related tools (such as capital planning tools) are affected. Recognizing that models change will improve the stream of communication between model risk management and affected stakeholders. While having a structured tracking mechanism in place is critical, consistent communication to the stakeholders of a model’s output and changes to assumptions is also important as it communicates to stakeholders that improvements to a model may require these stakeholders to make downstream model changes.

Maintain Flexibility in Policies and Processes to Incorporate AI and Machine Learning Model Validation
Regulators are trying to figure out how to deal with AI from an SR 11-7 standpoint (model validation regulation) but it is a tricky and unprecedented use of statistical algorithms. Since machine-learning model validation continuously self-learn and utilize unsupervised techniques, there is amibguitiy how to handle these model during validation. This ambiguity creates inherent risk in the model process. Until new regulation is incorporated, SR 11-7 still fundamentally holds. A process that reorganizes the validation process for an AI or Machine Learning could still be acceptable with various statistical techniques and modified model validation processes, but your internal policies have to be adaptable to incorporate it. 

Are There New Key Roles to Consider in MRM?
As change occurs in how models are developed, regulated and validated, it is important to consider whether your institution has the resources and tools to address risks associated with this change. Since it is no longer a question of “if” but “when” an institution decides to start using machine learning or AI to improve model performance, it may be time to consider adding new roles such as a data scientist, a validation team skilled in machine learning, or a new risk committee focused on emerging trends with a Chief Data Analytics Officer at the board level.

While introducing new talent may not necessarily change how an institution responds to systemic risk, it may be able to mitigate some of the risks associated with data misuse or model inaccuracies.

Click here to subscribe to Situs Newswatch.

Thank you for choosing the Situs Newswatch. If you want to see your company here or have an idea for coverage, please respond to this email or email inquiries@situs.com for more information.