Model risk management in an increasingly complex world


Like stress testing, model risk management is one of the current ‘hot topics’ in banking. Discussed extensively at a recent risk executive roundtable in Amsterdam, it is clear that the issue is exercising minds to a considerable degree. What’s more, it is also only likely to become more important in a world with a growing number of regulations, including stress testing and IFRS 9. Increased complexity means more models to be calculated, and that, in turn, means that model governance becomes more and more important.

Defining and understanding model risk

Model risk is the risk inherent in using models to predict and forecast demand and requirements, or in decision-making more generally. European regulations define two main types of model risk. The first is underestimation of requirements for funds, resulting from the use of internal models. The second is the risk of losses resulting from the use of models (whether properly or otherwise) in decision-making processes.

Models are, of course, only as good as the data that goes in, and the assumptions that are made to create them. Once the data quality drops, and/or the data is out-of-date, or the assumptions are too far from reality, and the quality of the model also drops away. Model monitoring and management, are therefore vital, not least because new regulations will soon require institutions to be able to explain the basis of crucial decisions to customers.

Model governance requires organisations to be able to provide information about the history, documentation, approvals and changes to models over time, and make this available to external stakeholders. Many organisations are reaching the conclusion that they may need a model governance committee to oversee model monitoring, and to ensure that everything is documented properly. The issue of the number of models that may be generated over time is also causing concerns, particularly how anyone will be able to maintain an overview, and ensure that models are suitably updated and/or retired.

Regulation, expectation and locality: A varying picture

The issue of model risk management is complicated by the fact that local regulators may take different views of its importance, and also the speed with which change is required. This is particularly challenging for banks with multiple subsidiaries in different regimes, especially if they use the same models.

For example, the United Arab Emirates was behind the rest of the world in adopting an internal ratings-based approach. The local regulator was much more relaxed, and there was no guidance on IFRS 9, although this was the catalyst for starting work on model risk management. However, the first draft of the guidance, recently published, has suggested that IFRS 9 models should be externally validated, which has inevitably put banks under pressure. The guidelines also state that stress testing models should be validated; local conversations suggest that this is likely to be largely duplicate work, and therefore wasted effort. An initially relaxed approach may not always be good.

Appetite, expertise and risk

There is another huge set of challenges in model risk management, which might broadly be defined as cultural. They include issues such as defining the appetite within the organisation, and particularly within the board, for model risk management. This dictates whether to do the bare minimum, or take advantage of the requirements, and get something of value for the organisation. It seems likely that being able to link governance to how value can be created, and measure its impact, will be an essential step in this process.

Challenges in #ModelRiskManagement might be cultural incl. issues such as defining the appetite within the organisation. #RiskModelling Click To Tweet

This is also linked to the issue of who is using the models and how. With increasing regulatory requirements such as IFRS 9, many more board members are now exposed to modelling who would not previously have been affected. Their understanding and appetite for model risk management may, not unreasonably, be lower than those who are more familiar with the process.

Another linked issue is resources. Data cannot be processed entirely automatically, and everything has a cost. With a large number of regulatory requirements to be met, and the scope and number of models expanding exponentially, the question of where to target resources is becoming more urgent.

Consolidating and synchronising

Banks are already moving to combine IFRS 9, stress testing and Basel systems. This seems like a good opportunity to move model monitoring and risk management to a more consolidated level. This may not be easy, at least at first glance, but it is likely to be pay dividends in future, especially for the work of the model governance committee.

Tags IFRS9

About Author

Thorsten Hein

Principal Product Marketing Manager

Thorsten Hein is a Principal Product Marketing Manager in the Risk Research and Quantitative Solutions Division at SAS Institute. He specialises in global risk management operations insights in both banking and insurance, focusing on risk and finance integration, IFRS, Solvency regulations and regulatory reporting. He helps risk management stakeholders to go beyond pure regulatory compliance and drive value-based management to maximise business performance, using his wide experience to deliver both business relevance and technical coherence.

1 Comment

  1. Haris Ali khan on

    risk management is necessary for all type of business organizations. requirement gathering from lay people is the big risk for organization.

Leave A Reply

Back to Top