Financial institutions continue to face increasing pressure in a highly regulated landscape, including an ever-increasing and regular requirement for model validation in the context of ECB requirements and regulation such as CCAR, FRTB, and IFRS9 models.

An increased appetite for risk mitigation and sophisticated forecasting has encouraged banks and other financial institutions to create new risk models, measuring everything from capital adequacy, liquidity, pricing and exposure, which each require thorough model validation. This growth has led to even greater scrutiny from the regulators on the risks posed by the actual models themselves. Institutions now face the challenge of how to implement effective governance frameworks and model risk management systems to deal with this increased regulatory pressure.

Product valuation, risk, and other varieties of model are at the very heart of what financial institutions do, and how they operate. The growth and evolution of risk models in different business areas has led to a wide range of approaches as well as numerous documentation and validation standards. This creates additional risk, posing questions whether these models have inadequate or inaccurate data for the inputs, incorrect thresholds, poor design, or are misused.

The danger for institutions is that is that they could incur reputational damage if the outputs from the models are not fully understood, or incorrectly applied due to a lack of understanding on the model’s potential limitations or there are implementation errors.

Despite the increasing acknowledgement of model risk there are no globally defined industry standards on managing it. Although the Office of the Comptroller of the Currency (OCC) has issued guidance and the Comprehensive Capital Analysis and Review 2015 (CCAR 2015) expects American bank holding companies (including subsidiaries of foreign banks) to provide a comprehensive inventory of models used in their capital planning projections, the European guidelines, where they exist, are unclear and non-specific.

Banks are now building on the OCC guidelines with new policies and there is a growing interest in aggregating the model risk across the enterprise, as well as assessing the risk in isolation, based on models performing distinct tasks. In this context it is essential that every financial institution has an adequate model risk management and governance framework in place.

Model Risk Management and Governance Framework

The model risk management and governance framework should encompass the entire lifecycle and usage of the model. This will involve the framework covering a number of databases, systems, and business units and it is therefore important that the framework is controlled from a central point and that the business processes across the differing functions are clearly understood with defined control points. The requirements for the framework include:

• Clearly defined ownership and management boards separate from model validators, model risk raters and model developers
• Policies and procedures
• Comprehensive model inventories
• Development, testing, and deployment guidelines
• Validation of model assumptions, usage and inputs / outputs
• Model risk rating
• Ongoing monitoring of model applicability
• Maintenance and change
• Exception reporting
• Tracking of usage and control procedures to prevent misuse
• Supplementary analysis of information to cross check model output
• Auditing of the process and framework

Most banks do not have a single, clear, inventory of all the models in use. As it is largely down to the individual institution to decide what is actually a model, it is recommended that a ‘root and branch’ assessment is undertaken across all business units to capture all potential models before assessing them and creating the inventory. Once the inventory is known to be complete each model should be assigned a risk rating.

A key part of model risk management is measuring the model risk and assigning a rating to each model, so that the actual and relative risks of the models within the inventory are well understood. Model risk may be considered as ‘severity of failure’ and as ‘likelihood of failure’. A model with a higher risk rating should be subject to a more stringent monitoring process with a tight tracking and reporting regime. Change control and reviews should also be linked to the model’s calculated risk rating and the relative risks for each model should be easily accessible on an integrated dashboard view of the model inventory.

All models will have limitations, since no model can be all encompassing. There will also be areas that will be deliberately left out of the model, as they will be viewed as being irrelevant for the specific model purpose. Limitations should be taken into account when measuring the model risk, and if there are material limitations then that should be priced into the risk profile e.g. by adjusting capital adequacy.

The use of the model itself should be monitored, with control points and exception reporting on any misuse with regular validation of the models to ensure the data, assumptions, limitations and remediation are current and appropriate.

Regular model development and validation, including comprehensive and robust testing and documentation, requires specialised resources. The retention of these resources on a permanent basis is placing a growing financial burden on many banks. As a consequence, outsourcing solutions for model validation and governance are gaining popularity.

An outsourced model validation managed service essentially comprises offshore or nearshore model validation specialists and SMEs, with the following key processes, steps, and artefacts:

• Assessment and validation of the existing model descriptions and assumptions
• Validation of model assumptions and drivers
• Model inputs and outputs
• Model test plan with test cases
• Boundary value tests
• Model test results
• Documentation of model test packs and results

When considering this problem from a best practice perspective, what is needed is a model validation function, or service, to ensure consistent, reliable and efficient execution of these critical tasks. The service should be highly scalable with a mix of resources to provide complete flexibility to the service consumer.

GFT has a model validation managed service which provides these tasks and comprises resources with proven expertise in this rapidly changing landscape, supported by validation process and documentation templates.

Conclusion

The use of models is increasing within banks and they are now being used across the enterprise with applications spanning trading, risk and C-suite decision making.

It is now recognised that these risks should be mitigated by adequate controls, not least because regulators are becoming more aware of the major pitfalls that could come with incorrect or malicious usage of models.

The model validation lifecycle is key to the successful mitigation of model risk, but the skillsets and numbers of internal resources required to do so, can place a high financial burden on banks, which can be alleviated by utilising experienced and qualified outsourced and managed services.