What is a Model?
By definition, a model is a mathematical approximation of scenarios that is used to analyze and forecast prices, events, risks, relationships, and future outcomes. It is formally defined as “a quantitative method, system, or approach that applies statistical, economic, financial, or mathematical theories, techniques, and assumptions to process input data into quantitative estimates.”[1. While there are several related regulatory guidance and notices, the core guidance is found in OCC SR-11-7, Supervisory Guidance on Model Risk Management (http://www.occ.treas.gov/news-issuances/bulletins/2011/bulletin-2011-12a.pdf). The Federal Reserve has similar guidance (http://www.federalreserve.gov/bankinforeg/srletters/sr1107a1.pdf). Most recently, the OCC released requirements in its publication Dodd-Frank Act Stress Testing (DFAST) Reporting Instructions OCC Reporting Form DFAST-14A December 2014 http://www.occ.gov/tools-forms/forms/bank-operations/DFAST-14A-Template-Instructions.pdf.]
Models are used across industries to analyze, predict, and represent performance and outcomes that impact operations and business strategy. A range of departments, functions, and roles rely on models as a critical foundation of business processes that support long-term strategic planning as well as day-to-day tactical decisions. They are used pervasively to:
- Analyze business strategies
- Inform decisions
- Identify and measure risk
- Value exposure in financial products or positions
- Conduct stress testing
- Assess adequacy of capital
- Manage client assets
- Comply with internal limits
- Measure and maintain controls and oversight
- Meet financial and regulatory reporting requirements
- Provide input into public disclosures.
When Models Fail
While the common understanding of models is that they have three components – input, processing and reporting – the reality is that there are multiple parts to each of these component areas. Multiple components within input, processing, and reporting connect to each other and have an array of data and analytics. Adding to this complexity are the human and process elements intertwined throughout the business use of models that weave together a variety of manual processing and technology integration elements needed to run the model.
Organizations have become highly dependent upon models to support critical business processes and decisions. However, models come with risks when internal errors or misuse result in bad decisions. Model risk is the potential for adverse consequences from decisions based on incorrect or misused models and leads to financial loss, poor business and strategic decision-making, and damage to a financial service organization’s brand. It is ironic that the very tools often used to model and predict risk can be a significant risk exposure themselves.
Models, inappropriately used and controlled, bring a number of risks to the organization, because of:
- Dynamic and changing risk and business environments.
- Lack of governance and control of models and their components (e.g., spreadsheets).
- Not understanding the variety of inputs beyond the processing component of the model.
- Errors in input, processing, and reporting.
- Misuse of models for purposes they were not designed for.
- Misrepresentation of reality within models.
- Limitations in the models.
- Pervasiveness of models and their use.
- Big data and GRC interconnectedness.
- Inconsistent development and validation of models.
Increasing Pressure on Model Risk Management
Increasing model risk combined with a cavalier approach to models has led to increasing regulatory requirements and scrutiny in the governance and use of models. The Federal Reserve Comprehensive Capital Analysis and Review (CCAR)[2. http://www.federalreserve.gov/bankinforeg/ccar.htm] has taken into account the growth and use of models and the need for greater regulatory oversight. Most recently, the OCC released detailed model governance and risk management requirements in December 2014: Dodd-Frank Act Stress Testing (DFAST) Reporting Instructions OCC Reporting Form DFAST-14A December 2014.[3. http://www.occ.gov/tools-forms/forms/bank-operations/DFAST-14A-Template-Instructions.pdf] This has further defined requirements for model risk management and specifically calls out the scope of end user computing applications in model risk.
A Firm Foundation for Model Risk Management
Model governance and risk management has not historically been a strategic priority for organizations. Without a structure to govern models, risk exposure has grown and the result is increasing regulatory pressure. Organizations should not see model risk management as simply a regulatory obligation; model governance enables strategic decision-making and performance management.
To effectively manage model risk, organizations need a structured approach to:
- Model risk governance. A well-defined model governance framework to manage model risk that brings together the right roles, policies, and inventory.
- Model risk management lifecycle. An end-to-end model risk management lifecycle to manage and govern models from their development, throughout their use in the environment, including their maintenance and retirement.
- Model risk management architecture. Effective management of model risk in today’s complex and dynamic business environment requires an information and technology architecture that enables model risk management.
Best Practice: Organizations Need to ‘Model’ their Models
Models are complex and have a plethora of data and technology pieces. Being able to document these pieces and lay out how they function and operate together has become critical to maintaining a model inventory and documentation. The mature model risk management program will leverage enterprise architecture and business modeling technologies to provide an accurate model inventory with detailed documentation of the components and how they function.
Utilizing enterprise architecture and business modeling technologies allows the organization to define all the pieces to models, maintain an accurate model inventory, ensure that models are built from standard and approved IT components and identify where exceptions lie, and provide a visual representation and documentation of the model and how it functions. It is through the ability to ‘model’ the models that the organization then accurately manages information and technology architecture for model risk management.
Have a question? If you are an organization that is facing the challenges of Model Risk Management, utilize GRC 20/20 to get your questions answered. As part of our research we offer complimentary inquiries to get your question answered and point you in the direction of who provides the right technology and solutions to solve your model risk management needs.
Want to read more? This post by The GRC Pundit is from a longer research piece on Model Risk Management in the Financial Services Industry.