Model Governance and Model Risk Model Governance and Model Risk

Models are increasingly being used in different areas of banks. Risk management models and pricing models for financial instruments come to mind first. However, the scope of modelling and linked processes (such as algorithms and Artificial Intelligence) is fast expanding and should also be considered. This article argues that the increasing reliance on models requires a sound model governance and model risk management framework for business reasons as well as to comply with supervisory requirements such as the ECB TRIM Guide.

When calculating Pillar 1 capital requirements, banks have faced a choice between adopting the standardised approaches defined in Basel capital adequacy rules, and developing more sophisticated `internal' modelling approaches. The wide variety and complexity of Pillar 1 modelling practices gives rise to concerns that internal models have become too opaque, are being applied in areas with limited data, and result in a lack of comparability.

First started in 2016 and still ongoing, the ECB TRIM initiative is designed to harmonise supervisory practices in the SSM with regards to internal models, to verify that such models are compliant with regulatory requirements, and to reduce unwarranted variability in capital requirements.

One part of the TRIM initiative, which banks have recently received feedback letters on, relates to overarching topics of Pillar 1 model governance and model use. These `general topics' have been the subject of dedicated supervisory visits and deep-dive review of policies, documentation and institutional practices.

The scope of general topics is wide-ranging, spanning areas such as governance, validation, Internal Audit, and third party services. We have observed the following items as among the most common in the findings letters:

• Limited or missing model risk management framework. Only a small number of institutions have developed overarching model risk management frameworks covering all items listed in the TRIM Guide, including a definition of `model', a robust model inventory, and an appropriate independent model validation approach. Many institutions can point to model management practices for IRB models but other risk and finance models are sometimes found to be lagging. 
• Evidence of appropriate model governance, e.g. roles and responsibilities for model approval and change being clearly defined and evidenced. In particular, approval of related risk policies often falls below the expected standards.
• Permanent Partial Use (PPU) and IRB roll-out monitoring and assessment. In many cases, the basis for PPU approval has not been periodically reassessed and confirmed. Conversely this form of review can be used to identify instances where data is now limited (such as run-off portfolios) and model robustness could be challenged.
• Coherent application of validation measures. Institutions should thoroughly and frequently validate their input data, and, where appropriate, make consistent use of benchmarks and quantitative thresholds. 
• Appropriate coverage and frequency of internal audit. Whether due to inadequate resourcing or planning, some institutions are unable to evidence an audit of all material aspects of the rating systems and their operations. 

It should be noted that the ECB findings span a number of areas and degrees of severity; in some cases there may be breaches of the CRR which are dealt with separately to cases where there is misalignment to the TRIM Guide. The most material deficiencies may point to failings of internal governance or risk management and impact on SREP scores - with potentially adverse effects on capital requirements.

It is expected that specific points raised in the ECB letters are discussed with the bank's JST, however banks should not expect specific instructions on what `good' looks like. It is more common to examine peer and industry practice as a benchmark, and to develop actions from these.
Regardless of the type of deficiency, one of the most important activities will be to ensure clear responsibility and accountability actions. This can only be successful if banks understand the underlying rationale of the expectation. An institution which treats these letters as a compliance checklist runs the risk of developing short term solutions with limited strategic benefit and scope.

The initial TRIM Guide was published in February 2017 and is a key step in European supervisory harmonisation. A revised Guide for the general topics is expected to be published for consultation in the coming months, so further changes are expected. We expect TRIM to have consequences in banks beyond 2019, setting a standard that banks will need to continually evaluate themselves against.

European standards for model governance and model risk management is still maturing - in particular when compared to the US Guidance on Model Risk Management¹ (SR 11-7). Looking ahead, the rapid expanse of digitalisation and automation of modelling solutions will require ever stronger control frameworks, not only to comply with supervisory requirements but also as a business necessity. To avoid falling behind the curve, banks should start considering model risk as a risk similar to any other, requiring identification, controls, and accountability.

¹Supervisory Guidance On Model Risk Management (PDF 293 KB)