Principle two – Firms should have an effective governance framework, policies, procedures and controls to manage their model risk

As with all risks within a financial institution, model risk requires a framework within which it should be managed. This means having robust governance, policies, procedures and controls in place to manage model risk.

At all levels of the organisation, those involved in creating, using, overseeing and controlling models have a part to play.

Board of Directors & Senior Management responsibility

The Board of Directors needs to establish the framework for model risk management, and senior management are responsible for its implementation. It is senior management who should allocate roles and responsibilities for model risk management to model owners, users, and control and compliance functions. Because they are making decisions based on the model output, the Board of Directors and senior management should provide challenge to the model outputs and, for the most material models, understand the models' capabilities and limitations and the potential impact of model uncertainty.

Model risk management policies

A comprehensive suite of model risk management policies will cover model definitions, model development standards, model change implementation, use, validation, review and sign-off. The policies will need to set out the appropriate governance and challenge frameworks, and the roles and responsibilities as described above. Policies should also describe how the models will be reviewed and validated, and how their ongoing use will be monitored.

Model developers, owners, users and control functions

It is for the model developers to develop, evaluate and document their models. They could also be involved in ongoing monitoring of the models and in periodic reassessment and re-evaluation, to ensure that the models remain fit for purpose. The model owners should be accountable for model use and performance, which means being responsible for ensuring that the models are appropriately developed, conceptually sound, implemented and used as intended, have undergone appropriate evaluation and approval, and are recorded and maintained in the model inventory. It is for the model users to understand the limitations of the model and take these into consideration when using its output. The control function should be granted the authority to restrict the use of the model, and to monitor those limits on model use, should this be appropriate.

Internal Audit 

Internal Audit should assess the overall effectiveness of the model risk management framework. IA should evaluate and independently verify whether model risk management practices are comprehensive, rigorous, and effective. This includes the work of the compliance function in its oversight of model risk management.

Use of external resources

If external resources are used for any model development, validation, or review activities, firms should be able to verify that these are conducted in accordance with their model risk management standards. Designated internal staff should be responsible for the work delivered by the external party, and should be able to address any issues identified either with model development or as a result of model validation. 

Models in and of themselves can appear quite complex, and very often are. However, managing the risks around models is really no different in methodology to managing any other risk.

Our model risk and risk assurance teams work with many financial services clients, both PRA and non-PRA regulated, to ensure that they have the right policies, procedures, controls and review cycles in place.

If you would like further information or a conversation about mitigating model risk at your organisation, then please get in touch with Jon Pepper or Alistair Hynd.

Model risk

Back in April, the PRA published its Supervisory Statement (SS 3/18), setting out its expectations as to the model risk management practices that firms should adopt when using stress test models. We explore what each of the principles means and, more importantly, what the pitfalls are and how you can make sure you don’t fall foul of the regulator.
