Before advancing on what Model Risk Management is, it is imperative to first understand what a model is. A model is a quantitative and mathematical system or approach employed in the processing of input data; it processes the input into quantitative estimates. Below, MRM is expounded.
Model risk management (MRM) refers to the overseeing of risks defined by potential adverse consequences from decisions based on incorrect or misused models. The aim of model risk management is to employ techniques, practices or behaviours that will identify, measure and mitigate model risks - the potential of model error or wrongful model usage.
Financial institutions such as banks and insurance companies are highly reliant on credit, market and behavioral models for diverse purposes that cut across almost all their daily activities, and these models have become a core component of risk management and operational efficiency. These institutions primarily make money by taking risks; they maximize models to evaluate risks, understand customer behavior, define funding requirements, assess capital adequacy, make investment decisions, and manage data analytics. Implementing an effective model risk management framework is a requisite for organizations that are heavily reliant on quantitative models for operations and decision making.
Why does model risk occur?
There are two main reasons why model risk occurs. It is either because the model is not fit for purpose, or because there are theoretical and/or implementation errors resident in it. Intrinsically, model developers are responsible for thorough documentation during model development and this has to remain up-to-date as the model and its application environment changes. The effort and long period of time that documentation takes are the reason model users and developers who are very knowledgeable about the models may not be keen to document. In order to eradicate or at least reduce the chances of a model risk’s occurrence, incentives should be provided by banks for the developers to create complete and effective model documentation. Additionally, banks are to make certain that other participants in model risk management activities document their work, including benchmarking, outcomes analysis, ongoing monitoring, and process verification.
More so, the information regarding the selection of a given model and the validation that follows it should be documented by the line of business or other decision makers. For instance, when banks use models from third parties (like vendors), they should make certain that apposite documentation of the third-party approach is available to ascertain the apropos validation of the model.
A typical regional bank has about one hundred models in production and large tier 1 investment banks have over 3000 models. This number increases yearly by approximately 15%. Perchance one model fails, banks are susceptible to losing billions of dollars. The increasing complexity of models resulting from the introduction of advanced analytics tools, such as ML, is driving the necessity of active model risk management. It is imperative to note that these risk evaluation models used by financial institutions to estimate the amount of risk to take are mathematical models.
When financial markets are developing, margins are usually large and complexity stays on the low end, with models remaining fit for the purpose for which they were created. Nevertheless, as the market matures, these models will no longer be able to encapsulate the dynamics precisely. When this happens, banks and other institutions that use these models are led to underestimate their risks. This is an instance of very subtle model risks. They are elusive since your model is, mathematically, a “correct model”, but as the context in which it is applied is wrong, it brings about massive disasters. This is why regulators require model validation and model risk management in banks.
Who does MRM interest?
The category of people who are most concerned about model risk management are those in the risk departments of banks, insurance companies, asset management companies, some government institutions like VDAB - the Flemish Employment and Vocational Training Service, and, generally speaking, companies that maximize (ML and traditional) models in high-risk contexts. Such companies can be non-financial companies in HR, logistics, energy, healthcare, etc. sectors. An example in the HR sector is Amazon’s AI recruiting tool.
Model failures and MRM regulations
A typical example of a bank at loss on account of the failure of a risk model is JPMorgan’s loss of over $6 billion in 2012 owing to an error in a credit model resulting from lack of governance; this incident is the so-called London Whale Trading Incident. A similar case can be seen in the 2008 Great Financial Crisis. Banks were losing a lot of money because of their use of wildly simple copula models in estimating the risk on mortgage portfolios.
Supervisory and regulatory inspection of models is intensifying as a consequence of risk model failures. More meticulous and extensive sets of requirements have begun to surface. While most financial institutions tend to execute their Model Risk Management (MRM) techniques based on the US Federal Reserve/OCC’s SR11-7 guidelines requirements, other noteworthy recent initiatives are the papers from the Bank of England (BOE), the European Central Bank's Target Review of Internal Models (TRIM), and Prudential Regulation Authority (PRA). These are highly imperative for banks and other financial institutions to ensure effective model risk management.
MRM in improvement of profit and loss (P&L)
To a considerably large extent, model risk management is driven by capital reduction, loss avoidance, and cost reduction. The capital reduction, loss avoidance, and cost reduction targets become more challenging to meet yearly. This is owing to the introduction of new types of models like AI, the war on talent, and the new regulatory frameworks. As a result, many financial institutions search for ways to industrialize model risk management. Undoubtedly, model usage is highly imperative and is set to heighten, as the rapidly escalating trend of digitalization and the incorporation of machine learning (ML), big data, and artificial intelligence (AI) elevates the complexity and number of models much more. Through demonstrating to regulatory bodies that their MRM is on point, financial institutions can avoid expensive capital add-ons.
Pivotally, the correct use of sophisticated models is essential to making the model right financial or business decisions. Failures in model implementation and usage can result in both reputational damage and direct financial losses, even as the hastiness with which model risk issues can surface is also increasing significantly. Loss avoidance and cost reduction are accomplished chiefly from the eradication of defective models and the increment of operational efficiency in model validation and development. Through active model risk management, financial institutions can drive cultural change and turn MRM into a value driver.
Furthermore, active model risk management reduces the rising modeling costs, addressing disintegrated model processes and ownership ascribed to high numbers of complex models. This can help organizations save millions. With a better understanding of their model landscapes, banks are capable of aligning their model investments with business priorities and risks. Alongside the reduction of model risk and management of its impact, MRM is also capable of reducing some P&L unpredictability. The all-inclusive effect proliferates institutional risk culture and model transparency. High-priority decision-making models can then receive resources reallocated to them from cost reductions.
Model risk management framework and the four pillars of model risk management
To effectively manage model risks, an organization has to build a model risk management framework. A model risk management framework simply stipulates how the risks in models are set to be managed. Irrespective of the size and structure of an organization, regulators requisite that enterprise MRM frameworks encompass all pivotal facets of the MRM life cycle with distinctly allocated roles and responsibilities. In semblance with more general risk management frameworks, model risk management provides an exhaustive elucidation of four pillars below:
- Model risk identification and assessment: what is a model in my organization?
- Model risk governance: what processes do we put in place (e.g. 3 lines of defence)
- Model risk validation - measurement and mitigation: independent review (check data, perform benchmark, backtest)
- Model monitoring and reporting: monitor what is running in production
The potential value of sophisticated or mature MRM outstretches well beyond regulatory regimes’ satisfaction. Hence financial institutions need to make certain that their MRM frameworks are rigorously capturing this value. They have to begin by first looking more closely at the prospective value at stake. In present practice, these respective facets of model risk management above are typically carried out as part of the duties of the model validation function, and not separately.