A recent paper, authored by widely regarded model risk experts, highlights the often ignored elephant in the room. Models can be, and often are, developed by end users utilizing Excel spreadsheets and other end user tools.
“Often deployed in desktop-type environments, qualitative models are frequently embedded in spreadsheets or are programmed and run in software such as SAS or SQL. These types of tools are called end-user computing tools (EUCTs).”
“Now consider a qualitative model deployed in Excel. Once more, from an MRM perspective, the model is reviewed based on the firm’s MRM framework, which includes a review of the model implementation—in this case, in Excel. From an operational perspective, the Excel spreadsheet must also follow the applicable standards to ensure that it operates as intended. The answer to the question posed above, then, is that this model is both a model and an EUCT.”
This presents serious challenges for model risk management teams.
First, maintaining visibility on all EUCTs is difficult. They are often hard to find and accurately inventory. They are easily copied and distributed with little regard to access or managing multiple versions or variations of the same file.
Next, EUCTs are typically developed by users with little knowledge or regard to professional application development methods. Applications created by software developers use software development life cycles (SDLC) like waterfall or agile methodologies. These methods help ensure the quality and integrity of the final product.
Recall this part of the earlier excerpt:
“…the Excel spreadsheet must also follow the applicable standards to ensure that it operates as intended.”
Although MRM teams have a clear framework in place, the EUCT will not. The typical spreadsheet developer won’t employ frameworks or development life cycles. EUCTs deemed important, critical and/or even a model, far outnumber models developed by pros. This is another serious issue with EUCT-based models.
Finally, model risk management is a very manual operation requiring large teams of highly educated talent. Expanding this manpower approach to a company’s entire EUCT population would be unrealistic. Whether managing quantitative models or other business spreadsheets, there is opportunity to improve efficiency.
The answer to this problem is automation through technology. Apparity’s team of experts have decades of experience helping organizations manage the full life cycle of their critical EUCTs. By extension, this includes models developed in EUCTs.
We will be publishing a series of blog posts to further expand on this topic. Model risk managers will learn how to leverage technology to help understand and manage EUCT risk once and for all. Key aspects will include:
- Inventory development and management
- Risk assessment and logic inspection
- Monitoring and audit trail
- Issue identification and management
