The handbook outlines what bank examiners should focus on when scrutinizing national banks, federal savings associations, federal branches of foreign banks, and community banks. Five key areas are addressed. Read on for highlights of the OCC’s 109-page booklet.
Note: AI, third-party risk management, and supporting IT systems are also discussed in the booklet but will not be covered here.
Interdependence Between the Eight Categories of Risk
The OCC identifies eight categories of risk, which include:
- Strategic risk
- Operational risk
- Reputation risk
- Compliance risk
- Credit risk
- Liquidity risk
- Interest rate risk
- Price risk
Of the eight categories, operational risk is the main risk associated with model usage. There are varying levels of interdependence between the categories, and bank examiners must be aware of and assess this interdependence.
Model Risk Management Scope & Complexity
The bank’s model risk management (MRM) program must be proportionate to the scope and complexity of model usage. The overall robustness of the program should also be tailored to the material impact of the business decisions the models support. This applies to all model usage, regardless of how mature the model development life cycle may be. The overall governance framework must also be appropriate to the size and complexity of the bank’s operations.
Thorough model governance includes:
- Policies and procedures
- Board and management oversight
- Internal controls
- Internal audit
- Risk assessment
- Model inventory
- Data management
The OCC also notes that many banks have adopted the three lines of defense model, whereas small banks usually integrate model risk management and internal controls into the first line of defense. The OCC recommends additional controls when the model development and model validation teams report to the same manager; one example is an escalation process that brings conflicts to a management committee.
Model Development, Implementation, & Use
The OCC also draws attention to end user computing (EUC) tools that are used to implement models, citing Excel spreadsheets as a specific example. Algorithms, formulae, code/scripts, software, and IT systems that implement models should be examined thoroughly. These supporting tools should have rigorous controls for quality, accuracy, change management, and user access. They should also be auditable, with updates tracked in a change log.
Model Validation & Reporting
Models should be validated before being implemented. The validation process should be comprehensive, and the overall level of effort should be appropriate to the potential model risk. Banks should also have a change management process to validate updates to existing models before implementation.
For models that were implemented without full validation, appropriate compensating controls should be in place to mitigate risk.
A sound model validation process includes:
- Access controls
- Continuous risk assessment controls
- Inventory completeness
- Development and implementation process management
- Integrity monitoring processes
- Third party risk management
- Internal audit reporting and oversight
Bank examiners will also evaluate model validation documentation, issues identified via validation, and the actions taken or prescribed to address those issues. Other model validation activities examiners will look for include:
- Evaluation of conceptual soundness (transparency and explainability)
- Ongoing monitoring
- Process verification (data lineage, etc.)
- Model benchmarking
- Outcome analysis
Feedback and reporting are equally important. Banks should have an effective process to address feedback from model users, and a process to assess model usage over time. This can be achieved through reports.
MRM reports may include:
- The number of high-risk models
- Model status tracking
- Underperforming models
- Models that have not been validated
- Models that require re-validation
MRM & EUC Applications
On average, 35% of all models used in banking are built using one or more EUC applications. These models are therefore subject to the same scrutiny as any other model; as the OCC has outlined, EUC tools are not an exception when evaluating a bank’s model risk management efforts.
Despite the OCC’s guidance, banks often do not bring EUC application-based models under the strict controls and oversight applied to models built within the bank’s IT function. Compliance can only be assured if the following are implemented and monitored independently of the model and the model owner:
- User activity
- Version tracking
- Change management
- Data lineage controls
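The controls listed above (version tracking, change management, a change log that sits outside the model owner's reach) and the report items listed earlier (models not validated, models requiring re-validation, the number of high-risk models) can be demonstrated with a small integrity monitor. The following is an added example, not code from the OCC booklet or from Apparity; the inventory layout, the risk tiers, the model names and the "file" contents are all constructed for illustration. It fingerprints each inventoried EUC artifact with SHA-256, compares the fingerprint with the one recorded at the last full validation, writes every deviation to an append-only log maintained by the monitor rather than the owner, and summarizes the result in the shape of an MRM report.

```python
"""Added example: independent integrity monitor for EUC-hosted models (constructed scenario)."""
from __future__ import annotations

import hashlib
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Tuple


def fingerprint(content: bytes) -> str:
    """SHA-256 of the artifact bytes; any edit to the workbook changes it."""
    return hashlib.sha256(content).hexdigest()


@dataclass
class ModelRecord:
    model_id: str
    path: str                       # inventoried location of the EUC artifact (assumed layout)
    risk_tier: str                  # "high" / "medium" / "low" (assumed tiering)
    validated_hash: Optional[str]   # fingerprint at last full validation, None if never validated
    last_validation: Optional[date] = None


@dataclass
class ChangeEntry:
    model_id: str
    observed_on: date
    previous_hash: Optional[str]
    current_hash: Optional[str]
    modified_by: Optional[str]      # last editor as reported by the file store (constructed here)
    event: str                      # "changed", "missing" or "unvalidated"


@dataclass
class ChangeLog:
    """Append-only record owned by the monitor, not by the model owner."""
    entries: List[ChangeEntry] = field(default_factory=list)

    def append(self, entry: ChangeEntry) -> None:
        self.entries.append(entry)


def reconcile(inventory: List[ModelRecord],
              snapshot: Dict[str, Tuple[bytes, str]],
              log: ChangeLog, today: date) -> Dict[str, str]:
    """Compare the inventory with a snapshot {path: (bytes, modified_by)}.

    Returns model_id -> status ("validated", "requires_revalidation",
    "not_validated", "missing") and logs one entry per deviation.
    """
    statuses: Dict[str, str] = {}
    for rec in inventory:
        if rec.path not in snapshot:
            statuses[rec.model_id] = "missing"
            log.append(ChangeEntry(rec.model_id, today, rec.validated_hash, None, None, "missing"))
            continue
        content, modified_by = snapshot[rec.path]
        current = fingerprint(content)
        if rec.validated_hash is None:
            statuses[rec.model_id] = "not_validated"
            log.append(ChangeEntry(rec.model_id, today, None, current, modified_by, "unvalidated"))
        elif current != rec.validated_hash:
            # Edited since validation: the change-management process must re-validate before use.
            statuses[rec.model_id] = "requires_revalidation"
            log.append(ChangeEntry(rec.model_id, today, rec.validated_hash, current, modified_by, "changed"))
        else:
            statuses[rec.model_id] = "validated"
    return statuses


def mrm_report(inventory: List[ModelRecord], statuses: Dict[str, str]) -> dict:
    """Counts and lists in the shape of the MRM report items discussed above."""
    tier = {r.model_id: r.risk_tier for r in inventory}
    return {
        "high_risk_models": sum(1 for r in inventory if r.risk_tier == "high"),
        "not_validated": sorted(m for m, s in statuses.items() if s == "not_validated"),
        "requires_revalidation": sorted(m for m, s in statuses.items() if s == "requires_revalidation"),
        "missing": sorted(m for m, s in statuses.items() if s == "missing"),
        "high_risk_needing_action": sorted(m for m, s in statuses.items()
                                           if s != "validated" and tier[m] == "high"),
    }


def demo() -> Tuple[Dict[str, str], dict, ChangeLog]:
    """Constructed sample inventory and file snapshot; returns the sweep results."""
    inventory = [
        ModelRecord("ALLL-v3", "models/allowance.xlsx", "high", fingerprint(b"allowance model v3"), date(2024, 1, 15)),
        ModelRecord("IRR-gap", "models/irr_gap.xlsx", "medium", fingerprint(b"irr gap v1"), date(2024, 2, 1)),
        ModelRecord("Pricing-proto", "models/pricing.xlsx", "low", None),
        ModelRecord("Liquidity-old", "models/liquidity.xlsx", "high", fingerprint(b"liquidity v2"), date(2023, 11, 3)),
    ]
    snapshot = {  # constructed "file store": path -> (bytes, last editor)
        "models/allowance.xlsx": (b"allowance model v3", "mrm-validator"),
        "models/irr_gap.xlsx": (b"irr gap v1 edited by analyst", "analyst1"),
        "models/pricing.xlsx": (b"pricing prototype", "analyst2"),
    }
    log = ChangeLog()
    statuses = reconcile(inventory, snapshot, log, date(2024, 6, 30))
    return statuses, mrm_report(inventory, statuses), log


if __name__ == "__main__":
    s, r, l = demo()
    print(s)
    print(r)
    for e in l.entries:
        print(e)
```

The sweep is meant to run on a schedule from an account the model owners cannot edit, with the validated fingerprints sourced from the validation records rather than from the workbook itself; that separation is what makes the log evidence an examiner can rely on.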
Apparity’s EUC risk management platform is purpose-built to meet and evidence the oversight that bank examiners are required to affirm.