SR 11-7 provides supervisory guidance on model risk management (MRM). Initially published in April 2011, the Supervisory Guidance on Model Risk Management applies to banks supervised by the US Federal Reserve Board (the Fed) and the Office of the Comptroller of the Currency (OCC).
The Fed acknowledged that quantitative models are increasingly used for regulatory and business decision making processes. Previously, model guidance from the OCC and the Fed focused on model validation. Consequently, with SR 11-7 they sought to provide more comprehensive guidance on further areas of concern.
SR 11-7 guidance on model risk management covers three key aspects:
- Model development, implementation and use
- Model validation
- Governance, policies and controls
The Fed and OCC make it clear that MRM efforts be appropriate to a bank’s size and model risk exposure. For example, smaller banks using fewer and less complex models can have a smaller MRM program than a larger bank. Keep this in mind, as it’s applicable to every facet of a bank’s MRM program.
How is a model defined in SR 11-7?
In SR 11-7, a model is defined as a:
“…quantitative method, system, or approach that applies statistical, economic, financial, or mathematical theories, techniques, and assumptions to process input data into quantitative estimates.”
Furthermore, models typically consist of three components:
- Data/information inputs
- Processing
- Reporting
How do banks use models?
In essence, models are simplified representations of real-world scenarios. Without a doubt, they play a big role in a bank’s business and financial decision-making processes. For example, banks use models for:
- Identifying and measuring risks
- Stress testing (DFAST & CCAR, etc.)
- Assessing capital adequacy (Basel III, etc.)
- Financial or regulatory reporting requirements (SOX, etc.)
- Investment/ trading strategies
What is model risk?
Many of these activities are critical. Model risk come from a variety of sources and result in incorrect or misused model outputs with very negative consequences— poor decision making, financial loss, supervisory / regulatory enforcement action, and reputational damage to name a few.
Model risk occurs for two main reasons:
1. Errors
A model containing fundamental errors (calculations, formulae or any other quantification activity) produces inaccurate outputs. Also, errors can be introduced through a model’s application of theory, sampling design, selection of inputs, integrated IT systems, etc. Subsequently, these errors can exist at any period from design to implementation.
2. Inappropriate/incorrect use
A model leveraged outside of its intended use can also present risk— even if the model is sound, produces accurate outputs and meets design objectives. Examples of inappropriate use include:
- Using simplifications that don’t aptly capture the real-world event being modelled
- Reusing existing models for new products or markets
- Not updating models to account for market condition or consumer behavior changes
How do you identify model risk?
Conducting a risk assessment helps identify the level of risk a model possesses and determining appropriate validation activities. For each model, assess the level of:
- Complexity
- Uncertainty of inputs & assumptions
- Use
- Materiality (potential business impact if something were wrong)
Additionally, the Fed and OCC recommend assessing model risk at an aggregate level. This includes assessing data lineage of model dependencies and any other factors that impact more than one model and their outputs.
About model risk management (SR 11-7)
Approach model risk management, like other types of risk— through three key activities:
Identify every model used
Risk assess the model to understand the level of risk
Control model risk by validating models that present higher risk
Your MRM framework will facilitate this process via an effective challenge approach.
Effective challenge is considered the guiding principle of most risk management frameworks. The approach facilitates critical analysis by objective subject matter experts who can identify model limitations and assumptions. Then, taking this information, SMEs can introduce changes needed to address deficiencies.
With this purpose in mind, utilize effective challenge in every aspect of the MRM program.
Developing an MRM framework
The bank’s board of directors and senior management must be the ones to establish an MRM framework fitting into the broader risk management function.
While the board is ultimately responsible, execution and maintenance of the MRM program will fall to senior management. Thereafter, senior management, directly and through relevant committees, must report on MRM compliance regularly to the board.
Additionally, the board or senior management must review the framework annually to ensure it’s followed consistently and rigorously. Consequently, update the framework as needed to account for any changes in market conditions, internal strategies, industry practices, etc.
To develop an effective model risk management framework, align the framework with SR 11-7 guidance, namely around:
- Defining roles & responsibilities
- Defining processes (Model development, implementation, use and validation)
- Documentation standards
- Model Inventory
- Internal audit
Caveat about EUCs & technology
Many banks continue to utilize spreadsheet-based models developed in-house and by 3rd party vendors, even as dedicated IT-controlled financial modelling tools are adopted more widely. Spreadsheets are considered an end user computing (EUC) application. Models developed with EUC tools often lack native controls and are prone to human errors, both malicious and accidental.
While SR 11-7 only briefly touches on EUC tools, the guidance it does provide aligns with EUC governance principles. Therefore, consider EUC tools as you assess the model environment.
Similarly, while technology is frequently mentioned throughout SR 11-7, there’s no section dedicated solely to enablement via technology. Technology must serve as a backbone in enabling your MRM framework. Models are already complex, requiring high levels of rigor in testing and documentation by highly qualified individuals. Trying to manage model risk through manual efforts distracts from creating robust and reliable models to begin with.
Technology will help increase efficiency and ensure integrity in data and reporting, ultimately helping to reduce risk.
Next Steps
In brief, much of the model risk guidance presented in SR 11-7 is common industry practice. However, the Fed and OCC caution banks to ensure their MRM practices align with SR 11-7.
Creating an MRM framework is daunting, as it relies heavily on subject matter expertise. However, creating a draft framework will help identify areas that need greater planning and input from experts.
Get started creating your own MRM framework with our free guide. It provides a high-level view about the key aspects of an MRM framework aligned with SR 11-7 guidance.