Models typically represent one of the most important tools that management rely on to make critical business decisions and ensure the company is performing as expected. Many companies have already established a model risk management (MRM) framework.
The framework serves as a foundation to establish controls and reduce operational risk over your most important models. The MRM program may also register and track critical models and will factor in regulatory compliance requirements.
However, this alone is not enough to classify your MRM program as reliable.
Models are often built and maintained in end user computing (EUC) applications. These tools, such as Excel spreadsheets, often have inadequate built-in MRM controls, which increase the risk of an error causing significant downstream effects.
End User Application-based Models
EUCs are flexible, powerful tools that allow users to create purpose-built applications and models. Furthermore, they don’t require any IT resources to develop, allowing users to quickly go from concept to full production model. It’s no wonder end user applications are ubiquitous in most organizations.
However, EUCs have inherent risk due to their lack of native controls and are prone to human error and fraud. Coupled with their widespread use, many organizations are unaware of these risks. That is until they become the target of regulator enforcement action(s).
Operational MRM
If your internal controls around end user applications is lacking, so will the reliability of your model risk function. A model risk program that is not operational is inconsistent at best. At a minimum, achieving operational MRM requires:
- Setting up and maintaining a model inventory
- Capability built within the model validation team
- Established plans for validation of critical models and assessment of all models
- Perpetually monitoring your models and MRM landscape
Yet this is easier said than done. Further, it becomes even more complex if you have a large population of EUC-based models. You will encounter a few challenges in making your model risk program operational.
Challenges in Operationalizing MRM
Many highly regulated companies do not allocate adequate time, money, or resources to successfully make their MRM program operational.
The reluctance to invest is often due to:
- Assumption of effectiveness due to lack of failures
An MRM technology solution was implemented when the regulatory environment was in its infancy. Without any evidence of a significant audit failure, senior leadership assume their MRM program is working well. Other programs rely on manual controls and attestations that don’t always stand up to regulatory scrutiny. - Ignorance of the evolving regulatory landscape
Since the early 2010’s, there has been an influx of new model risk mandates issued around the world. How can your organization stay ahead of the constantly evolving regulatory landscape? - Inadequate insight and reporting of compliance failures
A lack of insight into failures is dangerous, particularly when versioning and change management controls are mandated. Version and change management controls are often difficult to get right. File and folder level controls often don’t aggregate to a central dashboard or reporting mechanism.
MRM Failures
By failing to address these challenges, you may encounter a range of deficiencies and/or failures.
- Changes to high-risk models will be undetectable
- High-risk models will not be identified until an audit or review
- High-risk models that have not been validated will be in production use
- Model data lineage cannot be evidenced for compliance requirements
- Data governance efforts will be less effective
- Policies and procedures will quickly become outdated with the release of new regulatory mandates
- Deficient model validation practices will result in controls failure and/or a data governance breach
- Inadequate controls will lead to misstatements, causing financial, reputational, and other losses
With so many points of failure, how can you overcome these MRM operational challenges?
MRM Expertise
Having a dedicated team of experienced MRM subject matter experts is critical to stay informed of the newest or amended regulations. Aside from the regulatory landscape, SME’s will also be aware of the latest techniques and tools for managing model risk.
An adequately staffed and experienced model validation team must be retained and invested into. Whether it’s made up of internal staff, outsourced firms, or a combination of both.
MRM Technology
Relying on “1.0” legacy software will not provide you with comprehensive and efficient controls for your high-risk models.
Today’s generation of tech features robust reporting and automation tools. This provides new insight of your high-risk models and greater efficiency in managing controls. Furthermore, next-gen tech is being used to push EUC-based models to dedicated IT-managed platforms. This helps to further reduce risk.
Lastly, tech platforms can also help broader organizational efficiency. A centralized tool can also unlock value in other places of the organization. For example, credit loss models can be managed to comply with CECL requirements. Marketing contact spreadsheets can be tracked for GDPR compliance.
The central platform also provides tools to all three lines of defense. This ensures there’s no disconnect between what model owners, compliance teams, and auditors see.
Learn how to leverage technology
In summary, the best way to ensure a comprehensive MRM program is to combine powerful technology with MRM expertise.
As a next step, download our model validation lifecycle guide. It covers automated tracking, data lineage, and controls for all your critical models. It’s supported by real world examples, sample workflows, and conceptual representations to help illustrate the operationalization of MRM. Get your copy now.