Banking and Financial Services White Paper What Banks Must Do for Effective Model Risk Management
About the Authors Manohar Mennekanty Manohar Mennekanty is a Risk Management Consultant with the Banking and Financial Services (BFS) business unit at Tata Consultancy Services (TCS). He has around nine years of experience in banking, financial, and IT services. His current responsibilities include program and delivery management in the implementation of the Governance, Risk, and Compliance (GRC) suite of products, Basel III, and risk management projects. Manohar holds a Master's degree in Business Management from the Loyola Institute of Business Administration, Chennai, India, and a Bachelor's degree in Electrical and Electronics Engineering from Anna University, Chennai, India. Preeti Sinha Preeti Sinha is a Risk Management Consultant with TCS' BFS business unit and has around 10 years of experience in the GRC domain. She has worked with banks and other financial institutions across India, North America, and Europe, in areas of credit risk, pandemic risk, stress testing, and other regulatory standards. Sinha's current responsibilities include management of model risk, Comprehensive Capital Analysis and Review (CCAR), Dodd-Frank Act Stress Test (DFAST), and other finance risk integration projects. She holds a Post Graduate diploma in Banking Technology Management from the Institute for Development and Research in Banking Technology, Hyderabad, India, and a Bachelor's degree in Applied Electronics from Lady Amritbai Daga and Smt. Ratnidevi Purohit College, Nagpur, India.
Abstract The emergence of new financial instruments, complex trades, and increased regulatory scrutiny are some of the factors that are driving banks to embrace complex financial models. However, this reliance on models comes at a price. Improper management of models exposes banks to several risks, as decision-making processes are heavily dependent on these models and their outputs. It is crucial for banks to have a structured approach to manage model lifecycles and address related risks. Therefore, regulatory bodies like the Office of the Comptroller of the Currency (OCC), Federal Reserve Bank, and the Basel committee have issued supervisory guidance to manage model risk. This paper proposes what could be the basic building blocks of a comprehensive model risk management framework, which will help banks identify, address, and holistically manage risks related to financial models.
Contents Introduction 5 Impediments to Effective Model Risk Management 5 The Building Blocks of an Ideal Model Risk Management Solution 6 How Banks Should Approach this Strategic Initiative 8 Conclusion 8
Introduction In today s complex and dynamic business environment, financial models are vital for banks and financial institutions to function effectively. From day-to-day decision making to strategic management decisions, firms rely heavily on the outputs of financial models. In recent years however, there have been instances of model risk having a significant impact on the financial world, amounting to multi-billion, and even multi-trillion dollar losses. An analysis of these high profile losses reveals that irrelevant assumptions, mispricing, lack of controls, and improper usage are the key reasons for model failure. Consequently, regulators are making model risk management mandatory by including appropriate requirements under Basel III and the Dodd-Frank Act. Regulators including the OCC, Federal Reserve, and the Prudential Regulation Authority (PRA) now require banks to demonstrate model control and governance. Going by increased industry awareness and concerns around model risk, we envision this area to gain key focus, and receive a lot more attention from the executive management, in the times to come. Impediments to Effective Model Risk Management In the wake of considerably high dollar losses attributed to the use of inaccurate financial models, regulators and business stakeholders are increasingly demanding that banks and financial firms institute mechanisms to improve their model risk management. Advanced mathematical and statistical models are important tools for banks and financial services firms to make accurate decisions and keep business risks in check. However, these decision enablers come with risks of their own and therefore need a comprehensive management strategy. Here are some aspects that make model risk management somewhat challenging: Developer-user mismatch: Model users often lack in-depth knowledge of the technical nitty-gritty of the models they deploy, and model developers may not have a holistic view of how their models will eventually be used by the firm. This mismatch results in some inconsistencies or anomalies in financial models, which make their management difficult. Absence of a dedicated model risk management team: Management of model risk by the functions using or developing the models may not be entirely objective. However, this is a common practice at most financial firms, and it often results in ineffective management of model risks. Siloed management of risk models and associated information: Model risk managed by individual functions, disconnected from each other at either the individual business unit or the sub-unit level, makes it difficult to assimilate and manage an enterprise-wide model inventory. Disintegrated environment also makes it difficult to compile information for management reporting. Moreover, models are often siloed into either risk or finance functions, but impact both these areas. Without risk and finance integration, model risk, which has a visible effect on the performance of a financial firm, cannot be accurately assessed. 5
Absence of an organizational philosophy to define model risk appetite: The absence of an organizational directive on what qualifies as model risk and what is the organization s risk appetite, defined across multiple dimensions like model lifecycle processes, specific factors, and risk mitigation plans, is a key challenge. Inadequate data quality: Aside of making models error-prone, lack of clear documentation and poor quality input data make the assessment of model risk quite difficult. Absence of a multi-stakeholder collaborative model management platform: The absence of an inclusive model risk management platform that comprises senior management and the board of directors, regulators, external and internal auditors, and shareholders, is another challenge. This hampers organizational visibility into the entire lifecycle of a financial model, and offers little clarity on the responsibilities and accountabilities of various stakeholders. Non-standard framework: As a concept, model risk management is gaining prominence gradually, which means that financial firms more or less have a fragmented approach to it. This translates to the existence of organizationspecific non-standard frameworks, which make it difficult to identify and assess the sources and magnitude of different types of risks. The Building Blocks of an Ideal Model Risk Management Solution Given the complexity of model risk management, and the increasing regulatory pressures on financial institutions, firms must explore automated solutions to address inherent challenges and streamline the overall process. An ideal model risk management solution should ensure compliance with regulatory standards and provide a comprehensive view of model risk within a bank or a financial services firm (see Figure 1). Model risk governance and control Model lifecycle management Model risk identification and assessment Model risk profiling Integration with modelling tools Model inventory Dashboards Figure 1: Features of an Ideal Model Risk Management Solution (Source: TCS Internal) An ideal model risk management solution should include the following components: Model risk governance and control: Establish distinct model ownership, control and compliance roles, as well as ensure consistent practices for model development, documentation, validation, monitoring, and review across all 6
business units. The solution should provide controls to prevent the usage of unauthorized models that are not compliant with the organization s internal policies, or those that have not been approved for use. Model lifecycle management: Adopt a structured approach to define distinct guidelines for all phases of a model lifecycle, right from initiation to retirement. The solution should enable financial firms to create a comprehensive workflow and approval mechanism for effective management of the model lifecycle. Model risk identification and assessment: Define each model s risk appetite using a flexible scoring methodology. This methodology should factor in the sources of risk to allow the categorization of models as per risk score bands. This will help assess their status with regard to the pre-established risk appetite threshold values. Further, the validation frequency of models should be decided based on their corresponding risk scores. Model risk profiling: Gain a clear understanding of key risk areas across all dimensions of the model risk management framework, with associated thresholds, categorization of severity, and appropriate mitigation plans. Model inventory: Maintain and manage a single repository of all the models used across various lines of business in an organization. This will ensure easy access to consistent and accurate information, for effective management and operational efficiency. Integration with modeling tools: Integrate the model risk management solution with various statistical and validation tools to further strengthen the solution and facilitate control over model misuse. Dashboards: Incorporate elaborate dashboards to give all stakeholders a 360 view of model associated risks, specific business objectives, and key performance indicators (KPIs), enabling timely decision making. An ideal model risk management solution, as discussed above, is sure to benefit banks and financial services firms in more ways than one, such as: Better decision making: A comprehensive single view of all models will lead to better decisions when it comes to strategy formulation, regulatory reporting, and improving operational efficiencies within the bank. Effective model governance: An enterprise standard model governance structure, which will be applicable to all business lines, will facilitate a central point of control and review for banks model risks. Comprehensive information management: A golden repository of all enterprise-wide models used across various lines of business will ensure that all systems, units, and users get consistent and accurate information to support their data needs. It will also facilitate efficient model risk governance by ensuring traceability through a complete audit trail of all the changes associated with a particular model, such as versions, documentation, uses, approvals, and so on. Robust model lifecycle management: A model lifecycle management framework that provides a controlled and structured way of model maintenance will set out guidelines for all phases of the model lifecycle, right from design and development to deployment and application. It also defines guidelines for use, validation, governance, control, and documentation of all the models across an enterprise. The documentation aspect in particular, will play a key role in effective model validation. Cost reduction: An automated solution reduces the costs and errors associated with manual decision-making. For instance, an automated solution can easily maintain a global inventory of models, generate alerts for model 7
validation commensurate with the pre-defined organizational risk appetite, and more. This will also result in an error-free, cost-effective way to keep a track of all versions of a model. The solution can trigger alerts whenever a model is misused; for instance, an alert will be sent if a model has not been updated for 12 months after it was first developed. How Banks Should Approach this Strategic Initiative Banks should look at embracing a holistic model risk management solution, in accordance with their organizational risk philosophy and appetite. We suggest they start with an understanding of the current state of their model risk management function and how it links to the overall risk appetite. They should then assess the gaps and design a target state solution that will allow the executive management to view how models are applied across the enterprise and what risks they are likely to pose. Banks can pilot the program with a specific business unit, and use the results from this initiative to devise an enterprise-wide strategy that is best suited to meet the model risk management goals of the organization. Banks can choose to implement a customized or an as is prototype of model life-cycle management. Whichever be the case, the solution should offer comprehensive risk management across the various stages of model lifecycle. Additionally, banks should ensure that the model risk management solution assigns stakeholders with responsibilities and accountabilities for specific tasks in each phase, and tracks and records their work status. It should also rate the models as they pass through various lifecycle stages, assign risk sensitivities based on the sources of risks, and manage and update the model inventory. This inventory will gradually become the single source of truth that gives an accurate, clear, and complete picture of the bank s organizational model risk. The solution should be easily integrated with a bank s internal reporting applications and document management systems for it to be fully effective. Conclusion By and large, managing model risk within banks has so far been limited to model testing and validation. However regulators have broken the traditional way of looking at model risk management; the focus has shifted from model validation to a more holistic approach that comprises development, implementation, and use of models. As a result, regulators have mandated banks to broaden the scope of their model risk management programs and adopt a solution that is more extensive and rigorous. Such a solution should help financial firms understand all the aspects of model risk, such as identifying the sources of risk, assessing risk scores (calculating individual or aggregate business unit-wise risk scores), and managing model lifecycles with appropriate governance and controls. We believe that an ideal model risk management solution will enable firms to establish the limit on model use and monitor model performance, while facilitating periodic validation. Banks and financial services firms worldwide are looking to optimize business performance through better model risk management, governance, and compliance. Implementing a comprehensive solution that supports end-to-end model risk management will help organizations achieve strategic goals, improve the correlation between risk and performance, ensure timely regulatory compliance, and increase market reputation and investor confidence. 8
About TCS' Banking and Financial Services Business Unit With over four decades of experience in partnering with the world's leading banks and financial institutions, TCS offers a comprehensive portfolio of domain-focused processes, frameworks, and solutions that empower organizations to respond to market changes quickly, manage customer relationships profitably, and stay ahead of competition. Our offerings combine customizable solution accelerators with expertise gained from engaging with global banks, regulatory and development institutions, and diversified and specialty financial institutions. TCS helps leading organizations achieve key operational and strategic objectives across retail and corporate banking, capital markets, market infrastructure, cards, risk management, and treasury. TCS has been ranked #1 in the 2015 FinTech Rankings Top 100 of global technology providers to the financial services industry, by both, FinTech Forward (a collaboration of American Banker and BAI) and IDC Financial Insights. TCS has also been recognized as a 'Leader' and a 'Star Performer' in Everest Group's 2015 PEAK Matrix report for Capital Markets Application Outsourcing (AO), as well as a 'Leader' in the 2015 PEAK Matrix report for Banking Application Outsourcing (AO). Contact For more information about TCS Banking and Financial Services Unit, visit: http://www.tcs.com/industries/banking/pages/default.aspx Email: bfs.marketing@tcs.com Subscribe to TCS White Papers TCS.com RSS: http://www.tcs.com/rss_feeds/pages/feed.aspx?f=w Feedburner: http://feeds2.feedburner.com/tcswhitepapers About Tata Consultancy Services (TCS) Tata Consultancy Services is an IT services, consulting and business solutions organization that delivers real results to global business, ensuring a level of certainty no other firm can match. TCS offers a consulting-led, integrated portfolio of IT and IT-enabled infrastructure, engineering and TM assurance services. This is delivered through its unique Global Network Delivery Model, recognized as the benchmark of excellence in software development. A part of the Tata Group, India s largest industrial conglomerate, TCS has a global footprint and is listed on the National Stock Exchange and Bombay Stock Exchange in India. For more information, visit us at www.tcs.com IT Services Business Solutions Consulting All content / information present here is the exclusive property of Tata Consultancy Services Limited (TCS). The content / information contained here is correct at the time of publishing. No material from here may be copied, modified, reproduced, republished, uploaded, transmitted, posted or distributed in any form without prior written permission from TCS. Unauthorized use of the content / information appearing here may violate copyright, trademark and other applicable laws, and could result in criminal or civil penalties. Copyright 2015 Tata Consultancy Services Limited TCS Design Services I M I 12 I 15