By Mark Levonian, Nick Kiritz and Miles Ravitz
Earlier this year, the FDIC announced it was adopting the guidance on model risk management issued jointly by the Federal Reserve and Office of the Comptroller of the Currency in 2011, which sets supervisory expectations for the three lines of defense for managing model risk.
The FDIC had already been applying the guidance for some time to the larger and more complex institutions under its regulatory purview. But with the agency’s formal adoption of the guidance, all FDIC-supervised banks with assets greater than $1 billion are now covered, a sign that the agency will soon increase its scrutiny of MRM at a broader set of banks.
Supervisory expectations for MRM
The guidance promotes a principles-based approach to MRM. It begins by defining “model” and “model risk,” clarifying that model risk should be assessed and managed like any other type of risk. One of the guiding principles for MRM is “effective challenge,” which involves engaging in critical analysis of models and then using those models to identify limitations or deficiencies and make appropriate changes. Also incorporated into the guidance is the important consideration of “materiality”—that is, that the rigor and extent of risk management activities should depend on the potential impact of the risks associated with any use of models.
Disciplined model development, implementation and validation practices are also key to controlling model risk. For firms using third-party models, the guidance emphasizes the need for rigorous validation of acquired models, noting that model developers and users have important roles to play in ensuring that models are used appropriately and subject to effective challenge and controls. This focus on the role of model development and model use in MRM marks a change from previous guidance, which emphasized model validation (although validation is still important).
Meeting MRM expectations
According to the guidance, MRM frameworks and activities should “be commensurate with a bank’s risk exposures, its business activities, and the complexity and extent of its model use.” Put simply, it will require different levels of response from different banks. Ultimately, the expectation will likely be that all banks over $1 billion in assets have or develop suitable MRM frameworks.
FDIC-supervised institutions that are new to these expectations should review any MRM frameworks and practices already in place and then evaluate them against the requirements of the guidance. Banks can meet the FDIC’s expectations for implementing an MRM program by:
- Designating an individual who clearly has responsibility for MRM
- Understanding the supervisory definition of a model, and how to distinguish models from other analytical tools
- Understanding the concept of model risk
- Creating and maintaining a comprehensive model inventory using a suitable inventory system
- Developing MRM framework documents, including a model-risk policy and implementing procedures that have—at a minimum—procedures for model development, model validation, and model inventory
- Developing tools to support the MRM framework, including a tool for model risk tiering and templates for model development and validation documentation
- Implementing a plan to bring existing models into compliance with the new MRM framework by remediating any gaps in model documentation and validation
An effective MRM program takes time to develop, and banks that adopt a thoughtful, staged approach to implementation are most likely to succeed. They can begin by performing detailed self-assessments and formulating risk-based remediation plans to close any MRM gaps. Done right, a more mature MRM framework that is consistent with the guidance will enhance overall risk management and make models more effective as an element of bank management and decision-making.
Mark Levonian is managing director at Promontory Financial Group, where Nick Kiritz is director and lead expert for model risk management and Miles Ravitz is principal.