Developing risk sensitive model risk management practices tailored to individual model requirements

By Chris Smigielski, Director, Model Risk Management, Arvest Bank

What, for you, are the benefits of attending a conference like the Model Risk Management USA and what have attendees learnt from your session?

There are many benefits to attending a conference like Model Risk Management USA. This will be a great learning event because CefPro conferences are top-notch. I can always expect that the venue and logistics will be excellent. The presentation topics are well researched and relevant. The presenters are some of the best practitioners in the industry that share key insights through their materials and in interactions throughout the conference. The attendees are interesting to speak with and have insights that they share through great conversations. For me, there is so much to learn and bring back with me to implement in my own model risk program.

In my session, I discussed why the traditional model risk program must adapt to the changing banking landscape. I shared my experiences with model turnover and an expanding model inventory, challenges in model validation and model governance; where it may be headed and some ideas on how to continually adapt the program to keep in compliance. In my presentations, I always gave first-hand examples and invited attendees to share their own as well so we could all learn from each other.

What key considerations need to be made when developing risk sensitive model risk management practices?

The concept of a risk-based approach is a long-standing risk management principle and is a necessity when dealing with the volume and volatility in the model inventory. New regulatory initiatives like stress testing and more recently CECL generate batches of models that replace legacy approaches and those new models require validation prior to implementation. The model governance and validation calendars usually operate at full capacity and the addition or introduction of batches of models creates challenges to timeliness, not to mention staffing. The risk-based approach considers the control framework, including type of validation needed and other risk-based considerations, to maintain program standards and compliance with guidance.

How can risk professionals effectively tailor model governance to individual requirements?

Risk professionals can be more effective if the governance requirements are well thought out and model details are well-known. For that to happen, model governance should have good working relationships with model owners & users and have great knowledge of models under their purview. At the end of the day, we are risk managers who are responsible for an effective control framework to manage model risk. Our task is not to ease the program requirements but to find ways to meet requirements with the resources we have by adapting approaches to effectively manage model risk.

What are the key benefits of efficiently scheduling validation frequency based on risk sensitivity?

As I mentioned earlier, the model governance and validation calendars normally operate at full capacity already, and the addition or introduction of batches of models creates challenges to work product timeliness and staffing. The key benefits of efficiently scheduling validation frequency helps the program adapt to these validation and governance requirements in the face of inventory volatility and volume bursts. Whereas the ‘cookie cutter approach’ would order a full validation or a specific procedure at a regular time interval, a risk-based approach to validation considers the materiality, model changes and performance monitoring, for example, and what specifically needs to be validated without wasting unneeded effort on elements that have not changed or do not require revalidation. The result is effective model risk management that is both cost effective and timely.

What do you see ahead for the future for model risk?

The trajectory for model risk has been quite steep in my opinion. By that, I’m referring to the evolution of model risk in practice. The SR 11-7 (and OCC 2011-12) guidance was written just after the financial crisis and it clearly outlines a model risk framework that we have deployed with interpretation since 2011. The control framework concept has, and continues, to be adapted to the changing landscape of new regulatory initiatives and modelling techniques. Qualitative models, rules-based tools, artificial intelligence and machine learning applications (and others) have all qualified themselves for model governance because of the potential impact of (model) failure or misuse.

Looking ahead, I believe there will be a continued evolution of model risk, perhaps in such a way as to be a common thread or major theme across all risks in the risk appetite. The elevation of model risk management would then be appropriate for the governance of all bank automation including models, applications and tools NOT administered and governed by the IT department.