Managing the continuous evolution of model risk with increased digitalization

The views and opinions expressed in this article are those of the thought leader as an individual, and are not attributed to CeFPro or any particular organization.

Chris Smigielski, Director of Model Risk Management, Arvest Bank

What are the key building blocks to digitalization?

There are three terms to be familiar with: Digitization, Digitalization, and Digital Transformation.  The Financial Industry is currently going through a wave of innovation driven by digitalization in various forms.

Digitization – According to Gartner’s IT Glossary, “Digitization is the process of changing from analog to digital form”.  That might involve converting handwritten or typewritten text into digital form.  Digitization is important both for dealing with analog information as well as ‘paper-based’ processes – where ‘paper-based’ is nothing more than a metaphor for analog.  Digitization refers to creating a digital representation of physical objects or attributes.  For instance, we scan a paper document and save it as a digital document (e.g., PDF).  So, digitization is about converting something non-digital into a digital representation or artifact. Digitization is foundational.  This is the connection between the physical world and software and has been ongoing since the 1960’s.  Digitization is an enabler for all the processes that provide business value because of the need for consumable data.

Digitalization refers to enabling or improving processes by leveraging digital technologies and digitized data.  Therefore, digitalization presumes digitization.  Digitalization is the use of digital technologies to change a business model or the process of moving to a digital business. A simple example of this could be automating manual tasks using process automation.  Digitalization increases productivity and efficiency while reducing costs.  Digitalization improves an existing business process or processes but doesn’t change or transform them.  That is to say, it takes a process from a human-driven event or series of events to software-driven. 

Digital Transformation is really business transformation enabled by digitalization.  The “digital” moniker is a little bit of a misnomer because the essence of digital transformation is the changing of business processes enabled or forced by digitalization technologies.  An example of digital transformation is a shift from local control of physical processes to remote monitoring and control of those same processes.  We digitize both information and processes of a business, and digitally transform the business and its strategy. Each one is necessary but not sufficient for the next, and most importantly, digitization and digitalization are essentially about technology. Digital transformation is about the customer experience.

What AI/ML approaches are generating the biggest operational risk consequences?

According to Forrester, many consumers started using digital channels to manage their finances and tried digital payment methods for the first time during the pandemic. Artificial intelligence (AI) and machine learning (ML) approaches are foundational drivers to many customer experience solutions offered today. These appear as cutting-edge applications or existing models with enhanced AI/ML components. Chatbots use machine learning and natural language processing (NLP) to deliver a near-human-like conversational experience. New technology has the potential to be integrated more deeply into every facet of financial services delivery and bank operations, whether it is a natural language processor (AI chatbot) deployed as a customer service tool or an AI/ML approach within a software application. Regarding AI & ML, model explainability and interpretability are two issues which are key challenges to the first line business and model risk governance.

This wave of operational risk consequences is happening because an AI process or ML model cannot be simply substituted in place of a less automated process because the technology, security, data, and algorithms used may create newer unintended consequences that were not present previously. For example, using alternative data in a credit decisioning model must be tested for fairness, bias, and disparate impact because the expanded variables may unintentionally describe a protected class. The information technology (IT) environment supporting the bank’s models must have appropriate internal controls for new interactions with Fintech’s or credit companies.

How are regulatory expectations regarding model risk across the risk appetite changing?

AI/ML approaches are foundational drivers to many customer experience solutions offered today. These can appear as new applications or with enhanced AI/ML components within existing applications. A wave of other non-model uses of AI can be seen in robotic process automation (RPA) that have the potential to drive huge cost savings across the company.

Examples of AI uses in banks include fraud detection and prevention, marketing, chatbots, credit underwriting, credit, and fair lending risk management, robo-advising (i.e., an automated digital investment advisory service), trading algorithms and automation, financial marketing analysis, cybersecurity, Bank Secrecy Act/anti-money laundering (BSA/AML) suspicious activity monitoring and customer due diligence, robotic process automation, and audit and independent risk management.

Some AI may meet the definition of a model noted in the MRM Supervisory Guidance. While AI outputs are not always quantitative in nature, AI is typically based on complex mathematical techniques. Regardless of how AI is classified (i.e., as a model or not a model), the associated risk management should be commensurate with the level of risk of the function that the AI supports.  Model Risk guidance initially targeted quantitative estimates or output that is quantitative in nature, which was most likely found in in Credit, Interest Rate, Liquidity, & Price risks.  Updated expectations also find model risk impacting Operational, Compliance, Strategic, and Reputation risks as well.  Models, tools and algorithms used across the risk appetite introduce risk because of the consequences they may present if they are wrong.

Can increased digitalization within model risk enhance collaboration and integration across other areas, such as third-party risk, change management, and RCSAs? Are there any examples of this you have seen?

The OCC Booklet published in August 2021 explains that Operational risk can increase when the information technology (IT) environment supporting the bank’s models does not have appropriate internal controls.  Security weaknesses, including poorly constructed application program interfaces (API’s) and weaknesses in the controls for the access, transmission, and storage of sensitive customer information, could expose a bank to increased operational risk.  Weak or lax controls can compromise the confidentiality or integrity of sensitive customer data.  Third-party risk management weaknesses related to a bank’s use of third parties providing models or related products and services could increase operational risk, particularly when management does not fully understand a third-party model’s capabilities, applicability, and limitations. New technologies, products, and services, such as AI and data aggregation, can increase third-party access to banks’ IT systems.  Poorly drafted contracts could increase operational risk.  Important considerations include the ability of the third party to resell, assign, or permit access to the bank’s data and IT systems to other entities and how the data will be transmitted, accessed, and used.

Collaboration, therefore, is necessary to identify and assess these risks that can ‘fall between the silos.  Model Risk professionals can drive those conversations to promote an awareness of the emerging risks throughout the existing risk culture and processes at a financial institution.  In my own institution, Model Risk has collaborated with Enterprise Risk Management, Compliance and Data Science to elevate this awareness.  Additionally, we have strengthened operational risk assessments and third-party contracts to anticipate these newer risk elements.

Chris will be speaking at our upcoming Operational Risk Management USA Congress, taking place on October 12-13 at Etc Venues Lexington.

You may also be interested in…

Have you made your free account? 

Melissa will be speaking at Risk Americas 2023 in NYC on May 22-23.