Collaboration of three lines of defense for effective oversight and validation of model risk
Kerri Anderson, Assistant Director of Model Risk Management, Northwestern Mutual
Below is an insight into what can be expected from Kerri’s session at Advanced Model Risk USA 2023.
The views and opinions expressed in this article are those of he thought leader as an individual, and are not attributed to CeFPro or any particular organization.
Can you provide an overview of the role of the lines of defence in model risk oversight and validation?
There are many stakeholders involved in model risk management, with accountabilities which should be clearly outlined in a model governance or model risk management policy. Generally, model risk management follows the traditional three lines model, with the people closest to the models—handling the data, developing the models, inputting assumptions, designing the algorithms, producing the output, consuming the output, developing performance thresholds, monitoring performance, maintaining and updating the models—being members of the first line. In terms of model risk management, members of the first line own the risk and are responsible for ensuring the appropriate controls are in place, complying with the internal model governance policy, any applicable external regulations, and the company’s risk appetite.
The second line are members of the model risk management team, including model governance and model validation. Model governance, at a high level, is responsible for developing the model risk management policy, maintaining the model inventory, ensuring that model issues are responded to in a timely fashion, and providing transparency on model risk within the organization. Model validation is responsible for providing effective challenge to models and ensuring their use is appropriate for the given business need.
The third line is internal audit who are responsible for assuring that the company is executing consistently with its model risk management framework, taking into consideration industry best practice and regulatory requirements, and is appropriately sized for the level of risk that the company’s use of models poses.
Transparency, to me, is more than just strong and clear communication. It is awareness, alignment, and frequent collaboration between stakeholders that is reflected in the interdependent and overlapping processes of the organization. Effective model risk management involves several stakeholders across the three lines, and as we’re seeing with recently released and developing AI risk-management frameworks, robust model risk management expands outside the walls of the traditional MRM team and involves adjacent second-line teams including privacy, data governance, IT security, and vendor management, just to name a few.
Model risk management is far more than just a policy or a model inventory. It is beyond an annual attestation or “check the box” exercise to document compliance. It requires clear understanding of the roles and responsibilities of each of the stakeholders for a given model. Robust model risk management depends upon collaboration and transparency across multiple areas of a company to ensure that the appropriate controls are implemented for the given risk for each model throughout its lifecycle.
How can organizations ensure they align their LoD with data, audit and compliance?
There are a number of ways in which a company can design their model risk management program or framework. Generally, the design should be aligned with that of other traditionally second-line teams such as data governance and compliance that may already be established within the company and should build connections or dependencies with these teams that have existing processes where it makes sense.
To establish a model risk management program, a company should look to existing model risk management frameworks to understand the various risk-related controls to be established and then work to name the model stakeholders in order to clearly assign accountabilities to each. Again, efficiencies can be gained when aligning to other established processes within the company. It all comes down to communication, collaboration, transparency, and agreement upon the need for the various controls that are right-sized for the company and its unique use of data and models.
What are the benefits of developing a control framework for advancing technology?
While model risk management can sometimes feel like “just one more thing” or “someone who’s trying to slow me down” to business areas that are focusing on innovation, the truth is that we’re all working on the same team, and risk management is in place to help protect the company from unnecessary risk. A robust risk management framework enables faster decisions and more vigorous innovation by setting up clear processes, guardrails, and guidelines so that innovation teams know what’s a “go” versus what’s a “proceed with caution” or where more guidance is needed. The framework also assists teams in identifying when to reach out to others and who to contact who can aid in ensuring that the work the innovation teams are doing is within the risk tolerance of the company. Or if the work is not within the established risk tolerance, the framework gives innovation teams a direct path of escalation to leaders who can make risk-informed decisions and potentially allow the teams to move forward.
How can institutions ensure Integration across teams?
The keys to successful alignment and integration of a model risk management program include:
- Communication, awareness, and alignment – starting at the executive level – of the need for establishing or evolving the model risk management framework
- Ownership and participation in establishing or updating roles and responsibilities to increase stakeholder buy-in
- Mapping of processes to aid in identification of interdependencies to gain efficiencies
- Engagement of model stakeholders including
- First line: model owners, model developers, model users, model maintainers
- Second line: model governance, model validation, privacy, legal, compliance, data governance, security, vendor management
- Third line: internal audit
- Clear ownership of individual processes
- Established and documented policies and processes to aid in understanding and compliance
- Model risk and data literacy training for all parties