Validation and Governance of the use of AI and machine learning models to increase efficiency

By Paul O’Donovan, Director, US Model Governance, BMO Financial

Can you please tell the Risk Insights readers a little bit about yourself, your experiences and what your current professional focus is?

I’ve worked in Model Risk Management (MRM) for the majority of my 12+ year professional career – covering roles in Model Validation, Model Governance, and as a Model Developer/User  – working on a broad range of models including Basel, Stress Testing, PPNR, and Treasury. I have also spent some time at the Federal Reserve working on supervisory processes for CCAR as well as MRM supervision of large banks.

After completing my MBA in 2016, I took a role at BMO focused on Model Governance. While the role began with a focus on the Bank’s US program, it quickly evolved into more Enterprise responsibilities. When the use of AI and Machine Learning became more prevalent, there was a need within the MRM team to address some of the governance related aspects that come along with that. Part of my MBA was focused on Big Data solutions and the systems and architecture to support it, so it became a natural focus for me within my current role. While this work is ongoing, I am also focused on MRM Reporting, Oversight, and seeking out process efficiencies to improve the overall effectiveness of MRM practices while continuing to meet regulatory expectations.

What, for you, are the benefits of attending a conference like the Model Risk Management USA and what have attendees learnt from your session?

MRM USA is an excellent opportunity to network with industry peers and hear practical and actionable insights that you can take into your own work. The breadth of topics covers a wide range of practices in MRM and, given the current regulatory and economic environment, will help think about MRM in the context of balancing risk management with building leaner and more efficient modelling functions. There have been a lot of advancements in MRM practices since the publication of SR 11-7, and the continued emergence of more advanced modelling capabilities brings more opportunities, but also more challenges for MRM.

With the expanding use of AI and Machine Learning, I offered my thoughts on some of the key decisions modelling teams need to make in trying to optimize the risk and return paradigm in this evolving area. I shared some insights on what makes validation more challenging in the context of AI and ML, and what some of the practical implications are for maintaining a strong MRM function. My hope is that people took some practical tips from my presentation and started to think about the strategic risk/return trade off in the context of AI/ML, and not just focus on the MRM aspects.

 Please describe some of the challenges involved in building an enhanced governance framework?

MRM has always had a challenge in managing the “cliff effect” for what qualifies as a model (and, hence, MRM requirements). The decision of what constitutes a model has been inherently more complex than it should be, and that is exacerbated by some of these new and evolving capabilities. The rapid adoption of AI and ML is introducing models into corners of the organization that are not accustomed to MRM or necessarily understand MRM requirements. As this growth happens in non-traditional areas, identifying models in time and making sure they are subject to MRM becomes a real challenge. An enhanced governance function needs to establish a true Enterprise-wide set of definitions and standards and, critically, must now be more integrated than ever with other business and second line functions to enforce these standards.

The other critical challenge in trying to build an enhanced governance framework is People. The role of governance is becoming increasingly technical and specialized. An enhanced governance function must now be at a much more granular organizational level, driving conversations between various risk functions on the appropriate ways to measure and manage risk. This means that People within effective governance functions must have a much more general skill set and knowledge beyond MRM and SR 11-7. They must also be more equipped to liaise between senior management and MRM to ensure an appropriate level of information is being shared throughout the organization.

In your opinion, what key considerations need to be made when bringing model risk management to the next level?

In my opinion, I think the key is recognizing that the full spectrum of risks associated with models can no longer be managed solely within MRM. Within your organization, MRM will be a thought leader in the technical aspects of future modelling solutions but managing the risk of some of these new models will take a coordinated effort across the Enterprise. With the potential for models to have a series of new features (for example, self-update, be deployed in cloud environments, consortium models where data is shared among institutions), risks arising from the use of models extend beyond MRM. A number of non-financial risk management functions will need to have a better understanding of MRM – Information Security, Fraud, Operational Risk to name a few.

Creating this coordinated approach is a significant challenge but one that will be necessary to have an effective MRM process that understands the model end-to-end. It also establishes a discipline and set of standards for management of non-model AI. Bringing MRM to the next level should happen as part of a broader Risk Management evolution where the right question to ask is not “Is this a Model?”, but rather becomes, “How do you control the risks with this piece of technology?”.

 What do you see ahead for the future for AI & machine models?

There is no doubting that AI/ML is the future and is already permeating every aspect of our daily lives. In terms of modelling, capabilities and technology continue to make it easier for companies to build and deploy AI – the key will be whether that can be done ethically or if we will continue to see a rising trend in privacy, bias, and information security issues.

Specifically for banks, I think we are at an inflection point in terms of AI and Machine Learning – and the ultimate success and depth of usage is going to depend on a few factors:

1. Internally managing the risk/return trade-offs appropriately to build confidence with senior management and users around the true utility of these models;
2. Developing and retaining talented modellers in an environment where the talent pool is small and the level of competition is extremely high;
3. Being appropriately risk-based in MRM. This mean internally having the Policies and procedures to promote the use of AI/ML as well as having flexible expectations and support from Regulatory bodies.

I believe that AI/ML modelling can drive efficiency and profitability for firms that deploy it in the right way and take a measured, well-governed approach to its implementation. In the not-so-distant future, AI/ML will be necessary for doing business and firms that are slow to adopt it now will face a costly and steep challenge to catch up. In particular, banks’ ability to compete with smaller, nimbler FinTech firms means that effective MRM needs to be an enabler in the organization to promote the speed to market if AI/ ML models.