The UK’s Prudential Regulation Authority (PRA) has published detailed principles for banks to follow on managing their model risk.
The PRA’s supervisory statement published on 17 May contains few surprises, according to several market participants, who suggested the consultation process initiated last year had given a clear indication that robust standards were likely to follow.
Banks within the scope of the guidance, which covers all banks with internal model approval to calculate regulatory capital requirements for either credit risk, market risk or counterparty credit risk, will have one year to implement the principles from 17 May 2024.
While reaction to the intent of the principles has been largely positive, there is also a recognition that their implementation will require a lot of work.
“Model risk, while potentially substantial, often flies below the radar. However, we are aware, based on past experiences such as the Global Financial Crisis, that it can yield devastating consequences. Therefore, it is crucial to elevate the focus on model risk to a higher, strategic level,” says Evgueni Ivantsov, chairman of the European Risk Management Council.
He adds that while he believes “it deserves a rigorous standard and an allocation of substantial resources” and that he “fundamentally agree[s] with the regulatory approach”, he anticipates that “many firms will face challenges in meeting very high standards within the timeframe set by the PRA”.
At a high level, the PRA has said that it would like banks to “take a strategic approach to model risk management [MRM] as a risk discipline in its own right.”
More specifically, the supervisory statement outlines principles for banks to follow in five areas: model identification and model risk classification; governance; model development; implementation and use; independent model validation; and model risk mitigants. The PRA says that these principles are “intended to support firms to strengthen their policies, procedures, and practices to identify, manage, and control the risks associated with the use of models”.
Speaking on the day the principles were published, Catarina Souza, head of model development and review division at the Bank of England, Prudential Regulation Authority commented: “What we have seen in many cases is that model risk is not managed as effectively as we would like”, including in areas such as model validation or levels of senior leadership engagement.
Ms Souza highlighted that one of the most important envisaged outcomes for the principles is to “generate senior management involvement, and for them to consider model risk as a risk on its own”.
Adding further detail about the strategic approach the PRA would like to see, she said: “We believe that can only be done through a cultural change across an organisation. That’s one of the reasons why the model risk management principles are overarching, they’re meant to cover all models across the organisation. What we intend is an enterprise-wide view.”
Senior management and board responsibility
Increased senior accountability is one of the most notable aspects of the principles. They include a requirement for a named individual or individuals to be accountable for “overall oversight to ensure the effectiveness of the MRM framework” as a specific senior management function (SMF) under the Senior Managers Regime.
In addition to senior management accountability for model risk governance, the supervisory statement also places clear responsibility with boards.
Mr Ivantsov feels clarifying the responsibility and accountability at a senior level is a helpful development, but observes these requirements could be challenging in relation to the board.
“It is noteworthy that the regulator now emphasises the necessity for explicit ownership and accountability of SMF regarding model risk,” he says. “Previously, it could have been assumed that the chief risk officer [CRO] held overarching responsibility, but it was not always explicitly stated.
“One of the most formidable challenges, in my opinion, lies with the board. While the CRO’s responsibilities for MRM align closely with their role, the board faces a new task. Based on the PRA’s statement, the board should establish a comprehensive MRM framework and provide challenge to the outputs of the most material models, understand the capabilities and limitations of models and potential impacts of poor model performance. That’s a pretty big ask for people who may not necessarily have a professional risk management background.”
David Asermely, global product lead, model risk and AI governance, at analytics software company SAS comments that in the past “unfortunately some organisations perhaps did not take model risk management as seriously as they should have”, which is a significant issue because “many bank failures have had their roots in model risk management failures”.
He adds: “One of the things that is really laid out very clearly by the PRA is board-level understanding, accountability and responsibility, and also defining a senior management function that is responsible for this and for educating the board as appropriate. That does raise the profile of model risk, and to my mind that is something that was needed.”
Mr Asermely recognises the complexities that firms will need to overcome to implement the guidance but believes one year is an appropriate timeframe in which to do this, particularly given the importance of this issue and that much of the detail had already been signposted in last year’s consultation paper.
He suggests for many firms this will involve upgrading the systems and processes they use to manage model risk away from relatively basic tools like spreadsheets, in a lot of cases, to more sophisticated systems which document all of their models. Creating a comprehensive model inventory is one of the PRA’s requirements within the supervisory statement, along with more detailed categorisation requirements for models.
This is crucial, he believes, to enable firms to efficiently and effectively test how changing market conditions, and other factors, impact their models, for example, changing interest rates. “Having these processes and systems in place for managing models provides the capability for firms to navigate dynamic market conditions, and it makes doing it across thousands of models straightforward, rather than having to seek out documentation for each individual model,” he says.
AI and models
It is also notable that the PRA’s guidance has been published at a time of rapidly increasing interest in artificial intelligence (AI) and large language models. Although the text of the supervisory statement itself does not refer to AI, the PRA did make clear reference to this area in its consultation paper last year, and suggested that the principles should be considered to apply to all models including those using AI.
Jan Larsen, president of global risk and research solutions at analytics company CRISIL, believes this topic is particularly significant given the tension between this rapidly evolving area and the PRA’s desire to impose high standards for model risk management.
“This guidance is coming at the precise moment that we’re seeing huge leaps in large language models. There’s a tremendous amount of interest in how those models can be leveraged for a wide array of banking functions, but they’re also the models for which model risk management practices are least mature.”
He suggests that the PRA’s approach of not imposing specific requirements around AI-related models is understandable. “I think the PRA is doing exactly what it has to do, which is giving itself room for agility to respond to a rapidly evolving phenomenon,” he says.
As for whether the requirements will lead to the kind of cultural change that the PRA is envisaging, Mr Ivantsov is optimistic but adds: “Because the document is quite prescriptive, some banks might treat the implementation process as a tick box exercise. This would contradict the essence of the principles, which, in my view, is the most crucial aspect.”
Another potential challenge relates to banks having staff in place with the right skills and experience in areas such as model validation, where the principles have introduced more stringent requirements.
“It’s not a prerequisite to have a PhD to work in a validation department. But I don’t think I’ve ever seen a validation department that didn’t have PhDs,” says Mr Larsen. “You’re talking about people with advanced education in areas where there’s a lot of demand, from a lot of different industries. So, it does feed into a labour market challenge. And, it’s possible that that some banks will have to look at new locations to fill some of those roles.”
For the moment, the principles only cover banks with internal model approval to calculate regulatory capital requirements, rather than all UK-regulated banks, as previously envisaged. The PRA has not provided a date for when broader guidance will be published for the wider industry. However, its policy statement published on May 17, alongside the supervisory statement, states: “The PRA will provide an update on the approach for all other firms, including ‘Simpler-regime Firms’, at a future date, once the definition of a ‘Simpler-regime Firm’ has been finalised.”