Article | January 3, 2025

Building the Foundation: Key Steps for Launching Model Risk Management at Financial Institutions


In 2011, the Federal Reserve and the Office of the Comptroller of the Currency (OCC) jointly released the Supervisory Guidance on Model Risk Management (SR 11-7), formally defining supervisory guidelines for managing the risk associated with banks’ use of models. While the initial focus was kept to banks with assets greater than $10 billion, the FDIC’s adoption of the guidance in 2017 extended SR 11-7’s purview to FDIC-supervised institutions (those with $1 billion or more in assets), and regulatory scrutiny has been increasing ever since.

The purpose of this article is to provide a general understanding of model risk management (“MRM”) and serve as a roadmap for institutions looking to establish a model risk management program. We will begin with a high-level overview of MRM, then discuss key processes required for initial implementation of an MRM function. Understanding the three lines of defense within financial institutions, and where model risk management fits, is essential. For institutions with robust operations, MRM resides within the second line of defense, although it consistently works alongside both the first and third lines.

Here’s how it works in each line:

  1. First Line of Defense (Operational Management): The first line of defense includes business units and operational teams that are responsible for developing, implementing, and using models. They manage day-to-day risks, including ensuring that models are properly developed, tested, and applied.
  2. Second Line of Defense (Risk Management and Compliance): This is where model risk management formally resides. The second line provides oversight, guidance, and monitoring of model risk activities. This includes:
    • Establishing model governance
    • Validating models to ensure they are operating in accordance with management’s expectations and comply with both internal and external standards
    • Identifying, assessing, and monitoring model risk across the organization
  3. Third Line of Defense (Internal Audit): Specific to MRM, the third line is responsible for performing independent reviews of the entire MRM framework. The third line audits the effectiveness of both the first and second lines, ensuring that MRM policy, governance, and procedures are followed and that the second line’s model validation activities are both technically sufficient and independent.

Now that we have a general understanding of MRM’s role within the organization, we can begin to discuss the initial processes required to set up a model risk management function.

Establish a Model Risk Management Policy

The first key element of any model risk management program is implementing a board-approved policy, cementing the role of model risk management within the organization. The policy should cover, at a minimum, the following areas:

  • Scope and Purpose of the Policy
    • This section should include adherence to SR 11-7.
  • Governance and oversight
    • List governing committees and their responsibilities starting from the Board of Directors down to the Committee with direct model risk management oversight.
  • Roles and responsibilities
    • Define the responsibilities of the lines of business and identified roles within each. This section may be included within governance, depending on each institution’s policy.
  • Framework Elements
    • Outlines key processes for effective model risk management, including maintaining a comprehensive model inventory, conducting regular risk assessments, validating models, and ensuring thorough documentation. It also covers escalation procedures for unresolved issues, risk reporting, and validation requirements to ensure robust oversight of model integrity and usage.
  • Definitions
    • Any MRM-related terms that require defining for those unfamiliar with MRM functions, processes, or terminology.

Identify Model “Candidates”

Next is the process of identifying potential models, or “model candidates”. The easiest, and often most straightforward, way to go about this is through an attestation sent to the leaders of each department within the institution. In order to capture more and miss less, it’s best to be conservative and ask for everything meeting the definition of both a non-model tool and a model. The attestation process should be repeated regularly, with the frequency depending on the maturity of the MRM program. Typically, it will take place more frequently at first (quarterly or semi-annually) before transitioning to a less frequent process (annually) as business units become more comfortable with what could constitute a “model”.

Make Model Determination

Once the attestation process is complete and all model candidates have been reported, each candidate will need to be assessed to determine whether or not it meets the definition of a model. A typical assessment will first ask for general information including the purpose of the model candidate and how it is used. The candidates will then be evaluated on three main model components.

  • Inputs
    • Are the inputs subject to uncertainty?
    • Are assumptions used in the model?
  • Processing
    • Does the model candidate apply advanced statistical, economic, financial, or mathematical theories or techniques to process input data into outputs?
  • Output and Reporting
    • Is there a model candidate output or reporting component that informs business decisions or processes?
    • Is the model candidate used repeatedly?
    • Are outputs from the model candidate in the form of estimates?

Each institution will have its own process for making its final model determination, but typically:

  • If the answer to at least one question in each of the sections above is “yes” then you likely have a model. [1]

[1] It is prudent to note that while we consider this to be the most straightforward method, incorporating language from SR 11-7, it is not error-proof. Interpretations of what qualifies as a model can differ, not only across institutions but also among regulators, leading to varying definitions and expectations.

Model Inventory

The inventory serves as a centralized source of detailed information about each model. At the very minimum, your inventory will consist of the following models:

  • Bank Secrecy Act / Anti-Money Laundering
  • Current Expected Credit Loss
  • Interest Rate Risk
  • Liquidity Risk / Contingency Funding Plan

According to SR 11-7, “the inventory should describe the purpose and products for which the model is designed, actual or expected usage, and any restrictions on use.” Other information that should be recorded in the inventory includes, but is not limited to: model name, model risk level, classification, owning department, model owner (person or position responsible for the model), model developer, model users, frequency of model usage, type and source of model inputs / underlying model components, model output reporting and intended use, date model was developed, last validation date and rating, next validation date, and any policy exceptions.

Perform Model Risk Assessment

Each model must undergo a risk assessment to determine its risk level. This process varies by institution and can be either quantitative or qualitative, focusing on factors like materiality, reliance, and complexity. Key areas evaluated include regulatory impact, earnings impact, operational impact, financial statement impact, strategic impact, decision-making impact, quantitative process utilized, use of external data, and integration with other models. Risk levels typically range from three to five tiers, depending on the institution's MRM framework.

Determine Validation Cadence

The model risk level determines the frequency at which a model will be validated. An example of validation cadences we see institutions deploy is as follows:

  • High Risk – Annual
  • Moderate Risk – Every 2 Years
  • Low Risk – Every 3 Years

In summary, for institutions building out Model Risk Management (MRM) functions, establishing a solid foundation is essential. This includes setting up key processes like defining governance structures, creating a model inventory, and implementing a risk assessment framework. By focusing on these foundational steps, institutions can build a strong MRM function from the ground up, ensuring effective oversight and regulatory compliance. These initial elements are critical not only for meeting regulatory requirements, such as SR 11-7, but also for preparing institutions to identify, manage, and mitigate model risks within their organizations. While there are many other processes and complexities to address, these steps are key to getting the program underway. With this foundation in place, institutions will be well-equipped to expand their MRM capabilities as they grow and encounter increasingly complex risks.


The information provided in this communication is of a general nature and should not be considered professional advice. You should not act upon the information provided without obtaining specific professional advice. The information above is subject to change.