The potential sources of error in constructing a model “is the key point in determining how to handle model risk,” said Suresh Gopalakrishnan, Principal, Business Information Management, at Capgemini Financial Services. He was the first of two speakers on the topic of model risk management (MRM) in the post-financial crisis regulatory regime, and was speaking at a webinar organized by the Global Association of Risk Professionals on April 24, 2014.
Model risk is very wide-ranging. “What about inadequacies in models?” he asked. “Do they cover black swan events? What about aggregate risk? Is model risk in fact part of operational risk?”
The broad paradigm for dealing with financial risk consists of four parts: identify, measure, manage or control, and monitor.
The first part involves creating a risk inventory to identify financial risks, business risks, operational risks (such as reputational or regulatory) and “unknown risks.”
For the second part, there are three ways to measure risk: risk control and self assessment (RCSA); use of models; and expert judgment. Models have been in use in certain companies for many years—for pricing and forecasting, for example—and now they will be developed to estimate the likelihood and the impact of risk. “Quantification is a hot topic in research,” noted Gopalakrishnan.
For the third part, the company must “decide, based on ranking, how to manage or control risk: accept, avoid, mitigate, or transfer, such as buying insurance,” he suggested. Management and control of risk involves determining thresholds and buffers for model risk.
The fourth and final step is periodic monitoring and validation, as well as reporting and communication. The monitoring stage involves auditing, testing, and reporting.
For each risk (and for each of the 4 steps), the first, second and third lines of defense could/should be identified. These may comprise people/process/technology or any combination of these. Technology is involved in all four parts because it is used to track model inventory, create a document repository, manage workflow, and standardize reporting.
Gopalakrishnan described the 5-step process of a model lifecycle:
- Model users define requirements.
- Model development occurs in-house, or through external vendors. “These act as the first line of defence.”
- Validation occurs in the MRM team. This is the second line of defence.
- Implementation, which is the domain of the information technology group.
- Monitoring and retirement, usually the domain of the model owners.
The model lifecycle, seen from the “dataflow perspective,” involves procurement of quality source data, preparing the data, and using it throughout model development, management, and deployment.
“Assumptions in methodology are a source of model risk,” Gopalakrishnan said, noting that “you make inclusive and exclusive choices for data” that will govern the best region of fit. “You must use the model within the [correct] operating limits.”
A big challenge in MRM is “how to rank or classify in terms of riskiness.” Best practices mandate the development of a model risk governance charter and framework that is ratified at the Board level.
The near future will show risk managers “how a robust MRM framework can impact decision making,” said Gopalakrishnan. The current state is 80 percent inefficient or manual work; the future state should involve no more than 20 percent. An ambitious, but worthy, goal indeed. ª
Click here to read about the second presentation on model risk. ª
Click here to view the webinar Model Risk Under the Post-Crisis Regulatory Regime.