Model Governance



SR 26-02 Changes Everything, or Does It?

Model risk governance is more than demonstrating compliance by aligning policies with regulatory guidance, documenting any deviations, ensuring procedures support policies, and maintaining consistent enterprise-wide practices.

But let’s start with the guidance and compliance. For specific, well-written guidance, like SR 11-07 with its 179 “should” statements, compliance may be challenging, but it’s also straightforward. However, with SR 11-07 replaced by a much shorter SR 26-02 and its vaguer 21 “sound practice” statements, there seems to be greater uncertainty today than at any time in the past 15 years. (See SR 26-2 to SR 11-7 Mapping: From 21 ‘Sound Practices’ to 179 ‘Shoulds’ for our mapping.)

We have built MRM programs from the ground up at institutions under intense regulatory pressure. This includes at Regions, where the Federal Reserve ranked us as the top model risk management department in its horizontal review as part of the 2014 CCAR exercise. We know what a well-governed MRM function looks like because we built one under maximum scrutiny.

To operationalize 26-02, we mapped its “sound practice” statements to 11-07’s “should” statements. That makes it easy to see that what to do hasn’t really changed.

How to Govern Models and Reduce Risks

Maintain distinct procedures for development, governance, and validation, with large firms potentially requiring separate development procedures for different model types, e.g., loss forecasting, ALM, credit scorecards, etc.

We design governance frameworks and provide communication, training, and staffing solutions. Though implementing proper model risk governance requires upfront investment, it delivers long-term value through more strategic and efficient development and better, adaptable models at reduced costs. Get your money’s worth.

Executives at banks with less than $30B in assets may conclude that they’re free-and-clear of the guidance. We don’t quite see it that way and still recommend governance around models that affect the organization’s biggest reports and risks, like CECL, asset-liability management/structural interest rate risk, and anything with legal implications, e.g., anti-money laundering/Bank Secrecy Act.

Now that we’ve explained how to satisfy bank supervisors, consider that the biggest advantage to effective model risk governance isn’t mere compliance. It’s knowing that your most important models, which are used for the biggest decisions in the bank, represent what they purport to represent, and are developed and processed cost-effectively, i.e., that you’re getting your money’s worth from expensive associates or vendors. If that’s your purpose, then (1) the program will pay for itself, and (2) compliance will be a free byproduct.

The Three Branches of Governance

1. Effective Model Risk Management

We have built compliant MRM programs twice at CCAR banks under intense regulatory pressure, and reviewed existing MRM functions at credit unions ranging with over $20 billion. Our engagements go beyond gap analysis and policy writing — we can participate in implementation, including hiring. We have directly participated in the interview and selection process for MRM managers at major institutions. When we are finished, the program is staffed and running, not just documented.

One note on our philosophy: the best outcome of good governance is not a clean exam. It is models that work — that are transparent, maintainable, and actually improve decision-making. Governance that produces compliant but useless models has failed at the harder task.

2. Risk Management

Turn what too frequently is mere risk reporting into true risk management that leads to prevention, insurance or contingency actions. From top (e.g., board risk appetite frameworks based upon scenario analyses) to bottom, effective governance means clear communication of strategies and tactics to reduce either the possibility of loss or the anticipated magnitude of loss.

Risk management is crucial to both value creation and value preservation and should be managed as such. It’s easy to grow. Sound risk governance provides intelligent growth.

3. Data Governance

Good data governance is far less bureaucratic than it seems. As developers, we know that if the data set is good enough for modeling, then it’s good enough for every other use. The converse isn’t true. The only question is how to formalize it.

We speak about data governance from direct experience as model developers. Two-thirds of every development engagement we undertake is data preparation — not because that is the natural cost of modeling, but because data governance was not implemented properly when the data was originally collected. We have seen clients in the middle of a multi-platform CECL migration discover their production systems were never updated to reflect the developmental data infrastructure built years earlier. We have seen institutions send a vendor’s developmental dataset to an acquiring institution rather than their own. These are not edge cases. They are predictable consequences of treating data governance as a compliance requirement rather than as a source of competitive advantage.

Good data governance is less about documentation and more about creating a clear chain of accountability between the people who produce data and the people who use it. We help institutions build that chain.

The way to formalize it is by matching data suppliers with data demanders, i.e., users, in transparent, formal and efficient ways. Data governance shouldn’t be about satisfying regulatory requirements. It should be about turning facts into reliable and representationally faithful information, which is a, if not the, source of a firm’s competitive advantage.

Four Common Governance Mistakes

Policies and procedures should satisfy Goldilocks: neither too big nor too small, neither too hard nor too soft. We typically see firms making one of these four mistakes:

1. Over-Simplified

The policies and procedures are too broad and over-simplified.

This makes it difficult to show that actions comply with the guidance because too much is left to interpretation, which leads to confusion.

2. Over-Complicated

The policies and procedures are way too detailed and over-complicated.

This creates too little consistency, which also leads to confusion. It often appears academic, out-of-touch, bureaucratic or irrelevant.

3. Failure to Execute

Failure to execute the policies and procedures that are necessary.

These failures often exist in the governance function itself, particularly in validation. The causes include lack of commitment by executive management, unwillingness of managers to perform responsibilities, and inability of validation staff to perform credible inspections.

4. Validation Theater

The policies and procedures exist on paper, the validation calendar is maintained, and the reports get filed. But the validation function lacks the independence, the technical depth, or the organizational authority to provide genuine challenge.

Validators who cannot push back on developers — whether because of seniority, relationships, or simply lack of qualifications — produce findings that look credible but provide no real protection. This is arguably the costliest mistake of all because it creates the appearance of compliance without the substance.