Governance

What is Governance?

Governance answers the following question:

“How do you turn regulatory guidance into consistent, repeatable actions that comply with said guidance?”

For well-written guidance, like SR 11-07, consistency with it can get the firm close to good management and even best practices.

Typically, one provides evidence of compliance by showing that the firm’s policies closely reflect the guidance (with any deviations identified and well documented), that procedures fully support the policies, and that, enterprise-wide, actions and practices follow procedures.

While firms may have one model risk management policy, larger firms frequently have separate policies for development and validation. Because the tasks are so distinct, all firms should have separate development, governance, and validation procedures. In fact, large firms may have separate procedures for each type of model development. We have written and reviewed (and implemented) all types of procedures.

The Three Branches of Governance

We can help build all parts of an effective and efficient model risk management program that easily meets supervisory expectations, and do it cost-effectively. We did so twice at CCAR banks that were facing intense regulatory pressure.

However, our best advice is: development and rework are expensive; so, demand solid development that delivers transparent, zero-defect models. Good governance doesn’t generate perfect models. It does generate compliant, transparent, cost-effective models–whether they’re built internally or provided by vendors.

Turn what too frequently is mere risk reporting into true risk management that leads to prevention, insurance or contingency actions. From top–e.g., board risk appetite frameworks based upon scenario analyses–to bottom, effective governance means clear communication of strategies and tactics to reduce either the possibility of loss or the anticipated magnitude of loss. Anything else is busy work and uneconomical.

Risk management is crucial to both value creation and value preservation and should be managed as such.

It’s easy to grow. Sound risk governance provides intelligent growth.

Good data governance is far less bureaucratic than it seems. As developers, we know that if the data set is good enough for modeling, then it’s good enough for every other use. The only question is how to formalize it.

The answer is by matching data suppliers with data demanders, i.e., users, in transparent, formal and efficient ways.

Data governance shouldn’t be about satisfying regulatory requirements. It should be about turning facts into reliable and representationally-faithful information, which is a, if not the, source of a firm’s competitive advantage.

Our Advantage

We can write each component of an overall governance framework and help solve all types of problems through well-designed communication, training, and staffing services.

While building and implementing an appropriate model risk governance framework may seem expensive, it is important to realize that it is a long-term investment that will lead to better strategic and operating decisions through both more effective and efficient model development: better, more adaptable models at lower costs.

Three Common Governance Mistakes

Typically, firms make one of these three mistakes:

1. The policies and procedures are too broad and over-simplified.
2. The policies and procedures are way too detailed and over-complicated.
3. Failure to execute the policies and procedures that are necessary.

The first and second are the extremes of the policies and procedures spectrum. Either case makes it difficult to show that actions comply with the guidance: the first because too much is left to interpretation, which leads to confusion, and the second because there is too little consistency, which also leads to confusion.

Frequently, the former comes off as simplistic whereas the latter appears academic, out-of-touch, bureaucratic or irrelevant. (Kind of like counting the number of model risk angels that can fit on the head of a pin.) Policies and procedures should satisfy Goldilocks: neither too big nor too small, neither too hard nor too soft.

The third type of governance mistake is the failure to execute (what may otherwise be) sound policies and procedures. Frequently these failures exist in the governance function itself, particularly in validation. The causes of this type of failure include: (i) a lack of commitment by executive management; (ii) the unwillingness of governance and validation managers to perform their responsibilities per the governance framework; and (iii) the inability of the validation staff to perform credible inspections.