You are here

Model Risk Management: Making Sure You’re Prepared

Written By: Rita Lucivero, CISA, CFE

The FDIC announced on June 7, 2017, that it would be adopting the supervisory guidance on managing Model Risk that was previously issued by the Federal Reserve and the OCC in 2011.  You may have heard about this guidance in conjunction with AML Data Validations, but with this new adoption, the Federal Reserve, OCC and FDIC banks will all be held to a higher standard regarding model oversight.  This has left many institutions questioning what proper model oversight is and how they move forward. 

Understanding Model Risk
Model risk is the potential for error or adverse consequence from decisions made based on misused or incorrect model output reports.  Poor model reporting can lead to financial loss, poor business and strategic decision-making, and potential damage to your institution’s reputation.

There are two major contributing factors to model risk. The first is that fundamental errors within the model can cause inaccurate outputs. This can be anything from poor data imports into the model to poor set-up of the model at implementation. The second major factor relates to the use of the model itself. Data may be flowing into and out of the model correctly, however, failure to understand and use this data in the proper fashion can result in model risk. 

Model Risk Assessment & Inventory
Your Institution should be identifying what models are employed in your environment. Create an inventory to capture all models and risk assess each one based on the magnitude of their associated risks.  While not an all-inclusive list, these common risk factors should be considered in your assessment:

  • Model Complexity
  • Input Volatility
  • Model Use
  • Financial Impact
  • Business Decision Impact
  • Model Design 

Model Validation
As you have probably experienced, your regulator has asked you to validate your AML software model. Your AML model is just one of many models you may need to validate in your environment. The validation of a model should verify that the model is performing as expected and along with your Institution’s business use.  When considering what approach to take for validating a model, consider the following:

  • The resources used to validate the model should be independent and have the appropriate expertise.
  • The extent of the validation will depend on the complexity of the model and the risks pertaining to it.
  • During years that you aren’t having an outsourced validation performed, you should do an internal review to verify there are no significant changes to the model.

Model Risk Policy
A Model Risk Policy should incorporate all of the items that you see above. The Policy should outline your Institution’s methodologies for the model inventory and risk assessment. In addition, your policy should also outline frequency and extent of model validation based on risk.

If you find yourself questioning what model risk oversight is, you’re not alone. The guidance has been around since 2011 but hasn’t become widely required until now. For a more detailed explanation of the topic, check out How to Build Better Models to Avoid Model Risk.  Putting all of these components in place will put you ahead of the game (and your regulators!) in model risk management.

To discuss your specific model validation needs, contact Rita Lucivero, CISA, CFE, IT Assurance Senior Consultant, at 617-261-8185 or rlucivero@wolfandco.com.