MRM | BSA/AML | Model Validation | Model Assumptions

This rate environment is different and every decision matters. Are your models up to the task?

People generally don’t get too excited about model validation – it’s akin to taking one’s car to the mechanic. However, would you think it is a good idea to never bring your car in for a tune-up? Of course you wouldn’t. In fact, you would most likely bring your car to the best mechanic you can find: someone you can trust to find anything that’s wrong, make it run better, and give you the confidence it will get you where you need to be. And the same should hold true for your key risk models and getting the right validation performed.

Regulatory Perspective

The regulatory approach to model validation has continued to grow and evolve over the past decade-plus. Model risk management guidance has expanded in practice since it was first published in 2011, with horizontal review from examiners and validators resulting in a trickle-down of best practices across the industry (the FDIC adopted the model risk management guidance in 2017 and the OCC further expanded its oversight with the publication of the Comptroller’s Handbook on Model Risk Management in 2021). Broader risk management initiatives have also been adding new emphasis, including on enterprise risk management and operational risk management. Meanwhile, data, technology, model usage, and complexity have all been developing.

Therefore, while previous regulatory attention had primarily been focused on large and mid-sized institutions, expectations for community banks and credit unions are now ramping up, with several key areas of focus:

• Data and assumption management, including data sufficiency and reliability, assumption support, and sensitivity testing

• Governance, with attention paid to documentation, change control, and risk limits

• Ongoing performance monitoring

• Alignment with an institution’s model risk management framework

• Identification of sub-model use

• Validation

With that focus in mind, regulatory attention paid to model risk management has become more prevalent. To enhance your model risk management framework, focus on some of these areas the regulators have noted as concerns in recent exams:

• Model inventory: inventories are found to be incomplete with no updating process in place

• Effective challenge: validations do not demonstrate sufficient rigor for risk models

• Model validations: not all models were validated, and in some cases the validators lacked the requisite independence to adequately ensure a model was performing as intended

• Model documentation: model documentation was incomplete or out of date, and/or lacking detail on assumptions support, model development, and enhancements as well as overlays / overrides

Validation Scope and Rigor

One fact has become increasingly clear in the current environment: a traditional “audit-like” validation is not sufficient to meet regulatory expectations. Whereas audit may simply pose a yes-or-no question as to whether the institution is meeting a requirement, a validation digs deeper to determine whether policies, processes, and procedures are sufficient given the size and complexity of the institution. A solid validation will take into account:

Governance and process framework

• Policies

• Model purpose and use, architecture, and limitations

• Core methodologies

• Documentation

Model input – data and assumptions

• Data sources and sufficiency

• Data management, quality, and reliability

• Assumptions: accuracy, reasonableness, and support & sensitivity testing

Model processing – underlying theory, analytics, and mathematics

• Modeling system

• Model mathematics and formulae

• Selection of model drivers

Model report component

• Reporting: content, frequency, distribution, and effectiveness

In reviewing these aspects, a simple “check-the-box” validation falls short. The goal of a validation should not be to just find errors, but rather to combine with effective challenge to help uncover model deficiencies and strengthen the process.

Effective challenge

Regulatory guidance on model risk management defines effective challenge as “critical analysis by objective, informed parties that can identify model limitations and produce appropriate checks. Effective challenge depends on a combination of incentives, competence, and influence.”

• Incentives are better when there is greater separation of challenge from the model development process, when compensation practices are well-designed, and when effective challenge is part of the corporate culture.

• Competence means the right technical knowledge and skills are in place to provide appropriate analysis and critique.

• Influence involves explicit authority, stature, and high-level commitment to ensure actions are taken to address any modeling issues.

For the most part, effective challenge is inconsistent and limited throughout the industry. The best validations ask tough questions, always taking care to thoroughly document the process and learnings.

Data Management

Effective modeling starts with quality data, but data shortcomings can undermine model reliability and user confidence. Data management best practices shared by high performers include:

• Taking the time to understand and document all aspects of the data including source/type/location, scrubbing, reconciliation, management, and security

• Documenting all data exploration and testing processes

• Differentiating input subject to change control v. normal operations

• Testing data aggregation impact on model results

• Leveraging centralized data initiatives as much as possible (many models utilize the same data; having a central location for model owners to maintain data that has been validated and to ensure continuity across models is helpful and often overlooked)

Assumptions Management

“Close enough” is not “good enough” when it comes to model assumptions. Assumptions must be supported both qualitatively and quantitatively, and be specific to your institution. Further, they should also be evaluated and updated regularly, including reviews at ALCO with active participation by individual business lines. Documentation, ongoing monitoring, sensitivity testing, and stress testing are all critical components that should be included in assumptions development and support.

When managing assumptions, some of the important questions to be able to answer should include:

• What are our key assumptions?

• Are these assumptions based on actual experience? Peer analysis? Expert judgment?

• How much can these assumptions vary?

• Who is reviewing and approving the assumptions?

• When is it necessary to revisit and possibly recalibrate our assumptions?

Deposit Assumptions

Among the most important (and impactful) assumptions for an institution are those that relate to deposits. Yet while they have the greatest potential impact, deposit assumptions are also notoriously the hardest to validate. Assumptions related to factors such as rate sensitivity, core v. “hot” money, and retention/decay on non-maturity deposits are key to an institution’s success. Therefore they should be substantiated with activity tracking and deposit studies and analyses making sure to include sensitivity and stress testing.

High-performing institutions understand the importance of defensible assumptions, and incorporate these practices to ensure reliability:

• Document how assumptions are developed, supported, reviewed, and approved

• Describe the sensitivity testing process, including which tests were performed and how results are communicated

• Formalize the review and approval process for key assumptions

• Ensure clarity with respect to overrides and overlays

• Leverage a centralized assumption management process, if possible

Ongoing Monitoring

Ongoing monitoring helps confirm that a model is implemented appropriately and used as intended. Changes in products, exposures, activities, clients, or market conditions can all necessitate possible adjustments to – or even replacement of – a current model. Types of ongoing monitoring include:

• Data testing

• Reconciliation of inputs and outputs

• Back-testing

• Assumption back-testing and sensitivity testing

• Tracking and adjusting open model risk management findings

• Challenger modeling and benchmarking results against other models/sources

An important piece of this is also determining who in the organization is responsible for ongoing monitoring. In many cases, the answer will be the model owner, who usually has the best understanding of the model and access to the needed data and tools. Model risk management personnel and vendors can also help contribute to monitoring.

Ongoing monitoring provides confidence that models work as intended. The most effective processes include:

• Developing a formalized process to evaluate data, assumptions, and output

• Automating the ongoing monitoring process, where possible

• Documenting all ongoing monitoring procedures, including defining all tests/analyses, establishing thresholds, and documenting actions to be taken in case of a breach

Governance

Model governance framework goes beyond just a process and controls or “change control” document. It is important to also consider reconciliation, third-party vendor risk, and policies/risk limits.

Model documentation is a critical component to model risk management success. It should be considered an evolving document that:

• Summarizes the model’s purpose, use, risk rating, limitations, etc.

• Provides corporate memory

• Serves as a blueprint for validation

• Defines ongoing performance monitoring (OPM) tests and thresholds

• Allows model risk management to look at models horizontally to identify common data and assumptions, as well as model interdependencies

When implementing an effective model risk management framework, ensure model governance:

• Documents all governance-related aspects of the model and its process

• Includes all roles and responsibilities throughout the organization

• Provides details on change control

• Includes testing procedures

Model Purpose and Use

The right validation makes sure that a model has not been implemented to do something it wasn’t designed to do. To confirm that models serve their intended purpose and have not been broadened beyond their original abilities, top institutions:

• Clearly distinguish the model’s purpose and use

• Document the theory behind the model

• Define the mathematical construct of the model

• Outline all data and assumption considerations

• Reference any regulatory or accounting guidance used

Purpose of the Validation

When you consider all of these factors, what is the ultimate purpose behind your model validations? Why is it important to treat validation as more than just a “check-the-box” exercise?

Quite simply, validation should be seen as a key component of strategy development for the institution. It creates clarity around important balance sheet management topics such as interest rate risk, liquidity, capital/earnings, and credit. Absent a robust validation process, misinformation, “over-information,” or “under-information” can lead to incorrect and/or sub-optimal decisions.

Validations that demonstrate effective challenge, apply adequate rigor, and go beyond “checking the box” increase confidence throughout the risk management process. Improving model inputs results in better model performance – and better model performance leads to greater reliability in model outputs. When key stakeholders have greater confidence in the results models provide, it leads to better strategic discussion and decision-making, which makes a critical difference, particularly in today’s challenging environment.

ABOUT THE AUTHOR

Mark Haberland is a Managing Director at Darling Consulting Group. Mark has over 25 years providing balance sheet and model risk management education and consulting to the community and mid-size banking space. A frequent author and top-rated speaker on a wide array of risk management topics, Mark facilitates educational programs and workshops for numerous financial institutions, industry and state trade associations, and regulatory agencies.

© 2023 Darling Consulting Group, Inc.