UK Banking MRM Regulation

MRM Weaknesses: UK Regulator Flags Major Modeling Risks for 2022

Henry Umney

There are few areas in financial services that have had to repeatedly adapt and change as much as modeling teams over the last 18 months. They’ve helped their business units navigate the challenges of mitigating risks and the business’s day-to-day management.

These teams have had to deal with unprecedented economic contraction in the global economy, substantial government economic intervention, as well as a complex and confused economic recovery.

These have been far from ideal conditions to develop, validate and manage the models that will provide the insight senior managers need to make fully informed decisions. These conditions make it challenging to give the evidence of good practice Model Risk Management (MRM) that auditors and regulators need to see.

The UK’s Prudential Regulation Authority (PRA) recently issued a letter detailing the thematic findings of written auditor reports. It was sent to all the CFOs of UK-regulated banks, and covered a range of issues, including MRM.

The modeling analysis was comprehensive, focusing on the impact of COVID-related economic data on models in the short term and long term. It also covered the steps institutions had to take to apply manual changes to modeling results, to help staff understand the model results when comparing them with similar results from more benign conditions.

Addressing MRM weaknesses

While the letter highlighted how companies had enhanced their model risk management, there remained weaknesses in how models were documented, how stretched modeling resources were, and how ad-hoc data, models, tools and calculators were used to help formulate the results.

The PRA is sympathetic to the challenges that overstretched modeling teams face in delivering valuable results in a challenging operational and economic situation.

Nonetheless, the letter reinforces the raised expectations for managing model risk in the future. The PRA also recently issued a similar letter to UK Banking CEOs, where issues around the use of uncontrolled models in regulatory reporting were flagged as needing management attention and action.

Those based outside the UK cannot rest on their laurels. The US Office of the Comptroller of the Currency (OCC) recently issued its new MRM Handbook, and will likely look into the same issues.

Squaring the circle

The letter to CFOs serves to highlight the depth of detail regulators now go into when assessing MRM weaknesses. It also helps to highlight the extent to which hard-pressed modeling teams remain reliant on manual and ad-hoc processes.

These are significant issues for banks because of the ever-increasing reliance on models and the constraints they face with skills and expertise. Modeling is complex, and making the best use of the available expertise is key while still meeting the needs of the business and regulators.

How can institutions square this circle?

Automation is already a crucial part of modeling processes. But the needs of the business and the expectations of regulators regarding MRM weaknesses are encouraging institutions to see how to best automate the management of the ad-hoc models and data. The expectation is to have the same levels of control and transparency as applied to corporate IT applications.

The primary tool for these ad-hoc models is the Excel spreadsheet, as its power, flexibility and widespread use make it the ideal tool. Excel also features in the tools and calculators that banks utilize to support their modeling processes. Other applications like SAS, Python, or MATLAB may also be used, often outside the control of the corporate IT function.

As for Excel, the critical issue is that there are no controls in Excel to bring it on a par with corporate IT applications.

What steps should you take to address MRM weaknesses?

The first step is to create a centralized model inventory. This will provide the foundation for managing the critical Excel-based models. This capability allows managers to understand their Excel-based models at a glance, regardless of where they are located. It also provides a document repository that helps the document management process that regulators expect to see.

The next phase is discovery, where the mission-critical model spreadsheets can be identified from the vast spreadsheet estate found in any financial institution. Discovery needs to encompass spreadsheets found on PCs, laptops, file shares, SharePoint environments, and cloud computing environments. Links to these model spreadsheets, whether from other spreadsheets or other data sources, need to be identified and monitored.

The last phase is proactively monitoring the modeling spreadsheets. This will highlight issues including missing data, errors, and broken links, so they can be identified and addressed before they have a material impact on the business. This capability also allows for changes to be monitored, by user and approver. This ensures the audit trail needed to provide the transparency institutions are expected to provide.
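
The discovery and monitoring phases above can be illustrated with a short added example (not Mitratech or ClusterSeven code). It reads an .xlsx package with the Python standard library, records a content hash, external links and cached error cells, and compares them with what the inventory has on file. The function names, sample file names and finding strings are assumptions.

```python
import hashlib, io, re, zipfile
import xml.etree.ElementTree as ET

MAIN = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"
RELS = "http://schemas.openxmlformats.org/package/2006/relationships"

def inspect_workbook(data: bytes) -> dict:
    """Build an inventory record (hash, external links, error cells) for one .xlsx."""
    rec = {"sha256": hashlib.sha256(data).hexdigest(), "links": [], "errors": []}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            # NOTE: for untrusted files, swap in a hardened XML parser.
            if name.startswith("xl/externalLinks/_rels/") and name.endswith(".rels"):
                # Links to other workbooks are relationships with TargetMode="External".
                for rel in ET.fromstring(z.read(name)).iter(f"{{{RELS}}}Relationship"):
                    if rel.get("TargetMode") == "External":
                        rec["links"].append(rel.get("Target"))
            elif re.fullmatch(r"xl/worksheets/[^/]+\.xml", name):
                # Cells typed t="e" carry a cached error value such as #REF! or #N/A.
                for c in ET.fromstring(z.read(name)).iter(f"{{{MAIN}}}c"):
                    if c.get("t") == "e":
                        rec["errors"].append((c.get("r"), c.findtext(f"{{{MAIN}}}v")))
    return rec

def findings(rec: dict, approved_sha256: str, approved_links: set) -> list:
    """Compare a fresh record against what the inventory has on file."""
    out = []
    if rec["sha256"] != approved_sha256:
        out.append("content changed since last approval")
    out += [f"unapproved link: {t}" for t in rec["links"] if t not in approved_links]
    out += [f"error {val} in {cell}" for cell, val in rec["errors"]]
    return out

def build_sample(cell_xml: str, target: str) -> bytes:
    """Constructed minimal package with only the two parts inspected above."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("xl/worksheets/sheet1.xml",
                   f'<worksheet xmlns="{MAIN}"><sheetData><row r="1">{cell_xml}</row></sheetData></worksheet>')
        z.writestr("xl/externalLinks/_rels/externalLink1.xml.rels",
                   f'<Relationships xmlns="{RELS}"><Relationship Id="rId1" Type="x" '
                   f'Target="{target}" TargetMode="External"/></Relationships>')
    return buf.getvalue()

if __name__ == "__main__":
    approved = inspect_workbook(build_sample('<c r="A1"><v>0.031</v></c>', "pd_inputs.xlsx"))
    current = inspect_workbook(build_sample('<c r="A1" t="e"><v>#REF!</v></c>', "old_inputs.xlsx"))
    for f in findings(current, approved["sha256"], set(approved["links"])):
        print(f)
```
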

The other modeling applications we mentioned, like SAS or Python, lend themselves well to inventory-based, self-service attestation-based management. Users can retain the ability to use them as they need to, while also providing the transparency and auditability needed by the institutions and regulators.

Mitratech offers a range of robust MRM solutions that are proven in practice with some of the most demanding financial institutions in the world. Quick to implement and nearly as quick to deliver value, they can help institutions of all sizes meet management’s and regulators’ higher expectations.
