Why Critical Spreadsheets Are Actually Models (and Require Risk Governance)
It used to be that only the largest financial institutions were impacted by model risk governance (MRM). Today, in addition to these, over 100 DFAST banks are implementing model risk governance.
Also, MRM is now being demanded by widely by both auditors and regulators. For instance, in Europe, institutions are adopting Targeted Review of Internal Models (TRIM) regime; in the UK there’s the SS 3 18; and in the US, SR 11 7 is growing in importance for MRM.
Inventories of models, which are essentially simplified representations of real-world relationships among observed characteristics, values and events; are expanding dramatically as files are found that encompass all financial aspects of business areas – everything from derivative and financial instrument pricing and valuation; securitization; credit loss modeling through to risks associated with trading and financial reporting.
With models covering so many scenarios, financial institutions experience a number of difficulties related to their governance, suggesting that perhaps they aren’t equipped to manage the burden the discipline imposes. Things such as incomplete model inventory, inconsistencies in approaches to modeling, poor model tracking and version control, inadequate validation, poor model accuracy, multiple implementation systems and so on are hindering good model risk governance.
Furthermore, end-user computing (EUC) applications such as spreadsheet-based models and calculators that feed the models are also ‘models’ and so require governance. According to SR 11-7, “the term model refers to a quantitative method, system, or approach that applies statistical, economic, financial, or mathematical theories, techniques, and assumptions to process input data into quantitative estimates.”
A growing need for visibility
With some inventories now approaching over 3,000 models, financial institutions are struggling to gain complete visibility of these applications, while regulators expect organizations to apply the same model governance principals to all model types, including the business-critical spreadsheets. Today, spreadsheet and EUC governance specifically features in numerous regulatory frameworks including Dodd-Frank Act Stress Testing, Sarbanes Oxley Act, BCBS239, Prudential Practice Guide and many more.
Additionally, the scope of MRM has expanded from model validation historically – i.e. is the structure, design and function of the model understood, tested and documented – to encompassing the comprehensive governance of models, including change control, access control, auditability and reporting.
Of course, GRC systems are widely deployed in regulated financial institutions, but there can’t always deliver against the stringency of regulatory requirements. These systems typically lack flexibility to adapt. Making changes to traditional GRC systems frequently requires intervention from the respective third-party solutions’ vendor or IT. The lead times are lengthy, and the expense is substantial too.
So, to overcome this, institutions often resort to manual processes (e.g. using email for confirmations of changes/approvals), creating further problems for users and management. The problem intensifies as the models, tools and calculators use data and resources from the controlled corporate IT environment – as well as the less controlled EUC landscape, which is primarily independently operated by the individual business units themselves. All this combined, severely restricts the effectiveness and compliance of MRM programmes in institutions.
Asking critical questions
To achieve full transparency and an end-to-end approach to MRM, financial institutions need to square the circle with automation. Such an all-encompassing approach needs to include everything from the creation, maintenance, and validation of model inventory (enterprise-wide), alignment of MRM with supervisory and regulatory guidance, through to monitoring of policy and documentation standards and fully auditable information sharing.
This kind of technology-led approach to MRM ensures that the standards applied to all models in the institution are consistent, accurate, and achieved cost-effectively. They can determine the data lineage and data interdependence of the models, tool and calculators across the enterprise. It helps with maintaining the accuracy and integrity of the applications too as models are developed, revised and decommissioned almost constantly. MRM isn’t a one-off process or exercise.
To trigger such an approach to MRM, perhaps financial institutions should start by asking themselves critical questions such as:
- How is regulation affecting the organisation’s MRM plans?
- Does the firm have in-built flexibility and agility to adapt to evolving regulatory requirements?
- In the event of an error in regulatory and compliance processes, what is the potential impact to the business operationally, financially and reputationally – in both the short term and the future?
With this kind of insight and in-depth understanding, financial institutions can plot a well-tuned MRM strategy and plot a course of action to meet the requirements of the business in the most efficient and productive way possible – while minimising risk.