The PRA & Regulatory Reporting: Model Risk Management
One area highlighted by the recent letter from the UK’s Prudential Regulatory Authority (PRA) to the CEOs of the UK’s banks and building societies was the use of model risk management (MRM) in the reporting process. What do we mean by this?
Predictive models are a core element of many regulatory frameworks, where they are used to calculate results in a stressed business environment. Institutions have modeling teams who manage models under the PRA’s SS3/18 model risk management (MRM) framework. However, the fragmented nature of regulatory reporting means that there are likely to be many models with regulatory applications that fall outside the scope and control of MRM teams.
The PRA’s research identified the lack of controls applied to models. Without adequate controls, changes can be made without record, which increases the risk of misreporting. The lack of controls may also point to sub-optimal management processes elsewhere in the management of models, including supervision, documentation, and the consistent application of MRM policies across the business.
MRM in banking
Models in banking come in many forms.
Spreadsheets can feature as EUC applications, where users utilize spreadsheets’ power and flexibility to create software applications outside the control and influence of the corporate IT function. The use of EUCs in firms is not unusual.
Spreadsheets can be used as reference data sources, collecting information from a range of core systems across the bank; as calculators to generate the data used to populate the reports; as models to help create results required in some reports; or they can be used in the reconciliation process to collect, review, and modify the final regulatory results, as firms apply their expert judgment in their ‘final mile reporting’.
However, the lack of controls and transparency inherent in spreadsheets means that data can be overwritten without warning, data errors can be missed, or links to other applications and data sources can be broken without anyone realizing. In regulatory reporting, the risk of submitting a misreport caused by these errors to the PRA is significant.
Other EUC models based on platforms including SAS, MATLAB, and Python are popular too.
The PRA will likely focus its future scrutiny on these more insecure EUC-based models. So, what can an MRM team do to respond positively to the PRA’s expectations?
How to manage your EUC models
The first step is to create a centralised model inventory, which provides the foundation for effective model management and control. An inventory provides you with a model framework that proactively monitors the models. It provides a repository of the documents that define the use, design, and ownership of a model. It provides the basis for the workflow approval process that is a crucial element of the change management the PRA will expect to see.
The next stage is proactively monitoring your models. Regular attestation processes allow users to confirm the status of their models and highlight any changes and developments that need to be flagged to the management, risk and compliance teams, and the PRA. Firms should not ignore spreadsheet-based models in this monitoring and change control process. Firms can leverage automation to see where issues, errors, and missing data feeds may impact their ability to deliver accurate regulatory results to the PRA. These alerts form the basis of reports that give risk, compliance, and management teams the visibility that the PRA pointed out needed enhancement.
With the inventory and controls in place, the final phase is discovery, where you verify that the inventory captures all models in use, in particular those managed by end users (e.g. spreadsheet models). Best practice, which is the expectation of the PRA, will require banks to search the entire IT estate: PCs, file partitions, SharePoint sites, and cloud computing environments. The risk of missing a model, which could be a key spreadsheet, is too significant. The widespread use of EUC models in every business process requires powerful, scalable, and robust search capabilities.
Mitratech offers a range of EUC spreadsheet risk management solutions and MRM solutions that are market-leading, proven, and used by some of the most demanding institutions. Our solutions are powerful, scalable, and quick to deploy, offering institutions a practical way to address the needs of the business and the PRA.