What are DQMs, and why are we talking about them?
SS1/23 brought DQMs to banks’ attention and set a timeline on model risk management (MRM) compliance for May 2024. Are you ready?
The PRA’s recent supervisory statement (SS)1/23 has made some significant changes to the ways that financial institutions think about model risk management (MRM). Most significant among these changes are the updates regarding deterministic quantitative methods, or DQMs.
While in the past there has been reference to a wider ecosystem of tools and non-models, SS1/23 demands financial institutions to identify DQMs and subject them to more stringent governance, along the lines of how traditional models are already governed.
But really: what is a DQM?
In SS1/23, the PRA has provided a broad and expanded definition of models to include DQMs. The supervisory statement explains: “For the purposes of the expectations contained within this SS, a model is defined as a quantitative method that applies statistical, economic, financial, or mathematical theories, techniques, and assumptions to process input data into output.” While traditional models are generally understood to be stochastic, or non-deterministic subsets of quantitative methods, the broader definition in SS1/23 includes DQMs, or deterministic quantitative models, as a subset of models.
These newly identified models may be owned by IT, but they aren’t always. They can look like spreadsheets, custom applications, and more, and can be owned by end-users. Between the ubiquity of DQMs and the fact that they have not been otherwise governed by the MRM teams, this new statement demands that financial institutions reassess their model risk in light of this expanded definition.
Why are they important?
Currently, most DQMs are governed according to the same guidelines that IT uses to govern its applications: by virtue of access controls, change controls, and role-based permissions. But many should be subjected to MRM controls. Firms must understand DQMs in terms of their use cases: what are these models used for? When DQMs are used for financial reporting purposes, liquidity, forecasting, capital, and other functions, they demand to be governed to a higher standard. Proper governance of these DQMs requires that their controls and tests respond to the business purpose the method serves, the methodologies underpinning it, and the assumptions in place that support its functionality.
How should firms address SS1/23’s changes for DQMs?
Firms must demonstrate some form of compliance by May 17, 2024.
On the one hand, teams can get started and make fast gains by looking at the DQMs they have already identified and evaluate the level of governance they currently apply. If a DQM is subject to IT-esque governance, companies can perform a “governance up-lift” by beginning to ask what kind of controls and testing must be carried out throughout the DQM lifecycle, as well as what kind of monitoring must take place.
On the other hand, one of the difficulties of these new requirements for DQMs is that not all DQMs are known. Accordingly, teams must engage in discovery in order to identify these additional DQMs, document them, and classify each according to objective standards. Following documentation, teams can risk rank the DQM by scoring impact and complexity, and then host this information in their inventory. Different DQMs will require different governance structures: some will demand highly scrutinized controls, while others will need less.