Against a background of increasing reliance on models and scenario analysis to assess future risks, the UK’s bank regulator, the Prudential Regulation Authority (“PRA”), has published a supervisory statement on “Model risk management principles for banks” (“SS1/23”). SS1/23 applies to UK banks, building societies and larger PRA-designated investment firms that use internal models to arrive at regulatory capital requirements for credit, market or counterparty credit risk. The PRA considers that other firms, including third-country firms operating in the UK through a branch, may find the contents “useful” and invites their participation.
SS1/23 sets out the five key principles that underpin a robust model risk management (“MRM”) framework and associated policies, procedures and practices, including at board level:
1. Model identification and model risk clarification
Firms should adopt the definition of a model set out in SS1/23 to give a basis for determining their MRM framework, maintain a comprehensive model inventory that facilitates the provision of necessary management information for reporting model risk and helps identify model inter-dependencies. Models should be tiered on a risk-based materiality and complexity basis that is subject to periodic validation.
2. Governance
Strong governance oversight should promote a top-down MRM culture through setting clear model risk appetite, and the MRM policy should be board-approved with an accountable individual assuming responsibility in the form of a designated senior management function.
3. Model development, implementation and use
The model development process should be robust, with appropriate standards for design, implementation, selection and performance measurement. Regular testing should lead to remediation of any limitations and weaknesses.
4. Independent model validation
Ongoing, independent and effective validation processes should provide effective challenge to model development and use.
5. Model risk mitigants
Firms should establish policies and procedures for the use of model risk mitigants to remedy under-performance and use independent reviews to ensure the adequacy of post-model adjustment.
Before SS1/23 came into effect on 17 May 2023, firms were expected to conduct a self-assessment of their MRM frameworks and remediate any shortcomings. These self-assessments should be updated at least annually and remediation plans reviewed and updated regularly, with board updates on remediation progress. The holder of the senior management function accountable for MRM is responsible for the actioning of remediation plans, and while routine sharing of the plans and self-assessments with the PRA is not expected, firms should be in a position to provide these upon request.