Does GDPR need to be centre stage in operational risk management?
Prudential Regulation Update – a regular view on new developments
Prudential Regulation Update – new model requirements for stress testing
22 May 2018
Prudential regulation is changing. Its complex nature means that updates to existing guidelines and new principles are constantly being developed. All regulated firms face the challenge of understanding these developments in the context of their own business model, and to implement them in a timely manner.
In this blog, we explore the recent increase in the Prudential Regulation Authority’s (PRA) expectations of model risk management relating to the use of stress testing models.
The PRA's expectations form four principles that detail what each firm must do to comply. The requirements are proportional with the largest firms to be held to the highest standards. However, any firm that performs stress testing as part of their ICAAP will need to enhance their governance, implement new risk policies, and consider the challenging requirement of additional specialist resource needed to perform independent validation.
Stress testing focus
In April 2018 the PRA released a Policy Statement (PS7/18) and Supervisory Statement (SS3/18) delivering expectations on firms to improve the control and governance of the models used in stress testing activities. These principles will apply to all regulated firms, not just those participating in the Bank of England’s (BoE) annual concurrent stress testing (CST) exercise.
The PRA will assess adherence through their qualitative review practice during CST, and through a firms Supervisory Review and Evaluation Process (SREP) during their assessment of risk management and controls and management governance and culture. The policy is implemented from 1 June 2018 with the expectation that all firms will perform a self-assessment against the principles in ICAAPs from 1 January 2019.
A proportional approach
The rigour and level of assessment required will be different between firms. Clearly, a large firm participating in the Bank of England’s annual CST exercise will be held to greater scrutiny than smaller firms with simpler balance sheets where stress testing activities are predominately performed during an ICAAP. However, it is likely the implementation of these principles will be more of a challenge for the smaller firms. The CST participants all use the Internal Ratings Based (IRB) approach to measurement of credit risk. Consequently, they must already demonstrate a robust framework to address model risk management.
Following material pronouncements on model governance in early feedback, CST firms should be treating their stress testing models with the same rigour as IRB. The new requirements will likely be an enhancement to an existing framework rather than an entirely new control system.
Smaller firms, particularly those that use the Standardised Approach (SA) to credit risk, are far less likely to be able to leverage the existing experience of their staff or an existing control framework. While PRA expectations will reflect this, the change will still be more significant. The lead time required to implement the appropriate governance framework and controls means this should be a current focus.
The new principles
The PRA define four principles that must be addressed:
- Principle 1 – Banks have an established definition of a model and maintain a model inventory
Firstly, agreeing and documenting precisely what constitutes a model. The guidelines encourage firms to construct their own definition specific to their own risk framework. Firms should consider calculation methods, mechanisms, significance of qualitative judgements and relationships to other models. There is also an expectation to ensure and record where calculations not captured under the model definition are controlled elsewhere within the risk framework.
The models should be centrally recorded and controlled with key information about the models position in the model lifecycle, governance process and who is responsible for its development, use and output.
Defining a model can be a tricky process. There is a fine balance between a narrow definition that captures enough calculations to meet PRA expectations and a broad definition that captures every spreadsheet in the entire firm. The new framework will become quickly overburdened if the latter is implemented. Diluting the effectiveness of the control in this way would mean the key risks this system intends to address may not receive adequate focus.
- Principle 2 – Banks have implemented an effective governance framework, policies, procedures and controls to manage their model risk
The key requirement in the policy is that firms produce policy and procedure to manage their model risk for stress testing models. This needs to be underpinned by a governance process that ensures responsibility for every aspect of model risk is assigned and is reportable through to board level.
Distinct roles and responsibilities need to be defined. The relationship between the first and second lines of defence should be clear and relevant to the ongoing management of the risk. The oversight of internal audit must be sought and their influence clear in any policy or process.
Defining the reporting line to the board is a significant requirement. A key theme in the PRAs approach to assessing a firms ICAAP submission is understanding the boards involvement and influence in the stress testing process. The requirement to define responsibility for model risk provides opportunity to ensure that the board are making decisions with a full appreciation of the consequence to the firm’s capital position.
- Principle 3 – Banks have implemented a robust model development and implementation process and ensure appropriate use of models
Ensuring models have been built to a consistent standard in a manner that can be easily demonstrated and controlled requires the policy and framework from principle 2 to be prescriptive and clearly cover the key elements defined in principle 3. Firms must consider the design, data used, assumptions and judgements, calculations and adherence to regulation when implementing stress testing models. and to clearly document how this has been achieved. The approach to ongoing monitoring must also be clearly defined and agreed.
This principle is a proportional requirement. Smaller firms will need to assess the materiality of each model and ensure that the level of rigour applied to the development is appropriate. Materiality can be defined in several ways but must be quantified, for example, looking at the proportion of the balance sheet it represents, or the profit/capital impact that model error may cause.
- Principle 4 – Banks undertake appropriate model validation and independent review activities to ensure sound model performance and greater understanding of model uncertainties
The policy and approach in principle 2 must also cover the firms process for ensuring that the models are fit for purpose and perform as they were designed. The scope and process for validation must be defined. The responsibility for validation must be clear and this must be independent from the design, build and implementation.
The requirement for independence in the validation of models may be particularly challenging given the complexities of stress testing models and the specialist skills and experienced required to perform a competent assessment.
This principle is also considered a proportional requirement. Assessing a model’s materiality is crucial in defining the validation and ongoing monitoring requirement. This may mean that a lower materiality model is assessed less frequently but should still meet all the criteria defined in the firm’s policies.
For more information or advice on any of the three hot topics raised in this regulatory round-up, please email [email protected].