What is a risk model?

Your definition will affect your future

Financial services firms use multiple models to meet a variety of regulatory and financial reporting standards (such as IFRS 9, CECL and Basel guidelines). With increased scrutiny on model risk, bankers must establish a model risk management program for regulatory compliance and business benefits.

Is a calculation a model? Is a spreadsheet a model? Is the computer-based implementation of a mathematical solution to a problem a model? These are questions that rest heavily on the minds of bankers these days. Why, you ask?

The answer is found in regulatory guidance from the US and Europe on model risk management. If you are a banker, depending on your definition of what constitutes a model, you may or may not need to do some extra work to comply with evolving regulations and guidelines.

Models are useful things to have around, and many businesses have come to rely on them for certain applications – some of which expose the bank to significant risks. Predictive models fall into this category. In finance, examples include loan approval using credit scoring and hedging models using swaps and options to manage the balance sheet while protecting liquidity and determining capital adequacy.

Validity and governance

All models, especially high materiality models, must be scrutinized and challenged by model validation teams that are not involved in their development or use. Fundamentally, these model validators must determine whether a given model is fit for the purpose intended. They must understand the business environment and the business objectives the models were designed to support. They must also gauge the uncertainty due to unobservable or unreliable inputs.

And let's not forget about usage. Models that are perfectly developed and implemented can be applied to the wrong customers, financial instrument or set of transactions. Validators must carefully examine these areas, again keeping in mind the business context, as they perform their assessments.

Banks must develop and maintain effective model governance. Doing so entails creation of a model risk management (MRM) framework that includes:

  • Clear vision articulated from executive management.
  • Risk appetite.
  • A testing regimen and validation process.
  • A clear definition of roles, responsibilities and resource needs.
  • Documentation. 

It's crucial to maintain an inventory of models and to allocate sufficient resources to them. You will want to know that models are understood and that the risk exposures they represent are quantified for present and future operation. You'll also need to properly manage and maintain models to ensure that all of your models – as well as their input data and key underlying assumptions – are continuously verified.

From the top down

This is a tall order, and it rightfully involves the board of directors and executive management, who must establish and direct an enterprisewide model risk management program. How can directors decide on the proper allocation of resources to MRM? Much of the answer these days comes from regulators. But practicalities and experience will ultimately dictate what is truly necessary and what constitutes a waste of time.

Banks, and all businesses exposed to model risk, need to have a robust model risk framework that promotes consistent MRM standards across the firm. What would that look like? It must:

  • Be efficient.
  • Report on the entire program (aggregate as well as detailed performance measures from the bottom up).
  • Establish appropriate limits on model risk.
  • Perform stress testing, incorporating extreme use cases.
  • Facilitate risk mitigation and measurement of model risk before and after mitigation.
  • Measure residual model risk based on model performance and traced to risk sources.

The future is here

Overall model complexity is on the increase, and firms – especially banks – are taking greater model risks because of their increasing reliance on and expanded use of models. This trend will likely continue, fueled by greater computing power, more sophisticated and powerful business solution software, the pace of change in business, and the ever-present pressure for better and faster decisions.

Technology is an important partner in regulatory compliance, and it connects model risk reduction to tangible benefits. SAS solutions and tools provide transparency into the modeling process, options elected, assumptions made and results obtained – all in an intuitive and thoroughly documented computing environment.

Business and regulatory expectations are high. Are you ready?


serious man working at computer

Download our free paper

Managing Models and Their Risks is a report from GARP and SAS that explores the benefits – as well as the operational and enterprise risks – of models. Learn how to address new challenges and increase your risk management effectiveness as you rely on increasingly sophisticated models to keep pace with a fast-evolving landscape.

5 questions you should ask about your MRM strategy:

  1. Have you established a definition of a model?
  2. Do you have a complete inventory of models to show your regulator?
  3. Can you quantify the exposure each model represents?
  4. How confident are you that you have sufficient controls in place to manage the risks?
  5. Have you established, and has your board approved, an MRM framework?
  6. In the aggregate, how much of your institution's capital could be wiped out due to bad or misused models?