Stress testing model risk management: New challenges for firms
04 February 2019
2019 marks a major step forward in the regulation of model risk management (MRM), with the PRA intensifying its supervisory scrutiny on firms’ stress testing MRM practices.
The PRA’s Model risk management principles for stress testing (SS3/18) sets out the expectation that firms should undertake a self-assessment of their stress test MRM practices. SS3/18 took effect from 1 June 2018, with some recent updates on 28 November 2018 when a PRA document was published alongside the Bank of England 2018 stress test results. This is now the standard for stress testing MRM which firms should evaluate their frameworks against.
More importantly, the PRA has an explicit requirement for firms to report the findings of their assessments in their Internal Capital Adequacy Assessment Processes (ICAAPs) from 1 January 2019 onwards. While the PRA is expected to apply this requirement proportionately taking into account their size, complexity, risk profile and the relevance of stress test models, all firms will also have to conduct their ICAAP preparations with greater rigour.
The PRA’s new stance towards stress testing MRM has material implications for firms’ broader risk and capital management frameworks. Firms will now be subject to closer scrutiny on this. It means that some firms could face a risk management and governance (RM&G) scalar as part of their PRA buffers to cover the risks posed by material deficiencies in their stress testing MRM. Depending on the severity of the weaknesses identified, the PRA may also introduce more stringent model validation and internal audit requirements.
The PRA emphasises that firms’ ICAAPs should include an adequate coverage of models that drive their stress tests, with identified model limitations. This is a significant task for all firms as stress testing covers a vast array of models in calculating both Tier-1 Capital and Risk Weighted Assets.
The PRA also requires firms to base their forecasts under stress scenarios on well supported judgements and assumptions, including through the use of appropriate empirical data or benchmarking analysis. While this is not new, this means there will be renewed PRA scrutiny and firms should address any data reliability issues by improving their data sources and the related IT infrastructure.
The PRA’s other concern is that some boards do not have adequate understanding of the limitations in their key models and the potential impact of model uncertainty in their outputs. This means that boards should expect scrutiny of their understanding of the limitations of models.
Senior management and Boards should be more involved in the MRM process, with oversight of appropriate policies and processes. In particular, they should ensure that they have model governance control procedures in place across the model lifecycle, with clear identification of responsibilities for model validation and delegation of authority.
These requirements could present challenges for those larger firms that already have robust risk management and controls frameworks in place. But for smaller firms, the implementation could be even more onerous given most of them use vendor models which can be less transparent. So all firms would be well advised to focus on MRM now.