SS1/23: Model Risk Management Principles for UK Banks

As you have probably heard, the Prudential Regulation Authority (PRA) has released its Policy Statement (PS) 6/23 concerning the management of model risk. This policy statement is the PRA’s feedback on the responses to the Consultation Paper (CP) 6/22 that set out the expectations for banks’ model risk management programmes. It is a landmark statement that will have a tremendous impact on how UK banks, building societies and investment firms who possess internal models will have to manage model risk. The enforcement of this policy statement and its associated Supervisory Statement (SS) 1/23 will commence on 17 May 2024.

In this article, our Model Risk Management (MRM) domain expert at Yields.io, Efrem Bonfiglioli, provides a concise overview of the crucial regulatory expectations outlined in SS1/23 and their impact on the management of model risk within financial institutions. 

What are the key changes from CP6/22?

Effective management of model risk demands strategic planning and technical capabilities. The final release of the MRM principles by the PRA not only establishes a deadline for adoption in the upcoming year but also prompts the question: Have there been any updates in light of industry feedback that was gathered after the release of the Consultation Paper CP6/22?

While foundational elements such as the definition of a model and some overarching governance principles remain unchanged, some amendments have been made to the policy. Several elements that we consider particularly noteworthy include:

  • Alterations to Principle 1.3 (c) to clarify that the choice of factors determining model complexity (for model tiering) is not prescriptive;
  • Adjustments to Principle 2.2 to clarify the responsibilities of the Senior Management Function (SMF); 
  • Edits to Principle 3.3 to specifically include dynamic and cumulative small parameters adjustments (e.g. for ML models) as part of model change management.

In the PS6/23 document, the PRA has also clarified that the guidance in the policy will initially only apply to banks that have secured approval for their internal models intended for regulatory capital purposes. As the PRA advances its policy concerning simpler-regime firms, it will provide further guidance on how the MRM policy will be implemented for banks without internal model approvals. 

SS1/23 in a nutshell

The PRA aims to assist firms to develop and implement sound model risk management policies, practices and procedures. Prompted by shortcomings in current MRM practices, including regulatory model permissions and board oversight, SS1/23 is also a response to the rising usage of models in areas like stress testing and regulatory reporting.

Although the PRA has offered comprehensive guidance on the principles outlined below, this blog post primarily emphasizes the practical challenges that financial institutions may encounter when striving to achieve compliance. The supervisory statement is organised around five principles that are critical for establishing a robust MRM framework and managing the associated risk effectively across all models and risk types. The main aspects of these principles are:

Principle 1: Model identification and model risk classification

  • Principle 1.1 (b) – [WHAT?] When it comes to model identification, firms will need a robust and auditable triage process for considering models that are in the scope of MRM with consistent decisions and conclusions. [WHY?] It is important that everyone defines models in the same way, so that all business lines make the distinction between tools and models consistently. 
  • Principle 1.2 (a) and (b) – [WHAT?] The model inventory should be company-wide and dynamically capture model interdependencies. [WHY?] In risk management, we need to be able to aggregate risk together so that we can identify risk concentration and perhaps discover offsetting effects. 
  • Principle 1.3 – [WHAT?] Model owners should evidence how they selected the risk drivers used to determine the model’s tier. Independent reviewers should verify this tiering. [WHY?] Model tiering enables an organization to implement proportional measures relative to how much risk a model carries. Since higher tiers will require stricter controls, the first line might be slightly biased towards lower tiers. This is why the second line should carefully review this process. 

Principle 2: Governance

  • Principle 2.1 (a) and (b) -The MRM framework should be applicable company-wide but granular enough to understand idiosyncratic model risk aspects. Requirements should be a function of the model tier (e.g. to set validation and ongoing monitoring frequency). 
  • Principle 2.1 (d) – [WHAT?] Aggregate model risk measures (e.g. KPIs) should be available to feed the model risk appetite for informed management decisions. This will also lead to more robust reporting capabilities (which should also include monitoring reports – see Principle 4.4). [WHY?] KPIs for model risk are both qualitative (e.g. complexity) and quantitative (e.g. performance). Especially the quantitative measures may vary quickly, which puts strong emphasis on the need for proper monitoring reporting. 
  • Principle 2.4 – Roles and responsibilities are clearly defined, documented and enforced throughout the model lifecycle.
  • Principle 2.6 (b) – Third-party vendor models are subject to the same MRM standards as internal models. 

Principle 3: Model development, implementation and use

  • Principle 3.1 – [WHAT?] Model purpose, modelling choices and model limitations should be defined and be transparent to model users. [WHY?] Many model risk incidents happen because model users rely on models that are not fit for purpose. This is why it is critical that model users are made aware about any known limitations of the model, and properly understand what use case the model has been created for. 
  • Principle 3.3 (b) and (c) – Performance tests should be defined and results should be made available, including for (cumulatively observed) material model changes.
  • Principle 3.5 – Model development documentation should be kept up to date and should cover data, methodology, testing and limitations.

Principle 4: Independent model validation

  • Principle 4.1 (b) and (c) – Both independent initial review and periodic re-validation are needed. The validation team also has shared responsibility for ongoing monitoring (e.g. reviewing results and requesting developers to further investigate). 
  • Principle 4.4  (c) and (d) – Model monitoring should include benchmarking (e.g. by running models in parallel), sensitivity analysis and outcome analysis. Regular reports should be produced.

Principle 5: Model risk mitigants

  • Principle 5.2 – Usage restrictions should be defined and be transparent to users, and remediation of model issues should be tracked and follow an auditable process.
  • Principle 5.3 – Temporary approvals for the usage of unvalidated models should be captured within an auditable process.

Achieving compliance with technology?

The first step towards becoming compliant with SS1/23 is to update (or create) a company-wide model risk management framework. Once that document is in place, technology can help in at least four different dimensions:

  • To provably enforce compliance with the framework
  • To organise all data and introduce processes in a uniform matter
  • To generate consistent and up-to-date reports
  • To automate the testing and monitoring of the models

Stay tuned in the upcoming weeks as we delve deeper into how the Yields MRM platform effectively addresses the PRA’s requirements. Yields.io has updated its best practice framework to be compliant with SS1/23. This framework has been translated into a default configuration of the Chiron platform. By offering this default configuration to our clients, we give organizations a head start in achieving compliance with regulatory standards. 

Subscribe to the Yields Newsletter

Stay ahead with expert articles on MRM and AI risk topics, in-depth whitepapers, and Yields company updates.