Prudential Regulation Authority Rulebook

3.1

The board of directors and senior management of firms are ultimately responsible for establishing a sound MRM framework to ensure key business decisions relevant to a firm’s safety and soundness are supported by sound and appropriate model output, and consistent with the board’s defined model risk appetite. While the scope and depth of MRM frameworks may vary across firms, certain core principles are fundamental to ensure effective MRM practices. These principles form the basis of the expectations in this supervisory statement.

Firms should have an established definition of a model that sets the scope for MRM, a model inventory and a risk-based tiering approach to categorise models to help identify and manage model risk.

Firms should have strong governance oversight with a board that promotes an MRM culture from the top through setting clear model risk appetite. The board should approve the MRM policy and appoint an accountable individual to assume the responsibility to implement a sound MRM framework that will ensure effective MRM practices.

Firms should have a robust model development process with standards for model design and implementation, model selection, and model performance measurement. Testing of data, model construct, assumptions, and model outcomes should be performed regularly in order to identify, monitor, record, and remediate model limitations and weaknesses.

Firms should have a validation process that provides ongoing, independent, and effective challenge to model development and use. The individual or body within a firm responsible for the approval of a model should ensure that validation recommendations for remediation or redevelopment are actioned so that models are suitable for their intended purpose.

Firms should have established policies and procedures for the use of model risk mitigants when models are under-performing, and should have procedures for the independent review of post-model adjustments.

3.2

The MRM principles are supported by a number of sub-principles and encompass all elements of the model lifecycle. The PRA expects firms to meet the high-level model risk management principles, as well as the individual sub-principles set out in the ‘Model risk management principles for banks’ section of this SS.

3.3

The MRM principles represent core risk management practices for all models and all risk types. The practical application of the principles by all firms should be commensurate with their size, business activities, and the complexity and extent of their model use. For example, for firms with a smaller number of models or less complex models, maintaining a model inventory should be less burdensome, and the criteria for classifying models into tiers can be materially simpler than for firms with a wider range of models or more complex models.

3.4

The framework should also be applied proportionately within each firm. The rigour, intensity, prioritisation, and frequency of model validation, application of risk controls, independent review, performance monitoring and re-validation are expected to be commensurate with the associated model tier assigned to a model. 

3.5

The PRA considers that active senior management and board involvement in firms’ MRM governance processes are key to robust and effective MRM practices. Strengthening the accountability of firms and individuals for managing model risk should improve the engagement and participation of senior management and boards which in turn will drive a successful implementation of MRM.

3.6

The PRA therefore expects firms to identify and allocate responsibility for the MRM framework to the relevant SMF(s) most appropriate within the firm’s organisational structure and risk profile as part of Principle 2. Firms should ensure the responsibilities in the SMF(s)’ Statement of Responsibilities are updated to reflect this.

3.7

The expectations in this SS are also relevant to models used for financial reporting purposes. The PRA considers that the effectiveness of MRM for financial reporting is relevant to the auditor’s assessment of, and response to, the risk of material misstatement as part of the statutory audit, including its understanding of a firm’s processes for monitoring the effectiveness of its system of internal controls and its understanding of a firm’s control activities.

3.8

The PRA expects firms to ensure a report on the effectiveness of MRM for financial reporting is available to their audit committee on a regular basis, and at least annually. To facilitate effective audit planning, the PRA expects firms to ensure that this report is available on a timely basis to inform their external auditor’s assessment of, and response to, the risk of material misstatement as part of the statutory audit.