Model Risk Management A Southeast Asia Perspective
Model Risk Management The Current Landscape There is currently no substantive guidance with respect to Model Risk Management in the Southeast Asia region, which creates the opportunity for the market to define and advance industry practices ahead of regulations. Introduction At a basic level, model risk can be defined as the potential for loss as a consequence of decisions based on the output of a financial model. Losses may arise due to: Fundamental Errors a model produces inaccurate results when compared to the design objective and intended use; and Incorrect use use of the model is not aligned with its limitations and assumptions. Various factors such as, but not limited to, input data, model development conditions and model implementation affect the model output, which informs management s decision-making. With the increased use of and dependence on complex models for pricing financial derivatives or regulatory capital calculations, model risk is emerging as a prominent type of risk in its own right. Zero tolerance of model risk akin to operational risk is neither achievable (due to complexity) nor desirable (from cost-efficiency perspective). Rather, model risk appetite needs to be calibrated and the exposure managed to a risk-efficient level similar to market and credit risk. Governance of models throughout their lifecycle and internal risk ratings become key. Model Risk Management (MRM) then takes on responsibility beyond traditional model inventory, validation and controls like periodic reviews. With MRM frameworks designed for the future, organisations can advance their model risk-related activities from a compliance-exercise to proactive assessment and management of model risk. 2
Regulatory Landscape In Southeast Asia, there is currently no substantive guidance with respect to MRM. The Monetary Authority of Singapore (MAS) and other regional regulators have notions 1 within their supervisory guidance with respect to model governance, organisation, testing, validation and acceptance yet lack definitive requirements. Regional regulators and the wider industry have looked to American 2 and European 3 regulators for probable baseline requirements and best practices. This provides certain advantages: Banks in the region can learn, incorporate and enhance industry best practices. Banks can engage with local regulators as they build infrastructure to ensure current and ongoing compliance. OCC 2000-16 First Definition of models and Model Risk 2006 CEBS GL 10 New Validation Requirements BCBS 2010-11 Introduction of a Leverage Ratio as a safeguard against Model Risk CRD IV/CRR 2013 36 Technical criteria concerning the organisation and treatment of risks including Model Risk Bank IT Circular 285/2013 Management Body must understand all of the business risks, management in banks Recommendation on Model Risk TRIM Guide Feb-2017 What about the future regulatory framework? BCBS 1988-06 Introduction of credit risk and asset risk weights. Amendment to incorporate market risks BCBS 2004-06 Valuation adjustments where appropriate, Model Risk Bank of Spain 2008-14 Banks need to consider valuation adjustments for Model Risk OCC-Fed 2011-12 SR -11-7 First Supervisory Guidance on Model Risk Management EBA RTS 2013 on Prudent Valuation Valuation adjustments on Model Risk Quantification EBA SREP CP/2014/14 Integration of Model Risk as part of Pillar II TRIM RTS/2016/03 Structure of 3 lines of defence PRA Stress Test Model Management Principles 3
The Industry Landscape Whilst there is an absence of definitive model risk requirements in Southeast Asia, American and European regulators have increased scrutiny and pressure on financial institutions response to model risk. The industry has ramped up investment in MRM capabilities by increasing headcount in respective areas and establishing robust MRM frameworks. Increased pressure by regulators on model risk, governance, controls and documentation amplified by increasing scope, complexity and dependence on models is a material cost driver. The attempt by industry to curb these costs has led to outsourcing model validation and other related efforts to offshore low-cost locations or third party vendors. The trade-off for lower costs is reduced control and oversight of the process. Banks in Southeast Asia find themselves at the cusp of MRM developments as they are not yet bound by prescriptive regulatory requirements. This is a unique opportunity to look to global industry peers and assess the appropriate approach forward to adapt and incorporate MRM as a risk management tool. Deloitte s Perspective A lot has been done in the name of MRM and respective regulatory compliance, particularly in the US and Europe. We believe this expertise can be leveraged to benefit banks in Southeast Asia to create a customised and balanced MRM framework, which is both complianceeffective and commercially efficient. Further, the current absence of regulatory requirements implies that organisations can maintain a dialogue with local regulators during design and implementation to help establish industry norms and ensure compliance moving forward. Regulatory developments are usually reactive measures resulting in increased compliance costs after periods of losses or reduced profitability due to a catalyst like a market crisis or operational incidents. The growing presence of model risk calls for proactive development of a robust and effective MRM and governance framework that can help organisations manage risk without the need to experience a major and expensive catalyst. Acknowledging and embedding MRM into the organisation as part of the daily operations and management decision-making allows banks to break the perspective of it being limited to a compliance exercise. Advanced use of data and analytics can further aid derivatives of internal risk ratings and self-improvement of models, and have a positive impact on profitability. 4 The unique features of the SEA region and its institutions call for bespoke and custom approaches to MRM. Tested knowledge and expertise from American and European markets can be tailored to best fit the region and the risk profile of the respective bank. Simply mirroring a western model has its limitations; a careful balance between costs and control must be struck to best fit local and regional perspectives and culture.
Evolution of Model Risk Management Model Validation Model Risk Control Model Risk Management Model Validation: The traditional scope for model risk is comprised of model validation and periodic review. In essence, when a new model was created it went through an approval and validation process after which it would be periodically tested for its appropriateness. This is an ineffective control processes, which takes a lagging, reactive and snapshot approach to potential emerging problems: A model failure or weakness may only be spotted upon review or at time of failure, or not at all. Backtesting techniques as detective measures, post-facto and statistical, again may fail to surface the specific or thematic issues of models. Furthermore, model documentation and audit trails are heavily scrutinized by regulators and are a challenge to maintain. Appropriateness and applicability of a model during selection become crucial as the testing of such is limited to the reviews. Model Risk Control: As an advance, activities around model risk are expanded to form a tighter and more timely closed control framework for model risk by introduction of model lifecycle management. As an example, detective processes on operational aspects of model uses were established across an organization such as regular reports of all pricing models used, to ensure they are to the latest versions and are appropriate for the product. A more systematic approach to validation and testing promises more successful capture of model failures, and with reference to the actual use cases such as stress testing. Such systematic testing further informs a more comprehensive understanding of potential P&L impacts on the actual portfolio of financial instruments across a range of models. Model Risk Management: The three lines of defence are fundamental to sound governance and organization, further help to establish clear management transparency and accountability for model risk. Deployment of algorithms for pro-active model improvement suggestions. In this light, model risk controls can be supported and enhanced with technology. For example, model lifecycle management tools ensure consistent and timely approach to process and document most aspects of model risk control. 5
Future of Model Risk Management Besides more effective, timely and proactive controls however, the natural progression of Model Risk Management is to leverage design principles and analytics. MRM as a tool for risk optimiation creates a new opportunity to define and manage risk appetite. The key difference arises from reporting and use of data proactively. The instrumental design change is to fully integrate and embed challenger and benchmark models upstream into production environments. Frequent runs for a variety of models and calibrations creates proactive insights: Generation of analytics to review model performance. Pattern analysis to identify exceptions for review. Deployment of algorithms for pro-active model improvement suggestions. Stress testing and scenario analysis for regulatory requirements. In such a data-driven setup, model review is no longer a periodic assessment, but a more powerful and integral part of production. Use of machine learning and robotics also becomes feasible through the generation of data and exception management, which can enhance self-improvement capabilities and better management of internal model risk ratings. Big data analytics can be upgraded to smart data. Conclusion Deployment of an enhanced MRM framework in the region is arguably simpler as banks can design and implement infrastructure that best suits their needs, structure and capabilities. Using design principles and leveraging analytics, regulatory compliance becomes an afterthought as risk management is embedded in the daily operations and decision-making. 6
Key Contacts Contributors Michael Rey Managing Director Financial & Regulatory Risk Singapore Mobile: +65 9837 4076 Email: mrey@deloitte.com Siddharth Agarwala Associate Regulatory Risk Singapore Key Contacts Benny Koh Partner Regulatory Risk Leader Southeast Asia Mobile: +65 9368 9898 Email: bekoh@deloitte.com Timothy McAndrews Managing Director Regulatory Risk United States Mobile: +1 646 385 6783 Email: tmcandrews@deloitte.com Nadège Grennepois Director Risk Advisory France Mobile: +33 6 80 48 65 78 Email: ngrennepois@deloitte.fr 01. MAS guidance is available primarily in the Risk Management section of the Regulatory and Supervisory Framework. There are no specific sections pertaining to model risk or its management. http://www.mas.gov.sg/regulations-and-financial-stability/regulatory-and-supervisory-framework/risk-management.aspx 02. The US Federal Reserve s (Fed) guidance stems primarily from SR 11-7: Guidance on Model Risk Management. https://www.federalreserve.gov/supervisionreg/srletters/sr1107.htm 03. The Bank of England Prudential Regulation Authority s (PRA) guidance stems primarily from the principles around stress test model management. http://www.bankofengland.co.uk/ pra/documents/about/letter270317.pdf 7
Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee ( DTTL ), its network of member firms, and their related entities. DTTL and each of its member firms are legally separate and independent entities. DTTL (also referred to as Deloitte Global ) does not provide services to clients. Please see www.deloitte.com/sg/about to learn more about our global network of member firms. Deloitte provides audit & assurance, consulting, financial advisory, risk advisory, tax & legal and related services to public and private clients spanning multiple industries. Deloitte serves four out of five Fortune Global 500 companies through a globally connected network of member firms in more than 150 countries and territories bringing world-class capabilities, insights, and high-quality service to address clients most complex business challenges. To learn more about how Deloitte s approximately 264,000 professionals make an impact that matters, please connect with us on Facebook, LinkedIn, or Twitter. About Deloitte Southeast Asia Deloitte Southeast Asia Ltd a member firm of Deloitte Touche Tohmatsu Limited comprising Deloitte practices operating in Brunei, Cambodia, Guam, Indonesia, Lao PDR, Malaysia, Myanmar, Philippines, Singapore, Thailand and Vietnam was established to deliver measurable value to the particular demands of increasingly intra-regional and fast growing companies and enterprises. Comprising approximately 330 partners and 8,000 professionals in 25 office locations, the subsidiaries and affiliates of Deloitte Southeast Asia Ltd combine their technical expertise and deep industry knowledge to deliver consistent high quality services to companies in the region. All services are provided through the individual country practices, their subsidiaries and affiliates which are separate and independent legal entities. About Deloitte Singapore In Singapore, services are provided by Deloitte & Touche LLP and its subsidiaries and affiliates. 2017 Deloitte & Touche Enterprise Risk Services Pte Ltd