[author: Henry Umney]
Predictive models are a core element of many regulatory frameworks to calculate results in a stressed business environment. Institutions have modeling teams who manage models under the PRA’s SS3/18 model risk management (MRM) framework. However, the fragmented nature of regulatory reporting means that there are likely to be many models with regulatory applications that fall outside the scope and control of MRM teams.
The PRA’s research identified the lack of controls applied to models. Without adequate controls, changes can be made without record, which increases the risk of misreporting. The lack of controls may also point to sub-optimal processes elsewhere in the management of models, including supervision, documentation, and the consistent application of MRM policies across the business.
Models in banking come in many forms.
Spreadsheets can feature as EUC applications, where users utilize spreadsheets’ power and flexibility to create software applications outside the control and influence of the corporate IT function. The use of EUCs in firms is not unusual.
Spreadsheets can be used as reference data sources, collecting information from a range of core systems across the bank; as calculators to generate the data used to populate the reports; as models to help create results required in some reports; or they can be used in the reconciliation process to collect, review, and modify the final regulatory results, as firms apply their expert judgment in their ‘final mile reporting’.
However, the lack of controls and transparency inherent in spreadsheets means that data can be overwritten without warning, data errors can be missed, or links to other applications and data sources can be broken without anyone realizing. In regulatory reporting, the risk of submitting a misreport caused by these errors to the PRA is significant.
Other EUC models based on platforms including SAS, MATLAB, and Python are popular too.
The PRA will likely focus its future scrutiny on these less secure EUC-based models. So, what can an MRM team do to respond positively to the PRA’s expectations?
With the inventory and controls in place, the final phase is discovery, where you verify that the inventory captures all models in use – in particular those managed by end users (e.g. spreadsheet models). Best practice – the expectation of the PRA – will require banks to search the entire IT estate, on PCs, file partitions, SharePoint sites or cloud computing environments. The risk of missing a model, which could be a key spreadsheet, is too significant. The widespread use of EUC models in every business process requires powerful, scalable, and robust search capabilities.
© Mitratech Holdings, Inc