Model Risk Management Guidance | Federal Housing Finance Agency
PageContent
ADVISORY BULLETIN
AB 2013-07
Model Risk Management Guidance
Purpose
This advisory bulletin replaces Federal Housing Finance Agency Advisory Bulletin 2009-AB-03 (Validation and Documentation of Models and Related Controls on Internal Processes). The earlier advisory bulletin provided guidance on model risk management for the Federal Home Loan Bank (FHLBank) System. This guidance’s scope includes Fannie Mae and Freddie Mac in addition to the FHLBanks and the Office of Finance (collectively, the Regulated Entities).[1] A Regulated Entity’s model risk management framework should reflect the entity’s size, complexity and extent of model use and level of risk exposure. Large, complex entities that develop their own models should have an appropriately rigorous framework in place. Both Fannie Mae and Freddie Mac are considered to be large, complex enterprises for purposes of this bulletin. As less complex entities, based on the current extent and scale of their model development, the FHLBanks should have a framework that is commensurate with their model use and risk exposure.
This advisory bulletin sets the minimum thresholds, based on the extent and scale of each Regulated Entity’s model development, for the Federal Housing Finance Agency’s supervisory expectations for model risk management by outlining the framework of baseline control and governance requirements. This bulletin is intended to be applied using a risk-based approach to models, model-based applications, modeling processes and significant end-user computing tools that are used to help make key business and financial decisions. Regulated Entities should apply the same principles outlined in this advisory bulletin to internally-developed and vendor-provided models, whether used and managed in-house or externally by a vendor.
This advisory bulletin draws on FHFA’s supervisory experience at the Regulated Entities and is consistent with related guidance issued by other federal financial regulatory agencies.[2]
Background and Key Points
The Regulated Entities use models in a variety of areas including but not limited to financial instrument valuation, compliance, capital reserves measurement, loss allowance, financial reporting, and market and credit risk measurement and control. Although models are often essential, reliance on inaccurate or inappropriate models may lead to poor or costly decisions.
Effective risk-based model risk management entails a comprehensive approach in identifying risk throughout the model lifecycle. A Regulated Entity should embed a risk management framework in its policies, procedures, roles and responsibilities of model stakeholders, and a well-coordinated committee structure. This framework promotes periodic monitoring and reporting of model risk horizontally and vertically across a Regulated Entity. It envisions the placement of stronger process control where risk arises; an appropriate organizational structure to promote transparency of risk; an independent model risk management group; and clear direction from a Regulated Entity’s compliance units, senior management, and its board of directors (the board). The board’s risk committee sets the model risk appetite at the corporate level. Model stakeholders including model users, developers, owners, and oversight groups should have clear accountabilities to promote compliance with model risk limits and management guidelines.
This framework incorporates recent trends in model risk management. Specifically, it adopts the practice of managing inherent model risk at the source – the assignment of model risk management responsibilities to model developers, owners and users. Also, the framework expands the risk management group’s role from one solely performing validation activities to one that is more proactive in risk identification and measurement. Additionally, the framework recommends that the board and senior management exercise oversight through working groups and committees. Working groups and management committees provide model stakeholders forums in which to discuss model issues and approve mitigating actions. The framework likewise expands the assurance function of internal audit in large, complex enterprises to include continuous monitoring of model controls and an enhanced ability to review the effectiveness of the validation function. For less complex entities, internal audit’s role could be more limited and focus on compliance with relevant policies and procedures.
Critical to the success of managing model risk is full ownership by model developers, owners and users of the responsibilities of managing risk consistent with the view that model risk is a risk management responsibility rather than a compliance obligation. Model risk is best managed at its source through a structured and disciplined approach in model development, testing, implementation, validation, and use. This is executed through a formalized control framework with a highly specific set of control procedures and standards present through the model lifecycle. Model owners and developers manage risk through proper development and implementation of models in accordance with these guidelines. Similarly, the model user takes guidance from specific control procedures to ensure that the model is used appropriately and all manner of model use is reported and inventoried. Examples of control guidelines include model documentation standards, model performance standards, model change and control procedures, and technical model development standards to guide model implementation.
An independent model risk management group provides a secondary layer of control by identifying and measuring residual model risk via its model validation, periodic review, and ongoing monitoring activities.
Senior management and the board perform vital governance and oversight functions through their review and approval of proposed remediation or mitigation approaches. Management committees provide the appropriate forums where corporate model strategies are discussed and management approves short-term model risk mitigation actions and longer-term model risk remediation approaches. At large, complex enterprises, internal audit assesses the design and effectiveness of the overall model risk management framework through its model and business process audits and its assessment of the validation function’s effectiveness.
In establishing this framework, senior management should ensure that roles and responsibilities are clear and that model risk issues are identified and reported horizontally and vertically across a Regulated Entity. Clear accountability is needed to ensure that model stakeholders have the proper incentives to manage their respective risk areas.
Senior management should create an appropriate organizational structure to promote effective organizational challenge of models. Key elements of having effective organizational challenge to models include findings management, performance tracking, reporting, and an escalation process. The independent validation group should be adequately staffed and have the requisite skills and experience to assess the conceptual design of the modeling approach. Model risk should be transparent and reported to the board and senior management. Remedial actions should be timely and escalation procedures clear. All stakeholders, including modelers, model users and independent validators, should participate actively to influence model development planning and prioritization. The support of senior management and the board is vital in promoting a culture of collaborative model risk awareness across a Regulated Entity.
Regulated Entities should customize their model risk management framework based on the extent and complexity of model use and their level of risk exposure. Large, complex enterprises that develop their own models should have a more rigorous and extensive framework in place. Less complex and smaller entities should design their framework to ensure minimum supervisory requirements are met in a cost-effective manner.
See Attached for FHFA Model Risk Management Guidance Handbook
[1] Although the Office of Finance is not a “regulated entity” as the term is defined in the Federal Housing Enterprises Financial Safety and Soundness Act of 1992, as amended, for purposes of convenience, this advisory bulletin includes the Office of Finance when referring to the Regulated Entities collectively, unless otherwise noted.
[2] Board of Governors of the Federal Reserve System and Office of the Comptroller of the Currency. Supervisory Guidance on Model Risk Management. OCC 2011-12 (April 4, 2011).