The Prudential Regulatory Authority’s Supervisory Statement SS3/18 concerning model risk management principles is the latest in a long line of financial industry guidance that started with OCC 2011-12, the Federal Reserve’s SR 11-7 and others. Although it is highly focused on the models used for determining capital adequacy (stress testing) in UK banks, and the principles are sound, it is not good news for model risk managers.

How do you comply with yet another regulation without additional resources? 

Leveraging today’s modern, model inventory software-as-a-service can free up resources and provide higher value add to the business by providing a much clearer view into where their model risks lie and what is being done to mitigate them.

The guidance recommends yet another self-assessment and documentation requirement on a group of people that is chronically over-worked and under-resourced. When looking at the role of a model risk manager, three perennial challenges come into view that are easy to talk about but harder to overcome.

Model Inventory

Maintaining a model inventory is simple in concept and much harder in practice. Establishing the initial inventory has its challenges, especially given the fact that the line of business usually isn’t enthusiastic about taking the time to document their model usage. Many in the line of business would prefer that you just go away, thank you very much. But the “maintain” piece is what is really difficult. Keeping a model inventory accurate and up to date takes a lot of work and a lot of chasing down various owners and users. And it never ends; the task is continuous. Whatever your periodic update timing is (quarterly, annually, etc.), all the risk metadata needs to be refreshed and then reported on. That consumes a lot of people resources.

Defining a “Model”

As with model inventory, agreeing on a definition of what constitutes a model is a seemingly simple concept that is much harder to do in the real world. As mentioned, the natural tendency of most model owners and users is to keep their model out of the inventory because it means less work for them. Certain model types, e.g. impairment models, would be hard to hide, but what about a more nondescript feeder model? How does a model risk manager establish that such a model even exists and should be in the inventory? In many of the banks we work with, a “model” can be a process that consists of a series of models connected to produce an output (e.g. expected loss). Documenting that is time-consuming and difficult. And finally, even if a particular application is not a “model” in the strictest sense of the regulatory definition, if it is complex and material as part of a critical business process, it should be part of your inventory. Even though it may not be a regulatory mandate per se, it’s still a significant risk. Including high-risk end-user computing applications (EUCs) in the inventory is good risk management practice, but it takes more time and thus it usually is not done.

Resource Constraints

With the explosion of robotic process automation and machine learning technologies, the market demand for data scientists and those who have the necessary skills for validation far exceeds supply. Simply put, there just aren’t enough “quants” to go around. Assessing the data used to develop a model, testing and model validation are all specialized skills. In addition, no Model Risk Manager is an island. They rely on coordination between developers, owners, and users. Given that maintaining the segregation of duties is necessary to satisfy regulations and internal policy, how can one person (or even a small team) handle this tremendous workload? In most companies, justifying additional headcount is difficult. Justifying headcount in order to meet the latest layer of regulatory recommendations that won’t create profit is even more difficult. The answer is technology in the form of semi-automated, model inventory-as-a-service software.


Today’s model risk inventory systems are very well suited to addressing these resource constraints. Utilizing secure cloud technology, the risk metadata for the existing inventory can be on-boarded in less than thirty minutes. Please note: The models themselves stay behind your firewall and are not stored in the cloud. The manual process of updating the information at the required intervals can now be automated - so can all of the compliance and risk reporting tasks. Other software tools can be utilized to assist with model validation and can provide the objective evidence needed by internal audit. These modern tools are a far cry from the first generation of software solutions aimed at this issue.

In closing, more regulation is not good news for the model risk manager. Apart from job security, there isn’t much upside for you. However, I strongly suggest that you invest some time in exploring how technology can be used to make this seemingly impossible task possible. Leveraging today’s modern, model inventory software as a service can free up resources and provide higher value add to the business by providing a much clearer view into where their model risks lie and what is being done to mitigate them.

To learn more, download our white paper: SS 3/18 Model Risk Management Principles for Stress Testing.