ERM encompasses the strategy, programs and processes that make it possible for organizations to identify, monitor and address potential risks. Institutions that pursue a comprehensive approach to risk management are better positioned to manage uncertainty and risk while generating value to the organization. Two areas — model risk management and cybersecurity — illustrate the need to coordinate activities across the full breadth of the institution to manage risk effectively.
Model risk management and stress testing
- Guidance from the Federal Reserve Board and OCC calls for better implementation, usage, validation and governance of risk models to manage the operational risks associated with model usage and deployment and to support decision-making.
- Although institutions are devoting significant time and resources to model risk management, they must seek to improve their agility to respond effectively to shifting market conditions.
- By coordinating model risk management efforts with those of risk and compliance departments and improving data management capabilities, banks can be well-placed to mitigate risk and perform well on stress tests.
Trends and developments from the past year
In March 2014, the Federal Reserve released results from the stress testing conducted by the capital plans of large bank holding companies (BHCs) and foreign-owned banks (FOBs). The aim of the annual reviews is to ensure that large financial institutions have robust, forward-looking capital planning processes that account for their unique risks, and to help ensure that they have sufficient capital to continue operations throughout times of economic and financial stress.
For CCAR, the Fed reviewed the capital plans of 18 U.S. BHCs and rejected just one. However, two FOBs (out of four) found that their capital plan didn’t meet the standard. These findings can have far-reaching implications: Institutions that fall short can’t distribute dividends until demonstrating improvement, which significantly restricts capital management strategies. Further, banks whose plans don’t meet CCAR standards must devote additional resources to address outstanding issues and commit additional capital to bring their plans up to acceptable levels. The regulations have already made an impact on capital holdings. According to the Fed, the 30 large BHCs that took part in CCAR in 2013 increased their aggregate Tier 1 common capital from $460 billion in Q1 2009 to $971 billion in Q4 2013, while their Tier 1 common ratio for these firms has more than doubled, reaching a weighted average of 11.1%.
Under Section 165(i)(2) of the Dodd-Frank Act, banks with total consolidated assets of more than $10 billion must condu annual stress tests, which the OCC uses to assess a bank’s risk profile and capital. Results from this year’s DFAST review found that just one of the 12 BHCs breached the minimum Tier 1 common ratio of 5%.Regulatory changes
In October 2014, the Federal Reserve issued a final rule that adjusts the due date for capital plan and stress test results from BHCs with total consolidated assets of $50 billion or more. Beginning in 2016, these BHCs must make their submissions on or before April 5.
In October 2014, the European Central Bank (ECB) released results of its stress test of the eurozone’s 130 biggest banks.9 The ECB’s study found that 13 banks fell short of baseline levels for capital, down from 25 banks at the end of 2013. Collectively, the number of underperforming institutions, which included four Italian and two Greek banks, need to stockpile an additional €10 billion ($12.5 billion) to cushion themselves against any future crises. In an independent review by the European Banking Authority, all 20 banks exceeded capital requirements.
Banks are working around the clock to improve their capital management process and model risk management and prepare for stress tests. In many cases, executives will need to devote increased resources to model development, validation and governance. As BHCs have already transitioned to the Fed’s annual framework, banks with $10 billion to $50 billion in assets will now need to develop and implement strategies to manage compliance effectively:
Validation, both quantitative and qualitative, is fundamental to mitigating model risk. Assessing whether models are performing in line with their designed objectives and business usage should include an evaluation of conceptual soundness, ongoing monitoring and outcomes analysis. Generally, validation should be embedded into the model life cycle and performed by different parties. Independent validation can be performed by internal audit or third-party vendors that aren’t responsible for development or use and do not have a stake in a model’s output.
Documentation. Banks must document their policies and processes in sufficiently granular detail. Without this level of information, an institution’s model risk management will not enable reviewing parties unfamiliar with a model to understand how it operates, its limitations and its key assumptions. In addition, regulators expect financial institutions to provide extensive documentation on their model risk management efforts.
Governance. An emphasis on model governance begins with the appropriate participation of the C-suite and board. As part of their overall responsibilities, a bank’s board and senior management must ensure that its model risk management framework aligns with and supports its broader risk strategy. Since the models are often interconnected — that is, assumptions in one model could have a profound impact on other parts of the organization — the board should develop a holistic view of the bank’s aggregate risk. A framework should include standards for model development, implementation, use, validation and governance. As part of an appropriate “three lines of defense” approach, model risk management activities should involve the business and corporate functions that develop, use and monitor models. For example, risk and finance functions are typically involved, along with internal audit, treasury and marketing.
Efficiency and agility. Model risk management and stress testing rely on huge amounts of data, and having access to upto- date information is critical. Therefore, banks can improve the efficiency and agility of their risk activities by selecting and implementing technology solutions and systems to support effective data management. Having the right tools can enable banks to automate and streamline key processes; deploy relevant risk, operational and financial data; and apply required business and risk analytics.
<< Back to Controlling costs through compliance optimization Forward to Cybersecurity: A moving target >>