The picture captures the essence of the 3 elements of any model. First, what is a model?
A model is a process that takes the values of some (ultimately) observable data, called the input, and through a specified relationship generates the value of some new observable data, called the results. Note that the input may be either observable data say the USD CAD FX rate, or the Euro interest rates, or client sentiment, or it can itself be the results of a model like say an obligor rating, which itself is the result of a rating model. This chain, from observable data through a series of feeder models that generate intermediate results that then feed the next model up the chain, can be quite lengthy, however at the bottom of the chain is observable data, ie some measurement about some aspect of the world.
Now that we understand what a model is, as risk managers, we are interested in knowing what exposures are created by using a model, how we can controls need to be put in place to contain the potential financial and reputational loss within our Risk Appetite, what type of financial and operational resilience we need to be in place to rapidly recover when one of the exposures materializes into a financial or reputational loss and what governance structure we need to ensure that the first three are properly implemented and meet regulator expectations. This is nothing but ECRG applied to Models.
So what are the exposures in Model Risk? We are looking for the adverse events associated with the use of a model that would result in a financial or reputational loss. Pause for a few minutes, think and identify such events, and then MECE them.
There are really only two categories of events: the model can be wrong or the wrong model was used. And the Model can be wrong because it was not properly specified, which includes not specifying the right data for both calibration and input and not having the right relationship ship beetn the input data and the result. In addition, the model can be wrong if it is not implemented correctly. For example, a pricing model specifies that the input 5 year interest rate be squared but it is coded (either in a spreadsheet or some other software application to be multiplied by. then although the specification is correct the implementation would be wrong and as a result, the model would be wrong.
An example of using the wrong model is applying the right model for pricing US MBS to price Canadian MBS. Since Canadian mortgages have very different characteristics and features to those of US mortgages, a different model is required for these two different types of MBSs.
Another example of using the wrong model is using a model that is right for normal market conditions being applied to stress environments. or a model that is right for consumer marketing that is right for Bommers applied to Gen Z.
In short, the types of exposures for Model risk fall into 3 categories:
Specification, Implementation, and Applicability.
Specification: Defining the model's purpose, design, and requirements.
Implementation: Translating the specification into a functional model, usually coded in some app
Application: Using the model for its intended purpose. use of the model is restricted to certain products under specified conditions
Identifying the types of exposure is the first step but next we need to assess the amount of the exposure, even if this sizing is qualitative such as high, medium, or low, or another qualitative scheme such as large medium, or small.
The amount of exposure can also be separated into 2 components the likelihood of an adverse event happening and the amount of loss should one of those events happen. As with loans, the likelihood of an adverse event happening can be captured through some rating model.
Can you think of what features would be included in a model risk rating model?
Comments