Financial Regulation

Model Risk Management (SS1/23)

What is SS1/23?

Model Risk Management in compliance with SS1/23 is the set of prudential standards defined by the Prudential Regulation Authority (PRA) for UK firms to recognize, measure and control the risks associated with models in the decision-making process. This requires governance, validation and control checks to be in place so that models are current, accurate, reliable and appropriate.

OVERVIEW OF SS1/23

Financial institutions face increased Model Risk Management (MRM) requirements following the Prudential Regulation Authority’s Supervisory Statement SS1/23 – Model Risk Management Principles for Banks, coming into effect on 17 May 2024. All banks and building societies need to have, and adhere to, sound frameworks covering every facet of model risk. T3 Consultants offers expert consultancy services that assist regulated firms in understanding and fulfilling SS1/23 obligations over the whole lifecycle of models (from gap analysis to full implementation), so that they remain in alignment with the PRA’s expectations for the management of model risk as a separate risk specialism.

GOVERNANCE & OVERSIGHT

Effective model risk management requires a strong governance framework. SS1/23 states the expectation that the board and senior management will instil a culture of model risk management from the top down. The board is required to define an explicit model risk appetite, approve a comprehensive MRM policy and allocate responsibility for the overall framework to an accountable Senior Management Function (SMF). This includes well understood roles and responsibilities (including the 3 lines of defence), and a regime of reporting on model risk. Internal Audit will be expected to conduct periodic independent assurance on the effectiveness of the MRM framework. T3 Consultants work with firms to develop governance structures in accordance with this — from drafting MRM charters and policies, to establishing model risk committees and reporting lines — ensuring that the firm’s leadership is fully capable of overseeing model risk in accordance with the regulatory guidance.

  • Board Leadership & Risk Appetite: Defining and setting the firm’s model risk appetite and policies, and overseeing model risk exposure at board level.
  • Senior Management Accountability: Allocating a specific SMF (e.g. Chief Risk Officer) to roll out and maintain the MRM framework, with documented responsibilities in their SMR Statement of Responsibilities.
  • Policy, Roles & Committees: Introduction of a company-wide Model Risk Management Policy and procedures. Establishment of accountabilities for model owners, users, validators, and oversight committees (e.g. Model Risk Committee) to ensure clarity of ownership and responsibility.
  • Internal Audit & Assurance: Assigning Internal Audit to independently confirm the effectiveness of the MRM framework (e.g. annually), to provide assurance that the governance and controls around models remain effective.

T3 can assist in the updating or authoring of governance papers, committee terms of reference, and with training to boards and management on their increased responsibilities under SS1/23.


Model Development & Lifecycle Management

Banks should “own” the whole model lifecycle, from model development, implementation, usage and monitoring through to retirement. SS1/23 requires strong model development standards, so that each model is a well-designed, well-tested and correctly used tool. This involves documenting how the model is supposed to be used, its design and its assumptions, using the model only with high-quality data, and testing thoroughly before the model goes into production. All models, whether built in-house or sourced from vendors, should be executed in a controlled IT environment and be under regular performance monitoring. Any identified limitations or deficiencies should be formally flagged and actioned in a timely manner. We assist clients in defining end-to-end model lifecycle procedures to preserve model fitness-for-purpose over time.

Model Design & Documentation

All models need to have a defined purpose and robust structure. We assist in the development of templates for the documentation of model methodology, theory behind it, and key assumptions and limitations in detail to the extent that an independent expert could review and understand the operation of each model.

Data Usage & Testing

Data quality is key. Companies must show that the data used in development is applicable and representative. We assist in creating the standards that ensure data quality, and the validation checks (back-testing, stressing of assumptions) applied during development to ensure the model behaves according to specifications over a range of conditions.

Implementation & Change Control

We help set up governed deployment processes for models – peer review, change control for model updates, keeping a version history, etc. Models are deployed to secure, tested environments (or with strong EUC controls if spreadsheets or EUC tools are used).

Ongoing Monitoring

After a model is deployed “into production,” the model’s performance has to be monitored continuously. We collaborate with you to establish key performance indicators and monitoring thresholds (e.g. accuracy stats, threshold deviations) to quickly spot when the model is starting to degrade or drift. When the model does start to drift, or if issues arise, there are procedures to re-calibrate or rebuild the model, as necessary (in conjunction with the validation and governance teams).

Independent Model Validation

SS1/23 states that banks should have an independent model validation unit to ensure a model is objectively challenged at the development and implementation stage by parties not responsible for those areas and periodically throughout the model’s lifecycle. A comprehensive validation programme should evaluate the model’s conceptual soundness, its data quality and integrity, its outcomes, and its limitations. Validation results should be communicated to the management. Models should not be used until shortcomings are rectified or mitigated. High-risk models should be re-validated more often (e.g. annually), and low-risk models on a multi-year basis, in a proportionate manner. T3 Consultants provide significant experience building and reviewing validation frameworks – guaranteeing the completeness, objectiveness and regulatory alignment of your validation.

Framework & Policies

We assist in the creation of a validation policy describing coverage, criteria and regularity of model validations, including specifying validation standards for different model tiers (such as level of scrutiny, type of test, level of documentation).

Initial and Ongoing Validation

For new models and material changes, we develop procedures for thorough independent backtesting prior to implementation by management. For models in production, we implement periodic re-validation procedures (e.g. tied to materiality or risk rating) to ensure the ongoing appropriateness of the model, performance, and assumed parameters.

Expert Review & Testing

Our experts can lead or perform validations, including: literature review, benchmark comparisons, re-performance testing, and code/check implementation review. We make certain validation reports properly articulate all model weaknesses and suggestions.

Findings Remediation & Tracking

We establish a process for governing the tracking of validation findings and remediation activities. This may involve a findings log, management action plans, and a governance committee to track timing for issue resolution. This “makes validation not only a mechanism for identifying gaps, but a mechanism for continual improvement”.

Data Quality & IT Infrastructure

Robust data and IT infrastructure underpin good model risk management. SS1/23 stresses the need to employ relevant and reliable data in model building and to operate models on secure and well-managed IT systems. Banks have to make sure that the data input to models (e.g. historical data, external data) is accurate, complete and appropriate for the context in which the model will be used. Data constraints must be identified and addressed. Similarly, models must run on IT systems with adequate access control, change management, testing, etc. to ensure no errors or downtime. This also applies to end-user computing (EUC) tools (e.g. spreadsheets, EUC applications) where they are considered to be models and are therefore captured by MRM. Leverage T3 Consultants to fortify your data governance and IT operations to serve the complete model lifecycle.

Data Governance

We help clients set up model data governance standards (including tracking data lineage, quality assurance on the input data, and regular validation of data sets employed in models). Good quality data is one of the most effective ways of reducing model risk, as the output of the model would be a true representation of reality.

IT Environment & Model Platforms

We review the IT infrastructure supporting model development and execution (from sandbox development environments through to end production systems) and make recommendations to harden these platforms, fully test them and back them up. Instances of such recommendations could include specialized model execution environments or databases for large or complex models (e.g. AI/ML models).

EUC Controls

Acknowledging that most banks also rely on end-user tools for modelling (e.g. Excel, Access, Python scripts), we assist in the roll-out of controls to ensure that “model” spreadsheets or EUCs are identified, tested and subject to change control in the same way that larger models are. This fills a blind spot related to less sophisticated tools that can still carry material risks.

Integration & Automation

T3 will advise on alternative technology solutions such as model inventory systems or workflow tools to assist in the semi-automation of model risk management (e.g. tracking review dates, sign-offs, performance metrics). Having the right infrastructure allows companies to more effectively govern model risk over multiple lines of business and types of models.

WHO DOES IT IMPACT?

SS1/23 affects financial firms handling client assets.

  • Banks & Building Societies
  • Insurers
  • PRA-Designated Investment Firms

Gwendoline Grollier – T3 Partner

SS1/23 Implementation Support & Expertise

Implementing the wide-ranging requirements of SS1/23 can be challenging – but T3 brings proven expertise to streamline this journey. Our team has extensive experience in model risk management frameworks and has worked with firms globally on regulatory compliance projects.

Gap Analysis: Initial gap analysis of your existing model risk management framework to SS1/23 principles. The gap analysis will highlight any areas of non-compliance or weakness (e.g. absent policies, inadequate validation frequency) and will deliver a roadmap of remediation actions.

Policy Development & Review: From policy templates through to the Model Risk Management Policy, validation standards, data governance policies and governance charters, our consultants draft and/or enhance documents to meet pragmatic standards. All documentation is reviewed and amended to be consistent with the wording and spirit of SS1/23, through the lens of your firm’s organisation.

Implementation plan: T3 will deliver a pragmatic and sequenced implementation plan for all required changes ahead of the regulatory effective date, focusing on key high-impact gaps, and establishing clear timing for the development of inventories, training of staff, and testing of new processes. We will work with your project management teams to embed this roadmap within your wider compliance plans.

Audit Prep & Regulatory Liaison: T3 also supports the documentation and evidencing required for a regulatory review or internal audit. This includes providing transparent audit trails for model approvals, validation findings, and policy sign-offs. If the regulator comes asking, we help you develop strong and defendable responses, evidencing all the work undertaken in meeting the original regulatory and audit requirements.

Ready to strengthen your model risk management framework?

Get in touch with T3 to discuss how our SS1/23 advisory services can support your organisation. We offer an initial consultation to understand your needs and propose a tailored plan for compliance. Use our contact form or call us at +44 20 8087 0917 to schedule a meeting with our risk management experts.
