Are Your Critical Spreadsheets Actually Models?
By Jeremy Condie, Vice President Americas, ClusterSeven
It used to be that only the largest financial institutions were impacted by model risk governance. Today, in addition to these, over 100 DFAST banks are implementing model risk governance. Furthermore, inventories of models, which are essentially simplified representations of real-world relationships among observed characteristics, values and events; are expanding dramatically as files are found that encompass all financial aspects of business areas – everything from derivative and financial instrument pricing and valuation; securitization; credit loss modelling through to risks associated with trading and financial reporting.
With models covering so many scenarios, organizations are experiencing a number of difficulties related to their governance, suggesting that perhaps they aren’t equipped to manage the burden the discipline imposes. Things such as incomplete model inventory, inconsistencies in approaches to modelling, poor model tracking and version control, inadequate validation, poor model accuracy, multiple implementation systems and so on are hindering good model risk governance.
Contributing to this is the growing recognition that spreadsheets and a variety of end user computing (EUC) applications are a fundamental part of the model risk governance process. In fact, often business-critical spreadsheets are models in their own right and are used by organizations, in addition to enterprise systems for accounting, risk management, underwriting, trading, and tax. With some inventories now approaching over 3,000 models, enterprises are struggling to gain complete visibility of these applications, while regulators expect organizations to apply the same model governance principals to all model types, including the business-critical spreadsheets.
Today, spreadsheet and EUC governance features in numerous regulatory frameworks including Dodd-Frank Act Stress Testing, Sarbanes Oxley Act, BCBS239, Prudential Practice Guide and many more. Fundamental to the accuracy of governance models is accurate data. Regulators are therefore demanding visibility of the data lineages between the models including spreadsheets across organizations’ information supply chain.
Manually undertaking such an exercise is almost impossible, a ‘wide lens’, technology-led approach is needed. This will enable organizations to determine the data sources and the lineages among the files; create an inventory categoried by the level of risk associated with the business-critical spreadsheets and models; and then track and monitor their use – all supported by an audit trail to demonstrate data quality, accuracy and integrity to the regulators.
ClusterSeven and Protiviti conducted a webinar on Model Risk Governance, which you can now see on-demand.