The Office of the Comptroller of the Currency (OCC) recently released a new booklet titled Model Risk Management, which is an addition to the Safety and Soundness series within the Comptroller's Handbook.
This booklet covers a wide range of topics. However, we'll be focusing on the third-party risk management sections as they relate to vendor models and model risk management activities.
Third-Party Risk Management Areas of Focus
Selecting Vendor Models
The OCC gives guidance on what to consider when selecting vendor models. The processes should be appropriate for the organization's model risk management program, and the following information should be collected:
- Developmental evidence: Used to verify that the model is appropriate for the organization's products and risk exposures, this evidence should detail the model's components, design and intended use. It should also include information on the data used in the model's development, such as the use and effect of alternative data.
- Appropriate testing results: These results are needed to prove that the vendor's products work as expected.
- Limitations and assumptions: The vendor should also document when and how the model's use might cause issues.
- Ongoing monitoring and outcomes analysis: Vendors should be expected to perform ongoing performance monitoring and disclose the analysis of the outcomes to their clients. The vendor should also affirm that modifications and updates will be made over time, as needed.
- Model implementation: Finally, the organization should obtain clear instructions on implementing the model, including details on the parameter or threshold decisions.
External Activities
The handbook acknowledges that an organization can decide to engage third parties to help perform certain model risk activities, including the following:
- Validation and review of the model
- Support of internal auditing activities
- Functions related to compliance
- Reports of the third-party model certifications or validations. These reports should identify the model aspects reviewed and highlight any potential weaknesses within financial and economic circumstances when applicable. They should also determine if adjustments or controls are needed.
Internal Responsibilities
While third parties can perform certain model risk activities, model risk management is still an internal process. Organizations are expected to validate their use of vendor products. The OCC further states that organizations are responsible for certain activities, such as:
- Determining if the third party's work meets the standards and controls defined in its model risk governance framework
- Confirming that the scope of work has been completed by the third party, as defined in the contract or agreement
- Identifying and assessing any issues to ensure that they're quickly addressed
- Ensuring that the completed work is incorporated into its model risk management and third-party risk management processes
A key takeaway from these sections on third parties is that organizations should have as much internal knowledge as possible in case the vendor contract is terminated or the vendor goes out of business. The organization must understand and evaluate the results of the activities performed by the third party while, at the same time, establishing a contingency plan for situations in which the vendor model isn't available or can no longer be supported.