The loneliness of the model risk manager

Does your board really care about model risk?

Not in the abstract, or in carefully scripted assurances that governance is robust and controls are strong. The better question is whether the board, and the leadership beneath it, truly understands models as critical decision-making tools that need to be treated with care, because their weaknesses can affect capital, pricing and risk appetite. 

It’s a question some senior model risk executives ask themselves, and an unease they are willing to share with a journalist. But a number of them also admit it’s not something they would dare ask openly inside their banks. That disconnect is telling. 

If model risk teams flag up a material problem, waiting for a supervisory nudge looks like a failure of management judgement

This is not to say boards think model risk is unimportant. They know what they are meant to think about it – and, in a formal sense, they do. But in many banks, model risk is treated as a necessary but cumbersome control function – one that exists largely to satisfy regulatory expectations and keep adverse supervisory findings at bay.

As long as nothing appears visibly broken, senior attention often drifts elsewhere. Even when model risk teams identify problems – sometimes quite serious ones, Risk.net has learned – the issues can struggle to gain traction at the top. Warnings from model risk or internal audit departments may be noted, but rarely trigger urgent action unless regulators step in.

Perhaps this lies behind the split over the US Federal Reserve’s touchstone 2011 guidance on model risk management, SR 11-7. Presumably at the behest of its board members – senior executives of large US banks – the Bank Policy Institute industry group has advocated scrapping SR 11-7, prompting cries of alarm from the same banks’ model risk managers.

To be fair, even some risk managers acknowledge there’s a logic to this. A model risk executive at a large US bank says it is inevitable that banks prioritise functions that generate revenue and returns. Boards, they note, are not there to elevate every control function above the commercial engine of the firm – a reality that applies across all businesses, not just banking. In that sense, model risk was never likely to outrank revenue generation, business expansion or client strategy in the competition for senior attention.

That is why some of the frustration inside model risk comes with a degree of resignation. But understandable prioritisation can easily harden into something less defensible: a habit of waiting for regulators to force action. Over time, that can foster a culture in which serious weaknesses linger until an external authority makes them impossible to ignore. If model risk teams flag up a material problem in a model central to the business, such as capital or credit underwriting, waiting for a supervisory nudge looks like a failure of management judgement.

In some firms, the problem runs deeper. Model outputs are not always applied as evidence that might change a decision. Instead, they are treated as machinery expected to support decisions already made. When outputs highlight an inconvenient truth, the instinct is sometimes to pressure the model risk team until the result looks more palatable, rather than focusing questions on the business team. This is reverse-engineering comfort from a tool that is meant to impose discipline.

Which leads to the obvious question: if model risk teams want more (supportive) attention from boards, how can they get it?

Remaining relevant

Model risk executives say relying on the traditional script of governance, challenge and regulatory expectation is no longer enough. Those things still matter, but they rarely command sustained attention on their own. To stay relevant, model risk increasingly has to speak in the language that boards already use: efficiency, automation, scalability and execution.

That does not mean pretending the function is a profit centre, but rather, recognising how priorities are set inside banks. Many boards are focused on doing more with leaner resources, simplifying processes and deploying artificial intelligence to improve operational efficiency. Model risk teams that show they can support this agenda – for instance, through automated testing, faster validation cycles and more streamlined governance – are more likely to be heard. The key message is that good control does not have to mean operational drag.

Yet this creates an awkward tension. AI promises speed, automation and scale – themes that boards are eager to embrace. But AI systems are still models – often particularly complex and opaque ones at that. If institutions treat model risk as a secondary control function, rather than a core decision discipline, the gap between what banks believe their models are doing and what they are actually doing could widen. In an era of rapid technological adoption and easing regulatory pressure, that disconnect may prove costly.

The good news is that risk culture is not uniform across banking. In conversations with practitioners, some banks came up repeatedly as places where model risk teams felt their work was taken more seriously, rather than merely tolerated. Barclays and JP Morgan were often mentioned in that vein.

According to those conversations, the experience of model risk managers appears to depend heavily on the tone from the top – and particularly on the background of senior leadership. These sources argue that banks whose chief executives or chief risk officers (CROs) are more comfortable with quantitative questions tend to send a different message through the organisation.

“If a bank doesn’t really believe in independent risk challenges, it will often appoint someone from the business as CRO – someone who ‘understands us’ and will make sure risk doesn’t get in the way. That’s the wrong way to choose a CRO,” says a former model risk head at a large US bank.

Barclays might be a case in point. Chief executive CS Venkatakrishnan was previously the bank’s CRO, and before that, he worked in the risk division of JP Morgan as well. Model risk executives say that kind of career trajectory helps determine how their functions are viewed within the organisation.

“In banks that take risk governance seriously, the CRO is picked precisely because they are independent, have strong views and are willing to push them,” says the former model risk head. 

And when that happens, they add, it tends to generate a consistent stance on the importance of risk functions across the C-suite.

Editing by Philip Alexander