Our first four articles on IRR Management provided insights into the requirements, challenges and best practices involved with creating and implementing an effective IRR management system. This article addresses the equally important processes involved with the ongoing governance and maintenance of these systems.

Changes that are both internal and external to the bank can render the assumptions and processes used to calculate and measure interest rate risk obsolete in surprisingly short order. That is why one of the highest priorities for regulatory examiners performing an IRR management examination is to review audit and model validation reports to ascertain the effectiveness of the bank’s IRR controls and monitoring processes.

IRR Controls

The controls used to measure performance and test the effectiveness of risk management processes and personnel are at the core of any effective risk management system. These controls include ongoing monitoring and testing for quality control and assurance, internal and external audits, and risk and control assessments. The management and staff that carry out the control processes need to be independent from the business units that they are monitoring.

Staff that report to the asset liability management committee (ALCO) or treasury/finance unit, risk management and/or compliance, and internal and external auditors are usually all involved in reviewing and testing IRR processes and validating the reasonableness of model assumptions and integrity of the risk calculation and measurement processes.  Smaller banks will often use third party external auditors or consultants to perform these reviews.

Model Risk Management

IRR model risk represents the possibility of erroneous decisions being made as the result of inaccurate outputs from IRR models. These inaccuracies could be the result of errors in the model design, inaccurate model inputs, incorrect assumptions used in the model, or inappropriate use of the model due to a lack of understanding of the model’s limitations or intent.

An effective model management program includes policies and procedures around model development, implementation and use, and ongoing revalidation and governance. These policies and procedures should assign responsibility for model oversight and the processes for testing model integrity and accuracy and should be reviewed and approved at least annually by the board.  The policy should require independent review at regular intervals with appropriate documentation of the results and any resulting corrective actions.  Internal audit should review the effectiveness of the bank’s overall model risk management program.

Management is also expected to conduct due diligence when engaging third party vendor models to ensure that a credible independent party has validated the model and should perform their own validation of their use of the model.  The reasonableness of the assumptions used by the model should be reviewed and a contingency plan should be developed in case the model becomes unavailable.

IRR model validation and monitoring should include:

  • Confirming the model is reliable and appropriate for the bank’s risk profile and appetite.
  • The reasonableness of the model’s scenarios and assumptions (including senior managements review and approval of key assumptions).
  • Data input accuracy, completeness, and timeliness.
  • Outcome analysis, such as back-testing of the model’s projections against actual results and performing root cause analysis on any discrepancies.
  • Evaluating if internal or external business or market changes require adjustments to the model.

In SR 11-7: Guidance on Model Risk Management, the Fed stated that, “A guiding principle throughout the guidance is that managing model risk involves “effective challenge” of models:  critical analysis by objective, informed parties that can identify model limitations and produce appropriate changes. Effective challenge depends on a combination of incentives, competence, and influence.” The guidance also identifies three core elements of model validation as:

  • Evaluation of Conceptual Soundness to “ensure that judgment exercised in model design and construction is well informed, carefully considered, and consistent with published research and with sound industry practice.”
  • Ongoing Monitoring to “confirm that the model is appropriately implemented and is being used and performing as intended.”
  • Outcomes Analysis to compare model outputs to actual outcomes.

Conclusion

IRR risk management oversight should be a critical part of every bank’s overall risk management monitoring and review process and include robust policies, procedures, and controls. As a process that is heavily dependent on models, an effective IRR model management process is an essential element of any IRR risk management program and should include participation from the board and senior management, treasury and finance, risk management, compliance, and internal and external auditors.

Doran Jones can provide the regulatory compliance and risk management expertise combined with extensive technological knowledge and experience to design and implement a cost-effective solution that will increase efficiency and lower risk by upgrading your risk and compliance systems or identifying and remediating gaps in existing processes.

Contact us to learn how a strategic partnership with Doran Jones can provide you with cost-effective solutions by leveraging our expertise with these and other critical risk and compliance functions.