Model Risk Management Principle For Banks

Prudential Regulation Authority
Appendices to CP6/22 – Model risk

management principles for banks
Consultation Paper | CP6/22
June 2022
Bank of England | Prudential Regulation Authority Page 1
Contents
Contents 1
1: Draft Supervisory Statement – Model risk management principles for banks 2

Introduction 2
Background 3
2: PRA statutory obligations 31
© Bank of England 2022
Prudential Regulation Authority | 20 Moorgate | London EC2R 6DA

1: Draft Supervisory Statement – Model risk

management principles for banks
Introduction
1.1 This Prudential Regulation Authority (PRA) Supervisory Statement (SS) sets out the
PRA’s expectations for banks’ model risk management (MRM). The PRA considers model
risk as a risk in its own right.
1.2 This SS is relevant to all regulated UK-incorporated banks, building societies and PRA-
designated investment firms (hereinafter ‘firms’).1 Although the expectations do not apply to
third-country firms operating in the UK through a branch, the PRA considers that those firms
may find the proposed principles useful, and are welcome to consider them to manage model
risk within their firm. Credit unions, insurers, and reinsurers are not in scope of the MRM
expectations in this supervisory statement.
1.3 The purpose of this SS is to support firms to strengthen their policies, procedures, and
practices to identify, manage, and control the risks associated with the use of models,
developed in-house or externally, including vendor models,2 and models used for financial
reporting purposes. The principles are designed to complement, not supersede, existing
supervisory expectations that have been published for selected model types. Firms should
continue to apply the supervisory expectations relevant to them and their particular models.
1.4 The SS is structured around five high-level principles designed to cover all elements of
the model lifecycle. The principles set out what the PRA considers to be the core disciplines
necessary for a robust MRM framework to manage model risk effectively across all model
and risk types. The PRA’s desired outcome is that firms take a strategic approach to MRM as
a risk discipline in its own right.
1 While we use the term ‘firms’ in this document to collectively refer to banks, building societies and
designated investment firms, the term ‘banks’ will be used in the title to make it clear that the
expectations do not apply to insurers.
2 Vendors and external consultants may find this supervisory statement useful as it sets out the PRA's
minimum expectations for firms’ own MRM frameworks.
Background
The use of models
1.5 Firms’ use3 of models cover a wide range of areas relevant to its business decision-
making, risk management, and reporting. Business decisions should be understood here as
all decisions made in relation to the general business and operational banking activities,
strategic decisions, financial, risk, capital, and liquidity measurement and reporting, and any
other decisions relevant to the safety and soundness of firms. Firms' increasing reliance on
models and scenario analysis to assess future risks and the evolution of sophisticated
modelling techniques highlights the need for sound model governance and effective MRM
practices. Inadequate or flawed design and implementation, and inappropriate use of models
could lead to adverse consequences.
Quantitative methods and models

1.6 A wide variety of quantitative calculation methods, systems, approaches, end-user
Computing (EUCs) applications and calculators (hereinafter collectively ‘quantitative
methods’) are often used in firms’ daily operations, ie output supports decisions made in
relation to the general business activities, strategic decisions, pricing, financial, risk, capital
and liquidity management or reports, and other operational banking activities. Good risk
management practices involve quantitative methods that support business decisions being
tested for correct implementation and use.
1.7 Models are a subset of quantitative methods. The output of models are estimates,
forecasts, predictions, or projections, which themselves could be the input data or
parameters of other quantitative methods or models. Model outputs are inherently uncertain,
because they are imperfect representations of real-world phenomena, are simplifications of
complex real-world systems and processes (often intentionally), and based on limited sets of
observations. In addition to testing for correct implementation, for models, good risk
management practices involve:
i. the applicability to the decisions they support being verified; and
ii. the validity of the underlying model assumptions in the business context of the
decisions being assessed.
1.8 For the purposes of the expectations contained within this SS, a model is defined as a
quantitative method that applies statistical, economic, financial, or mathematical theories,
techniques, and assumptions to process input data into output. Input data can be quantitative
3 Model use is defined here as using a model’s output as a key basis for informing business decisions.
and/or qualitative in nature or expert judgement-based and the output can be quantitative or
qualitative. A working definition of a model is important as it brings consistency and clarity for
firms implementing MRM frameworks.
1.9 However, advances in technology and data processing power increasingly enable
deterministic quantitative methods such as decision-based rules or algorithms to become
vastly more complex and statistically orientated, conditions that would typically entail
challenge to their applicability in supporting important business decisions. Understanding the
potential impact the use of models and complex quantitative methods could have on firms’
business and safety and soundness is therefore equally important.
Model risk
1.10 Model risk is the potential for adverse consequences from model errors or the
inappropriate use of modelled outputs to inform business decisions. These adverse
consequences could lead to a deterioration in the prudential position, non-compliance with
applicable laws and/or regulations, or damage to a firm’s reputation. Model risk can also lead
to financial loss, as well as qualitative limitations such as the imposition of restrictions on
business activities.
1.11 Models’ outputs may be affected by the choice and suitability of the methodology, the
quality and relevance of the data inputs, and the integrity of implementation and ongoing
scope of applicability of a model. The continued suitability of the model may also be impacted
by changes to the validity of any assumptions supporting the model’s use case (eg the
macro-economic assumptions encoded in the model, or assumptions about the continued
relationship between variables in historical data) or inappropriate use.
1.12 Individual model risk increases with model complexity. For example, the PRA would
expect higher model risk for more complex models that are difficult to understand or explain
in non-technical terms, or for which it is difficult to anticipate the model output given the input.
Similarly, higher uncertainty in relation to inputs and construct, eg complex data structures,
low quality or unstructured data would increase model risk, including models where the
results and findings cannot be easily repeated or reproduced. Overall (aggregate) model risk
increases with larger numbers of inter-related models and interconnected data structures and
data sources.
Model risk management and the model lifecycle

1.13 Model risk can be reduced or mitigated, but not entirely eliminated, through an effective
MRM framework. Effective MRM starts with a comprehensive governance and oversight
framework supported by effective model lifecycle management.
1.14 The model lifecycle can be thought of as being made up of three main processes:
i. the core modelling process - model development, implementation and use;

ii. model validation – the set of activities intended to verify that models perform as
expected, through:
a) a review of the suitability and conceptual soundness of the model (independent
review);
b) verification of the integrity of implementation (process verification);
c) ongoing testing to confirm that the model continues to perform as intended
(model performance monitoring); and
i. Model risk controls – the processes and procedures other than model validation
activities to help manage, control or mitigate model risk.
1.15 The sequence of modelling-validation-control activities describes the various stages in a

model’s lifecycle.
Diagram: the model lifecycle
Organisational structures, validation and control functions

1.16 Establishing the roles and responsibilities for the three main model lifecycle processes is
firm-specific and depends on a firm's business model and structure of business lines. The
primary roles are usually defined as follows:
i. The model owner is the individual accountable for a model's development,

implementation and use, and ensures that a model's performance is within
expectation. The model owner could also be the model developer or user.
ii. The model user(s) is the individual(s) that relies on the model's outputs as a basis for
making business decisions. Model users typically identify an economic or business
rationale for developing a new model and/or the need to change or modify an existing
model, and may be involved in the early stages of model development and ongoing
monitoring activities.
iii. Model developer(s) is/are the team or individual(s) responsible for designing,
developing, evaluating (testing), and documenting models.
1.17 Large firms often establish a designated model risk function (MRM function) within their
risk management or compliance departments. The MRM function may be separate from the
model validation function in which case they have distinct responsibilities. The MRM function
is usually responsible for creating and maintaining the MRM framework and risk controls.
Where firms do not establish a designated MRM function, the responsibilities for the MRM
framework and risk controls are usually assigned to individuals and/or model risk committees
(or a combination). Regardless of the structure of firms’ business lines, the effectiveness of
MRM control functions is affected by their stature and authority, for example to restrict the
use of models, recommend conditional approval, or temporarily grant exceptions to model
validation or approval.
1.18 The validation function’s primary responsibility is usually to provide an objective and
unbiased opinion on the adequacy and soundness of a model for a particular use case.
Validators should therefore not be part of any model development activities, nor have a stake
in whether or not a model is approved. Ensuring model validators’ impartiality can be
achieved in various different ways, eg having separate reporting lines, and separate incentive
structures from the model developers, or an independent party could review the test results
to support the accuracy of the validation, and thereby confirm the objectivity of the finding of
the independent review.
1.19 Regardless of the model type, risk type, or organisational structure, effective MRM
practices are underpinned by strong governance and effective model lifecycle management,
consisting of robust modelling, validation and risk control processes.
Overview of the principles

The MRM principles
1.20 The board of directors and senior management of firms are ultimately responsible for
establishing a sound MRM framework to ensure key business decisions relevant to a firm’s
safety and soundness are supported by sound and appropriate model output, and consistent
with the board's defined model risk appetite. While the scope and depth of MRM frameworks
may vary across firms, certain core principles are fundamental to ensure effective MRM
practices. These principles forms the basis of the expectations in this supervisory statement.
Principle 1 – Model identification and model risk classification

Firms have an established definition of a model that sets the scope for MRM, a model
inventory and a risk-based tiering approach to categorise models to help identify and manage
model risk.
Principle 2 – Governance
Firms have strong governance oversight with a board that promotes an MRM culture from the
top through setting clear model risk appetite. The board approves the MRM policy and
appoints an accountable individual to assume the responsibility to implement a sound MRM
framework that will ensure effective MRM practices.
Principle 3 – Model development, implementation, and use
Firms have a robust model development process with standards for model design and
implementation, model selection, and model performance measurement. Testing of data,
model construct, assumptions and model outcomes are performed regularly in order to
identify, monitor, record, and remediate model limitations and weaknesses.
Principle 4 – Independent model validation
Firms have a validation process that provides ongoing, independent, and effective challenge
to model development and use. The individual or body within a firm responsible for the
approval of a model ensures that validation recommendations for remediation or
redevelopment are actioned so that models are suitable for their intended purpose.
Principle 5 – Model risk mitigants
Firms have established policies and procedures for the use of model risk mitigants when
models are under-performing, and have procedures for the independent review of post-model
adjustments.
1.21 The MRM principles are supported by a number of sub-principles and encompass all
elements of the model lifecycle. The PRA expects firms to meet the high-level model risk
management principles. Other than ‘simpler regime firms’, firms are also expected to meet
the individual sub-principles set out in the ‘Model risk management principles for banks’
section of this SS.
Proportionality
1.22 The MRM principles represent core risk management practices for all models and all
risk types. The practical application of the principles by all firms should be commensurate
with their size, business activities, and the complexity and extent of their model use. For
example, for firms with a smaller number of models or less complex models, maintaining a
model inventory should be less burdensome, and the criteria for classifying models into tiers
can be materially simpler than for firms with a wider range of models or more complex
models.
1.23 The framework should also be applied proportionately within each firm. The rigour,
intensity, prioritisation, and frequency of model validation, application of risk controls,
independent review, performance monitoring and re-validation are expected to be
commensurate with the associated model tier assigned to a model.
1.24 In addition, firms that qualify as a simpler-regime firm4 should apply Principle 1
(establish the model definition, keep an inventory and classify models) in full, but should only
focus on the following basic elements of Principle 2, (Governance):
i. The board approves the MRM policy and appoints an accountable individual to
assume the responsibility to implement a sound MRM framework that will ensure
effective MRM practices.
ii. Firms should have clearly documented policies and procedures that formalise the
MRM framework and support its effective implementation.
iii. Internal Audit (IA) should periodically assess both the effectiveness of the MRM
framework.
iv. Boards and senior management retain responsibility for the management of model
risk when the firm uses externally developed models, third-party and vendor
products.
1.25 Simpler-regime firms5 should identify if there are any models that have a material
bearing on business decisions, and which are complex in nature (it is anticipated that a
simpler-regime firm will have a limited number or possibly no such models). These firms are
expected to apply Principles 3, 4, and 5 only to those models identified as having a material
bearing on business decisions, and where these models are complex in nature. Furthermore,
where simpler-regime firms identify specific models where Principles 3, 4, and 5 should be
applied, they are expected to focus on meeting the highest-level outcome as described for
4 As defined in CP5/22 ‘The strong and simple framework: a definition of a simple-regime firm’, noting
that this is a working term that might be revised in due course:
https://www.bankofengland.co.uk/prudential-regulation/publication/2022/april/definition-of-a-
simpler-regime-firm.
5 ‘Simpler-regime firms’ are not expected to have any IRB models.
each Principle, and only need to apply the individual sub-principles where this is necessary to
achieve this objective.
SMF accountability for model risk management framework
1.26 The PRA considers that active senior management and board involvement in firms’
MRM governance processes are key to robust and effective MRM practices. Strengthening
the accountability of firms and individuals for managing model risk should improve the
engagement and participation of senior management and boards which in turn will drive a
successful implementation of MRM.
1.27 The PRA therefore expects firms to identify and allocate responsibility for overall MRM
to the relevant SMF most appropriate within the firm’s organisational structure and risk profile
as part of Principle 2. Firms should ensure the responsibilities in the SMF’s Statement of
Responsibilities are updated to reflect this.
Financial reporting and external auditors
1.28 The expectations in this SS are also relevant to models used for accounting purposes.
The PRA considers that the effectiveness of MRM for financial reporting is relevant to the
auditor’s assessment of, and response to, the risk of material misstatement as part of the
statutory audit, including its understanding of a firm’s processes for monitoring the
effectiveness of its system of internal controls and its understanding of a firm’s control
activities.
1.29 The PRA expects firms to report on the effectiveness of MRM for financial reporting to
their audit committee on a regular basis, and at least annually. To facilitate effective audit
planning, the PRA expects firms to ensure that this report is available on a timely basis to
inform their external auditor’s assessment of, and response to, the risk of material
misstatement as part of the statutory audit.
Implementation and ongoing self-assessment
1.30 The implementation date of this policy is 12 months following its publication.
1.31 By the implementation date of the policy, firms applying the principles are expected to
conduct an initial self-assessment of their implemented MRM frameworks against these
principles and, where relevant, to prepare remediation plans to address any identified
shortcomings.
1.32 Self-assessments should be updated at least annually thereafter and any remediation
plans should be reviewed and updated on a regular basis. Both the findings from the self-
assessment and remediation plans should be documented and shared with firms’ boards in a
timely manner. Firms’ boards should be updated regularly on remediation progress. Firms
that qualify as a simpler-regime firm should complete an initial self-assessment and
thereafter at an appropriate frequency that could be less frequent than annual.
1.33 The relevant SMF accountable for overall MRM should be responsible for ensuring
remediation plans are put in place where necessary with clear ownership of any necessary
actions. Firms are not expected to share the remediation plans or self-assessment routinely
with the PRA, but should be able to provide them upon request.
Model risk management principles for banks

Principle 1 – Model identification and model risk classification
Firms have an established definition of a model that sets the scope for MRM, a model
inventory and a risk-based tiering approach to categorise models to help identify and manage
model risk.
Principle 1.1 Model definition
A formal definition of a model sets the scope of an MRM framework and promotes
consistency across business units and legal entities.
a) Firms should adopt the following definition of a model as the basis for determining the
scope of their MRM frameworks:
A model is a quantitative method, system, or approach that applies statistical,

economic, financial, or mathematical theories, techniques, and assumptions to
process input data into output. The definition of a model includes input data that are
quantitative and / or qualitative in nature or expert judgement-based, and output that
are quantitative or qualitative.
b) Notwithstanding the above definition, where material deterministic quantitative

methods such as decision-based rules or algorithms that are not classified as a model,
have a material bearing on business decisions6 and are complex in nature, firms
should consider whether to apply the relevant aspects of the MRM framework to these
methods.
6 Business decisions should be understood here as all decisions made in relation to the general business
and operational banking activities, strategic decisions, financial, risk, capital and liquidity measurement,
reporting, and any other decisions relevant to the safety and soundness of firms.
c) In general, the PRA expects the implementation and use of deterministic quantitative
methods not classified as models to be subject to sound and clearly documented
management controls.
Principle 1.2 Model inventory
A comprehensive model inventory is maintained to enable firms to: identify the sources of
model risk; provide the management information needed for reporting model risk; and help to
identify model inter-dependencies.
a) Firms should maintain a complete and accurate set of information relevant to manage
model risk for all of the models that are implemented for use, under development for
implementation or decommissioned.7
b) While each line of business or legal entity may maintain its own inventory, firms should
maintain a firm-wide model inventory which would help to identify all direct and indirect
model inter-dependencies in order to get a better understanding of aggregate model
risk.
c) The type of information the model inventory should capture include:
(i) the purpose and use of a model. For example, the relevant product or portfolio,
the intended use of the model with a comparison to its actual use, and the model
operating boundaries under which model performance is expected to be
acceptable;
(ii) model simplifications and limitations. For example, risks not captured in model
and limitations in the data used to calibrate the model;
(iii) findings from validation. For example, indicators of whether models are
functioning properly, the dates when those indicators were last updated, any
outstanding remediation actions; and
(iv) governance details. For example, the names of individuals responsible for
validation, the dates when validation was last performed, and the frequency of
future validation.
7 The rationale for decommissioning a model could help inform or improve future generations of model
development or improvements or the decommissioned model may be used as a challenger model itself.
Principle 1.3 Model tiering
Risk-based model tiering is used to prioritise validation activities and other risk controls
through the model lifecycle, and to identify and classify those models that pose most risk to a
firm's business activities, and/or firm safety and soundness.
a) Firms should implement a consistent, firm-wide model tiering approach that assigns a
risk-based materiality and complexity rating to each of their models.
b) Model materiality should consider both:
(i) Quantitative size-based measures. For example, exposure, book or market

value, or number of customers to which a model applies; and
(ii) Qualitative factors relating to the purpose of the model and its relative importance
to informing business decisions, and considering the potential impact upon the
firm’s solvency and financial performance.
c) The assessment of a model's complexity should consider the risk factors that impact a
model’s inherent risk8 within each component of the modelling process, ie the nature
and quality of the input data, the choice of methodology (including assumptions), the
requirements and integrity of implementation, and the frequency and/or extensiveness
of use of the model. Where necessary (in particular with the use of newly advanced
approaches or technologies), the complexity assessment should consider risk factors
related to:
(i) the use of alternative and unstructured data,9 and
(ii) measures of a model's interpretability,10 explainability,11 transparency, and the

potential for designer or data bias12 to be present.
8 Inherent risk is the risk in the absence of any management or mitigating actions to alter either the risk’s
likelihood or impact.
9 Data, usually unstructured and non-financial data, not traditionally used in financial modelling, including
satellite imagery, telemetric or biometric data, and social-media feeds. These data are unstructured in
the sense that they do not have a defined data model or pre-existing organisation.
10 The ease or difficulty of predicting what a model will do, ie the degree to which the cause of a decision
can be understood.
11 Defined here as the degree to which the workings of a model can be understood in nontechnical terms.
12 When elements of a dataset (or as a result of model design) are more heavily weighted and/or
represented than others, producing results that could have ethical and/ or social implications.
d) The firm-wide model tiering approach should be subject to periodic validation, or other
objective and critical review by an informed party to ensure the continued relevance
and accuracy of model tiering. Validation or review should include: an assessment of
the relevance and availability of the information used to determine model tiers; and the
accurate recording and maintenance of model tiering in the model inventory.
e) Individual model tier assignments (including materiality and complexity ratings) of

models should be independently reassessed as part of the model validation and re-
validation process, and should include a review of the accuracy and relevance of the
information used to assign model tiers.
Principle 2 – Governance
Firms have strong governance oversight with a board that promotes an MRM culture from the
top through setting clear model risk appetite. The board approves the MRM policy and
appoints an accountable individual to assume the responsibility to implement a sound MRM
framework that will ensure effective MRM practices.
Principle 2.1 Board of directors’ responsibilities
The firm-wide MRM framework is subject to leadership from the board of directors to ensure
it is effectively designed.
a) The board of directors should establish a comprehensive firm-wide MRM framework

that is part of its broader risk management framework and proportionate to its size and
business activities; the complexity of its models; and the nature and extent of use of
models.
b) The framework should be designed to promote an understanding of model risk, on

both an individual model basis as well as in aggregate across the firm, and should
promote the management of model risk as a risk discipline in its own right. The
framework should clearly define roles and responsibilities in relation to model risk
across business, risk and control functions.
c) The board should set a model risk appetite that articulates the level and types of
model risk the firm is willing to accept. The model risk appetite should be proportionate
to the nature and type of models used. Firms’ model risk appetite should include
measures for:
(i) effectiveness of the design and operation of the MRM framework;
(ii) identifying models and approving their use for decision making;
(iii) limits on model use, exceptions and overall compliance;
(iv) thresholds for acceptable model performance and tolerance for errors; and
(v) effectiveness of use of model risk mitigants and oversight of the use of expert
judgement.
d) The board should regularly receive reports on the firms’ model risk profile against its
model risk appetite. Reports should include qualitative measures describing: the
effectiveness of the control framework and model use; the significant model risks
arising either from individual models or in aggregate; significant changes in model
performance over time; and the extent of compliance with the MRM framework.
e) The board is expected to provide challenge to the outputs of the most material models,
and to understand: the capabilities and limitations of the models, the model operating
boundaries under which model performance is expected be acceptable; the potential
impact of poor model performance; and the mitigants in place should model
performance deteriorate.
Principle 2.2 SMF accountability for model risk management framework
An accountable SMF is empowered to have overall oversight to ensure the effectiveness of

the MRM framework.
a) Firms should identify a relevant SMF most appropriate within the firm’s organisational
structure and risk profile to assume overall responsibility for the management of model
risk, and the execution and maintenance of the MRM framework. The relevant SMF
should be the most senior individual with the responsibility for the risks resulting from
models operated by the firm. Firms should ensure the Statement of Responsibilities of
the accountable SMF reflects the specific accountability for overall MRM.
b) The accountable SMF’s responsibilities regarding MRM may include:
(i) establishing policies and procedures to operationalise the MRM framework and
ensure compliance;
(ii) assigning the roles and responsibilities of the framework;
(iii) ensuring effective challenge;
(iv) independent validation;
(v) evaluating and reviewing model results and validation and internal audit reports;
(vi) taking prompt remedial action when necessary to ensure the firm’s aggregate
model risk remains within the board approved risk appetite; and
(vii) ensuring sufficient resourcing, adequate systems and infrastructure to ensure

data and system integrity, and effective controls and testing of model outputs to
support effective MRM practices.
c) Consistent with other risk disciplines, the identification of a relevant SMF with overall
responsibility for MRM does not prejudice the respective responsibilities of business,
risk and control functions in relation to the development and use of individual models.
Model owners, model developers, and model users remain responsible for ensuring
that individual models are developed, implemented, and used in accordance with the
firm’s MRM framework, model risk appetite, and limitations of use.
Principle 2.3 Policies and procedures
Comprehensive policies and procedures formalise the MRM framework and ensure effective
and consistent application across the firm.
a) Firms should have clearly documented policies and procedures that formalise the
MRM framework, and support its effective implementation. Firm-wide policies should
be approved by the board and reviewed on a regular basis to ensure their continued
relevance for: the firms’ model risk appetite and profile; the economic and business
environment and the regulatory landscape the firm operates in; and new and
advancing technologies the firm is exposed to.
b) Policies should cross-reference and align with other relevant parts of their broader risk
management policies, and align with the expectations set out in this supervisory
statement. Compliance with internal policies and applicable regulatory
requirements/expectations should be assessed and reported to the board of directors
on a regular basis.
c) Firms should establish policies and procedures across all aspects of the model
lifecycle to ensure that models are suitable for their proposed usage at the outset and
on an ongoing basis and to enable model risks to be identified and addressed on a
timely basis. At a minimum, the policies and procedures should cover:
(i) the definitions of a model and model risk, and any external taxonomies used to
support the model identification process;
(ii) the model tiering approach, including: the data sources used in the model tiering
approach; how model tiers are used to determine the scope, intensity and
frequency of model validation; the roles and responsibilities for assessing model
materiality and complexity; the frequency with which model tiering is re-
performed; and the process for the approval of model tiering;
(iii) standards for model development, including: model testing procedures; model
selection criteria; documentation standards; model performance assessment
criteria and thresholds; and supporting system controls;
(iv) data quality management procedures, including: the rules and standards for data
quality, accuracy and relevance; and the specific risk controls and criteria
applicable to reflect the higher level of uncertainty associated with use of
alternative or unstructured data, or information sources;
(v) standards for model validation, including: clear roles and responsibilities; the
validation procedures performed; how to determine prioritisation, scope, and
frequency of re-validation; processes for effective challenge and monitoring of the
effectiveness of the validation process; and reporting of validation results and any
remedial actions;
(vi) standards for measuring and monitoring model performance, including: the
criteria to be used to measure model performance; the thresholds for acceptable
model performance; criteria to be used to determine whether model recalibration
or redevelopment is required when model performance thresholds are breached;
processes for conducting root cause analyses to identify model limitations and
systemic causes of performance deterioration processes for performing and use
of back-testing;
(vii) the key model risk mitigants, including: the use of model adjustments and
overrides to reflect use of expert judgement; processes for restricting, prohibiting
or limiting a model’s use; how model validation exceptions are escalated;
(viii) the model approval process and model change, including clear roles and
responsibilities of dedicated model approval authorities, ie committee(s) and/or
individual(s), the governance, validation, independent review, approval and
monitoring procedures that need to be followed when a material change is made
to a model; the materiality criteria to be used to identify the potential impact of
prospective model changes.
d) The SMF with overall responsibility for the MRM framework should ensure the
adequacy of board-level policies for material and complex model types is assessed,
and supplemented with more detailed model or risk specific procedures as necessary
to deliver the firms overall risk appetite, including bespoke:
(i) standards for model development, independent model validation and procedures
for monitoring the performance of material and complex model types where the
control processes associated with these models substantially differ from other
model types; and
(ii) data quality procedures for data intensive model types to set clear roles and
responsibilities for the management of the quality of data used for model
development.
Principle 2.4 Roles and responsibilities
Roles and responsibilities are allocated to staff with appropriate skills and experience to
ensure the MRM framework operates effectively.
a) Firms should clearly document the roles and responsibilities for each stage of the
model lifecycle together with the requisite skills, experience and expertise required for
the roles, and the degree of organisational independence and seniority required to
perform the role effectively.
b) Responsibility for model performance monitoring and the reassessment of already

implemented models should be clearly defined and may be undertaken by model
owners, users, or developers. The adequacy of model performance monitoring is a key
area of consideration by model validators.
c) Model owners should be documented for all models. Model owners are accountable
for ensuring that:
(i) the model's performance is monitored against the firm’s board-approved risk
appetite for acceptable model performance;
(ii) the model is assigned to the correct model tier; has undergone appropriate
validation in accordance with the model tier; and providing all necessary
information to enable validation activities to take place;
(iii) the model is recorded in the model inventory and information about the model is
accurate and up-to-date.
d) Model users should be documented for all models. Model users are accountable for
ensuring that:
(i) the model use is consistent with the intended purpose;
(ii) known model limitations are taken into consideration when the output of the
model is used.
e) Model developer(s) should be documented for all models. Model developers are
accountable for ensuring that the research, development, evaluation and testing of a
model (including testing procedures, model selection and documentation) are
conducted according to firms’ own standards.
f) Model validation should be performed by staff:
(i) that have the requisite technical expertise and sufficient familiarity with the line of
business using the model, to be able to provide an objective, unbiased and
critical opinion on the suitability and soundness of models for their intended use;
(ii) that have the necessary organisational standing and incentives to report model
limitations and escalate material control exceptions and/or inappropriate model
use in a prompt and timely manner.
Principle 2.5 Internal Audit
a) Internal Audit (IA) should periodically assess both the effectiveness of the MRM
framework over each component of the model lifecycle, as well as the overall
effectiveness of the MRM framework and compliance with internal policies. The
findings of IA’s assessments should be documented and reported to the board and
relevant committees on a timely basis.
b) The IA review should independently verify that:
(i) internal policies and procedures are comprehensive to enable model risks to be
identified and adequately managed;
(ii) risk controls and validation activities are adequate for the level of model risks;
(iii) validation staff have the necessary experience, expertise, organisational

standing, and incentives to provide an objective, unbiased, and critical opinion on
the suitability and soundness of models for their intended use and to report
model limitations and escalate material control exceptions and/or inappropriate
model use in a prompt and timely manner; and
(iv) model owners and model risk control functions comply with internal policies and
procedures for MRM, and those internal policies and procedures are in line with
the expectations set out in this SS.
Principle 2.6 Use of externally developed models, third party and vendor products
a) In line with PRA SS2/21 'Outsourcing and third-party risk management'13 boards and
senior management are ultimately responsible for the management of model risk, even
when they enter into an outsourcing or third-party arrangement.
b) Regarding third party vendor models, firms should:
(i) satisfy themselves that the vendor models have been validated to the same
standards as their own internal MRM expectations;
(ii) verify the relevance of vendor supplied data and their assumptions; and
(iii) validate their own use of vendor products and conduct ongoing monitoring and
outcomes analysis of vendor model performance using their own outcomes.
c) Subsidiaries14 using models developed by their parent-group15 should:
(i) demonstrate that the parent-group has implemented an MRM framework and
model development and validation standards in line with the expectations set out
in this SS;
(ii) verify the relevance of the data and assumptions for the intended application of
the model by the subsidiary; and
13 SS2/21 'Outsourcing and third party risk management, March 2021:

https://www.bankofengland.co.uk/prudential-regulation/publication/2021/march/outsourcing-
and-third-party-risk-management-ss.
14 Including UK ring-fenced bodies.
15 UK group and/or non-ring-fenced bodies for UK ring-fenced bodies.
(iii) ensure the intensity and rigour of model validation is adequate for the model tier
classification determined relative to the risk profile of the subsidiary on a stand-
alone basis.16
Principle 3 – Model development, implementation and use
Firms have a robust model development process with standards for model design and
implementation, model selection, and model performance measurement. Testing of data,
model construct, assumptions and model outcomes are performed regularly in order to
identify, monitor, record and remediate model limitations and weaknesses.
Principle 3.1 Model purpose and design
a) All models should have a clear statement of purpose and design objective(s) 17 to guide
the model development process. The design of the model should be suitable for the
intended use, the choice of variables and parameters should be conceptually sound
and support the design objectives, the calculation parameter estimates, and
mathematical theory should be correct, and the underlying assumptions of the model
should be reasonable and valid.
b) The choice of modelling technique should be conceptually sound and supported by

published research, where available, or generally accepted industry practice where
appropriate. The output of the model should be compared with the outcomes of
alternative theories or approaches and benchmarks, where possible.
c) Particular emphasis should be placed on understanding and communicating to model

users and other stakeholders the merits and limitations of a model under different
conditions and the sensitivities of model output to changes in inputs to determine the
operating boundaries of the model.
Principle 3.2 The use of data
16 Materiality of a model relative to the risk profile and models used by a group could be assessed as
different from the materiality of the same model relative to the risk profile and models used by a
subsidiary.
17 The design objective(s) represent model performance target metrics such as measures for robustness,
stability, and accuracy for accounting provisions or pricing models, discriminatory power for rating
systems, and may represent a certain degree of predetermined conservatism for capital adequacy
measures.
a) The model development process should demonstrate that the data used to develop
the model are suitable for the intended use; and are consistent with the chosen theory
and methodology; are representative of the underlying portfolios, products, assets, or
customer base the model is intended to be used for.
b) The model development process should ensure there is no inappropriate bias in the
data used to develop the model, and that usage of the data is compliant with data
privacy and other relevant data regulations.
c) When the data used to develop the model are not representative of a firm’s underlying
portfolios, products, assets, or customer base that the model is intended to be used
for, the potential impact should be assessed, and the potential limitation should be
taken into account in the model’s tier classification to reflect the higher model
uncertainty. Model users and model owners should be made aware of any model
limitations.
d) Any adjustments made to the data used to develop the model or use of proxies to
compensate for the lack of representative data should be clearly documented and
subject to validation. The assumptions made, factors used to adjust the data, and
rationale for the adjustment should be independently validated, monitored, reported,
analysed, recorded in the model inventory, and documented as part the model
development process.
e) Interconnected data sources and the use of alternative and unstructured data18 should
be identified and recorded in the model inventory, and the complexity introduced by
interconnected data and increased uncertainty of alternative and unstructured data
should reflect in the model’s tier classification to ensure the appropriate level of rigour
and scrutiny is applied in the independent validation activities of the model.
Principle 3.3 Model development testing
a) Model development testing should demonstrate that a model works as intended. It

should include clear criteria (tests) as basis to measure a model’s quality (performance
in development stage) and to select between candidate models. Model developers
should provide the key outline of the monitoring pack (set of tests or criteria) that will
be used to monitor a model’s ongoing performance during use.
18 Data, usually unstructured and non-financial data, not typically used in financial modelling such as
social-media feeds. The data are unstructured in the sense that they do not have a defined data model
or pre-existing structure.
b) Model development testing should determine the operating boundaries under which a
model’s performance is expected to be acceptable.
c) Model development testing should assess model performance against the model’s
design objective(s) using a range of performance tests.
(i) From a backward-looking perspective, performance tests should be conducted

using actual observations across a variety of economic and market conditions
that are relevant for the model’s intended use.
(ii) From a forward-looking perspective, performance tests should be conducted

using plausible scenarios that assess the extent to which the model can take into
consideration changes in economic and market conditions, as well as changes to
the portfolio, products, assets, or customer base, without model performance
deteriorating below acceptable levels. This should include sensitivity analysis19 to
determine the model operating boundaries under which model performance is
expected to be acceptable.
(iii) Where practicable, performance tests should also include comparisons of the
model output with the output of available challenger models, which are alternative
implementations of the same theory, or implementations of alternative theories
and assumptions. The extent to which comparisons against challenger models or
other benchmarks have been conducted should be considered in the model’s tier
classification to reflect the higher model uncertainty.
d) Models with dynamic calibration20 should also recalculate performance test results
automatically each time calibration is done.
e) Model development testing should also be conducted for material model changes, and
should include a comparison of the model output prior to the change and the
corresponding output following the change to actual observations and outcomes (ie
parallel outcomes analysis).
Principle 3.4 Model adjustments and expert judgement
19 Evaluating a model's output over a range of input values or parameters.

20 Where parameter estimates are automatically recalculated over time.
a) Firms should be able to demonstrate that risks relating to model limitations and model
uncertainties21 are adequately understood, monitored, and managed, including
through the use of expert judgement.
b) The model development process should consider the need to use expert judgement to
make model adjustments that modifies any part of a model (input, assumptions,
methodology, or output) to address model limitations.
c) Where the model development process identifies a need for such model adjustments,
the adjustments should be adequately justified and clearly recorded in the model
inventory. The model inventory should record the decisions taken relating to the
reasons for model adjustments, and how the adjustments should be calculated over
time. The implementation of those decisions should be appropriately documented and
subject to proper governance, including ongoing independent validation.
d) Where such adjustments are made either to a feeder model whose output is the input
of another model or to a sub-model of a system of models, the impact of those
adjustments on related models should also be assessed and the relevant model
owners and users should be made aware of the potential impact of those adjustments.
Where the adjustment is material, it should be the subject of the independent
validation process of both models.
e) Where firms use conservatism to address model uncertainties, it should be intuitive

from a business and economic perspective, adequately justified and supported by
appropriate documentation, and should be consistent with the model’s design
objectives.
f) Model owners or developers should be able to demonstrate a clear link between

model limitations and the reasons for model adjustments, and be responsible for
developing and implementing clear remediation plans to address the model limitations
by better incorporating risks into models so that reliance on model adjustments will be
reduced over time.
g) Firms should have a process to consider whether the materiality of model adjustments
or a trend of use of recurring model adjustments for the same model limitations are
indicative of flawed model design or misspecification in the model construct, and
21 Model uncertainty should be understood as the inherent uncertainty in the parameter estimates and
results of statistical models, including the uncertainty in the results due to model choices or model
misuse.
consider the need for remedial actions to the extent of model recalibration or
redevelopment.
Principle 3.5 Model development documentation
a) Firms should have comprehensive, and up-to-date documentation on the design,

theory, and logic underlying the development of their models. Model development
documentation should be sufficiently detailed that an independent third-party with the
relevant expertise would be able to understand how the model operates, to identify the
key model assumptions and limitations, and to replicate any parameter estimation and
model results.
b) The model documentation should include:
(i) the use of data: a description of the data sources, any data proxies, and the
results of data quality, accuracy and relevance tests;
(ii) the choice of methodology: the modelling techniques adopted and assumptions
or approximations made, details of the processing components that implement
the theory, mathematical specification, numerical and statistical techniques;
(iii) performance testing: details of the tests or criteria that will be used to monitor the
model’s ongoing performance during use, and the rationale for the choice of tests
or criteria selected; and
(iv) model limitations and use of expert judgement: the nature and extent of model
limitations, justification for using any model adjustments to address for model
limitations, and how those adjustments should be calculated over time.
Principle 3.6 Supporting systems
a) Models should be implemented in: information systems or environments that have

been thoroughly tested for the intended model purposes and/or the systems for which
models have been validated and approved. The systems should be subject to rigorous
quality control and change control processes. The findings of any system and/or
implementation tests should be documented.
b) Firms should periodically reassess the suitability of the systems for the model
purposes and take appropriate remedial action as needed to ensure suitability.
Principle 4 – Independent model validation

Firms have a validation process that provides ongoing, independent, and effective challenge
to model development and use. The individual/body within a firm responsible for the approval
of a model ensures that validation recommendations for remediation or redevelopment are
actioned so that models are suitable for their intended purpose.
P4.1 The independent validation function
a) Firms should have a validation function to provide an objective, unbiased and critical
opinion on: the suitability and soundness of models for their intended use; the design
and integration of the system supporting the model; the accuracy, relevance and
completeness of the development data; and the output and reports used to inform
decisions.
b) The validation function should be responsible for the (i) independent review and (ii) the
periodic re-validation of models, and should provide their recommendations on model
approvals to the appropriate model approval authority.
c) While model owners are responsible for model performance, model users, owners,
and validators share the responsibility for (i) ongoing model performance monitoring
and (ii) process verification.
d) The validation function should operate independently from the model development
process and from model owners. Firms that have approval to use internal models for
the purposes of calculating their capital requirements are expected to demonstrate
independence through separate reporting lines for model validators and model
developers and owners, applicable across the MRM framework. All firms, including
firms without internal model approval that may not have separate reporting lines,
should have an independent party, such as internal audit, to, on a regular basis,
review the overall effectiveness of the model validation process and its outcomes. The
independent party should confirm that the model validation process is sufficiently
independent from the model development process.
e) The validation function should have sufficient organisational standing to provide

effective challenge and have appropriate access to the board and/or board committees
to escalate concerns around model usage and MRM in a prompt and timely manner.
Principle 4.2 Independent review
a) All models should be subject to an independent review to ensure that models are
suitable for their intended use. The independent review should:
(i) cover all model components, including model inputs, calculations, and reporting
outputs;
(ii) assess the conceptual soundness of the underlying theory of the model, and the
suitability of the model for its intended use;
(iii) critically analyse the quality and extent of model development evidence, including
the relevance and completeness of the data used to develop the model with
respect to the underlying portfolios, products, assets, or customer base the
model is intended to be used for;
(iv) evaluate qualitative information and judgements used in model development, and
ensure those judgements have been conducted in an appropriate and systematic
manner, and are supported by appropriate documentation; and
(v) conduct additional testing and analysis as necessary to enable potential model
limitations to be identified and addressed on a timely basis, and to review the
developmental evidence of the sensitivity analysis conducted by model
developers to confirm the impact of key assumptions made in the development
process and choice of variables made during the model selection stage on the
model outputs.
b) The nature and extent of independent review should be determined by the model tier
and, where the validation regards a model change, commensurate to the materiality of
the model change.
Principle 4.3 Process verification
a) Firms should conduct appropriate verification of model processes and systems

implementation to confirm that all model components have operated effectively and
been implemented as intended. This should include verification that:
(i) Model inputs - internal or external data used as model inputs are representative
of the underlying portfolios, products, assets or customer base the model is
intended to be used for, and compliant with internal data quality control and
reliability standards;
(ii) Calculations - systems implementation (code), integration (processing), and user-

developed applications are accurate, controlled and auditable; and
(iii) Reporting outputs - reports derived from model outputs are accurate, complete,
informative, and appropriately designed for their intended use.
P4.4 Model performance monitoring
a) Model performance monitoring should be performed to assess model performance

against thresholds for acceptable model performance based on the model testing
criteria used during the model development stage.
b) Firms should conduct ongoing model performance monitoring to:
(i) ensure that parameter estimates and model constructs are appropriate and valid;
(ii) ensure that assumptions are applicable for the model’s intended use;
(iii) assess whether changes in products, exposures, activities, clients, or market

conditions should be addressed through model adjustments, recalibration, or
redevelopment, or by the model being replaced; and,
(iv) assess whether the model has been used beyond the model operating
boundaries and whether this use has delivered acceptable results.
c) A range of tests should form part of model monitoring, including those determined by
model developers:
(i) benchmarking – comparing model estimates with comparable but alternative

estimates;
(ii) sensitivity testing – reaffirming the robustness and stability of the model;
(iii) analysis of overrides – evaluate and analyse the performance of model

adjustments made;
(iv) parallel outcomes analysis – assessing whether new data should be included in
model calibration.
d) Model monitoring should be conducted on an ongoing basis with a frequency

determined by the model tier.
e) Firms should produce timely and accurate model performance monitoring reports that
should be independently reviewed, and the results incorporated into the procedures for
measuring model performance (as per Principle 2.3(c)(vi)).
Principle 4.5 Periodic revalidation
a) Firms should undertake regular independent revalidation of models (typically less

detailed than the validation applied during initial model development) to determine
whether the model has operated as intended, and whether the previous validation
findings remain valid, should be updated, or whether validation should be repeated or
augmented with additional analysis.
b) The periodic revalidation should be carried out with a frequency that is consistent with
the model tier.
Principle 5 – Model risk mitigants
Firms have established policies and procedures for the use of model risk mitigants when
models are under-performing, and have procedures for the independent review of post-model
adjustments.
P5.1 Process for applying post-model adjustments22
a) Firms should have a consistent firm-wide process for applying post-model adjustments
(PMAs) to address model limitations where risks and uncertainties are not adequately
reflected in models or addressed as part of the model development process. The
process should be documented in firms’ policies and procedures, and should include a
governance and control framework for reviewing and supporting the use of PMAs, the
implementation of decisions relating to how PMAs should be calculated, their
completeness, and when PMAs should be reduced or removed.
b) The processes for applying PMAs may vary across model types but the intended
outcomes of each process should be similar for all model types and focused on
ensuring that there is a clear rationale for the use of PMAs to compensate for model
limitations, and that the approach for applying PMAs is suitable for their intended use.
22 Post-model adjustments (PMAs) will refer to all model overlays, management overlays, model
overrides, or any other adjustments made to model output where risks and uncertainties are not
adequately reflected in existing models.
c) PMAs for material models or portfolios should be documented, supported by senior

management, and approved by the appropriate level of authority (eg senior
management, risk committee, audit committee).
d) PMAs should be applied in a systematic and transparent manner. The impact of

applying PMAs should be made clear when model results are reported for use in
decision making with model results being presented with and without PMAs.
e) All PMAs should be subject to an independent review with intensity commensurate to

the materiality of the PMAs. The scope of review should include:
(i) an assessment of the continued relevance of PMAs to the underlying portfolio;
(ii) qualitative reasoning23 – to ensure the underlying assumptions are relevant, the
soundness of the underlying reasoning, and to ensure both are logically and
conceptually sound from a business perspective;
(iii) inputs – to ensure the integrity of data used, and to ensure that the data used is
representative of the underlying portfolio.
(iv) outputs and performance – to ensure the outputs are plausible. For recurring
PMAs, all means to assess performance (such as stress testing, back testing,
and benchmarking) should be evaluated with the most appropriate measures
selected.
(v) root cause analysis – to ensure a clear understanding of the underlying model
limitations, and whether they are due to significant model deficiencies that require
remediation.
f) PMAs should be supported by appropriate documentation, including:
(i) a clear justification for applying PMAs;
(ii) the criteria to determine how PMAs should be calculated and how to determine
when PMAs should be reduced or removed;
(iii) triggers for prolonged use of PMAs to activate validation and remediation;
23 Expert judgement will make use of more qualitative and expert reasoning to arrive at an estimate due to
the lack of empirical evidence to use as basis for a quantitative calculation to produce the estimate.
(iv) the approach to perform root cause analysis to identify specific improvements
that can be made to model development to reduce reliance on PMAs in future;
and
(v) criteria to determine whether or not, and when newly available data and/or new
techniques should be incorporated into existing models.
g) Firms should have a process to consider whether the materiality of PMAs, or a trend of
use of recurring PMAs for the same model limitations are indicative of flawed model
design, or misspecification in the model construct, and consider the need for remedial
actions to the extent of model recalibration or redevelopment to remediate underlying
model limitations and reduce reliance on PMAs.
Principle 5.2 Restrictions on model use
a) Firms should consider placing restrictions on model use when significant model
deficiencies and/or errors are identified during the validation process, or if model
performance tests show a significant breach has or is likely to occur, including:
(i) permitting the use of the model only under strict controls or mitigants; and
(ii) placing limits on the model’s use including prohibiting the model to be used for
specific purposes.
b) The process of managing significant model deficiencies, or inadequate model

performance should be adequately documented and reported to key stakeholders
(model owners, users, validation staff, and senior management), including recording
the nature of the issues and tracking the status of remediation in the model inventory.
Principle 5.3 Exceptions and escalations
a) For material models, firms should formulate the exceptions24 they would allow for
model use and model performance, and should implement formally approved policies
and procedures setting out the escalation procedures to be followed and to manage
these exceptions.
24 Exceptions are defined here as using a model when not approved for usage by the appropriate
oversight entity or not validated for use; a model is used outside its intended purpose; a model that
displays persistent breach of performance metrics continues to be used; or back testing suggests the
model results are inconsistent with actual outcomes.
(i) Exceptions for model use should be temporary, should be subject to post-model
adjustments (PMAs), should be reported to and supported by stakeholders and
senior management.
(ii) For model performance exceptions firms should have clear guidelines for
determining a maximum tolerance on model performance exceptions (deviation
from expectation), should be subject to appropriate risk controls (eg the use of
alternative models, heightened review and challenge, and more frequent
monitoring post-model adjustments) and mitigants (eg recalibrating or
redevelopment of existing methodology) once defined triggers and thresholds are
breached.
b) Firms should have escalation processes in place so that the key stakeholders (model
owners, users, validation staff, and senior management) are promptly made aware of a
model exception.
(i) the escalation process should describe the notification and reporting
responsibilities of model owners and validators in an exception event;
(ii) upon escalation of an exception event, firms should impose restrictions on the
model's usage; and
(iii) internal audit should maintain an ongoing review of the exception and escalation
process and performance to ensure it is being conducted in a manner that is
consistent with established policy.
2: PRA statutory obligations
The statutory obligations applicable to the PRA’s policy development process are set
out below. This CP explains the policy assessment of relevant considerations.
 Purpose of the policy proposals (FSMA s138J(2)(b)).
 Cost benefit analysis (FSMA s138J(2)(a) and (7)(a)); and

an estimate of those costs and benefits (if reasonable) (FSMA s138J(8)).
 Analysis of whether the impact on mutuals is significantly different to the impact on

other authorised firms (FSMA s138J(2)(c) and 138K).
 Compatibility with the PRA’s primary objectives (FSMA s138J(2)(d)(i), 2B and 2C).
 Compatibility with the PRA’s secondary competition objective (FSMA s138J(2)(d)(ii)

and 2H(1)).
 Compatibility with the regulatory principles (FSMA s138J(2)(d)(ii), 2H(2) and 3B).
 Have regard to the HMT recommendation letters (BoE Act s30B).
 Have due regard to the public sector equality duty (Equality Act s149).
 Have regard, subject to any other requirement affecting the exercise of the regulatory
function, to the principles of good regulation and when determining general policy or
principles to the Regulators Code (Legislative and Regulatory Reform Act 2006 s21 &
22)
 Have regard, so far as consistent with the proper exercise of those functions, to the
purpose of conserving biodiversity. Conserving biodiversity includes, in relation to
living organism or type of habitat, restoring or enhancing a population or habitat
(Natural Environment and Rural Communities Act 2006, s40).
 Consultation of the FCA (FSMA s138J(1)(a)).
 Where the consultation proposes a PRA rule change or amendment to onshored BTS
that affects the processing of personal data - consultation with the Information
Commissioner’s Office (article 36(4) General Data Protection Regulation).
 For UK Technical Standards Instruments only: FSMA s138J(1)(a) is replaced with:

consultation of the FCA and/or Bank, where that Regulator has an interest in the
technical standards (FSMA s138P(4) and (5)).
 For UK Technical Standards Instruments only: notice given to HMT of the consultation
on the UKTS (‘best efforts’ basis).
 For CRR rules only: subject to certain exceptions, have regard to:
relevant standards recommended by the Basel Committee on Banking Supervision

from time to time
the likely effect of the rules on the relative standing of the United Kingdom as a place
for internationally active credit institutions and investment firms to be based or to carry
on activities. For these purposes, the PRA must consider the United Kingdom's
standing in relation to the other countries and territories in which, in its opinion,
internationally active credit institutions and investment firms are most likely to choose
to be based or carry on activities
the likely effect of the rules on the ability of CRR firms to continue to provide finance to
businesses and consumers in the UK on a sustainable basis in the medium and long
term
the target in section 1 of the Climate Change Act 2008 (carbon target for 2050)
(s144C (1) & (2) FSMA – exceptions in s144E FSMA).
 For CRR rules only – explanation of the ways in which having regard to the matters
specified above has affected the proposed rules (s144D FSMA).
 For CRR rules only – publication of a summary of the proposed CRR rules
 For CRR rules only – consideration and consultation with the HMT about the likely
effect of the rules on relevant equivalence decisions (s144C (3) & (4) FSMA).

Model Risk Management Principle For Banks

Uploaded by

Copyright:

Available Formats

Model Risk Management Principle For Banks

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Model Risk Management Principle For Banks

Uploaded by

Copyright:

Available Formats

Prudential Regulation Authority

Appendices to CP6/22 – Model risk

Consultation Paper | CP6/22

1: Draft Supervisory Statement – Model risk management principles for banks 2

2: PRA statutory obligations 31

© Bank of England 2022

Prudential Regulation Authority | 20 Moorgate | London EC2R 6DA

1: Draft Supervisory Statement – Model risk

Quantitative methods and models

i. the applicability to the decisions they support being verified; and

Model risk management and the model lifecycle

i. the core modelling process - model development, implementation and use;

1.15 The sequence of modelling-validation-control activities describes the various stages in a

Diagram: the model lifecycle

Organisational structures, validation and control functions

i. The model owner is the individual accountable for a model's development,

Overview of the principles

Principle 1 – Model identification and model risk classification

Principle 3 – Model development, implementation, and use

Principle 4 – Independent model validation

Principle 5 – Model risk mitigants

SMF accountability for model risk management framework

Financial reporting and external auditors

Implementation and ongoing self-assessment

Model risk management principles for banks

Principle 1.1 Model definition

A model is a quantitative method, system, or approach that applies statistical,

b) Notwithstanding the above definition, where material deterministic quantitative

Principle 1.2 Model inventory

c) The type of information the model inventory should capture include:

Principle 1.3 Model tiering

b) Model materiality should consider both:

(i) Quantitative size-based measures. For example, exposure, book or market

(i) the use of alternative and unstructured data,9 and

(ii) measures of a model's interpretability,10 explainability,11 transparency, and the

e) Individual model tier assignments (including materiality and complexity ratings) of

Principle 2.1 Board of directors’ responsibilities

a) The board of directors should establish a comprehensive firm-wide MRM framework

b) The framework should be designed to promote an understanding of model risk, on

(i) effectiveness of the design and operation of the MRM framework;

(iii) limits on model use, exceptions and overall compliance;

Principle 2.2 SMF accountability for model risk management framework

An accountable SMF is empowered to have overall oversight to ensure the effectiveness of

b) The accountable SMF’s responsibilities regarding MRM may include:

(ii) assigning the roles and responsibilities of the framework;

(iii) ensuring effective challenge;

(iv) independent validation;

(vii) ensuring sufficient resourcing, adequate systems and infrastructure to ensure

Principle 2.3 Policies and procedures

Principle 2.4 Roles and responsibilities

b) Responsibility for model performance monitoring and the reassessment of already

(i) the model use is consistent with the intended purpose;

f) Model validation should be performed by staff:

Principle 2.5 Internal Audit

b) The IA review should independently verify that:

(iii) validation staff have the necessary experience, expertise, organisational

b) Regarding third party vendor models, firms should:

c) Subsidiaries14 using models developed by their parent-group15 should:

13 SS2/21 'Outsourcing and third party risk management, March 2021: