New expectations for MRM: UK’s PRA releases SS1/23 Standard

In May 2023, the UK’s Prudential Regulatory Authority (PRA) released its long-awaited standard for Model Risk Management (MRM) Principles for Banks.

The opinions expressed here are those of the authors. They do not necessarily reflect the views or positions of UK Finance or its members.

With an implementation date of May 17, 2024, the pressure is now on for modeling, risk and compliance teams to quickly grasp the key principles of SS1/23 and find ways of embedding its requirements into their daily operational framework and their compliance processes. While SS1/23 only impacts UK institutions, those based elsewhere should also take heed.

Why is SS1/23 being introduced?                                                                        

SS1/23’s significance stems from the PRA’s operational resilience agenda, where it seeks to ensure that the UK financial sector can withstand a range of shocks – economic, political, civil, and many others.

SS1/23 reflects the fact that powerful computing capabilities have changed the way that institutions leverage models to help them manage a range of operational, business and regulatory issues.

However, data errors, operational issues, and flawed models expose institutions to a range of risks when making key decisions. These risks extend to the tools and calculators that modelling teams use to populate and enhance their models. SS1/23 standardizes a best-practice approach to MRM, which institutions will have to comply with as well as expand their definition of model risk management.

Who does SS1/23 impact?

SS1/23 primarily impacts banks, although it will likely impact insurers and asset managers, depending on some of their business models.

SS1/23 is mandated for institutions that are authorized to use Internal Models to calculate their regulatory capital, rather than using the Standardized Approach. However, those institutions not mandated to use SS1/23 are encouraged by the PRA to adopt it, as a good business practice.

The focus of SS1/23 is not merely regulatory capital models, it extends to models that have a material impact on the management of the business, whether its managing operational risks, or making significant management decisions, for example. Any model that can likely impact the operational resilience of an institution will likely be in scope.

What does SS1/23 compliance involve?

SS1/23 is a principles-based framework, so there is no ‘tick-in-the-box’ process to go through to achieve compliance. Instead, institutions will have to develop tools, systems and processes that will embed these principles into how they manage their model estate:

  • Principle 1: Model Identification and Risk Classification
  • Principle 2: Governance
  • Principle 3: Model Development, Implementation and Use
  • Principle 4: Independent Model Validation
  • Principle 5: Model Risk Mitigants

In practical terms, this means that institutions need to find a way to:

  • have a consolidated view of all their models, tools and calculators.
  • triage them into high, medium or low importance in the context of SS1/23.
  • implement a model approval process to ensure their model development and management process is adhered to.
  • provide an easy-to-manage external model validation process.
  • provide a centralized risk management and risk mitigation framework that meets the needs of the business and SS1/23.

Register for Mitratech’s online webinar with UK Finance, ‘SS1/23 comes into effect May 2024, is your Model Risk Management ready?’ on 5 July 2023, 2-3pm.