FCA Model Requirements

https://www.fca.org.uk/publications/multi-firm-reviews/ifpr-implementation-observations-concluding-report

BACKGROUND

In 2023, while observing how firms are implementing requirements on the Internal Capital Adequacy and Risk Assessment (ICARA) process and reporting under the Investment Firms Prudential Regime (IFPR), the FCA found that in some firms there were significant failings in the 'application' of capital models for operational risk. These failings therefore gave "...little assurance that these firms have adequate resources to mitigate harm". Below is a summary of the models-related observations, including good and poor practices firms should consider in order to strengthen their processes.

In section "4.4. Operational risk capital assessments" the FCA summarises its findings as follows.

  • "Significant failings in the application of operational risk capital approaches may lead to insufficient resources to mitigate harm."
  • "We saw that many firms assessed operational risk capital using approaches that did not lead to adequate assessments of own funds for individual firms. Common failings include an incomplete assessment of risk from the point of view of an individual firm, inappropriate use of group models, and poor governance and oversight around complex modelling approaches."

An incomplete assessment of risks means that individual firms will not have enough resources to manage their own risks. The lack of adequate model risk governance caused some firms to use incorrect models or relatively complex approaches which led to incorrect or poorly understood results. Unless models are used appropriately and the results clearly understood, the firm does not have assurance that its resource assessment is adequate.

MIFIDPRU 7 requires that the management body of firms must ensure that adequate resources are allocated to the management of all material risks and to the use of internal models for those risks. Putting in place model risk governance, where models are used, helps ensure that any modelling approach remains fit for purpose. Without adequate oversight over model risk, firms cannot confirm that they hold the correct resources to mitigate harm from their operations.

GOOD PRACTICE

  1. There was clear linkage between enterprise risk assessment, the risk control self-assessment (RCSA) process, scenario analysis and operational risk assessment.
  2. The approach applied in assessing operational risk capital for an individual legal entity excluded any consolidation or diversification effects across different legal entities.
  3. The limitations of operational risk models (where used) were evaluated, and the approach applied was suited to the data available and the circumstances of the individual firm.
  4. Approaches were well understood, and results suited to the risks of the individual firm.
  5. Where a source of operational risk, for instance, cyber risk, was a potential trigger of several risks, there was a process to ensure risk assessments are comprehensive.
  6. Model risk governance, where models are used, was in place. The firm applied a policy of regular independent validation of operational risk models and approaches used to assess own funds requirements. Model validation was performed when there were changes in how the model was used.
  7. Subject matter experts were asked to assess loss scenarios which they can reasonably encounter in their career or lifetime (for instance, which may happen once in 40 years). Mathematical models then used this information to extrapolate to the less frequent loss on which the capital was based (for instance, one that happens once in 200 or more years).

POOR PRACTICE

  1. The approach applied in assessing capital of an individual firm to mitigate harm from operational risk did not thoroughly consider the risks sustained by the individual firm.
  2. Firms that were part of larger firm groups used group operational risk models in individual ICARA processes without further examining whether these were fit for use by an individual firm.
  3. Operational risk approaches included complicated methodologies around the attribution of risks and harm which eventually led to a poor assessment of adequate resources.
  4. Others applied assumptions (for instance, scenario correlations) which were not fully explained or verified.
  5. Model execution was accompanied by operational missteps such as code errors, incorrect estimation of inputs, or inputting errors.
  6. Operational risk models were not independently validated for use by an individual firm.
  7. There was inadequate rationale for excessive diversification benefit (low correlation) particularly when only a subset of the identified material risks was used to estimate the capital.
  8. Group models were used by individual firms without going through the firm's model risk governance to confirm appropriateness of application. The independent model validation that was performed explicitly removed from its scope the use of the model by an individual MIFIDPRU investment firm.
  9. Operational risk models continued to be a black-box tool, with the firm unable to ascertain the adequacy of the numbers it was feeding the model or what the model output was telling it.