
Model Risk Management – ‘The time for Internal Audit assurance is now’

Given the central role that models play in supporting firms’ risk assessment and management, and the weaknesses highlighted by the Prudential Regulation Authority (PRA) in firms’ model risk management (MRM) frameworks in recent years, MRM in UK deposit takers remains a regulatory priority. As a result of the increasing regulatory focus on the effectiveness of MRM practices and the remediation actions firms are taking, the need for Internal Audit (IA) functions to provide sufficient and robust assurance over Model Risk Management to their organisation’s boards has never been more important.

This blog follows our recent publication, From Principle to Practice: Model Risk Management takes effect, which addresses the broader technical and practical implications for firms required to comply with the Supervisory Statement (SS).

To support the strengthening of MRM practices in firms, the PRA published its Policy Statement (PS6/23) on ‘Model risk management principles for banks’, with the policy and accompanying SS1/23 coming into force on 17 May 2024. Whilst the policy will only initially apply to banks with internal model (IM) approvals for regulatory capital purposes when it takes effect¹, the PRA notes that all firms, irrespective of size, are required to manage the risks associated with their models and that non-IM firms which are subject to existing supervisory expectations around models (such as self-assessments and attestations) should continue to comply with them. It is also worth mentioning that the PRA has said that elements of the principles will certainly be extended to non-IM firms as soon as an official definition of ‘Simpler-regime Firms’ is implemented in line with Consultation Paper (CP5/22)², so non-IM firms should take note anyway.

The principles set out what the PRA considers to be the core disciplines necessary for a robust MRM framework to manage model risk effectively across all model and risk types. The PRA sees model risk as a risk that should be treated in the same way as other material risks in banks: model risk should be part of risk appetite and should be monitored and managed as seriously as any other material risk.

Equally crucial, given the increasing level of regulatory focus and requirements in relation to MRM, is the need for IA functions to provide periodic assurance on the effectiveness of their bank’s MRM frameworks and practices.

Before the policy takes effect in May 2024, firms are expected to conduct an initial self-assessment of their implemented MRM frameworks against the principles and, where relevant, to prepare remediation plans to address any identified shortcomings. However, given that the PRA’s final policy allows banks greater scope to interpret some of the requirements proportionally to their own business complexity and size, banks’ assessments of their proportional implementation of the principles, and the extent to which they are sufficiently rigorous, are likely to be areas of regulatory supervisory focus. IA, therefore, has a critical role to play in evaluating the level of rigour applied to banks’ self-assessments and providing assurance to the board in this respect. Importantly, this should occur prior to the PRA’s policy taking effect and on a regular basis going forwards, given the requirement for banks to update their self-assessments at least annually.

To reinforce this, Principle 2.5 of the SS requires IA to periodically assess both the effectiveness of the MRM framework over each component of the model lifecycle, as well as the overall effectiveness of the MRM framework and compliance with internal policies. The findings of IA’s assessments should be reported to the board and relevant committees on a timely basis, with the scope of work required to be performed including the need for IA to independently verify that:

  • internal policies and procedures are comprehensive to enable model risks to be identified and adequately managed;
  • risk controls and validation activities are adequate for the level of model risks;
  • validation staff have the necessary experience, expertise, organisational standing, and incentives to provide an objective, unbiased, and critical opinion on the suitability and soundness of models for their intended use and to report model limitations and escalate material control exceptions and/or inappropriate model use in a prompt and timely manner; and
  • model owners and model risk control functions comply with internal policies and procedures for MRM, and those internal policies and procedures are in line with the expectations set out in the SS.

To meet the PRA’s expectations, the implications for IA are clear: IA needs to create more space and time in its plans to adequately address the requirements of SS1/23 on an ongoing basis, and it must ensure that it possesses or acquires the range of skills and expertise necessary to provide effective assurance in these areas. Only then will key stakeholders, including firms’ Boards and the PRA, have real confidence and trust in the level of assurance being provided over firms’ MRM.

If you require any support or assistance with your IA review of your firm’s initial self-assessment of its implemented MRM framework, and with review(s) of the effectiveness of the MRM framework and the level of compliance with internal policies and procedures, or would like to discuss this topic in greater detail, then please reach out to a member of our team.



¹ Banks that are applying to become IM banks will have 12 months from the date of approval of their IM application to demonstrate compliance with the principles. The PRA will update the industry as to how the principles will apply to non-IM banks once it has progressed its policy work on Simpler-regime firms.

² CP5/22 – The Strong and Simple Framework: a definition of a Simpler-regime Firm, published on 29 April 2022.