Skip to main content


Credit risk remains core to much of the financial services industry and firms’ risk management processes in this area remain an area of regulatory focus. Continued political and economic uncertainty in the UK means that stress testing also remains a key area for businesses.

Our view of the change in IA focus from prior year to now:


Regulatory challenges are forcing firms to re-examine the cost, efficiency, sustainability and transparency in the quantification techniques and systems used in the credit decisioning process. With the help of technology, firms are improving their end-to-end credit risk management process in order to address these challenges, for example:
•Some retail banks are commencing digital change programmes aimed at transforming the customer experience across the on-boarding journey.

•Commercial and corporate banking firms are focusing on making credit risk management processes more customer centric and efficient, implementing new fin-tech or cloud-based solutions, embedding processes, technologies and ways of working that will underpin the enablement of a more agile organisation.

IA's role

IA has an important role to play in providing assurance over new or changed credit risk management systems, with a focus on ensuring solutions are aligned to the firm’s strategic objectives, the scale and nature of its business and its risk profile. Examples of IA focus areas include:
•Credit risk management functionality.

•Risks associated with the use of alternative data sources such as Open Banking and small and medium-sized entity credit data sharing schemes.

•Third party risk management and data protection and privacy requirements associated with the use of financial technology and the use of Artificial Intelligence in decision-making and decision support models.

•Undertaking dynamic control testing processes over the components of the credit risk management framework (including risk appetites, automated lending processing including underwriting, early warning and watch list processes and collections and recoveries/ re-structuring).


In 2020, greater attention is expected to be given by firms to the adequacy of stress testing programmes. Regulatory developments are also expected to require focus over the year ahead as, for example the Bank of England, the Federal Reserve and the European Banking Authority (EBA) are all expected to reassess their respective approaches to concurrent stress testing for 2020 onwards.

IA's role

IA’s role should be focused on the following key areas:
•Review the level of coordination and cohesion in the firm’s stress testing approach.

•Review the readiness of stress testing approach including IFRS 9 and Climate Change being new topics to be addressed in the stress testing approach.

•Adequacy of timing of generation of stress results.

•Level of evidence of continuous process and methodological improvement.

•Adequacy of governance framework, risk management controls and documentation around processes and assumptions, in particular expert judgement and post-model adjustments.


Regulatory expectations for model risk management continue to evolve for all firms using models in their business, with the scope, breadth and depth of model development, use and oversight activities all increasing.

Supervisors will neither approve nor place reliance on the firm’s strategic and operational use of a model, including for risk assessment, capital planning and stress testing, unless satisfied with a firm’s model risk management.


IA's role

Regulators have specific expectations relating to IA’s role in Model Risk. IA is expected to carry out an overarching risk assessment of all aspects of model risk, drawing up multiyear IA programmes with targeted work plans structured to challenge the model governance framework and test the effectiveness of model risk controls. Particular areas of focus for IA should include:

 •Adequacy of the board’s oversight and challenge of models.

 •Independent model validation.

 •Adequacy of organisational maturity of model risk management.

 •Risks associated with the use of alternative data sources, third party risk management, data protection and privacy requirements associated with the use of financial technology in ecosystem type environments and the use of Artificial Intelligence in decisioning and decision support models.

Did you find this useful?

Thanks for your feedback

If you would like to help improve further, please complete a 3-minute survey