Very good questions. I’ve come across this as well on operational resilience and
cyber, where the challenges are similar

Some thoughts on this (also with the ex-regulator hat on):

Management bodies should acknowledge the challenge and be thoughtful around
how to address this, e.g. through training; reporting; succession planning
etc. We recently heard from a regulator that they were worried that sometimes
these topics are ‘outsourced’ to one person on the exec/ Board who
understands it, whereas they are looking for broader skills and knowledge in
the group. Again I think this is important to acknowledge, including the fact
that building those muscles take time In terms of ‘evidencing’ appropriate oversight and challenge by the Board,
when supervisors look at meeting minutes they would expect to see critical
questions being asked and a level of discussion (rather than the Board just
‘noting’ things) The quality of the materials and reports being presented to the Board is very
important, both data, but also someone bringing out the ‘so what’ and in
particular where there are areas of judgement and uncertainty, and where
there are trade-offs

I have seen the following:

Percentage of the Business/Institutional portfolio in high transition risk sectors Proportion of the mortgage portfolio exposed to high physical risks (by 2050 under a 4-degree warming scenario is one specific example). Believe this is based on property level assessment and then some % increase in PD. Some reputational ones around ESG scores

However, I don’t believe anyone would set the thresholds at a level that would likely be binding. So skeptically, I think this is just for reporting and transparency at the moment – which is probably right given the limitations of climate risk modeling

We’ve seen a variant of this issue in US/Canada, with the large Canadian Banks generally having IRB approval at the Group level (including for their main US loan books) and their US subsidiaries being on standardized

In this case, there is no incentive for the US entity to seek IRB approval - but US regulators do care about the risk rating systems from a bank supervision perspective, which has raised some of the same questions about whether group models are suitable. Those banks have generally taken a view aligned to a previous poster, i.e., using local models for middle market and below, and trying to align to group models for larger companies and FI's

On the last point, I'll say that we've seen US regulators challenge the support for those decisions heavily, but at least in some cases it seems to have stood up to that challenge.  In one case where the bank's prior analysis and documentation didn't provide great support, they are being pushed to redevelop those as well, though they are trying to do so in a way that they can ultimately extend back to group as well, for a C&I model that was getting a bit long in the tooth anyway

I'll just flag that a Canadian bank who had decided to extend several of their existing "global" models to their US subsidiary based on similar logic, and while the logic makes sense broadly, they ran into significant issues with their US subsidiary’s regulator about the way they did it

I would primarily attribute the root causes of those issues to:

Operating model for how those decisions were taken and where they were reviewed and challenged – the Group development and validation teams led the substantive assessment of “fit-for-use”, and while there were some US stakeholders involved, the ones most involved were not very senior in stature, and often deferred to the expertise of Group.  But those US stakeholders then couldn’t / didn’t do a good job of credibly defending those decisions to their regulators, leading the regulators to question if US senior management had been sufficiently involved in determining that these models were appropriate for the US portfolio

The documentation they produced justifying and validating the use of these models in the US was a narrow “fit for use assessment”, which taken as a standalone artifact fell far short of the comprehensive model documentation and validation expectations of SR 11-7.  This led regulators to question the “effective challenge” provided by US model risk management and more broadly by US senior management

The short answer is yes they should definitely be included. The group risk report is the bare minimum that should be included for a GSIB in terms of internal reports and you can go from there

Will to share some pages on the latest interpretation of the scope of BCBS239 by the ECB. A bit more expansive that the traditional industry approach but that is really going to be the new bar. We also have a full BCBS239 benchmarking database that covers 20+ banks (including most European GSIBs) and all dimensions of BCBS239 so maybe your client wants to participate in it

There is certainly precedent for this in loss forecasting, given various companies that need to follow both IFRS9 and CECL at different legal entity levels, and/or to follow different stress testing guidance for different regulators.   I can’t think of a case where I’ve seen it for the primary credit risk rating models however (at least not for literally the same exposures receiving two different ratings)

Thanks a lot, this was very helpful!

Very interesting point. Would be great to know OW's experience with feedback from other players.

+1 for the Amazon model. Driving adoption is tough. Predicated on the issue that almost nobody reads slides before the meeting. Building in 5-7 minutes for content review while in the meeting can be effective even if it isn’t the rigid memo format at Amazon. For example, you can summarize key decision points up top, then a cascade of a few pages for all to review. Instead of driving to ideation this drives to outcomes

I agree, but wonder if there is something more here.

I have also seen such “findings” and in the two cases I saw, they were politically/ career minded where once the MRM team was fighting a past battle (comments on how the bank uses resources, and ones they didn’t get) and once where the MRM team lead wanted the lead modeler’s job (and was trying to make a point about how they would use resources). In neither case were such “resource” use findings actually anchored in trying to do MRM work…

I think most have been said already, but just for the record I have also seen a PD master scale being validated by MRM (US).

I’d say as mentioned, the guiding principle should be how you derive the scale. If it involves mathematical and statistical methods, assumptions etc. then it most likely falls under the “model” definition and should be validated. I would tie it to how you define a model internally and what the MRM policy says about it