Industry
Banking
Banking Services Transformation: Unlocking Exponential Value
Highlights
- Legacy MRM platforms are failing under regulatory pressure, operational complexity, and outdated designs, driving an urgent need for overhaul.
- New regulatory demands and the rise of AI/GenAI models require next generation MRM capabilities with flexible data models, smart automation, and stronger governance.
- Selecting the right build or buy approach is a multi year strategic decision shaped by cost, integration needs, and differing archetypes across global, multinational, and national FIs.
In this article
In this articleinpage
MRM Challenges
A strategic overhaul of model risk management (MRM) is overdue for many financial institutions (FIs) today.
A series of major drivers ranging from regulatory mandates, business strategies and technology are making huge demands on the effectiveness and efficiency of existing model risk management platforms and processes.
Model Risk Management Challenges
In order for FIs to address these demands, they will have to determine the fitness of their existing MRM platform and approach and evaluate the best course of action to confidently meet the new demands. This could be via updates or upgrades to existing infrastructure or a shift to whole new tooling.
In this context, we examine critical considerations for the scenario where FIs decide more significant improvement is required, requiring replacement of all or large parts of the current MRM platform. In this situation, FIs are typically faced with a Build vs. Buy decision.
Traditionally, FIs have either custom-built solutions or adapted third-party Governance, Risk and Compliance (GRC) solutions to their needs. Now, however, there are viable “buy” options that include purpose-built platforms developed by model risk practitioners, in response to their first-hand challenges with using the traditional solutions.
Why the need to replace the MRM platform?
Issue backlogs have ballooned as outdated or poor system design results in an inflexible data model, hardcoded workflows and poor integration capabilities. Alongside these challenges, brand new requirements have built up too. The consequences are material – serious compliance shortfalls, user frustration and fatigue, and inaccurate and incomplete information on model risks from forced use of offline processes. In addition, the risk of system instability is growing, resulting from multiple ad-hoc modifications being made in response to short term critical issues. Given all of this, it is no wonder many FIs are looking to fundamentally revamp their MRM platform.
In UK, the regulator spelled out the new expectation in their January 2025 “Dear CEO” letter advising that FIs prioritize remediation of MRM to align with SS1/23. “Firms should continue to implement and embed changes to model risk management (MRM) to align with the principles in the PRA’s supervisory statement 1/23. Where shortcomings have been identified, firms should prioritise remediation as part of broader risk management improvements”. Firms’ Boards also have a role in assessing the overall approach to MRM and the quality of decision making based on model outputs.
Strategic Considerations
Revamping a firm’s MRM platform involves evaluating several key considerations.
Upgrading a firm’s MRM platform is a significant decision requiring a long-term view of at least 6- 8-years. This timeframe is relevant as transforming a firm’s MRM approach can typically be a 1- 2- year program and any solution should meet the needs of the organisation for at least three years and ideally five years thereafter in terms of strategic changes anticipated in the business model of the FI. Likewise, careful consideration of the sourcing options and their impact over long term is required as changing approach mid-project could be costly both in terms of investment outlay and demand on management’s strategic bandwidth. Sourcing options include:
- Building a bespoke inhouse solution
- Extension and adaptation of an existing GRC platform
- Sourcing modular components from various vendors for building the solution
- Licensing and configuring a vendor solution.
Design priorities
Design Considerations for an MRM Platform
Strategic changes in business model and regulatory Imperatives
Strategic changes anticipated in size and scale of operations and product/ business portfolio and regulatory triggers have a significant impact on the design of the MRM platform. They determine the complexity and diversity of regulatory regimes that need to be covered, types of models that need to be supported and the range of user types for the solution. These considerations then feed into the design of the data model, workflow customizations, reporting dimensions, granularity of user permissions, baseline back-up and recovery requirements as well as performance levels expected over the lifespan of the MRM platform.
Rollout of next generation model types
The rapid adoption of AI and Generative AI (GenAI) models in the industry is transforming both the volume and complexity of the model portfolio that needs to be supported by any MRM platform. They also bring some new and distinctive challenges. Given their nature, design of MRM platform must include additional features in terms of AI/GenAI specific model identification and tiering algorithms, additional model metadata, tracking of underlying optimization algorithms and hyperparameters and integration with ML/LLM DevOps. Significantly, AI and GenAI tend to be deployed in a much wider range of user areas giving rise to a broader range of business and governance stakeholders who need to be involved in MRM control processes. Flexibility is required as FIs test various alternatives for AI governance and control frameworks.
Enhanced User Experience
Enhanced user experience in navigating MRM platform has become paramount in achieving compliance and reducing reliance on offline MRM processes. Digital enablement of users through incorporation of new generation features into MRM solutions is key. These include smart workflow automations involving automated data population through document parsing, event driven updates, agentic AI driven reviews of low-risk use cases and use of generative AI tools for operational efficiencies in everyday tasks such as creating dashboards, querying historical data in MRM platform, comparing MRM policy changes, running validation test or drafting model documentation.
Data and IT infrastructure strategy
A firm’s data and IT Infrastructure strategy defines the preferred approach for the deployment of a new MRM platform and control over the code of the platform. This determines the openness to consider SaaS and cloud option vs. on-premises installation for data storage and system deployment. Integration with systems within and outside the MRM ecosystem is another factor which impacts MRM platform design. For example, integration with BI systems to support reporting on MRM risk and compliance status to the Board and Executive teams is a key requirement. Further connectivity with model monitoring and deployment systems has gained attention since it enables timely detection of adverse changes in risk score of models over the lifecycle.
Supply-side Factors
Sourcing considerations for the MRM Platform
Supply side considerations involve strategic analysis of various internal and external options to achieve, enhance and support the MVP on critical parameters of cost, time, quality, control and network design.
To properly evaluate the cost of revamp of an MRM platform, FIs consider the total cost of ownership (TCO). At the design and build phase there can be a good deal of uncertainty in the resources and timeframes in building an operable solution. While reference to other internal projects help, reasonable estimates for overruns should be included too.
A like for like comparison with vendor solutions offered as SaaS implies that the cost of internal build includes the opportunity costs of IT infrastructure for hosting and managing the platform built internally. Equally important are the costs of scaling up the solution in future to access wider number of features and to cover for increases in the number of users and models. The costs of SaaS option could shoot up and be very difficult to analyse in the absence of a clear list of non-negotiable requirements considering the service life of 5-8 years for the platform.
Finally, for a true TCO view, there are other material hidden costs which should be accounted too. These costs include leadership bandwidth and programme management resources including IT and MRM domain resources upfront and over the service line of solutions.
Designing, building and implementing a fully functional MRM solution typically takes 12–24 months, depending on the scale and complexity of the FI. A minimal viable solution might be operational after 6-9 months though this won’t be sufficient to meet all the business goals needed. In comparison, the new crop of specialist MRM vendor solutions can be configured and ready to go-live within 12-16 weeks in most organizations. However, the main caution on vendor solution is related to the time taken to accept third party software into the firm’s IT estate. This can be quite involved for on-premise installations, however with FIs increasingly deploying via cloud infrastructures or SaaS operating model, this issue is diminishing.
Choosing a ‘Build’ approach offers the benefits of full control over development and timing of future updates. This can be appealing to some FIs and key stakeholders. In contrast, taking a ‘Buy’ option puts the onus on the vendor to ensure all their customers’ needs are met. Vendors also can deploy upgrades and updates in a time efficient and low time overhead manner that does not require much leadership mindshare or mobilization of resources. However, a buy approach may not allow prioritization of idiosyncratic requirements that global FIs may have.
Almost as crucial as the direct functionality of the MRM solution (whether built in-house or supplied by a vendor) is the ability to easily integrate the solution with other platforms within and outside the MRM ecosystem of the FI. Connectivity is more straightforward with an in-house system, though it is surprising how hard it is sometimes to roll out if the main platform has been developed piecemeal over time. Many vendor solutions incorporate application programming interfaces (APIs) including ready-made interfaces for widely used reporting and ETL tools, to enable integration.
Emerging Archetypes
Three archetypes are emerging in MRM Governance Platform based on the considerations discussed before.
These are primarily determined by the size and spread of geographical operations of the FIs and therefore could be identified as archetypes for (i) Large global FIs (ii) Multinational FIs (iii) National FIs
For large global FIs, the target state solution must address diverse regulatory regimes, complex model portfolios, a global user base, and top tier security requirements including code ownership and portability between an on-premises and cloud deployed solution. It should be flexible enough to support a significant number of distinct and dynamic requirements of the large global FI upfront and over the life of the platform. The target state must support open network to provide a clear and dynamic view of aggregate model risk in the FI which can be achieved only through connectivity within the broader MRM ecosystem.
Multinational FIs have similar functionality requirements as global FIs though at a relatively smaller scale. Customizations are an important ask from this group, however this must be balanced with the extra overhead of bespoke functionality. The need has been recognized across the industry and is being consciously incorporated through options such as rich out-of-the-box feature set, multiple configurability choices, and lastly, a reliable and upgrade-friendly framework to develop and integrate custom components.
In comparison to large global and multinational FIs, national FIs, building societies and credit unions have more straightforward as well as overlapping requirements. On the supply side, this group has smaller MRM and IT teams limiting internal capacity to design, adapt or manage MRM platforms.. In this scenario, vendor solutions offer a credible option with a strong focus on essential compliance with applicable MRM regulations along with a rich out of the box configurable features. Finally, implementing a SaaS solution from vendor improves management of costs related to system support, as well as investments in IT infrastructure and MRM resources.
The right move
Whether an FI prefers a build solution, or the vendor option, ultimately selecting a new MRM platform approach will be a multifaceted decision. There are clearly trade-offs, and similar firms will arrive at different approaches for legitimate reasons. These trade-offs include the relative perceived ability of an approach to address some key challenges, including (i) meeting specific functional requirements (ii) implementing external software into the FI’s IT estate and (iii) adaptability of the solution to future requirements.
In addition, the decision is likely to be impacted by the current level of skilled resources within the organization, the extent of any regulatory pressure to improve the MRM set up and the ambition of the organisation to future proof its MRM approach against a fast-evolving modelling landscape. Thus, in our view a strategic initiative of upgrading the MRM platform requires close knit collaboration across stakeholders, diligence in planning and execution and consistent executive oversight to ensure a successful outcome.