EUC and Spreadsheet Enterprise Risk. Are you prepared for CP6/22?

The U.K.’s PRA is targeting enterprise spreadsheet risk in 2023 with its new regulation CP6/22, which is intended to come into force a year later.  

When the PRA launched its consultation on the standard in June 2022, it cited as key issues the increased need for banks to respond more quickly in volatile markets and the use of AI and machine learning in modelling, which it is also bringing under its scope.

But the regulator is not just concerned with risks from emerging technologies. The PRA is also using CP6/22 to extend its oversight of the use of spreadsheets in Model Risk Management (MRM), as part of an enterprise-wide approach to supervision.  

“The proposed principles cover all elements of the model lifecycle and would be applicable to all types of models that are used to inform key business decisions, whether developed in-house or externally, including vendor models,” the PRA consultation document said.

What is CP6/22?  

CP6/22 draws heavily on the U.S. Federal Reserve’s 2011 Model Risk Management Guidance, SR 11-7, and supports existing regulations such as CRR, SS3/18 and SS11/13.  It also looks at a far broader range of model risks and aims to eliminate weaknesses in existing models.  

“The MRM principles are intended to address specific shortcomings currently observed in U.K. banks”, the PRA said.  

Enterprise spreadsheet risk is one shortcoming CP6/22 is intended to overcome, with the PRA uneasy over the role that this standard piece of software plays in banks’ regulatory reporting processes and broader business activities.   

Failures of spreadsheet risk management can cause numerous errors, and the PRA is particularly concerned about the software’s vulnerability to overwriting and the resulting need for careful documentation of key processes.

The focus on the risk posed by spreadsheets emerged through the Bank of England’s regular stress testing program, which found a number of companies lacked a sufficiently robust control environment that would enable them to generate reliable and accurate returns.

“For example, some firms had not formally registered working files as EUCs and had no program of ongoing reviews of the underlying logic,” the PRA said in a letter to the industry following the review in 2021.

Under the new CP6/22 standard, EUC spreadsheet applications and calculators will be classified as models, even for something as simple as business expenses. All changes to spreadsheets classified as models will need to be authorized and recorded, which in turn will impact how these tools are employed by banks.

The first principle of CP6/22 

The new standard is based on five basic principles and the first, “model identification and model risk classification”, requires that firms have “an established definition of a model that sets the scope for MRM, a model inventory, and a risk-based tiering approach to categorize models to help identify and manage model risk.” 

What this means for banks was spelled out by the industry group, UK Finance, in its September response to the consultation, when it said the PRA’s proposals would massively increase the regulator’s oversight of firms’ spreadsheet use.  

“This section has the potential to bring a large number of non-model tools used by banks into scope such as complex spreadsheets, virtually all IT systems and banking infrastructure, end user computer applications, as well as all calculations contributing to the financial accounts”. 

UK Finance called for a more relaxed standard, and while the PRA has yet to publish its response to the consultation, the fines levied on two U.K. banks for spreadsheet-linked errors in April and December, respectively, suggest it is unlikely to ease its focus on spreadsheet risk in 2023.

How can firms prepare for CP6/22?  

The timeline for CP6/22 implementation is relatively short, with the PRA’s consultation document saying that a draft supervisory statement is expected to be released in the first quarter of 2023. 

Assuming the draft does not differ significantly from the consultation’s proposals, there are a number of tasks banks need to complete ahead of its slated January 2024 start date.

According to U.K. bank CROs surveyed by UK Finance, finding the internal resources for independent model validation and internal audit under CP6/22 will present a significant challenge for firms. The trade body also highlighted the extra burden the new standard would place on smaller companies.

But whether banks are large or small, there are several steps they will all need to take to prepare for CP6/22.   

Firms will need to assess their current MRM framework against the PRA’s five principles and use gap analysis to identify shortfalls. Once this is complete, banks will need to set out a plan to remediate any issues that emerge.

This means that firms will require an up-to-date, risk-ranked inventory of EUCs, non-models, tools and calculators, and be able to demonstrate these inventories are complete, ensuring that appropriate control frameworks are in place.  

With CP6/22 the PRA wants U.K. banks to take a strategic approach to MRM, “as a risk discipline in its own right”, and firms have 12 months to meet its expectations.

Steve Pemberton
