2023-01-01

Prudential Standard 02-2023/BSD: Model Risk Management

The Reserve Bank of Zimbabwe issued Prudential Standard No. 02-2023/BSD to mandate comprehensive model risk management frameworks across all licensed banking and microfinance institutions. The Standard requires boards and senior management to establish robust governance, clear policy manuals, and defined roles for model development, validation, and independent review. It further obligates institutions to implement proportionate risk assessment practices, maintain accurate model registers and logs, and submit annual validation reports by March 31 to ensure financial stability and regulatory compliance.

Zimbabwe

Reserve Bank of Zimbabwe

BANK SUPERVISION DIVISION

July 2023

Prudential Standard No. 02-2023/BSD

Model Risk Management

Contents

PREAMBLE
LEGAL AUTHORITY AND APPLICATION
1. INTRODUCTION
2. MODEL RISK MANAGEMENT FRAMEWORK
  2.1. GOVERNANCE AND OVERSIGHT
  2.2. MODEL RISK MANAGEMENT POLICY
  2.3. MODEL DEVELOPMENT
  2.4. MODEL VALIDATION
  2.5. MANAGEMENT INFORMATION SYSTEMS
  2.6. INTERNAL CONTROLS AND INDEPENDENT AUDITS
  2.7. MONITORING AND REPORTING
3. EFFECTIVE DATE

DEFINITIONS

Model – In this Prudential Standard, a model is any quantitative methodology, system or approach that applies theoretical and expert judgement based on statistical, economic, financial or mathematical theories, techniques and assumptions to generate a quantitative estimate through the processing of input. A model has three distinct components namely:

  i. Input – The input component of a model encompasses the data and assumptions used to develop the model;
  ii. The processor – This is usually a methodology constructed from mathematics, statistics, finance or economics and transforms inputs into estimates; and
  iii. Results / Reporting component – This is the output of the model which can either be quantitative or qualitative.

Material model – model used to support key functional activities and decision making processes of a banking institution. Errors and / or improper functioning of such a model will likely result in significant impact on strategic positioning and substantial financial losses in relation to capital.

Model risk – This is the potential adverse consequences arising from decisions made based on the usage of incorrect inputs, assumptions, procedures and misinterpretation of model results. This can result in financial loss, poor business and strategic decision making or reputational risk. Model risk increases with greater model complexity and usage.

Model user – a model user is a unit or individual who relies on the model output to make decisions. A model user is involved in the early stages of model origination as they specify the model characteristics for usage.

Model developer – a model developer is a unit or individual involved in the designing, testing, implementation, ongoing monitoring and documentation of models.

Model owner – a model owner is a unit or individual responsible for the model selection, development, initial testing, ongoing monitoring, outcome analysis, administering changes and documentation of model.

Model reviewer – a model reviewer is an independent unit or individual responsible for model vetting, validation and reporting of findings and issuing of recommendations to the model approver. A model reviewer is also responsible for the identification of potential risks the model poses and issuance of guidance to the model developer and user on the appropriateness of the model for a defined purpose.

Model approver – A model approver is a committee or individual responsible for approving the usage of a model upon reviewing the findings and recommendations of the model reviewer.

Model validation – is a set of processes and activities intended to verify that a model is performing as expected, in line with the design objectives and business use.

Back testing – This is a process of assessing the performance of the model using historical data.

Model log – This is a document capturing all the developments that have been occurring within a specified model through its life span in chronological order. The document will also contain details of the individuals who performed changes to the model.

Model register/inventory – This is a database of information concerning all the models that a banking institution has and has used.

Internal models – This is a model that was developed and implemented internally by the banking institution.

Internal models developed with external support – This is a model that was developed internally by the banking institution with assistance from external consultants.

Group models – an external model used by the banking institution, sourced from within the group.

Challenger model – This is a model developed to rival another already existing model for comparison of results and performance.

External model – This is a model developed by an external consultant or vendor that is currently in use within the banking institution.

PREAMBLE

The Model Risk Management Prudential Standard provides guidance to banking institutions on adoption of appropriate model risk management practices that are in line with international best practice. The Standard seeks to promote sound development, implementation, and rigorous model validation as vital elements of model risk management. In line with the principle of proportionality, practical application of the Prudential Standard should be commensurate with a banking institution’s risk profile, its business activities, complexity and extent of model usage.

LEGAL AUTHORITY AND APPLICATION

This Prudential Standard is issued in line with Section 6(1)(c) of the Reserve Bank of Zimbabwe Act [Chapter 22:15], which gives the Reserve Bank of Zimbabwe the mandate to foster the stability and proper functioning of Zimbabwe’s financial system.

The Prudential Standard shall apply to all banking institutions licensed by the Reserve Bank under the Banking Act [Chapter 24:20] and the Building Societies Act [Chapter 24:02], and microfinance institutions licensed under the Microfinance Act [Chapter 24:30]. Reference to banking institutions in the Standard shall be taken to mean all the above institutions.

1. INTRODUCTION

1.1. Banking institutions have become increasingly reliant on modelling in most aspects of their decision making. This has been driven by the increasing complexity and range of activities they are undertaking, including risk management, capital adequacy calculations, pricing of loans, stress testing, pricing and valuation of assets, and forecasting.

1.2. Models are key for strategic business planning as they facilitate informed decision making regarding the future direction of a business process, or system. Among other benefits, models can help identify bottlenecks in a business process, and can provide a means of tracking the specific value of a business activity, system, or service, by understanding the end-to-end process that it supports as well as the revenue produced by that process.

1.3. Regulatory standards such as the Basel capital standards have also supported the use of models in deriving key regulatory metrics.

1.4. Model usage is, however, associated with specific risks and costs. These include the risk of error in the process and choices of inputs, as well as measurement and interpretation of outputs. Inappropriate application of models may also generate financial losses due to, inter alia, incorrect business decisions which may result in regulatory breaches or bank failure, as well as reputational damage to banks if outputs from models are not fully understood, or incorrectly applied due to a lack of understanding of the model’s potential limitations or implementation errors.

1.5. In view of the human and information technology resource capabilities required in the modelling process, there is need for boards of banking institutions and management to put in place appropriate model governance and risk management frameworks. The model risk management framework should include Board and Senior management oversight, establishment of policies and procedures, setting up appropriate Management Information Systems, internal controls and independent reviews, monitoring and reporting that will enable the banking institution to manage model risk in line with risk management best practices.

1.6. The model risk management framework should cover all the aspects of the model life-cycle phases. The figure below shows the phases in a typical model life cycle which are model origination, model development, pre-validation, independent review, model approval, model implementation, model monitoring and model retirement.

Figure 1: Model Life Cycle (adapted from Deloitte, Model Risk Management, 2017)

  Model Origination – Model users put forward their need for a model and the purpose of the model.
  Model Development – Data gathering and cleaning, preparing it for use in the model development process.
  Model Pre-Validation – Model developers conduct tests to ensure that the model is performing the way it is expected.
  Independent Review – Conducted by parties that were not involved in the model development process.
  Model Approval – Model is presented to management for assessment and approval.
  Model Implementation – Involves uploading model into the production environment.
  Model Monitoring – Monitoring the performance of the model.
  Model Retirement – Involves the decommissioning of a model from use.

2. MODEL RISK MANAGEMENT FRAMEWORK

2.1. GOVERNANCE AND OVERSIGHT

2.1.1. Banking institutions should implement best practices in model governance at every stage of the model risk management cycle.

Board and Senior Management Oversight

Board of Directors

2.1.2. The ultimate responsibility for model risk management in respect of all models rests with the Board of Directors. The Board is expected to have sufficient knowledge about the models used in the banking institution.

2.1.3. The Board or a dedicated committee of the Board is expected to have oversight over:
  i. Determining the model risk management process, which should be consistent with the overall risk management system in place at the banking institution;
  ii. Approval of model risk management policy and its annual review to ensure adequate customisation to current circumstances, priorities and strategic direction;
  iii. Determination of the banking institution's scope of application of models; and
  iv. Controlling or setting the model risk appetite in line with the banking institution’s risk tolerance level.

2.1.4. With respect to material models, the Board or a dedicated committee should be responsible for approval of:
  i. the results of model validation;
  ii. withdrawal and introduction of changes to models; and
  iii. monitoring the introduction of suitable remedial and corrective measures.

2.1.5. In order to execute its function effectively, the Board is required to receive and review, on an ongoing basis, and at least annually, the following information:
  i. List of material models used at the banking institution along with their materiality and risk level, direction of model risk and causes of changes over time;

  ii. Changes in the number of material models used, their scope of application and causes of the changes;
  iii. Key findings of performed monitoring, model validation and internal audits;
  iv. The status of recommendations (from monitoring, validation and audit) issued in the previous periods and the effectiveness of the undertaken remedial and corrective measures;
  v. Assessment of the level of the banking institution’s aggregate exposure to model risk in the context of the adopted risk tolerance level;
  vi. A list of planned measures in the management of models and the anticipated risk; and
  vii. Other important information in relation to effective performance of the tasks entrusted to the Board in relation to model risk management.

Senior Management

2.1.6. Senior management should be responsible for the implementation of the model risk management framework. In particular, management is required to:
  i. Align the banking institution’s reporting structure with the model risk management policy and ensure adherence to high standards of governance;
  ii. Actively manage model risk making use of all available information;
  iii. Ensure availability of adequate and appropriately skilled personnel responsible for model risk management; and
  iv. Ensure availability of adequate Information and Communication Technology (ICT) infrastructure and access to data and information for the effective performance of tasks.

2.1.7. In implementing the Model Risk Management Policy, management should ensure appropriate internal controls which promote independence between model owners, model users and model reviewers.

2.1.8. Banking institutions should ensure they have a suitably qualified member of the risk management function who is directly responsible for:
  i. Coordinating the model risk management actions;
  ii. Obtaining all necessary information from internal stakeholders;

  iii. Ensuring accuracy and relevance of the model register and model materiality assessments; and
  iv. Ensuring an integrated approach to aggregate model risk measurement, assessment and ongoing monitoring in the context of the adopted risk tolerance level.

2.1.9. Model risk can be measured using qualitative and quantitative factors. Qualitative factors such as uncertainty surrounding input data and assumptions, complexity of the model, type of model, significance of the model results, interactions with other models or tools, and use of the model may be considered in determining a model’s overall risk. Quantitative factors that can be considered in measuring model risk can include historical information on the magnitude of losses associated with model risk such as when model errors or model failures occur.

2.1.10. Management should ensure continuous assessment of skills available, and availability of resources required for effective model risk management on an ongoing basis.

2.1.11. Management should also ensure adequate succession planning in relation to model risk management which should, among other considerations, be informed by the institution’s business continuity strategy.

2.1.12. Banking institutions’ senior management is also expected to:
  i. Have direct supervision over the integrity of model risk management processes at the banking institution;
  ii. Ensure the development of adequate model risk management policies and procedures;
  iii. Have appropriate knowledge of the structure and functioning of models;
  iv. Regularly report on assessment of the model risk management processes as well as identified model risks to the Board or a dedicated Board sub-committee;
  v. Initiate undertaking of appropriate remedial and corrective measures; and
  vi. Ensure that the set model risk tolerance levels for the various models in use in the banking institution are in line with the approved risk appetite levels.

2.1.13. Senior management should establish an independent review process for the model proposal, development and pre-validation stages of the life cycle of every model. The independent review should consider the adequacy of all documentation, whether all procedures were followed, and whether the resultant model meets the expectations set out at the model origination stage. In cases where anomalies are detected, the process should revert to any of the preceding stages based on the matter identified.

2.1.14. Every banking institution is required to establish a models approval committee. All members of the models approval committee should be independent of the model development and have adequate skills to review the pre-validation and independent review reports and determine whether the model will proceed to the implementation phase.

2.1.15. The banking institution is required to annually submit back testing and validation reports, model approval committee minutes, independent review reports and model technical documentation for material models which give adequate description of the models and implementation to the Reserve Bank of Zimbabwe for review. The submissions must be made by 31 March of the following year. The Reserve Bank of Zimbabwe can request additional information where necessary.

2.2. MODEL RISK MANAGEMENT POLICY

2.2.1. A banking institution is required to develop and implement policies and procedure manuals approved by the Board, outlining the processes of identification, estimation, monitoring, control and reporting of model risk.

2.2.2. The model risk manuals should set out the methodologies for the development, implementation, use and verification of the performance of models within the banking institution.

2.2.3. The manuals should also provide adequate details on the various processes undertaken at each stage in the model life cycle and should be clear and elaborate to the extent that suitably skilled and knowledgeable individuals can follow the processes defined in the manuals.

2.2.4. The model risk management policy should provide for the following:
  i. A generic definition of a model, which takes into account the various processes undertaken within the banking institution;
  ii. Principles and approaches to be used in model identification within the banking institution;

  iii. Minimum standards of model risk management within the banking institution that ensure transparency of the whole model risk management process at the operations and control level;
  iv. Appropriate organizational structures based on existing and new models in use within the organization, with clear reporting lines and responsibilities;
  v. Appropriate safeguards to prevent the use of models that do not meet specific quality standards or are characterised by excessive risk level;
  vi. Standardisation of the model risk management process by identifying core sub-processes and unifying appropriate solutions at banking institution level, as well as establishment of model risk tolerance levels which are cognisant of the size of a banking institution’s operations; and
  vii. Adequate understanding of the risk levels posed by the models in use within the banking institution, with a hierarchy based on various metrics.

2.2.5. The model risk management policy should also ensure adequate coverage of the following:
  i. Models used and to be used within the banking institution for model risk management processes;
  ii. Formal processes of management of models and their risk on all stages of their life-cycle;
  iii. Requirements for the appropriate documentation of models;
  iv. Establishment of model risk tolerance levels and limits which are in line with the level of model usage within the banking institution; and
  v. The updating of the policy at regular intervals and when material changes have occurred that will impact the model risk management process.

2.2.6. The process of formulating the model risk management policy, resources and infrastructure mobilization and allocation should be guided by the following:
  i. The level and type of exposures the banking institution has to model risk;
  ii. The nature of banking activities; and
  iii. The complexity and scope of model usage in the activities highlighted in (i) and (ii) above.

2.2.7. Banking institutions should ensure that the procedures within the model risk management process are reviewed regularly and adjusted to align with changes in organizational structure, increase in model usage across the various business units, the risk level within the banking institution and the operating business environment.

2.2.8. Banking institutions should state the roles of specific individuals and structures within the model risk management process and their scope of work in the model risk management process. The tasks should include:
  i. The development of frameworks related to model risk management, the determination of the units responsible for carrying out reviews and the frequency of the reviews;
  ii. The creation of timelines for the various stages from model development through to reviews and decommissioning, informed by the performance of the model and environmental developments;
  iii. Ensuring that the banking institution has allocated adequate resources (financial, human and technological) at the model implementation stage;
  iv. Defining business needs and initiating the use of models for decision making at the banking institution;
  v. Defining the scope of model application, the usage and the limitations of the model, including determination of circumstances when the model and its results are not valid;
  vi. Identification of type and sources of data used by models, ensuring access to the right data at the stages of development, use and performance quality verification of the model;
  vii. Model origination, documentation and review of model conformity to internal and external requirements;
  viii. Model approval for usage and implementation into the production environment;
  ix. The process of model implementation in the production environment and documenting the implementation tests conducted;
  x. Approval of the results of the model implementation tests in the production environment, confirming that the model meets all the intended functionalities and operates in line with the test version of the model;
  xi. Performance of model validation and approval of the validation results;
  xii. Model monitoring and documentation of observed phenomena and the approval of the results obtained in the monitoring process;
  xiii. Drawing up a model log;

  xiv. Development of a model register / inventory;
  xv. Initiation of specific remedial or corrective measures in the case of deterioration of model performance quality;
  xvi. Assessment of model materiality, degree of susceptibility to model risk and the model risk levels;
  xvii. Creation of back-up copy of the model, the documentation and the source code;
  xviii. Upgrading and maintaining model code;
  xix. Updating the model, the code and related documentation to reflect any changes done, the scope of the changes and the impact they have on the results noting the persons responsible for the changes and the date the changes took effect;
  xx. Creation of the process of selection of external service providers of models and the scope of the services rendered;
  xxi. Performing quality assurance on the services provided by external suppliers; and
  xxii. Preparation of management information.

2.2.9. Personnel involved in the model risk management process should be adequately capacitated on internal policies and procedures that are related to model risk management.

2.3. MODEL DEVELOPMENT

2.3.1. To foster effective model development, banking institutions should develop a clear statement of purpose which aligns model development with the intended model use.

2.3.2. Banking institutions should adequately document the design, theory, and logic underlying specific models, supported by published research and sound industry practice. Mathematical specifications and numerical techniques and approximations should be explained in detail with particular attention to their merits and limitations.

2.3.3. Banking institutions must ensure that model components work as intended, are appropriate for the intended business purpose, and are conceptually and technically sound. The alternative theories and approaches considered during the model development process should be documented.

2.3.4. Banking institutions should rigorously assess the quality and relevance of data and other information used in the development of a model, and be able to demonstrate that such data and information are suitable for the model and consistent with the principle behind the approach and chosen methodology. The assessment process should be appropriately documented.

2.3.5. In instances where data proxies are used, banking institutions should identify, justify and document the data proxies. If data and information are not representative of the bank’s portfolio or other characteristics, or if assumptions are made to adjust the data and information, these factors should be properly tracked and analysed so that users of the model are aware of potential limitations.

2.3.6. An integral part of model development is pre-validation or testing, which involves evaluation of the various components of a model and its overall functioning to determine whether the model is performing as intended. Model testing includes checking the model's accuracy, demonstrating that the model is robust and stable, assessing potential limitations, and evaluating the model’s behaviour over a range of input values during the development stage.

2.3.7. Testing should be applied to actual circumstances under a variety of market conditions, including scenarios that are outside the range of ordinary expectations, and should encompass the variety of products or applications for which the model is intended.

2.3.8. Banking institutions should ensure that the development of the judgmental and qualitative aspects of their models is sound. Where statistical output from a model is modified by judgemental and qualitative adjustments, these should be clearly documented.

Model Selection

2.3.9. A banking institution is expected to document the model selection process indicating the types of models considered. The documentation should contain information on the tests the banking institution conducted, results from the models and the selection criteria.

2.3.10. In instances where a banking institution is using external models, the institution is expected to acquire comprehensive knowledge and demonstrate understanding of the functioning of the models.

2.3.11. A banking institution should maintain adequate documentation in respect of all its models incorporating:
  i. The application of the model, results and decisions it influences;

  ii. The assumptions and model construction method. The documentation should include the advantages, disadvantages and limitations of the assumptions and model construction;
  iii. The input data the model uses; and
  iv. A report on model performance and the adequacy of the model for the role it is used for.

2.4. MODEL VALIDATION

2.4.1. Banking institutions should put in place appropriate model validation processes and activities intended to verify that models are performing as expected, with respect to their design objectives and uses.

2.4.2. All material models, whether they were internally or externally developed, should be subject to validation. The validation process should cover all components of the model which include the input data, modelling methodology, and reporting.

2.4.3. The validation techniques employed should be in line with the usage of the model, the complexity and materiality of the model, as well as a banking institution’s size and complexity.

2.4.4. The process of model validation should ensure that model risk is reduced through the following:
  i. Verifying that a model is performing as stated in the model development report;
  ii. Recommending areas of improvement at any stage of the model life cycle as appropriate;
  iii. Ensuring that recommendations for model improvement are implemented in line with their assigned risk levels; and
  iv. Ensuring that model risk management best practices are adopted and maintained.

Independence

2.4.5. The model validation function should be independent from model development and use. The independence of the model validation function may be supported by separation of reporting lines, but ultimately should be evidenced by actions and outcomes.

2.4.6. A banking institution should ensure that the staff responsible for the validation activities are adequately capacitated to enable them to effectively discharge their duties. The criticality and complexity of a model determine the level of expertise and independence necessary for validation staff, as well as the scope and frequency of validations. The more vital or complex the model, the greater the need for frequent and detailed validations performed by independent, expert staff.

2.4.7. The size and complexity of a banking institution may warrant the establishment of an independent model validation unit.

2.4.8. The independence of the model validation function may be enhanced by ensuring that:
  i. the function has direct access to the board committee responsible for model risk management; and
  ii. model developers and model users are not part of the employee appraisal process or remuneration determination for model validators.

2.4.9. The model validation function should have sufficient authority in the banking institution to critique the model performance assertions and should be able to give recommendations as well as escalate its findings to the Board committee responsible for model risk management.

2.4.10. In situations where the scale and complexity of a banking institution’s operations do not support the establishment of a fully-fledged model validation unit, model validation can be performed utilising a peer review process. For instance, staff members that are responsible for the development of credit models may validate market risk models.

2.4.11. The internal audit function should review the validation that would have been undertaken in such a situation, to provide assurance that the validators were not involved in the development process and that the testing results support the accuracy of the validation.

2.4.12. Banking institutions with inadequate capacity to perform model validation may outsource the validation of their models to external validators who have the technical expertise to perform the function. Banking institutions that have engaged external validators should outline the following in their validation reports:
  i. reasons for seeking the services of an external validator;
  ii. qualifications and technical expertise of the external validator;
  iii. scope of services that will be provided; and
  iv. key deliverables.

2.4.13. Where a banking institution engages an external validator, the responsibility for model risk still lies with the institution.

The Model Validation Process

2.4.14. An effective validation framework should comprise both quantitative and qualitative techniques that encompass the following:
  i. Evaluation of conceptual soundness;
  ii. Ongoing monitoring; and
  iii. Outcomes analysis.

2.4.15. Banking institutions should ensure detailed documentation of the validation process covering the validation methods used, procedures, tools, and goals.

2.4.16. Model performance tests should be conducted for every model in use within the banking institution.

2.4.17. The model validation process should review the conceptual and technical soundness of a particular model. Model validation should review the overall theoretical construction, key assumptions, data, and specific mathematical calculations, amongst other developmental aspects. These should be subjected to critical analysis and testing as necessary. In situations where there have been material changes to a model, validation should be conducted before a model is put into the production environment again.

2.4.18. The validation process should incorporate sensitivity analysis to test for the stability of a model, as well as ensure that the basis for the qualitative and judgmental assessments is clear and documented.

2.4.19. Banking institutions should continuously monitor models to determine the need for adjustment, redevelopment, or replacement of models (as a result of the impact of changes in products, exposures, activities, clients, or market conditions), and to verify that any extension of the models beyond their original scope is valid. Material changes to models should also be subject to validation.

2.4.20. Model limitations that would have been noted at the model development stage should be regularly assessed over time, as part of ongoing monitoring. The monitoring should continue throughout the life of the model.

2.4.21. The validation process should include process verification checks (PVCs) that ensure all model components are functioning as designed and whether the current validation techniques are sufficient to identify any emerging model weaknesses.

2.4.22. PVCs should verify the quality of data used in the modelling process as well as the comprehensive checks of the computer code implementing the model. Particular emphasis should be directed to computer codes that are user-developed and used to manipulate large amounts of data as they are prone to model risk.

2.4.23. The validation process should compare a model’s outputs against actual outcomes to evaluate the performance of the model as well as identify any model weaknesses.

2.4.24. The validation process should also benchmark a model’s inputs and outputs to estimates from alternative internal or external data or models. In instances where discrepancies are beyond the set tolerance levels, an investigation should be conducted into the cause of the differences.

2.4.25. The model validation process and its frequency should be in line with the peculiarities of the model and the model’s risk level. In this regard, when developing a validation process, the banking institution should take cognisance of a model’s usage, development methodologies and risk factors that might impact model performance.

2.4.26. Banking institutions should validate material models at least once a year. In some exceptional cases, validation may be conducted less frequently or the scope of the validation process may be reduced with supporting reasons for the variations. The reduction in the validation frequency and scope should be approved by the board committee responsible for model risk management.

2.4.27. Where validation is not possible or the validation has been partially conducted due to lack of data and/or other constraints, such information should be brought to the attention of the users, senior management, and other relevant parties and documented in the relevant model validation report.

2.5. MANAGEMENT INFORMATION SYSTEMS

2.5.1. Every banking institution is required to put in place a suitable management information system (MIS) that will aggregate all model risk management information and processes.

2.5.2. The MIS should have the following capabilities at a minimum:

i. Enable tracking of all models within the banking institution from inception to retirement, listing the necessary documentation through the life of a model inclusive of origination documentation, validation reports, approvals and data used in model development;
ii. Storage of all model codes and capturing of changes made to the codes, capturing the name, date and documentation used to effect the changes made to the code;
iii. Aggregate the model risk information, from the various systems in the banking institution that rely on models and their results, for the calculation of performance indicators, key risk indicators and other metrics the banking institution developed for tracking model performance quality and alert when models are not performing as expected;
iv. Allow authorised users to access and modify model information concerning the models, ensuring the information is up to date including the capturing of validation and audit reports concerning specific models; and
v. Allow the reporting and escalation of model risk events across the affected stakeholders within the banking institution.

2.5.3. Access levels to the MIS system should be limited to individuals involved in the model risk management process to ensure that there is no tampering with data and codes.

2.5.4. The banking institution is required to put in place procedures for data quality management and ensure that:
i. for all data that is obtained from automated processes, continuous checks are carried out to ensure the data quality is not compromised;
ii. there are various data sources that can be used; and
iii. data can be modified manually and changes are tracked through the use of a log.

2.5.5. Banking institutions should have current and complete information on the quality of the data being used for specific models and adequate information on the impact of data quality on the model risk level.

2.6. INTERNAL CONTROLS AND INDEPENDENT AUDITS

Model Risk Audit

2.6.1. Banking institutions should ensure that the model risk management processes are subjected to internal and external audit at least annually. The audit is expected to take into account all actions undertaken by the various participants who have influence on the model risk management process and the various phases of the model life-cycle.

2.6.2. Internal auditors must review the policies, processes, and tools used to control the risks and manage the environment related to models as well as the governance structures for model risk management.

2.6.3. The internal and external audit of the model risk management process should give particular attention to:
i. The adequacy of the model risk management policy in relation to the risk of the models in the banking institution;
ii. The division of tasks and the independence of processes of development, validation and use of models;
iii. The usage of banking institution information and data for model risk;
iv. The compliance of the model risk management process to the policies and procedures;
v. The application of policies and procedures to monitor the model risk management process and other related activities that have an impact on model risk management;
vi. The completeness and currency of the model register with particular attention paid to assessment of model materiality and model risk level;
vii. The methods and management of access to the model codes and model change management;
viii. The quality of management information contained in reports with special attention paid to the reporting of adverse results and the actions undertaken;
ix. The identification of areas where complex models exist within the banking institution; and
x. The coverage of the model risk management of the various types of models that exist within the banking institution.

2.6.4. Banking institutions should ensure that internal auditors are adequately equipped with the necessary skills to:
i. Analyse the quantitative aspects of models;
ii. Assess the data quality, sources and other aspects related to data; and
iii. Assess the quality of work done by the unit responsible for validation.

2.6.5. A risk-based approach to auditing the model risk management process may be adopted. The audit should review all the critical aspects of the model risk management process.

2.6.6. A banking institution may outsource the audit of models to complement the internal audit resources. When choosing an outside partner to undertake model risk assessments, the banking institution must ensure a qualified, competent, capable, and objective audit expert is hired.

2.7. MONITORING AND REPORTING

Model Risk Identification…

2.7.1. Banking institutions are expected to identify the risk categories that potentially impact a given model and provide adequate documentation and information concerning the magnitude of the exposures and the controls in place. The assessment should include the following:
i. The risk associated with modelling a phenomenon, highlighting the model limitation in the development phase and results thereof;
ii. A detailed assessment of the risk arising from low quality data used in model development, the lack of access to relevant data, deficiencies that arise due to the processes of data extraction, processing, aggregation and storage. The assessment should indicate areas where the sample data size was insufficient, and where the frequency of the data was inadequate;
iii. The risks that are associated with assumptions used in the development of the models;
iv. The risk associated with the management of the models or the management of risk inherent in the models, the risk arising from low quality documentation, risks arising from model implementation, misuse of models, the estimated parameters and results generated; and

v. The risk associated with the interdependence arising from the usage of the same data source, model development methodologies, model assumptions and the input data.

Measuring and Monitoring Model Risk…

2.7.2. Banking institutions are required to perform ongoing model risk monitoring which should include:
i. assessing the model performance quality, the direction and dynamics of changes in the quality based on the changing operating environment; and
ii. assessing remedial and corrective measures in place and whether they have been implemented. The measures should be updated frequently to account for the changes observed in the model.

2.7.3. A banking institution should develop and document an approach for estimating the level of model risk in the institution, including an appropriate rating scale for the risk level. The estimation should indicate the level of risk in each model and the degree of susceptibility to model risk.

2.7.4. As part of measuring and monitoring of model risk, the banking institution is required to establish the following model risk controls:
i. Criteria for model performance quality acceptance which has appropriate remedial and corrective measures;
ii. Appropriate documentation of the model development process;
iii. Clearly laid out procedures and controls for model implementation which ensure models can move from the model development to full implementation whilst ensuring that the models meet the intended functionality as set out in the originating documentation;
iv. A model back-up system that is up to date for all the changes made to the code, documentation and processes;
v. Strict user access to the model code and ability to edit the code. This should limit access to and ability to modify the code to a limited number of individuals, documenting the changes and robust tracking of model changes;
vi. Management of the model at all phases of the model life cycle, with strict quality control;

vii. Adequate controls for model risk at all levels of the organization;
viii. Adequate and up to date model monitoring documentation;
ix. Testing model performance;
x. Comprehensive tests of model performance which are both quantitative and qualitative; and
xi. Regular updating of the model risk level, including after each occurrence of circumstances that justify a change in the rating, and at least once per year.

Model Performance Assessment…

2.7.5. Banking institutions are expected to have detailed procedures for the assessment of model performance quality. The procedure manuals should clearly articulate the steps that are to be adhered to in the process of model performance assessment taking into account the materiality and specificity of the model.

2.7.6. Suitable measures for assessment of model performance quality should be developed. The measures should be comparable across different model classes and should be interpretable through expert opinion. Further, the assumptions and conditions of applicable statistical tests should be recognized to avoid error in model assessment.

2.7.7. The model performance quality assessment is expected to take into account results from back testing and stress testing to assess the quality of the results that the model produces.

2.7.8. The following should typically constitute the banking institution’s documented information on the model performance quality assessment:
i. Results from challenger models in certain aspects of the model for comparison with the model in use;
ii. Statistical error analysis of model results;
iii. Impact of change in model assumptions; and
iv. Limitations in the applicability of the model.

2.7.9. Banking institutions are expected to perform model performance assessment at least once annually or when necessary guided by the frequency of usage of the model and changes in the operating environment that are deemed to have material impact on the models.

Model Classification

2.7.10. Banking institutions should have a clear and documented procedure for the classification of models based on approved procedures and definitions. The classification procedure is expected to be cohesive, consistent, and reliable. The classification is also expected to be granular with classes not limited to:
i. Internal models;
ii. Internal model developed with external support;
iii. Group models; and
iv. Other.

2.7.11. For each model class and model, banking institutions should account for the origin of the model, the development phase, source of data used and methods used in development.

Model Documentation

2.7.12. Banking institutions are expected to have the following documentation for all models:
i. The model technical document which outlines the model description, source and scope of data used and a detailed assessment of the areas the model is in application in the banking institution.
ii. The assumptions, their verification, model construction method, the parameters and calibration;
iii. A detailed report on the results of the model implementation and tests conducted, frequency and scope of model performance quality testing;
iv. Results from periodical model performance quality assessment. These reports should include continuous monitoring results, validation and internal audit findings;
v. A detailed description of changes made to the model or any intentions to withdraw the model from usage; and
vi. A guideline on how the model is to be used and the support available to the users.

Model Register…

2.7.13. Every banking institution is required to maintain an inventory for all the models in use capturing the following information in respect of each model:

i. the name, number and version of model;
ii. the origin, scope of application and purpose of the model;
iii. model materiality assessment;
iv. location of source documents related to the model;
v. assessment of the risk exposure level and the model risk level; and
vi. schedule of future actions related to the model.

2.7.14. The model register should be updated when there are changes to ensure currency of the register.

2.7.15. The banking institution is required to maintain a model log which is updated on an ongoing basis. The log should contain information on material changes that have been made to the model and the individual who made the changes. The log should contain the following at a minimum:
i. the metrics of the current and previous versions of the model;
ii. model materiality assessment; and
iii. reference to the location of source documents related to model risk management.

2.7.16. The model log should be developed in a way that enables third parties to fully trace the history of changes related to that model and their logic.

3. EFFECTIVE DATE

2.7.17. The effective date of the Prudential Standard shall be 3 July 2023. Questions relating to the Standard should be addressed to the Director, Bank Supervision Division, Reserve Bank of Zimbabwe.

RESERVE BANK OF ZIMBABWE

Reserve Bank of Zimbabwe
80 Samora Machel Avenue
Box 1283
Harare, Zimbabwe
Tel: (+263) 242700300
Email: info@rbz.co.zw

Reserve Bank of Zimbabwe
93 Leopold Takawira Street
Box 399
Bulawayo, Zimbabwe
Tel: +263 8677002046
Email: info@rbz.co.zw