Risk Steering & Model Validation

Risk steering under CRR/CRD refers to the entire process by which a bank identifies, limits and actively manages its risks. This includes deriving risk limits from risk-bearing capacity, monitoring those limits in day-to-day business, and escalating when limits are breached.Core elements of risk steering:- Risk-bearing capacity concept (ICAAP/ILAAP) as the basis for limit derivation- Limit systems for credit, market, liquidity and operational risks- Risk appetite framework with clearly defined tolerance thresholds- Early warning indicators and traffic light systems for proactive risk management- Regular reporting to the management board and supervisory boardWithout functioning risk steering, banks face capital add-ons in the SREP process, BaFin special audits and ultimately restrictions on business activities.

The new MaRisk module AT 4.3.5 on the use of models requires all institutions to establish systematic model risk management. The requirements include:- Complete model inventory: All models used must be recorded, classified and assessed by materiality.- Independent validation function: Validation must be organizationally separated from model development, with its own reporting line.- Initial validation and regular re-validation: Every model must be validated before productive use and then re-examined at risk-appropriate intervals.- Documentation: Model assumptions, limitations, validation results and remedial actions must be fully documented.- Data quality assurance: The quality of input data must be systematically reviewed and monitored.A particular challenge: Models based on machine learning are also subject to these requirements, which brings additional explainability demands.

An effective limit system translates risk-bearing capacity into operational control metrics. The process follows four steps:1. Define risk appetite: Determine maximum risk tolerance at the overall bank level, derived from capital planning and business strategy.2. Limit allocation: Distribute the total risk budget across risk categories, business lines and individual limits — consistently across all management levels.3. Monitoring and escalation: Establish ongoing limit monitoring with defined traffic light levels (green/amber/red) and binding escalation processes when limits are approached or breached.4. Feedback loop: Regularly review limit utilization and adjust allocations to changing market conditions and business strategies.Consistency between risk-bearing capacity, risk appetite and the limit system is critical — gaps regularly lead to SREP findings.

Backtesting compares a risk model's predictions against actually realized losses and is the central quantitative tool of model validation.Application areas:- VaR models: Comparing predicted Value-at-Risk figures with actual P&L fluctuations (clean and dirty backtesting)- Credit risk models: Testing PD forecasts against realized default rates across rating classes- Stress test models: Plausibility checks of stress scenarios using historical crisis periodsRegulatory requirements for backtesting:- CRR requires at least

250 trading days observation period for market risk backtests- A traffic light system (green/amber/red) per Basel standards evaluates model quality- Too many exceedances trigger increased capital requirements (multiplier surcharge)Backtesting alone is not sufficient: it must be supplemented by sensitivity analyses, benchmarking and qualitative assessment.

More precise risk steering directly impacts capital efficiency because less unused capital buffer needs to be held:- More accurate risk measurement: Refined models reduce uncertainty add-ons in capital calculations and lower risk-weighted assets (RWA).- Optimized limit allocation: Risk-adjusted allocation of the risk budget directs capital to high-yielding business areas.- Better collateral valuation: More accurate LGD estimates reduce capital requirements in lending.- Fewer SREP add-ons: Institutions with demonstrably robust risk steering receive lower Pillar

2 surcharges.In practice, institutions with optimized risk steering achieve capital ratio improvements of

50 to

200 basis points — without needing to raise additional capital.

Risk controlling and risk steering are two closely linked but distinct functions in a bank's risk management:Risk controlling encompasses:- Risk identification and measurement using quantitative methods- Regular risk reporting to the management board and executive committee- Monitoring of limit compliance and early warning indicators- Provision of risk analyses as a basis for decision-makingRisk steering encompasses:- Setting risk appetite and risk strategy- Deriving and allocating risk limits- Active measures for risk limitation (hedging, diversification, risk reduction)- Strategic decisions on risk assumptionMaRisk requires organizational separation of both functions from the risk-taking business. In practice, however, both areas work closely together to ensure an end-to-end risk steering chain from risk appetite down to individual positions.

ADVISORI supports banks and financial services firms across all aspects of risk steering and model validation — from strategic design to operational implementation:- Gap analysis: Systematic review of your risk steering processes against CRR/CRD, MaRisk AT 4.3.5 and supervisory expectations.- Limit system design: Building consistent limit systems with pass-through from risk appetite to individual positions.- Independent model validation: Initial and re-validation of your risk models by certified experts using backtesting, benchmarking and sensitivity analyses.- Model risk management: Building the model risk management function including model inventory, validation strategy and governance structure.- Training and knowledge transfer: Enabling your staff to independently conduct validations and risk controlling tasks.Our consultants have years of experience in banking regulation and have successfully delivered risk steering and validation projects at institutions of all sizes.