
Navigating SAS Model Risk Management: Balancing Security and Operational Efficiency

Started ‎09-13-2024 by
Modified ‎09-13-2024 by

Model Risk Management (MRM) is important for identifying, mitigating, and managing risks associated with models. Commonly addressed risks include implementation errors, incomplete or corrupt data, and inaccuracies in model inventories. MRM ensures comprehensive oversight of model risk throughout the entire model life cycle, adhering to both internal policies and external regulatory guidelines. Each stage in the model life cycle has specific users assigned to it, ensuring that access is appropriately restricted and not all users have access to everything. This role-based access is crucial for maintaining security and protecting sensitive information. In this blog, we will explore SAS Model Risk Management, showcasing how it balances robust security with operational efficiency by effectively managing classifications, dimensions, scope, roles, users, and security within the user interface.

 

SAS Model Risk Management, or SAS MRM on Viya, is a model governance solution that follows a model throughout its entire life cycle. In many cases, that life cycle goes as follows:

 

 

Model lifecycle phases and roles: Create (model owners and stakeholders), Development (model developers, owners, and stakeholders), Validation (model risk management group), Deployment (model developers, owners, and users), Production (model developers, owners, and users), and Retirement (model owners and users).

 

 

Within each phase of the model lifecycle are roles that need to be filled by your organization. These roles are crucial for ensuring that each phase is executed effectively by each model owner, stakeholder, model developer, and model user, and that they comply with regulatory standards. Each of these roles comes with specific responsibilities that contribute to the overall success and integrity of the model lifecycle. By clearly defining these roles early on, organizations can ensure accountability and help identify potential risks early. This structured approach not only enhances model performance but also aligns with best practices in model risk management.

 

Best Practices for Access Control in SAS MRM

 

There are two general ways that SAS MRM uses best practices to ensure secure and efficient access control. One way is through role-based access control (RBAC). RBAC assigns permissions based on user roles within an organization, adding flexibility and the ability to support diverse roles and hierarchies, which makes it ideal for complex settings. For example, a model owner might have access to tools and environments necessary for creating and testing models, such as development servers and code repositories, while model users, like analysts, may have access to the finalized models and the data generated by them. Each group can access the resources it needs for its specific role, without compromising security or efficiency.

 

Another way to maintain data integrity and confidentiality is positional security, which SAS MRM also offers. It allows organizations to restrict access based on specific job positions within their organizational structure. The objects in the UI use positional security to stay aligned with MRM best practices. (Objects are the components that the solution uses to describe different functionalities and pages in the user interface.) Positional security takes a user or group and assigns them to these objects. In other words, users and groups have capabilities scoped to specific positions per object. For instance, one user might only have permission to read and update the Model object within Company A, while another user might have similar permissions within Company B.

 

Role-based access control and positional security ensure that only authorized users can access sensitive data, which enhances security and compliance. They also adapt to organizational changes, supporting growth and simplifying audits. These approaches provide detailed control over data access based on job roles and organizational hierarchy.

 

Implementing Access Control

 

Implementing these access control methods in SAS MRM involves five key steps to ensure both security and operational efficiency are maintained for your organization.

1. Define Roles and Positions
2. Assign Permissions
3. Set Up Positional Security
4. Configure Classifications and Scope
5. Conduct Regular Audits and Reviews

 

 

To illustrate these five steps, let's use a financial institution, like Quantum Bancorp, as an example. Let's say that within the Retail Banking sector for Quantum Bancorp, they want to implement robust security measures to protect sensitive customer data.  

 

1. Define Roles and Positions

 

The first step is to clearly define the roles and positions within your organization by identifying the specific responsibilities and access needs for each role and position.

 

Example: At Quantum Bancorp, roles within the Retail Banking sector include “Model Developer” and “Model User.” Model Developers are responsible for creating and testing financial models related to retail banking products, while Model Users analyze the data generated by these models.

 
2. Assign Permissions

 

Secondly, clearly define what each role needs to access.

 For instance:

  • Model Developers: Need access to development servers, code repositories, and testing environments to create and test financial models.
  • Model Users: Require access to finalized models and the data they generate for analysis, but not to the development tools or raw code.
  • Analysts: May need access to specific data sets and reporting tools to perform their analyses.
  • Managers: Might require access to a broader range of data and reports to oversee operations and make strategic decisions.

Example: Quantum Bancorp grants the following permissions to each role:

  • Model Developers: Granted permissions to create, edit, and delete models.
  • Model Users: Granted permissions to view and analyze models, but not to modify them.
  • Analysts: Granted permissions to access specific data sets and generate reports.
  • Managers: Granted permissions to access comprehensive data and high-level reports.
 
3. Set Up Positional Security

 

Implement positional security by assigning access based on job positions. This involves mapping users and groups to specific objects within the SAS MRM interface, ensuring they only have access to the data and functionalities relevant to their positions.

 

Example: Within the Retail Banking sector, an analyst focusing on personal loans can only access models and data related to personal loans. Similarly, an analyst focusing on mortgages can only access mortgage-related models and data.

 

4. Configure Classifications and Scope

 

SAS Model Risk Management has settings that allow your organization to further refine access control. These settings are called classifications, dimensions, and scope within the user interface. They help in managing who can view or edit specific data. Each high-level category that you specify for a business object is called a dimension or a classification type. Classification types are hierarchical constructs that can have multiple levels. By default, all SAS MRM objects that use a workflow require users to pick classifications before they can select Team members. Examples of classification types include entity, business line, model family, and geography.

 

Example: Sensitive financial models related to high-value loans are classified to restrict access to senior analysts and managers only. General financial reports on retail banking performance are accessible to all employees within the Retail Banking sector.

 

----- Classifications for a Specific Model Object ----

Dimensions:

Business Lines: Quantum Bancorp > Retail Banking

Geography: United States

Model families: Stress Testing > Credit > Retail

Scope: User (Christine) or Group (Risk Managers)

 

This classification ensures that sensitive data is only accessible to this specific group.

 

5. Perform Regular Audits and Reviews

 

Conduct regular audits and reviews of access controls to ensure they remain aligned with organizational changes and compliance requirements. This helps in identifying and addressing any potential security gaps.

 

Example: Quantum Bancorp conducts quarterly audits to review access permissions within the Retail Banking sector. During these audits, they ensure that only current employees have access to necessary systems and data and remove access for those who have changed roles or left the organization.

Implementing these access control methods in SAS MRM is crucial for maintaining both security and operational efficiency within your organization. By defining roles and positions, assigning appropriate permissions, setting up positional security, configuring classifications and scope, and conducting regular audits and reviews, organizations like Quantum Bancorp can ensure that sensitive data is protected and accessible only to those who need it. This structured approach not only safeguards critical information but also enhances the overall workflow and compliance with regulatory standards.

 

For more information on access control within SAS Model Risk Management, please refer to the documentation labeled Implement Access Control in the Administrator's Guide.

 

To remember:

 

Here are some questions to keep in mind when you are setting up user access for a given object instance:

Who wants access? Create groups and assign users to the groups.

What business objects are users allowed to access? Configure permissions and assign roles.

What classifications within the business object are users allowed to access? Assign a scope that is based on the classifications that you specify for the organization. 
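
The five steps and the three questions above can be read as one access decision plus a periodic check. The following Python sketch is an added illustration, not SAS MRM code or its API. The group and role tables, `Grant`, `is_allowed`, `stale_access`, the users other than Christine, the Mortgage classification, and the rule that a higher-level scope covers everything beneath it are assumptions made for the example.

```python
from dataclasses import dataclass

# Constructed sample data: every name here is illustrative, not a SAS MRM identifier.
GROUPS = {"Risk Managers": {"christine", "omar"}}               # who
ROLE_CAPS = {"Model Reviewer": {"Model": {"read", "update"}},   # what
             "Model User": {"Model": {"read"}}}
ACTIVE_USERS = {"christine", "devon"}   # current staff; omar has left

@dataclass
class Grant:
    principal: str   # user or group name
    role: str
    scope: dict      # dimension -> classification path, top level first

GRANTS = [
    Grant("Risk Managers", "Model Reviewer",
          {"Business Lines": ("Quantum Bancorp", "Retail Banking"),
           "Geography": ("United States",)}),
    Grant("devon", "Model User",
          {"Model families": ("Stress Testing", "Credit", "Mortgage")}),
]
RETAIL_MODEL = {"Business Lines": ("Quantum Bancorp", "Retail Banking"),
                "Geography": ("United States",),
                "Model families": ("Stress Testing", "Credit", "Retail")}

def members(principal):
    """Users behind a grant: the group's members, or the named user."""
    return GROUPS.get(principal, {principal})

def covers(scope_path, object_path):
    # Assumption: a scope set at a higher level covers everything beneath it.
    return object_path[:len(scope_path)] == scope_path

def is_allowed(user, capability, obj_type, classifications, grants=GRANTS):
    for g in grants:
        if user not in members(g.principal):
            continue  # grant is for someone else
        if capability not in ROLE_CAPS.get(g.role, {}).get(obj_type, set()):
            continue  # role lacks this capability on this object type
        if all(covers(path, classifications.get(dim, ()))
               for dim, path in g.scope.items()):
            return True  # object's classifications fall inside the scope
    return False  # default deny

def stale_access(grants=GRANTS):
    """Audit step: access still held by users who are no longer current staff."""
    return sorted({(user, g.principal, g.role) for g in grants
                   for user in members(g.principal) if user not in ACTIVE_USERS})
```

In this sample, `is_allowed("omar", "read", "Model", RETAIL_MODEL)` still returns `True` until the group membership is cleaned up, which is the gap `stale_access()` surfaces during a review.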

 

Conclusion

 

In conclusion, SAS Model Risk Management is powerful software that helps organizations manage the risks associated with their models. It ensures that models are created, tested, and used safely and effectively throughout the entire model lifecycle. By using role-based access control and positional security, only the right people can access sensitive information, which keeps the data secure and compliant with regulations. This organized approach not only makes operations more efficient but also ensures that models meet regulatory standards. Regular checks and updates help maintain the system's integrity and adapt to any changes.

 

For more information on SAS Model Risk Management, click here.

To view more blogs about SAS Model Risk Management, click here.

Version history
Last update:
‎09-13-2024 10:25 AM