Model risk is simply the risk that a model may be wrong. It may affect both valuations and risk asessments, and is a very significant problem for complex models.
There are several sources of model risk:
- risk that is entirely omitted from a model (unmodelled risk),
- simplifications in order to make it easier, or even just possible, to implement a model,
- inaccuracies in estimates of parameters,
- errors in the construction of the model itself, including conceptual errors,
- bad data, and rounding of numbers,
- errors in the implementation of a model.
A typical simplification would be the use of the normal distribution, which is mathematically easy to handle, but which is rarely a perfect fit: especially in finance where securities prices cannot fall below zero. A common problem (occurring in applications ranging from option pricing to value at risk), and one that is often not readily apparent, is that real distributions are fat tailed.
Model risk is most significant for complex models used to value derivatives. The complexity makes conceptual errors more likely, the need to code models to tun on a computer makes implementation errors (software bugs) a significant risk, the large amount of data needed makes estimation errors and bad data more likely.
Although the most obvious effect of model risk is on traders who misprice securities or mis-judge risk, it can also affect the financial reporting of institutions when large positions are mispriced. This, of course, only applies when the output of models is used on the balance sheet.
Model risk may be mitigated by testing: comparing the output of a model with known solutions (valuations or risk numbers), comparing a model with an older, well tested model, and testing boundaries: extreme cases that often have simple solutions, such as deeply in the money or out of the money options. See a more detailed discussion.
Good practices include those for maintaining software (documentation, keeping source code, etc.), and good internal controls (ensuring back-office independence, procedures for ensuring models used for reporting purposes are appropriate and tested).