What Is Model Risk Management?

Follow this practical guide to MRM frameworks, model validation, governance, and the regulatory standards every financial institution needs to meet.


Published 13 May 2026

What is Model Risk Management?

When a model produces a wrong answer—or is used in the wrong context—the consequences for a financial institution can be severe: bad lending decisions, regulatory penalties, or reputational damage.

Model risk management (MRM) is the discipline built to limit this. It is the structured process of identifying, measuring, and mitigating the risk that arises when quantitative models produce inaccurate outputs or are applied outside their intended use, across the whole model lifecycle from initial development through to decommissioning.

Core Components of an MRM Framework

A model risk management framework is the structured set of policies, processes, and controls that governs how an institution identifies, assesses, and mitigates model risk across the model lifecycle.

A sound MRM framework, consistent with SR 11-7 and the 2026 OCC/FDIC revised guidance, includes five key components:

  • Model inventory and tiering: A centralized register of all models in use, classified by risk level, to drive proportionate oversight and resource allocation

  • Independent validation: Review of model design, data quality, and performance by a team separate from the model developers

  • Ongoing monitoring: Continuous tracking of model performance in production to catch deterioration or drift in the input population or in outcomes

  • Model governance: The accountability structure, policies, and oversight mechanisms that sit above day-to-day MRM operations

  • Documentation and reporting: Comprehensive records of model development, validation findings, approved uses, and limitations, maintained for regulatory review

How To Design a Compliant MRM Framework

SR 11-7 is the starting point for any MRM framework. It sets out expectations for model inventory and tiering, validation requirements, ongoing monitoring, and governance structures. The 2026 OCC/FDIC revised guidance builds on this foundation, with particular emphasis on AI/ML models and the documentation of model limitations.

When designing the framework, institutions need to address several interconnected decisions. Getting these right early prevents gaps that are costly to fix once the framework is in operation:

  • Define your risk appetite first. This drives tiering decisions and determines how much scrutiny each model receives. Without it, tiering becomes arbitrary.

  • Establish clear model criteria. Teams need an agreed definition of what qualifies as a model. Ambiguity here leads to inventory gaps and validation blind spots.

  • Build in validation independence. Validation teams must have genuine separation from model developers. Regulators look closely at this, and conflicts of interest — even informal ones — undermine the entire framework.

  • Create escalation paths for findings. Validation findings need a documented route to the right decision-makers. A finding that sits unresolved in a tracker is not a controlled risk.

  • Set review cadence by materiality. High-tier models warrant more frequent review. Applying the same cadence across the entire inventory wastes resources and misses the point of risk-based prioritization.

For institutions already managing a large model inventory, applying risk-based prioritization helps identify where tighter controls are needed first—rather than trying to uplift everything at once.


How Model Risk Management Works in Practice

Effective MRM is a set of interconnected functions that each address a different part of the model lifecycle. Here’s how it works:

Model inventory and tiering

A model inventory is a centralized register of every model in use across the institution. Maintaining a complete and accurate inventory is a core supervisory expectation under SR 11-7, and it forms the foundation for every other MRM activity. If you don't know what models you have, you can't validate, monitor, or govern them.

Model tiering classifies each model by its materiality and risk level, which determines the depth of oversight applied. A Tier 1 model that directly influences significant capital or credit decisions requires full independent validation and ongoing monitoring. A lower-tier model with limited financial impact may qualify for lighter-touch controls, such as periodic review rather than annual full validation.
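The following is an added example, not code from the original article, showing how an inventory record's tier can drive the ongoing-monitoring component listed earlier. It computes the Population Stability Index (PSI), the drift measure most credit-risk teams use to compare a model's production score distribution against its development sample, and applies a PSI alert threshold that depends on the model's tier. The tier policy table, the score bands, the inventory fields and all sample data are constructed assumptions for illustration; an institution's own thresholds come from its risk appetite.

```python
import math
from dataclasses import dataclass

# Constructed policy table (assumption, not from the article): PSI alert
# threshold and full-validation cadence by materiality tier. Tier 1 is the
# most material, so it gets the tightest drift tolerance.
TIER_POLICY = {
    1: {"psi_alert": 0.10, "full_validation_months": 12},
    2: {"psi_alert": 0.20, "full_validation_months": 24},
    3: {"psi_alert": 0.25, "full_validation_months": 36},
}

# Fixed score bands shared by both samples; the development sample is the
# reference distribution that production scores are compared against.
SCORE_BAND_EDGES = [0.2, 0.4, 0.6, 0.8]


@dataclass(frozen=True)
class ModelRecord:
    """One row of the model inventory (fields are illustrative)."""
    model_id: str
    name: str
    owner: str
    tier: int
    approved_use: str


def band_counts(scores, edges=SCORE_BAND_EDGES):
    """Count scores per band; band i holds edges[i-1] <= s < edges[i]."""
    counts = [0] * (len(edges) + 1)
    for s in scores:
        band = 0
        while band < len(edges) and s >= edges[band]:
            band += 1
        counts[band] += 1
    return counts


def psi(reference, production, eps=1e-4):
    """Population Stability Index: sum((p - r) * ln(p / r)) over bands.

    Band shares are floored at eps so an empty band cannot produce log(0);
    a production band that the development sample never saw still adds a
    large, finite contribution instead of crashing the monitor.
    """
    ref_counts = band_counts(reference)
    prod_counts = band_counts(production)
    total = 0.0
    for r, p in zip(ref_counts, prod_counts):
        r_share = max(r / len(reference), eps)
        p_share = max(p / len(production), eps)
        total += (p_share - r_share) * math.log(p_share / r_share)
    return total


def monitor(record, reference, production):
    """Apply the tier's PSI threshold and return a monitoring finding."""
    value = psi(reference, production)
    policy = TIER_POLICY[record.tier]
    return {
        "model_id": record.model_id,
        "tier": record.tier,
        "psi": round(value, 4),
        "threshold": policy["psi_alert"],
        "breach": value > policy["psi_alert"],
    }


def sample_from_band_counts(counts):
    """Constructed sample: repeat each band's midpoint `count` times."""
    midpoints = [0.1, 0.3, 0.5, 0.7, 0.9]
    return [m for m, c in zip(midpoints, counts) for _ in range(c)]


# Constructed data: the development-sample distribution and three
# production months, from unchanged through mildly to heavily shifted.
REFERENCE = sample_from_band_counts([30, 30, 20, 10, 10])
PROD_STABLE = sample_from_band_counts([30, 30, 20, 10, 10])
PROD_MILD = sample_from_band_counts([15, 30, 20, 15, 20])
PROD_SHIFTED = sample_from_band_counts([10, 20, 20, 20, 30])

# Hypothetical inventory entry for a Tier 1 probability-of-default model.
CREDIT_MODEL = ModelRecord("MDL-0042", "Retail PD scorecard", "Credit Risk",
                           tier=1, approved_use="Unsecured lending decisions")

if __name__ == "__main__":
    for label, prod in [("stable", PROD_STABLE), ("mild", PROD_MILD),
                        ("shifted", PROD_SHIFTED)]:
        print(label, monitor(CREDIT_MODEL, REFERENCE, prod))
```

The same mild shift produces a breach for the Tier 1 record and none for a Tier 3 record, which is the point of tiering: the threshold, not the metric, encodes the institution's tolerance for drift in that model. A breach is a monitoring finding that should enter the escalation path described above, not just a log line.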

Model validation

Independent model validation is the evaluation of a model's conceptual soundness, data quality, and performance by a team that is functionally separate from its developers.

A robust model validation typically follows five steps:

  1. Scope and terms of reference. Define what's being tested, the validation approach, and the specific risks being evaluated for this model type.

  2. Data quality review. Assess whether input data is accurate, complete, representative, and appropriate for the model's intended use.

  3. Conceptual soundness assessment. Evaluate whether the underlying methodology, assumptions, and theory are appropriate for the model's purpose.

  4. Outcome testing and benchmarking. Test model outputs against historical data, alternative models, or benchmarks to assess accuracy and stability.

  5. Documentation and sign-off. Produce a validation report with findings, limitations, and a clear approval recommendation, signed off by the appropriate governance body.
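As an added example that is not part of the original article, the block below carries out step 4, outcome testing and benchmarking, for a probability-of-default model on a holdout sample with observed outcomes. It computes rank-based AUC for the model and for a simpler benchmark model, checks calibration (observed default rate against mean predicted PD), and turns threshold breaches into validation findings for the step 5 report. The holdout rows, the benchmark scores and the thresholds are constructed assumptions for illustration, and the finding text and recommendation labels are hypothetical.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class HoldoutRow:
    """One account in the validation holdout: two model scores plus the outcome."""
    account_id: str
    champion_pd: float   # PD from the model under validation
    benchmark_pd: float  # PD from a simpler benchmark model
    defaulted: int       # observed outcome, 1 = defaulted


# Constructed holdout sample (not real data): 4 defaulters, 6 non-defaulters.
HOLDOUT = [
    HoldoutRow("A001", 0.80, 0.50, 1),
    HoldoutRow("A002", 0.10, 0.10, 0),
    HoldoutRow("A003", 0.65, 0.40, 1),
    HoldoutRow("A004", 0.20, 0.35, 0),
    HoldoutRow("A005", 0.25, 0.25, 0),
    HoldoutRow("A006", 0.55, 0.30, 1),
    HoldoutRow("A007", 0.40, 0.45, 0),
    HoldoutRow("A008", 0.15, 0.15, 0),
    HoldoutRow("A009", 0.30, 0.20, 1),
    HoldoutRow("A010", 0.35, 0.30, 0),
]


def auc(scores, labels):
    """Rank-based AUC: the share of (defaulter, non-defaulter) pairs the
    model orders correctly, with tied scores counting half. Equivalent to
    the Mann-Whitney U statistic divided by the number of pairs."""
    pos = [s for s, y in zip(scores, labels) if y == 1]
    neg = [s for s, y in zip(scores, labels) if y == 0]
    if not pos or not neg:
        raise ValueError("AUC needs both outcome classes in the holdout")
    correct = 0.0
    for p in pos:
        for n in neg:
            if p > n:
                correct += 1.0
            elif p == n:
                correct += 0.5
    return correct / (len(pos) * len(neg))


def calibration_ratio(scores, labels):
    """Observed default rate divided by mean predicted PD.

    1.0 means the model is calibrated on average; above 1.0 it under-
    predicts risk, below 1.0 it over-predicts."""
    predicted = sum(scores) / len(scores)
    observed = sum(labels) / len(labels)
    return observed / predicted


def outcome_test(rows, min_auc=0.70, min_uplift=0.05, calib_tolerance=0.20):
    """Run discrimination, benchmark and calibration checks and collect
    findings. Thresholds are assumed policy values, not regulatory ones."""
    labels = [r.defaulted for r in rows]
    champ = [r.champion_pd for r in rows]
    bench = [r.benchmark_pd for r in rows]
    champ_auc = auc(champ, labels)
    bench_auc = auc(bench, labels)
    ratio = calibration_ratio(champ, labels)

    findings = []
    if champ_auc < min_auc:
        findings.append(f"Discriminatory power below floor: AUC {champ_auc:.3f} < {min_auc}")
    if champ_auc - bench_auc < min_uplift:
        findings.append(f"Insufficient uplift over benchmark: "
                        f"{champ_auc:.3f} vs {bench_auc:.3f} (min uplift {min_uplift})")
    if abs(ratio - 1.0) > calib_tolerance:
        findings.append(f"Calibration outside tolerance: observed/predicted = {ratio:.3f}")

    return {
        "champion_auc": round(champ_auc, 4),
        "benchmark_auc": round(bench_auc, 4),
        "calibration_ratio": round(ratio, 4),
        "findings": findings,
        "recommendation": "approve" if not findings else "approve with conditions",
    }


if __name__ == "__main__":
    print(outcome_test(HOLDOUT))
```

On a real validation the holdout must be out-of-time as well as out-of-sample, and a benchmark that the champion cannot beat is itself a finding: it means the added complexity is not buying accuracy that the institution can point to. The `min_uplift` and `calib_tolerance` values above are placeholders for what the risk appetite statement sets.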

Model governance

Model governance and model risk management are often used interchangeably, but they're distinct functions. Governance is the accountability and oversight structure that defines the rules: policies, roles and responsibilities, risk appetite statements, escalation procedures, and board-level oversight. MRM is the operational execution of those rules across the model lifecycle.

AI and machine learning models

AI and machine learning models present challenges that traditional MRM frameworks weren't built for. A deep learning model used for credit scoring might deliver accurate predictions without offering an explanation that a validator or a regulator can interrogate.

The 2026 OCC/FDIC revised guidance addresses AI/ML models directly, signaling that regulators expect institutions to apply SR 11-7 principles while developing augmented approaches suited to their complexity. A compliance risk assessment process can help institutions identify where existing controls fall short of these emerging expectations before a regulatory review surfaces the gap.

Regulatory Standards for Model Risk Management

Model risk management in financial services is shaped by a multi-jurisdictional regulatory landscape. Understanding what each framework requires — and how they interrelate — is essential for institutions operating across borders.

  • SR 11-7 / OCC Bulletin 2011-12 (United States) : SR 11-7 is the foundational US supervisory guidance for MRM, issued jointly by the Federal Reserve and the OCC in 2011 and later adopted by the FDIC. It defines what constitutes a model, sets out the three elements of sound MRM (model development, implementation and use; model validation; and governance, policies and controls), and establishes the expectation for independent validation.

  • OSFI Guideline E-23 (Canada) : The Office of the Superintendent of Financial Institutions (OSFI) sets out equivalent MRM expectations for federally regulated Canadian financial institutions. Guideline E-23 covers model identification and classification, independent review, ongoing monitoring, and governance requirements.

  • EBA/GL/2021/05 (European Union) : The European Banking Authority's internal governance guidelines include model risk oversight requirements applicable to EU-regulated institutions. These serve as the regional counterpart to SR 11-7 for European financial entities, with particular emphasis on governance structures and accountability.

  • ISO 31000:2018 : ISO 31000 provides the enterprise risk management principles and framework that underpin model risk governance and risk appetite setting at a global level. It's a useful reference for institutions seeking to align MRM with broader organizational risk management practices. The GRC standards landscape for financial services continues to evolve, and staying current with regulatory updates is a core part of sound MRM practice.

Why use SafetyCulture?

SafetyCulture is a workplace operations platform adopted across industries such as manufacturing, mining, construction, retail, and hospitality. It’s designed to equip leaders and working teams with the knowledge and tools to do their best work—to the safest and highest standard.

Promote a culture of accountability and transparency within your organization where every member takes ownership of their actions. Align governance practices, enhance risk management protocols, and ensure compliance with legal requirements and internal policies by streamlining and standardizing workflows through a unified platform.

✓ Save time and reduce costs 
✓ Stay on top of risks and incidents 
✓ Boost productivity and efficiency
✓ Enhance communication and collaboration
✓ Discover improvement opportunities
✓ Make data-driven business decisions



Article by

Gabrielle Cayabyab

SafetyCulture Content Specialist, SafetyCulture
