CSI Resources

Clearing Up the Confusion on Model Risk Management

By Keith E. Monson
Jun 30, 2016

If you’re like most bankers, you still get confused when it comes to model risk management. Why are examiners asking my bank to validate a model? What guidance should my bank follow? And what are the board’s responsibilities?

Despite the release of updated supervisory guidance on model risk management in 2011, there is still confusion about what rules to abide by. That’s because the Federal Financial Institutions Examination Council (FFIEC) did not issue the updated model risk management guidance. It was issued by only two of the prudential regulators—the Federal Reserve (FED) and the Office of the Comptroller (OCC). This means not all financial institutions are adhering to the same set of rules.

Why All the Guidance in the First Place? 

The most recent model risk guidance—issued by the OCC and the FED—defines the term model as “a quantitative method, system or approach that applies statistical, economic, financial or mathematical theories, techniques and assumptions to process input data into quantitative estimates.” It also “covers quantitative approaches whose inputs are partially or wholly qualitative or based on expert judgment, provided that the output is quantitative in nature.”

Whether your bank is using models for underwriting credit, safeguarding client assets or even measuring risk, model risk management primarily occurs for two reasons: 

  1. A model may have fundamental errors and produce inaccurate outputs when viewed against its design objective and intended business uses
  2. A model may be used incorrectly or inappropriately, or there may be a misunderstanding about its limitations 

Requirements for the Board of Directors and Senior Management

That’s why the board and senior management at your bank should follow the updated model risk management guidance. The board of directors—or a delegate—for FED- and OCC-regulated institutions must approve model risk management policies. And these policies should be updated as necessary, and reviewed annually, in accordance with the bank’s risk appetite.

It’s also important for senior management to be attentive to the possible adverse consequences (including financial loss) of decisions based on the use of models, by executing and maintaining an effective model risk management framework. Banks should inventory the number and types of models used to ensure all models have proper oversight. 

Create an Effective Model Validation Framework

To effectively manage these models, your model risk management policy should consider validation requirements. In its simplest form, an effective model validation framework includes three core elements:

  1. Evaluation of conceptual soundness, including developmental evidence
  2. Ongoing monitoring, including process verification and benchmarking
  3. Outcomes analysis, including back-testing

Someone who is not responsible for development of the models and does not have a stake in whether models are determined to be valid should perform model validation. This person could be a financial institution’s internal auditor or an independent party with the requisite knowledge, skills and expertise to perform model validation and with the explicit authority to challenge developers and users. 

Use Models to Support Strategic Decisions While in Compliance

Using models can help your bank with a broad range of activities, from measuring risk to determining capital and reserve adequacy. And if your bank’s management relies on models in its day-to-day functions and/or decision-making criteria, it’s essential to incorporate model validation processes.

An effective model validation framework will not only help ensure the models are performing as expected and in line with the design objectives and business uses, it will also help ensure your bank is following federal guidance.


Keith E. Monson serves as CSI’s chief risk officer. In this role, Monson maintains an enterprise-wide compliance framework for risk assessment and reporting, as well as other key components of CSI’s corporate compliance program. With nearly 25 years of banking experience, he has a wide range of expertise in the compliance arena, having served as chief compliance officer for both large and small financial institutions. His experience also includes assisting financial institutions as a compliance consultant and, most recently, as chief risk officer. Keith’s diverse background allows him to support financial institutions with the design and continued enhancement of core compliance practices that are sustainable, create consistency and provide flexibility.