SPONSORED CONTENT PRESENTED BY PROTECHT GROUP
By Jared Siddle
Director of Risk, North America, Protecht Group
Building a Robust Model Risk Program in the Age of AI
For banks, credit unions, and financial institutions, the complexity and interconnectedness of enterprise risks continue to increase. This is driven by several factors, including the diversification of risk among financial institutions (which increases systemic risk and raises concerns for regulators), advancements in technology and artificial intelligence, changes in the regulatory landscape, and the ever-dynamic economic environment. This evolving uncertainty underscores the need for robust risk management frameworks that can adapt to and mitigate emerging challenges and enable organizations to take advantage of opportunities.
An evolving area of concern for many financial institutions lies at the intersection of Model Risk Management (MRM), the integration of Artificial Intelligence (AI) and Machine Learning (ML) in models, and their oversight by an Enterprise Risk Management (ERM) framework.
ERM serves as a guiding best practice for managing risks in a holistic and integrated manner. Model risk focuses on the risks associated with using mathematical models in financial decision-making.
Governance and regulatory reporting of model risk follows the same principles of ERM, summarized as Protecht’s vision of Risk in Motion – that risk is dynamic, always in motion, and its measurement should be consistent. The advent of AI introduces new dimensions to model risk, necessitating a reevaluation of traditional risk management practices.
Understanding and implementing strategies to navigate the risks of models within an ERM framework is paramount. As attendees expressed in a recent Protecht webinar, model risk management is indeed a growing concern, with 70% of attendees agreeing that model risk management will impact their risk organization this year, and a majority of the audience addressing up to 200 or more models in their organization.
Modern Enterprise Risk Management
ERM represents a comprehensive approach to identifying, assessing, managing, and monitoring risks across an organization. In the financial sector, ERM’s scope encompasses a wide array of risks, including credit, market, operational, vendor, and strategic risks, among others. The goal of ERM is not merely to mitigate risks but to understand how these combined risks influence the organization’s ability to achieve its objectives.
Regulatory response to recent regional bank failures continues to reshape banking’s risk landscape, often demanding more rigorous risk assessment and reporting practices. ERM frameworks enable risk and compliance managers to adapt to changes, from risk assessment to dynamic dashboard reporting.
The role of ERM in providing a holistic view of risk is crucial. By integrating risk management practices across different departments and functions, ERM informs strategic decision-making. It enables organizations to balance risk and reward, ensuring that risk-taking activities align with the overall strategic objectives. This holistic approach is instrumental in fostering resilience and agility, allowing financial institutions to navigate uncertainties more effectively.
Model Risk: A Rapidly Evolving Use Case for ERM
At its simplest level, a model is based on a series of inputs, calculations, and outputs. In 2011, the SR 11-7 guidance from the U.S. Federal Reserve and the Office of the Comptroller of the Currency (OCC) defined a model as: “A quantitative method, system, or approach that applies statistical, economic, financial, or mathematical theories, techniques, and assumptions to process input data into quantitative estimates.”
Model risk addresses the risks associated with the use of these financial models, which are increasingly being applied to a variety of banking operations including assessment of credit, market and operational risk, derivative and bond pricing, and financial forecasting. These models play a pivotal role in decisions from assessing credit risk to determining capital reserves and informing strategic investments.
As models become more complex and AI becomes more prevalent, the potential for model risk—arising from data bias, overfitting, and interpretability challenges—likewise increases. The imperative for model risk management stems from the potential for models to misrepresent reality, leading to incorrect decisions, financial losses, or regulatory non-compliance. For instance, a model that overestimates the creditworthiness of borrowers could result in higher default rates, adversely affecting the institution’s financial health.
So, it’s no surprise that within the broader ERM framework, model risk management has emerged as a vital area of focus. Best practices for model risk include maintaining a comprehensive model inventory, applying rigorous model validation techniques, establishing robust governance structures, and monitoring models continuously.
- Model validation ensures that models are accurate, reliable, and appropriate for their intended use.
- Governance structures define roles and responsibilities, ensuring accountability and oversight of model development and use as well as data quality, accuracy, and integrity.
- Continuous monitoring helps identify and address model performance issues promptly, mitigating potential risks.
The Unique Challenges of Models and AI Algorithms
Financial models and AI algorithms introduce unique challenges for model risk management. The intricate nature of financial markets, coupled with the rapid pace of innovation in AI, means that models can quickly become outdated or unsuitable for new market conditions. AI algorithms, particularly those based on machine learning and deep learning, can be “black boxes,” offering little insight into how they derive their predictions or decisions.
“Model risk can occur when a model is used to predict and measure quantitative information, but the model performs inadequately. Poor model performance can lead to adverse outcomes and result in substantial operational losses,” an IBM report on Watson and responsible AI use acknowledged.
The risks of AI-driven models can arise from a variety of sources, including flawed or oversimplified assumptions, errors in model design or implementation, algorithmic bias, overfitting, and inadequate data sources. These all challenge traditional validation methods for models and raise questions about model reliability, transparency, and explainability.
That said, AI models do differ from traditional statistical models in their ability to handle vast amounts of data, learn autonomously, and improve their performance over time.
Adapting model risk management practices to address AI-specific risks is an imperative for maintaining the integrity and reliability of financial models and underscores the need for agile ERM and MRM frameworks.
Effective model risk management ensures that models are accurate, reliable, and compliant with regulatory standards including SR 11-7, OCC Bulletin 2011-12 on sound practices, Canada’s OSFI E-23 new consultation paper, as well as the European Union’s new legal framework on AI, Act 2025, even as regulatory oversight itself evolves.
Finally, ensuring the interpretability of AI models is crucial for gaining trust and understanding their limitations. This requires a multidisciplinary and forward-thinking approach to risk – indeed, emphasizing the idea of Risk in Motion – that combines expertise in data science, domain knowledge, and understanding of regulatory and ethical considerations.
By systematically managing model risk, organizations can make more informed decisions, avoid significant financial losses, and meet the expectations of regulators and stakeholders.
Best Practices for Building a Robust Model Risk Program in the Age of AI
A KPMG report for banks considering AI and ML models recognizes that while artificial intelligence is valuable for banks, and it is being used increasingly, its use comes with its own specific risks. “It is imperative for banks to develop a meaningful understanding of the technology, including its existing and potential uses within their organizations, and take a firm grip on the implications of AI from a risk perspective. Through various stages of the model lifecycle, financial institutions would need to keep their model risk management (MRM) practices up to date to manage the risks effectively,” the report states.
A robust MRM program begins with clear governance and policies that outline the standards for model development, validation, and use. This governance framework should address the specific challenges posed by AI, including ethical considerations and data governance.
Organizations should maintain a comprehensive inventory of all models in use, including AI algorithms, to facilitate effective risk management. Rigorous validation processes, tailored to the complexities of AI models, are essential for ensuring their accuracy and reliability.
Ongoing monitoring of model performance is critical, especially for AI models that evolve over time. Adopting a risk-based approach allows organizations to prioritize resources effectively, focusing on models that pose the greatest risk. Leveraging technology, including AI itself, can enhance the efficiency and effectiveness of MRM practices, enabling real-time risk assessment and management.
Who’s involved? As with ERM programs, top-down model risk oversight includes clear board oversight with at least annual reviews. Organizations need a documented model risk policy and potentially a clearly defined model risk appetite statement that is linked with Key Risk Indicators such as model performance (variance between predicted and actual outcomes), the number of models failing a validation test, and the average age of models in use.
Roles and responsibilities should clearly define who owns the models and who the model developers, users, and validators are; other control functions should also be clearly articulated to achieve ownership and accountability for risks. Internal audit should be engaged as well, to give assurance that model risk frameworks and related controls are effective for AI/ML models.
Navigating Regulatory Compliance and the Future of MRM
The regulatory landscape for model risk is evolving in the United States, Canada, and globally. Regulatory bodies worldwide are updating standards and guidelines to ensure that financial institutions can harness the benefits of these technologies while safeguarding against their inherent risks. Adapting model risk programs to meet these new standards is not just about compliance; it’s about securing a competitive edge in an increasingly complex and interconnected financial ecosystem.
Future considerations for model risk management extend beyond regulatory compliance to encompass cybersecurity, the cultivation of talent and expertise, ethical AI use, and the pursuit of global standardization. These elements are crucial for building resilient financial systems.
The Role of Enterprise Risk Management Software in MRM
In this landscape, Enterprise Risk Management (ERM) software emerges as an indispensable supporting tool for modern model risk management. The right ERM software can transform the way organizations approach model risk, offering features that enhance risk management capabilities. Centralization of risk data, integration across various risk domains, automated monitoring, scalability, support for regulatory compliance, and clear dashboard visualization of an organization’s risk stance are just a few of the benefits that ERM software brings to the table.
- Centralization and data integration ensure that risk managers have a holistic view of the organization’s risk profile, enabling better decision-making and strategic planning.
- Automated monitoring allows for real-time detection of model anomalies or failures, while scalability ensures that MRM programs can grow and adapt alongside the organization.
- Moreover, ERM software designed with regulatory compliance in mind can significantly reduce the burden of adapting to new standards, providing templates, workflows, and reporting tools that align with regulatory requirements.
Turning Risk into Opportunity
I see a bright future for Model Governance and Oversight and MRM frameworks as Boards, Executives and organizations seek to use AI as a competitive advantage. Those leading in MRM will have an ability to harness the risks and rewards of this new technology. As financial institutions grapple with the dual challenges of innovation and risk management, the strategic advantage provided by effectively managing enterprise and model risks together becomes clear. It’s about turning potential vulnerabilities into opportunities for growth and differentiation in a crowded market.
As Risk in Motion suggests, the journey of risk management is characterized by continuous adaptation and innovation. As new technologies emerge and the regulatory landscape shifts, organizations must remain vigilant and proactive in their risk management strategies. The future of financial stability and success lies in the ability to anticipate, understand, and manage the risks associated with tomorrow’s opportunities.
In light of these challenges and opportunities, banks, credit unions and financial institutions are encouraged to embrace enterprise and model risk as strategic imperatives. The complexity of the modern financial ecosystem demands a comprehensive and integrated approach to risk management, one that leverages the best tools and technologies available.
Choosing the right partners and technology is crucial for navigating the future of risk management successfully. ERM software that offers the flexibility, scalability, and regulatory support needed for effective MRM can be a game-changer for organizations looking to thrive in an uncertain world.
As we look to the future, let us approach risk management not just as a regulatory requirement or a defensive strategy, but as a cornerstone of strategic planning and innovation. The path forward is clear: embrace complexity, invest in the right tools, and turn risk into opportunity.
For an in-depth review, watch Protecht’s on-demand webinar, Model Risk Management: The Next Hot Topic in Regulatory Compliance or talk to a risk expert at Protecht today.
Jared Siddle is a Qualified Risk Director who has been Head of Risk Management at three different companies, including two of the world’s largest asset managers. He has proven success in banking, fund management and other financial service companies across over 26 countries. Jared is passionate about Governance, Risk, Compliance & Sustainability. He is an expert at designing, developing, and executing customized enterprise-wide risk frameworks.