Model Risk Governance Practices

Model risk governance is the systematic framework for controlling how pricing models are built, tested, and monitored. When it is weak, the weakness shows up in practice as inventory gaps that surprise regulators, validation backlogs that accumulate silently, and remediation findings that age past their SLAs without escalation. SR 11-7 (the Federal Reserve's foundational guidance on model risk management) established the expectation that every institution using models for material decisions must maintain a governance framework covering the full model lifecycle. The point is: governance isn't a compliance exercise you complete once. It's an operating discipline that either works continuously or fails catastrophically during the next examination.
TL;DR: Model risk governance requires a living inventory with tiered validation cadences, a layered control framework covering development through production, formal escalation with enforceable remediation SLAs, and audit-ready documentation that proves the framework actually operates—not just that it exists on paper.
Policy and Inventory Tiering (The Foundation That Everything Else Depends On)
The model risk policy is the single document that defines scope, ownership, and operating standards for every model in your organization. If this document is vague, everything downstream—validation scheduling, change management, escalation—inherits that vagueness.
Scope must be explicit. The policy covers all models used for pricing, valuation, risk measurement, or regulatory capital. This includes option pricing models (Black-Scholes, Heston, local volatility), volatility surfaces, yield curve construction, scenario generators, and any quantitative tool where output feeds a financial decision. Why this matters: regulators consistently find that institutions define "model" too narrowly, excluding spreadsheets, end-user computing tools, or vendor-provided analytics that actually drive material decisions. SR 11-7 deliberately uses a broad definition—any quantitative method that transforms inputs into outputs for decision-making qualifies.
Ownership has two distinct roles. Each model has a designated business owner (responsible for intended use, ensuring the model is appropriate for its purpose) and a model developer (responsible for implementation, calibration, and technical documentation). These roles must be separate from the independent validation function. The point is: if the person who built the model also validates it, you don't have validation—you have self-review. Independence isn't optional; it's the structural foundation of credible governance.
Documentation requirements are non-negotiable. Every model must have a model specification document covering methodology, assumptions, inputs, limitations, and intended use. Updates require version control and formal approval. The ECB's Targeted Review of Internal Models (TRIM) found that documentation deficiencies were among the most frequent findings across European institutions—not because the models were wrong, but because no one could demonstrate they were right without current, complete documentation.
Inventory Tiering (Why Not All Models Deserve Equal Scrutiny)
A tiering framework allocates governance resources proportionally to model risk. The standard approach uses three tiers based on materiality:
| Tier | Criteria | Validation Frequency | Documentation Standard |
|---|---|---|---|
| 1 (Critical) | P&L impact >$10M, regulatory capital models | Annual full validation | Full model specification, complete replication |
| 2 (Material) | P&L impact $1M–$10M | Biennial validation | Standard specification, benchmark comparison |
| 3 (Routine) | P&L impact <$1M | Triennial or trigger-based | Light specification, conceptual review |
Why this matters: without tiering, you either over-govern low-risk models (wasting scarce validation resources) or under-govern critical models (creating regulatory and financial exposure). Tier 1 models receive annual full validation—independent replication, benchmark testing, stress analysis, and a formal report. Tier 3 models might receive a conceptual review every three years unless a trigger event (market dislocation, new product use, material calibration drift) forces an out-of-cycle review.
Inventory tracking must be current. Every model entry should include: model ID, model name, tier classification, business owner, model developer, production date, last validation date, next scheduled validation, open findings count and severity, and current status. A sample entry illustrates the standard:
| Field | Value |
|---|---|
| Model ID | EQ-OPT-001 |
| Model Name | Equity Options Pricer (Heston) |
| Tier | 1 (Critical) |
| Business Owner | Equity Derivatives Desk Head |
| Model Developer | Quant Development Team |
| Production Since | 2019-03-15 |
| Last Validation | 2024-02-20 |
| Next Validation | 2025-02-20 |
| Open Findings | 1 Medium (documentation update) |
| Status | Active – Compliant |
The signal worth remembering: your inventory is the single source of truth that regulators will request first. If it's incomplete or stale, the examination starts on a negative footing regardless of how good your models actually are.
Control Framework (Layered Defenses Across the Model Lifecycle)
Controls operate at three distinct stages: development, validation, and ongoing monitoring. Each layer catches different failure modes, and no single layer is sufficient alone. The framework works because failures that slip through development controls get caught by validation, and degradation that develops post-validation gets caught by monitoring.
Development controls ensure that code entering production is correct and reproducible. This means mandatory code review before deployment (a second pair of eyes on the implementation, not just the methodology). It means unit testing against known benchmarks—if your Heston model can't reprice a vanilla European option to within acceptable tolerance of an analytic solution, it shouldn't reach production. Regression testing against the prior version ensures that updates don't inadvertently break existing functionality. The point is: development controls are cheap relative to the cost of a production pricing error. A code review takes hours; an undetected pricing bug can persist for months and generate material misstatement.
Validation controls provide independent assurance that the model is conceptually sound, correctly implemented, and fit for purpose. Independent replication of key calculations (rebuilding the pricing logic from the specification, not from the production code) tests both the documentation and the implementation simultaneously. Benchmark comparison against established libraries (such as QuantLib) or published academic results provides an external reference point. Sensitivity analysis identifies which inputs drive the largest output variation—and whether those sensitivities are economically reasonable. Stress testing pushes the model beyond normal operating conditions to identify boundary failures or numerical instability. Why this matters: validation is the control that regulators weight most heavily. A model that has never been independently validated is, from a regulatory perspective, an uncontrolled model—regardless of how sophisticated its methodology.
Ongoing monitoring controls detect performance degradation between formal validations. Daily pricing exception reports flag when model outputs deviate from market observables beyond defined thresholds. Monthly calibration performance reviews track whether model parameters remain stable or are drifting in ways that signal regime change or model inadequacy. Quarterly backtesting compares model predictions against realized outcomes—if your model consistently over- or under-predicts, monitoring should catch it before the next annual validation. The practical point: monitoring is what makes governance continuous rather than periodic. A model validated in January can degrade by March if market conditions shift materially.
Change Management (The Process That Prevents Uncontrolled Drift)
All model changes—whether methodology updates, parameter recalibrations, or infrastructure migrations—flow through a formal change management process. This is not bureaucracy for its own sake. It's the mechanism that maintains the integrity of your validation conclusions. If you change the model after validation without formal review, the validation is no longer valid.
The standard change management workflow operates in seven stages: change request with rationale, impact assessment (covering pricing, risk, and capital effects), validation review if the change is material, testing in a non-production environment, approval from the model governance committee, deployment with a documented rollback plan, and post-implementation monitoring for at least 30 days to confirm the change performs as expected. Each stage produces a dated, signed artifact that becomes part of the model's audit trail.
Escalation and Remediation (When Governance Finds Problems)
Governance frameworks that identify problems but don't enforce remediation are theater. The escalation and remediation process is where governance proves it has teeth.
Finding severity drives remediation timelines. Every issue identified through validation or monitoring receives a severity classification that determines the remediation SLA:
| Severity | Definition | Remediation SLA |
|---|---|---|
| Critical | Material pricing error, regulatory breach, or capital misstatement | 5 business days |
| High | Significant model limitation, large unexplained P&L, or failed backtest | 30 days |
| Medium | Model performance degradation, documentation gap, or parameter drift | 60 days |
| Low | Minor enhancement or best practice recommendation | 90 days |
The point is: SLAs without enforcement are suggestions. Findings not remediated within their SLA must escalate automatically—first to the model governance committee, then to senior management. Repeated SLA breaches should affect performance evaluations for the responsible business owner and may result in model suspension (restricting the model's use until the finding is resolved).
The escalation path is deterministic, not discretionary. When a finding is identified, it enters the findings tracker with severity classification within 24 hours. The business owner receives notification immediately for High or Critical findings. The model governance committee is briefed at its next scheduled meeting (or convened ad hoc for Critical findings). A remediation plan with specific deliverables and dates is agreed within 5 business days of classification. Closure requires validation sign-off—the business owner cannot self-certify that a finding is resolved.
Sample Validation Timeline (What Annual Validation Actually Looks Like)
For Tier 1 models, annual validation typically requires 4–6 months from kick-off to committee presentation:
| Month | Activity |
|---|---|
| Month 1 | Kick-off meeting, scope agreement, documentation collection |
| Month 2 | Independent replication of key pricing calculations |
| Month 3 | Benchmark comparison, stress testing, sensitivity analysis |
| Month 4 | Report drafting, preliminary findings discussion with business owner |
| Month 5 | Final report issuance, management response to findings |
| Month 6 | Model governance committee presentation, formal closure |
Why this matters: if you have 20 Tier 1 models requiring annual validation, you need validation capacity for approximately 10 concurrent validations running at any given time (assuming 6-month durations staggered throughout the year). Underestimating this resource requirement is one of the most common governance failures—institutions commit to annual validation cadences they can't actually staff.
Audit Readiness (Proving Governance Actually Operates)
Regulatory examiners and internal auditors don't just review your policy. They test whether the policy operates as described. The distinction between "having a framework" and "operating a framework" is the difference between passing and failing an examination.
The model inventory is the first document requested. It must be complete (every model, no exceptions), current (updated within 5 business days of any change), and accurate (tier classifications match actual materiality, validation dates match actual reports). If an examiner finds a model in production that isn't in your inventory, the examination has effectively failed before it begins.
The documentation package for each model must be assembled and current. This includes the model specification (current version, not the original), the most recent validation report, the findings log with current status for every open item, the complete change history since last validation, and performance monitoring reports (daily exceptions, monthly calibration reviews, quarterly backtests). The practical point: if assembling this package takes more than one business day per model, your ongoing documentation practices need improvement. Audit readiness should be a byproduct of operating the framework, not a separate preparation exercise.
Evidence of active governance means demonstrating that the model governance committee meets regularly, reviews material findings, makes decisions, and follows up. Meeting minutes should document attendees, models discussed, decisions made, and action items assigned. Senior management attestation—a formal sign-off that they have reviewed the model risk posture and accept residual risk—should occur at least quarterly. Training records for model users demonstrate that the people relying on model outputs understand the model's limitations and intended use.
Before a regulatory examination, assemble a summary package: the complete model inventory with tier classifications and validation status, a summary of all High and Critical findings with remediation status, a sample of recent validation reports (typically 2–3 representing different tiers and model types), and recent governance committee presentations showing active oversight.
Action Checklist (Governance Operating Rhythm)
These four items maintain continuous governance between formal validations and examinations:
- Update the model inventory within 5 business days of any change—new model deployment, tier reclassification, ownership transfer, or model retirement. Set calendar alerts 90 days before each scheduled validation to ensure adequate lead time for resource planning.
- Monitor remediation SLAs weekly—review all open findings every Monday, escalate any item within 5 business days of its SLA deadline, and report SLA compliance metrics to the governance committee monthly.
- Document every governance decision within 5 business days—committee meeting minutes, exception approvals, model suspension or reinstatement decisions, and senior management attestations. Undocumented decisions are, from a regulatory perspective, decisions that never happened.
- Report model risk posture to senior management quarterly—covering inventory changes, validation completion rates, findings aging, SLA compliance, and any emerging risks from market conditions or new product activity.
For calibration workflow details, see Model Calibration and Validation. For backtesting model accuracy, review Backtesting Pricing Models Against Market Data.