Model Risk Management
Model risk management is the oversight of the risks that arise when models, including AI/ML models, drive decisions; its goal is to ensure that those models perform as intended and are used as intended.
Model risk management (MRM) governs all types of predictive models, from traditional statistical models to AI/ML, ensuring they are fit for purpose.
SR 11-7 (Federal Reserve supervisory guidance, issued jointly with the OCC in 2011) defines model risk as the potential for adverse consequences from decisions based on incorrect or misused model outputs. Its sources include:
- Errors in model inputs, design, or implementation
- Models used inappropriately or outside their intended scope
- Model outputs misunderstood or misused
MRM framework:
1. Model Inventory: Catalog all models in use
2. Risk Tiering: Classify by materiality and complexity
3. Validation: Independent review of model performance
4. Monitoring: Ongoing performance tracking
5. Governance: Clear roles and responsibilities
Lifecycle stages:
- Development and documentation
- Testing and validation
- Implementation approval
- Ongoing monitoring
- Model changes and retirement
Why It Matters
Models that make incorrect decisions can cause significant financial losses, regulatory violations, and reputational damage. In financial services, SR 11-7 sets supervisory expectations for formal model risk management, but the principles apply to any organization using models for consequential decisions. With the rise of AI/ML, the scope of MRM has expanded dramatically: organizations must inventory, validate, and monitor all models, including third-party AI services they consume.
Related Terms
AI risk management systematically identifies, assesses, and mitigates risks unique to artificial intelligence systems throughout their lifecycle.
AI governance is the framework of policies, processes, and controls that ensure AI systems are developed and used responsibly, ethically, and in compliance with regulations.
A risk assessment is a systematic process of identifying, analyzing, and evaluating potential threats to an organization's information assets.
Frequently Asked Questions
What is SR 11-7?
Supervisory guidance on model risk management issued in 2011 by the Federal Reserve and the OCC, which expects banks to maintain robust frameworks for model development, validation, and governance.
Does MRM apply to third-party models?
Yes. Third-party and vendor models require the same governance. You're responsible for models you use even if you didn't build them: obtain documentation from the vendor, validate the model to the extent its risk warrants (including testing its outputs on your own data), and have a contingency plan in case the vendor model or the vendor becomes unavailable.