Model Risk Management (MRM) is a critical function that helps ensure the responsible development, use, monitoring, compliance, and oversight of banking models. Many existing MRM frameworks already cover widely known risks, such as compliance with regulatory guidelines, conceptual soundness and methodology selection, various data risks, and the risks associated with chosen assumptions and known model limitations. However, these widely known risks only scratch the surface in today’s landscape, and additional, often overlooked risks can cause significant blind spots.
For instance, the data underpinning a given model may unknowingly change over time, producing unreliable or inaccurate results. Or model owners and users may begin to sacrifice explainability and transparency through overreliance on, and inadequate understanding of, artificial intelligence (AI) and machine learning (ML) models.
Whatever the case, it is imperative for institutions to stay aware of hidden MRM risks and modify their programs to maintain continued responsible and ethical use of these models.
Understanding the Lesser-Known Risks
Model Risk Managers should both understand and prepare for the lesser-known risks within MRM to promote program sustainability. Although not an exhaustive list, below are several top-of-mind considerations in today’s landscape:
- Speed of risk outpacing model responsiveness
  - What is hidden: Traditional models often assume gradual changes. However, the 2023 banking crisis highlighted how social media and digital banking can trigger instantaneous deposit runs and market shifts.
  - Why it matters: Models that do not account for real-time behavioral dynamics may fail catastrophically under stress.
- Overreliance on AI and/or ML without explainability
  - What is hidden: Many institutions are deploying black-box AI models without fully understanding their decision logic.
  - Why it matters: This creates regulatory, reputational, and operational risk, especially if models are used in credit, fraud, or compliance decisions.
- Data drift and silent model degradation
  - What’s hidden: Models may continue to run with outdated or shifted data distributions, e.g., post-pandemic consumer behavior, leading to silent performance decay.
  - Why it matters: Without robust drift detection and retraining protocols, models may produce misleading outputs for months before detection.
- Shadow models and untracked tools
  - What’s hidden: Business units may use unregistered models or spreadsheets for decision making, bypassing MRM oversight.
  - Why it matters: These “shadow models” can introduce uncontrolled risk and regulatory noncompliance.
- Vendor and third-party model blind spots
  - What’s hidden: Many banks rely on external models, e.g., credit scoring and fraud detection, without full transparency into their assumptions or data.
  - Why it matters: If these models fail or are biased, your institution bears the risk but may lack the ability to validate or challenge the models themselves.
- Model interdependencies and systemic risk
  - What’s hidden: Models often feed into each other, e.g., credit models into capital models, creating cascading risks.
  - Why it matters: A flaw in one model can propagate across the enterprise, especially during stress scenarios.
- Regulatory lag and compliance gaps
  - What’s hidden: Regulations are evolving, but AI/ML governance standards are still catching up.
  - Why it matters: Institutions may be compliant today but vulnerable tomorrow if models do not meet emerging expectations for fairness, explainability, and auditability.
- Talent and oversight gaps
  - What’s hidden: The complexity of modern models may be outpacing the available expertise in many risk teams.
  - Why it matters: Without skilled validators and governance professionals, even well-designed models can become unmanaged risks.
How to Mitigate the Lesser-Known Risks
Although hidden MRM risks are unique and complex in nature, there are many ways that Model Risk Managers can mitigate the lesser-known risks to help safeguard agility and preparedness. Below is a non-exhaustive list of several hidden risk mitigation strategies:
- Continuously monitor any underlying model data and use rigorous quality controls.
  - Because gradual data changes can cause inadvertent degradation of model performance, it is important to apply data quality controls that regularly monitor the data within the model and establish quality and performance thresholds that would signal a need for model recalibration.
- Institute robust training protocols to align all stakeholders and model users with objectives and best practices.
  - Improper or unauthorized model use can have cascading consequences affecting an institution’s credibility and reputation, as well as model accuracy and data security. As such, it is critical to put training procedures in place for all users to help ensure that models are being used responsibly, and results are being accurately interpreted and communicated.
- Regularly review third-party vendor contracts to stay aware of any changes and updates to existing models in the inventory.
  - Third-party developers and vendors regularly push model updates that may subject a model to more rigorous review and risk management. Reviewing contracts can help risk managers stay aware of any updates that may necessitate more scrutiny or oversight.
- Consider reassessment of talent on a regular basis to determine gaps in knowledge.
  - Because models have varying degrees of complexity, internal teams do not always possess the expertise and skill coverage to use and interpret the model correctly, highlighting the importance of a regular reassessment of people and talent needs.
- Adopt a strong, frequent model identification process to differentiate tools from models.
  - At the forefront of MRM is the process of properly identifying and cataloging models. Having a strong model identification process can help confirm that models are receiving the appropriate amount of review and challenge.
- Stay aware of changes and updates to regulatory guidance to maintain compliance.
  - Regulations are changing all the time, and it is easy to fall out of compliance if regulatory changes go unnoticed. To mitigate the risk of noncompliance, it is important to continuously monitor the regulatory landscape and stay abreast of changing laws.
- Develop an AI-focused risk management strategy to handle the added complexity introduced with AI models and tools.
  - As AI-driven models and tools are gaining popularity, it is important that risk managers enhance existing MRM programs to account for the added complexity of AI.
- Establish and socialize an MRM governance framework to promote cross-functional alignment with policies, procedures, best practices, and escalation protocols.
  - Errors, misuse, and misunderstandings can occur at any stage of the model life cycle and any line of defense, which is why it is imperative that institutions develop a centralized governance framework and socialize all policies and procedures enterprisewide to safeguard appropriate model use.
Concluding Thoughts on MRM Frameworks
Models are mere representations of real-life scenarios and our reliance on their outputs introduces obvious risks; however, history has proven that not all risks are widely known and adequately managed. Model Risk Managers can strengthen the integrity of their programs by recognizing and mitigating not just the obvious risks, but the ever-evolving, lesser-known risks that continue to present themselves as we advance technologies, experience shifts in the talent pool, and navigate a continuously developing regulatory environment.
For more information or if you have any questions, please reach out to a professional at Forvis Mazars.