Governance Briefing — September 25, 2025
By the September 2025 supervisory cycle the PRA expects embedded model risk governance, independent validation, and challenger evidence aligned to SS1/23.
Executive briefing: Prudential Regulation Authority Supervisory Statement SS1/23 on model risk management has been fully applicable since 17 May 2024. By the September 2025 supervisory review cycle, the PRA expects banks and insurers to show an embedded model risk framework covering governance, lifecycle controls, independent validation, and challenger capability. Boards must evidence ownership of model risk appetite, senior management must prove sufficient resources and tooling, and institutions should demonstrate tangible reductions in model risk exposures, particularly across credit risk, capital, stress testing, and machine-learning models.
Supervisory focus in 2025
The PRA’s 2025 supervisory priorities letter and ongoing thematic reviews highlight five focus areas:
- Inventory completeness. Firms must maintain accurate, end-to-end model inventories covering materiality tiers, dependency mapping, and links to regulatory reporting. Partial or siloed inventories are considered a breach of Principle 2 in SS1/23.
- Governance and board engagement. Boards should receive regular MI on model risk appetite metrics, breaches, remediation, and emerging risks (including AI explainability). Minutes must show challenge and investment decisions.
- Independent validation effectiveness. The PRA is testing whether validation teams have sufficient independence, expertise, and tooling to challenge AI/ML models, stress testing frameworks, and pricing engines.
- Challenger models and benchmarking. Supervisors expect firms to operate challenger models or benchmarking exercises to validate key risk metrics and IFRS 9 provisions.
- Use and change controls. Emphasis on post-model adjustments, override governance, and change management across the model lifecycle.
Failure to demonstrate progress can trigger section 166 skilled person reviews, capital add-ons, or limitations on model approvals (e.g., IRB permissions).
Governance structure
Board oversight. Boards should maintain a formal model risk appetite statement, refreshed annually, with quantitative and qualitative limits (e.g., aggregate model risk capital buffer, tolerance for models without current validation, thresholds for overrides). Board minutes should show review of MI dashboards, challenge on resource allocation, and approval of remediation budgets.
Executive ownership. Assign Senior Management Function (SMF) responsibilities, typically SMF1 (CEO), SMF4 (CRO), SMF11 (Head of Risk), or SMF2 (CFO) depending on structure. Maintain Statements of Responsibilities and reasonable steps evidence, including oversight of validation staffing and technology investments.
Committees. Establish a Model Risk Committee reporting to the board risk committee. Terms of reference should cover approval of methodologies, monitoring of remediation, and escalation of breaches.
Policies and standards. Refresh model risk management policies to align with SS1/23 definitions (model, tool, materiality). Include supporting standards for development, validation, deployment, monitoring, and decommissioning. Document connections to data governance, operational resilience, and AI policies.
Model lifecycle controls
Implement controls across each lifecycle stage:
- Model development. Require documented business cases, data quality assessments, and design documentation. Apply model development standards covering feature selection, algorithm choice, performance metrics, and explainability.
- Pre-implementation review. Operate approval gates requiring independent validation sign-off, model committee approval, and evidence that controls (access, versioning, monitoring) are in place.
- Implementation. Enforce controlled deployment pipelines, configuration management, and peer review of code. Document test results and integration with production systems.
- Monitoring and use. Maintain MI on performance metrics, stability indicators, overrides, and user feedback. Record override logs, rationale, and senior approvals. Implement automated alerts for threshold breaches.
- Change management. Classify model changes (minor, major) with approval workflows, testing evidence, and back-testing. Maintain audit trails linking Jira/ServiceNow tickets to inventory entries.
- Decommissioning. Document retirement plans, data archiving, and transition to successor models. Ensure dependent processes are updated.
Inventory and taxonomy
Maintain a centralised inventory that captures:
- Model name, unique identifier, business owner, and technical owner.
- Purpose, regulatory linkage, reporting outputs, and legal entity usage.
- Materiality classification criteria and scoring.
- Validation schedule, last validation date, next due date, and outstanding findings.
- Dependencies on data sources, systems, and other models.
- Use cases across business lines, including stress testing, capital planning, credit approval, pricing, and liquidity management.
- Challenger model references and benchmarking results.
Integrate the inventory with GRC tooling, data catalogues, and change management systems. Apply access controls and audit logging. Boards should receive inventory completeness metrics (e.g., percentage of material models with current validations, number of unapproved models in use).
Independent validation and assurance
Validation standards. Align validation standards with SS1/23, covering conceptual soundness, data quality, outcomes analysis, implementation testing, and ongoing performance monitoring. Ensure AI/ML models include explainability assessments, bias testing, and robustness analysis.
Resourcing. Document competency frameworks, training plans, and recruitment strategies for validation teams. Demonstrate separation from model development, including reporting lines to the CRO and budget autonomy.
Validation reporting. Produce structured validation reports summarising scope, findings, limitations, recommendations, and risk ratings. Track remediation actions with due dates and accountable owners.
Internal audit. Plan independent assurance reviews focusing on governance effectiveness, adherence to policies, and closure of high-risk validation findings.
Challenger models and benchmarking
Document strategies for challenger models:
- Identify material models requiring challengers (e.g., wholesale credit IRB, IFRS 9 lifetime expected credit loss, interest rate risk models).
- Maintain documentation on challenger design, assumptions, and scope.
- Compare outputs, sensitivity, and stability, highlighting divergences and management actions.
- Incorporate external benchmarks or third-party data where challengers are not feasible.
Capture board discussions on challenger outcomes, capital impacts, and remediation plans.
Data, technology, and tooling
Model risk programmes rely on robust data and tooling:
- Data governance. Integrate with enterprise data catalogues, define critical data elements, and maintain lineage from source systems to model inputs. Document data quality controls and remediation of data issues.
- Workflow systems. Implement model lifecycle management platforms or workflow tools to track approvals, validation, and monitoring. Ensure integration with document management and ticketing systems.
- Analytics environment. Provide controlled environments for development and validation with access control, code repositories, and reproducibility features.
- Monitoring dashboards. Deploy dashboards showing performance metrics, validation status, overrides, and key risk indicators. Provide drill-down capabilities for regulators.
Metrics and reporting
Define KRIs and KPIs for board and senior management reporting:
- Percentage of material models with current validation and risk rating.
- Number of high or critical validation findings open beyond due date.
- Frequency and impact of post-model adjustments or overrides.
- Time to remediate validation findings.
- Challenger coverage percentage across key portfolios.
- Resource utilisation and backlog metrics (e.g., validation hours available vs required).
Set thresholds that trigger escalation and capture actions taken.
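The inventory fields and KRIs above lend themselves to a small, repeatable calculation that a model risk function can run against an inventory extract before each board pack. The following is an added example, not part of this briefing and not Zeph Tech's tooling: the record layout, threshold values, and sample inventory are constructed assumptions, and the metric definitions (validation currency, overdue high or critical findings, unapproved models in use, days to remediate) follow the wording of the KRI list above.

```python
# Added example (not Zeph Tech's code): compute SS1/23-style model risk KRIs from a
# model inventory extract and flag breaches of escalation thresholds.
# All record fields, thresholds and sample data below are constructed assumptions.
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

AS_OF = date(2025, 9, 25)  # reporting date used by the worked example


@dataclass
class Finding:
    severity: str                   # "low" | "medium" | "high" | "critical"
    raised: date                    # date the validation finding was raised
    due: date                       # agreed remediation due date
    closed: Optional[date] = None   # None while the finding is still open


@dataclass
class ModelRecord:
    model_id: str
    name: str
    material: bool                  # materiality tier from the inventory
    approved: bool                  # False = in use without committee approval
    last_validation: Optional[date]
    validation_cycle_days: int      # revalidation frequency for the tier
    findings: list = field(default_factory=list)


def validation_current(rec: ModelRecord, as_of: date) -> bool:
    """Validation is current if one exists and its next due date has not passed."""
    if rec.last_validation is None:
        return False
    return rec.last_validation + timedelta(days=rec.validation_cycle_days) >= as_of


def inventory_kris(inventory: list, as_of: date) -> dict:
    """Derive the board-level KRIs from the inventory records."""
    material = [m for m in inventory if m.material]
    current_ids = {m.model_id for m in material if validation_current(m, as_of)}
    all_findings = [f for m in inventory for f in m.findings]
    open_high = [f for f in all_findings
                 if f.severity in ("high", "critical") and f.closed is None]
    closed = [f for f in all_findings if f.closed is not None]
    return {
        "pct_material_current": (round(100 * len(current_ids) / len(material), 1)
                                 if material else 100.0),
        "material_without_current_validation": sorted(
            m.model_id for m in material if m.model_id not in current_ids),
        "unapproved_models_in_use": sum(1 for m in inventory if not m.approved),
        "high_findings_overdue": sum(1 for f in open_high if f.due < as_of),
        "mean_days_to_remediate": (round(sum((f.closed - f.raised).days
                                             for f in closed) / len(closed), 1)
                                   if closed else None),
    }


# Illustrative appetite thresholds (assumed; a firm sets its own in the appetite statement).
THRESHOLDS = {
    "pct_material_current_min": 95.0,
    "high_findings_overdue_max": 0,
    "unapproved_models_in_use_max": 0,
}


def escalations(kris: dict, thresholds: dict = THRESHOLDS) -> list:
    """Return the KRIs that breach their threshold and therefore need escalation."""
    breaches = []
    if kris["pct_material_current"] < thresholds["pct_material_current_min"]:
        breaches.append("pct_material_current")
    if kris["high_findings_overdue"] > thresholds["high_findings_overdue_max"]:
        breaches.append("high_findings_overdue")
    if kris["unapproved_models_in_use"] > thresholds["unapproved_models_in_use_max"]:
        breaches.append("unapproved_models_in_use")
    return breaches


def sample_inventory() -> list:
    """Constructed inventory extract with four models (not real firm data)."""
    return [
        ModelRecord("IRB-WS-001", "Wholesale credit IRB PD", True, True,
                    date(2025, 3, 1), 365,
                    [Finding("high", date(2025, 3, 1), date(2025, 6, 30), date(2025, 6, 15))]),
        ModelRecord("IFRS9-ECL-002", "IFRS 9 lifetime ECL", True, True,
                    date(2024, 6, 15), 365,
                    [Finding("critical", date(2024, 6, 15), date(2024, 12, 31))]),
        ModelRecord("IRRBB-003", "Interest rate risk in the banking book", True, True,
                    None, 365),
        ModelRecord("PRICING-TOOL-004", "Retail pricing tool", False, False,
                    date(2025, 8, 1), 180,
                    [Finding("medium", date(2025, 8, 1), date(2025, 10, 31))]),
    ]


if __name__ == "__main__":
    kris = inventory_kris(sample_inventory(), AS_OF)
    for name, value in kris.items():
        print(f"{name}: {value}")
    print("escalate:", escalations(kris))
```

On the constructed extract, one of three material models has a current validation (33.3%), one critical finding is open past its due date, one model is in use without approval, and the single closed finding took 106 days to remediate, so three KRIs breach and are listed for escalation. In practice the inventory would be read from the GRC platform rather than built inline, and the thresholds would come from the board-approved appetite statement.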
Regulatory engagement
Maintain a regulator engagement plan:
- Track PRA information requests, onsite visits, and thematic review feedback.
- Prepare an evidence pack with policies, inventory extracts, validation reports, board MI, and remediation trackers.
- Document responses to supervisory findings, capital add-ons, or approval conditions.
- Coordinate with internal audit and compliance to ensure consistent messaging.
Boards should review regulator feedback, approve action plans, and monitor delivery.
Culture, training, and accountability
Provide training for model developers, validators, users, and senior management covering SS1/23 expectations, ethical AI considerations, and governance responsibilities. Track completion rates and competence assessments. Embed model risk responsibilities into performance scorecards and remuneration policies, highlighting accountability for data quality, validation, and timely remediation.
Foster a culture that encourages challenge. Document forums where developers, validators, and users debate model limitations, with records of decisions and follow-up actions.
Pre-September 2025 checklist
- Complete a comprehensive inventory reconciliation and validation schedule review.
- Update the model risk appetite statement and ensure board approval with documented challenge.
- Run dry-run supervisory walkthroughs using PRA thematic review questionnaires.
- Close or re-baseline overdue validation findings with clear remediation evidence.
- Refresh training programmes for model users and senior management.
- Prepare regulator engagement packs with board MI, inventory extracts, and challenger model analyses.
Zeph Tech partners with regulated firms to mature PRA-aligned model risk frameworks, integrating inventory governance, validation tooling, and board-ready analytics ahead of the September 2025 supervisory reviews.