Model risk management
By the September 2025 supervisory cycle the PRA expects embedded model risk governance, independent validation, and challenger evidence aligned to SS1/23.
Verified for technical accuracy — Kodi C.
Prudential Regulation Authority Supervisory Statement SS1/23 on model risk management has been fully applicable since 17 May 2024. By the September 2025 supervisory review cycle, the PRA expects banks and insurers to show an embedded model risk framework covering governance, lifecycle controls, independent validation, and challenger capability. Boards must evidence ownership of model risk appetite, senior management must prove sufficient resources and tooling, and institutions should show tangible reductions in model risk exposures, particularly across credit risk, capital, stress testing, and machine-learning models.
Supervisory focus in 2025
The PRA’s 2025 supervisory priorities letter and ongoing thematic reviews highlight five focus areas:
- Inventory completeness. Firms must maintain accurate, end-to-end model inventories covering materiality tiers, dependency mapping, and links to regulatory reporting. Partial or siloed inventories are considered a breach of Principle 2 in SS1/23.
- Governance and board engagement. Boards should receive regular MI on model risk appetite metrics, breaches, remediation, and emerging risks (including AI explainability). Minutes must show challenge and investment decisions.
- Independent validation effectiveness. The PRA is testing whether validation teams have sufficient independence, expertise, and tooling to challenge AI/ML models, stress testing frameworks, and pricing engines.
- Challenger models and benchmarking. Supervisors expect firms to operate challenger models or benchmarking exercises to validate key risk metrics and IFRS 9 provisions.
- Use and change controls. Supervisors are emphasizing post-model adjustments, override governance, and change management across the model lifecycle.
Failure to show progress can trigger section 166 skilled person reviews, capital add-ons, or limitations on model approvals (for example, IRB permissions).
Governance structure
Board oversight. Boards should maintain a formal model risk appetite statement, refreshed annually, with quantitative and qualitative limits (for example, aggregate model risk capital buffer, tolerance for models without current validation, thresholds for overrides). Board minutes should show review of MI dashboards, challenge on resource allocation, and approval of remediation budgets.
Executive ownership. Assign Senior Management Function (SMF) responsibilities, typically SMF1 (CEO), SMF4 (CRO), SMF11 (Head of Risk), or SMF2 (CFO) depending on structure. Maintain Statements of Responsibilities and reasonable steps evidence, including oversight of validation staffing and technology investments.
Committees. Set up a Model Risk Committee reporting to the board risk committee. Terms of reference should cover approval of methodologies, monitoring of remediation, and escalation of breaches.
Policies and standards. Refresh model risk management policies to align with SS1/23 definitions (model, tool, materiality). Include supporting standards for development, validation, deployment, monitoring, and decommissioning. Document connections to data governance, operational resilience, and AI policies.
Model lifecycle controls
Implement controls across each lifecycle stage:
- Model development. Require documented business cases, data quality assessments, and design documentation. Apply model development standards covering feature selection, algorithm choice, performance metrics, and explainability.
- Pre-setup review. Operate approval gates requiring independent validation sign-off, model committee approval, and evidence that controls (access, versioning, monitoring) are in place.
- Implementation. Enforce controlled deployment pipelines, configuration management, and peer review of code. Document test results and integration with production systems.
- Monitoring and use. Maintain MI on performance metrics, stability indicators, overrides, and user feedback. Record override logs, rationale, and senior approvals. Implement automated alerts for threshold breaches.
- Change management. Classify model changes (minor, major) with approval workflows, testing evidence, and back-testing. Maintain audit trails linking Jira/ServiceNow tickets to inventory entries.
- Decommissioning. Document retirement plans, data archiving, and transition to successor models. Ensure dependent processes are updated.
Inventory and taxonomy
Maintain a centralized inventory that captures:
- Model name, unique identifier, business owner, and technical owner.
- Purpose, regulatory linkage, reporting outputs, and legal entity usage.
- Materiality classification criteria and scoring.
- Validation schedule, last validation date, next due date, and outstanding findings.
- Dependencies on data sources, systems, and other models.
- Use cases across business lines, including stress testing, capital planning, credit approval, pricing, and liquidity management.
- Challenger model references and benchmarking results.
Integrate the inventory with GRC tooling, data catalogs, and change management systems. Apply access controls and audit logging. Boards should receive inventory completeness metrics (for example, percentage of material models with current validations, number of unapproved models in use).
Independent validation and assurance
Validation standards. Align validation standards with SS1/23, covering conceptual soundness, data quality, outcomes analysis, setup testing, and ongoing performance monitoring. Ensure AI/ML models include explainability assessments, bias testing, and robustness analysis.
Resourcing. Document competency frameworks, training plans, and recruitment strategies for validation teams. Demonstrate separation from model development, including reporting lines to the CRO and budget autonomy.
Validation reporting. Produce structured validation reports summarizing scope, findings, limitations, recommendations, and risk ratings. Track remediation actions with due dates and accountable owners.
Internal audit. Plan independent assurance reviews focusing on governance effectiveness, adherence to policies, and closure of high-risk validation findings.
Challenger models and benchmarking
Document strategies for challenger models:
- Identify material models requiring challengers (for example, wholesale credit IRB, IFRS 9 lifetime expected credit loss, interest rate risk models).
- Maintain documentation on challenger design, assumptions, and scope.
- Compare outputs, sensitivity, and stability, highlighting divergences and management actions.
- Incorporate external benchmarks or third-party data where challengers are not feasible.
Capture board discussions on challenger outcomes, capital impacts, and remediation plans.
Data, technology, and tooling
Model risk programs rely on strong data and tooling:
- Data governance. Integrate with enterprise data catalogs, define critical data elements, and maintain lineage from source systems to model inputs. Document data quality controls and remediation of data issues.
- Workflow systems. Implement model lifecycle management platforms or workflow tools to track approvals, validation, and monitoring. Ensure integration with document management and ticketing systems.
- Analytics environment. Provide controlled environments for development and validation with access control, code repositories, and reproducibility features.
- Monitoring dashboards. Deploy dashboards showing performance metrics, validation status, overrides, and key risk indicators. Provide drill-down capabilities for regulators.
Key metrics
Define KRIs and KPIs for board and senior management reporting:
- Percentage of material models with current validation and risk rating.
- Number of high or critical validation findings open beyond due date.
- Frequency and impact of post-model adjustments or overrides.
- Time to remediate validation findings.
- Challenger coverage percentage across key portfolios.
- Resource utilization and backlog metrics (for example, validation hours available vs required).
Set thresholds that trigger escalation and capture actions taken.
Regulatory engagement
Maintain a regulator engagement plan:
- Track PRA information requests, onsite visits, and thematic review feedback.
- Prepare an evidence pack with policies, inventory extracts, validation reports, board MI, and remediation trackers.
- Document responses to supervisory findings, capital add-ons, or approval conditions.
- Coordinate with internal audit and compliance to ensure consistent messaging.
Boards should review regulator feedback, approve action plans, and monitor delivery.
Culture, training, and accountability
Provide training for model developers, validators, users, and senior management covering SS1/23 expectations, ethical AI considerations, and governance responsibilities. Track completion rates and competence assessments. Embed model risk responsibilities into performance scorecards and remuneration policies, highlighting accountability for data quality, validation, and timely remediation.
Foster a culture that encourages challenge. Document forums where developers, validators, and users debate model limitations, with records of decisions and follow-up actions.
Pre-September 2025 checklist
- Complete a full inventory reconciliation and validation schedule review.
- Update the model risk appetite statement and ensure board approval with documented challenge.
- Run dry-run supervisory walkthroughs using PRA thematic review questionnaires.
- Close or re-baseline overdue validation findings with clear remediation evidence.
- Refresh training programs for model users and senior management.
- Prepare regulator engagement packs with board MI, inventory extracts, and challenger model analyses.
Cited sources
- Model risk management principles for banks (SS1/23) — Prudential Regulation Authority
- Model risk management principles for banks (PS6/23) — Prudential Regulation Authority
- ISO 37000:2021 — Governance of Organizations — International Organization for Standardization