# AI/ML Model Risk Management Policy

| Field | Detail |
|---|---|
| **Organisation** | [Organisation Name] |
| **Document type** | Policy — approved, mandatory |
| **Framework basis** | SR 26-2 · OSFI E-23 · PRA SS1/23 · MAS · Treasury/CRI FS AI RMF |
| **Owner** | [Policy owner — e.g. AI Governance Lead] |
| **Approved by** | [Accountable executive / Board] |
| **Version / status** | v1.0 — DRAFT for adoption |
| **Effective date** | [Date] |
| **Next review** | [Date — at least annually] |
| **Classification** | Internal |
| **Prepared with** | autogovern.io — AI governance & risk templates |


## 1. Purpose

This policy defines how **[Organisation Name]** manages **model risk** — the risk of adverse consequences from incorrect or misused model outputs — across all models, expressly including **AI/ML models**, over their full lifecycle. It aligns with SR 26-2 (US), OSFI E-23 (Canada), PRA SS1/23 (UK) and MAS expectations, and operationalises the Treasury/CRI FS AI RMF.

## 2. Scope

Applies to every **model** used by [Organisation Name] — quantitative methods that turn inputs into estimates/decisions — used for credit, pricing, capital, AML/fraud, trading, or servicing, whether built in-house, vendor-supplied, or embedded. Supervised ML is in scope. **Generative and agentic AI** are governed under the AI Governance & AI Risk Management policies and this policy where they function as models; note SR 26-2 currently excludes GenAI/agentic from its formal scope pending an interagency RFI.

## 3. Definitions

| Term | Meaning |
|---|---|
| Model | A quantitative/algorithmic method that processes inputs into estimates, scores or decisions. |
| Model risk | Risk of adverse consequences from incorrect or misused model output. |
| Materiality / tier | The model’s risk rating driving validation intensity and oversight. |
| Validation | Independent assessment of whether a model is sound and fit for purpose. |
| Effective challenge | Critical, independent review with the competence, incentive and authority to change a model. |
| Ongoing monitoring | Continuous performance, stability and drift tracking after deployment. |

## 4. Governance — three lines of defence

| Line | Owner | Model-risk role |
|---|---|---|
| **1st line** | Model owners / developers | Develop, document, use and monitor models; own the risk. |
| **2nd line** | Model Risk Management / independent validation | Set standards, validate, effectively challenge, maintain the inventory. |
| **3rd line** | Internal Audit | Assure the overall MRM framework. |

The board / risk committee owns model-risk appetite and receives regular reporting on material models and validation findings.

## 5. Model inventory & tiering

Maintain a complete **model inventory**; assign each model a **materiality tier** (e.g. High/Medium/Low) from its financial, regulatory and reputational impact. Validation frequency, documentation depth and oversight scale with the tier.

| Model | Purpose | Owner | AI/ML? | Tier | Last validation | Status |
|---|---|---|---|---|---|---|
| [model] | [credit/pricing/AML/…] | [owner] | [yes/no] | [H/M/L] | [date] | [dev/live/retired] |
|   |   |   |   |   |   |   |

## 6. Model lifecycle & stage gates

| Stage | Key activity | Gate |
|---|---|---|
| Development | Sound design, data quality/lineage, documentation an independent party can reconstruct | Development evidence complete |
| Validation | Independent validation proportionate to tier | Validation passed / conditions logged |
| Approval | Effective challenge; owner + MRM sign-off | Approved for use (tiered authority) |
| Monitoring | Ongoing performance, drift & override tracking | Monitoring live; thresholds set |
| Revalidation | On material change, breach, or schedule | Revalidation completed |
| Retirement | Decommission safely; retain records | Retirement approved |

## 7. Independent validation

Validation, independent of development, covers: **(a) conceptual soundness** (design, assumptions, methodology); **(b) ongoing monitoring & process verification** (incl. benchmarking); and **(c) outcomes analysis / back-testing**. For AI/ML models, additionally assess **data lineage, feature stability, overfitting, explainability/interpretability, and drift**. Vendor and third-party models are validated too — outsourcing the model does not outsource the model risk.

## 8. AI/ML-specific controls

- **Explainability** sufficient for the use case (reason codes for credit; documented interpretability for others).
- **Drift & performance monitoring** with thresholds and a retraining/circuit-breaker playbook.
- **Bias/fairness testing** where the model affects people (see the Fair Lending procedure).
- **Data governance** — provenance, quality, representativeness.
- **Security** — protection against data poisoning and model theft.

## Regulatory & framework mapping (financial services)

| Instrument | Jurisdiction | What this policy supports |
|---|---|---|
| SR 26-2 / OCC 2026-13 / FDIC (Apr 2026) | US banks (>$30B) | Model inventory, tiering, independent validation, governance (supervised ML in scope; GenAI/agentic out of scope) |
| Treasury / CRI FS AI RMF (Feb 2026) | US financial services | ~230 control objectives crosswalked to NIST AI RMF & SR 26-2 |
| OSFI Guideline E-23 (eff. 2027) | Canada FRFIs | Lifecycle model risk incl. AI/ML |
| PRA SS1/23 | UK banks | Five model-risk principles |
| MAS FEAT + AI MRM paper | Singapore FIs | AI inventory, materiality, validation |
| ECOA/Reg B §1002.9, FCRA | US consumer credit | Adverse-action reason codes; fair lending |
| NAIC Model Bulletin, NY DFS CL7, CO SB 21-169 | US insurance | AIS Program; proxy/bias testing |
| EU AI Act Annex III 5(b)/5(c) + DORA; GDPR Art. 22 | EU | High-risk credit/insurance AI; ICT resilience; automated decisions |
| ISO/IEC 42001 & 23894; COSO ERM + Three Lines | Global | Management system, AI risk, governance backbone |

## 10. Review

MRM standards and the inventory are reviewed at least annually and after any material regulatory change or model incident.

## Appendix A — Validation report template

| Section | Content |
|---|---|
| Model & tier | [name / H/M/L] |
| Conceptual soundness | [findings] |
| Data quality & lineage | [findings] |
| Outcomes analysis / back-testing | [results] |
| Ongoing monitoring plan | [metrics & thresholds] |
| Bias / explainability (AI/ML) | [findings] |
| Limitations & conditions | [list] |
| Validator (independent) & date | [name / date] |
| Effective-challenge sign-off | [name / date] |


---

## Document control & approval

| Version | Date | Author | Approved by | Summary of change |
|---|---|---|---|---|
| 1.0 | [Date] | [Author] | [Approver] | Initial adoption |
|   |   |   |   |   |

**Sign-off**

- Policy owner: __________________________  Signature: ______________  Date: __________
- Accountable executive: __________________________  Signature: ______________  Date: __________
- Next review due: __________

> _This template was generated by **autogovern.io** as a professional starting point. Review and adapt it to your organisation, systems, sector and legal advice before adoption. It is an educational aid, not legal advice._