Establishing Model Risk Management
http://ccro.org © Copyright 2025, CCRO. All rights reserved. 14
logged, and confirm that process controls exist to prevent misuse or unintended
outcomes.
8. Regular statistical performance reviews should be carried out. Any deviation from the
stated use cases or predefined tolerance parameters should be escalated to the model
governance, validation, and model development teams. Additionally, back-testing
should be regularly conducted to ensure the model is properly calibrated to current
market conditions. Model owners should have clear controls and processes for model
stoppage, change management, and recalibration if ongoing monitoring or backtests
indicate a need for change.
9. Models and their challenger models should be reviewed and re-validated on a regular
basis. The validation team should have the option to grant a continuation of the existing
model validation status, seek a minor revalidation, or pull the model out of use during a
major revalidation or redevelopment process. The frequency of re-validation should be
tied to the model’s risk tier as determined by the validation team.
5.3. Organizational Structure
A sound MRM program should have a well-supported team of expert stakeholders inclusive of
users of the outputs and controls functions. The MRM team should be comprised of individuals
responsible for developing, implementing, supporting, and governing analytics and models.
The team should carefully outline the skills, roles, responsibilities, and support activities needed
for each analytic and modeling capability. In addition, it should establish where each resides
within the organization inclusive of lines of reporting and spans of control.
In standing up an MRM support structure, the company should first assess its current state.
That assessment should include the company’s understanding of how model development is
organized, structured, tested, documented, and approved, who has institutional and technical
knowledge, what vendor dependencies exist and where they reside, and what control activities
exist.
Recommendations:
1. Model developers and independent validation specialists should have proper training,
skills, and knowledge.
2. Model owners should review the approved use of models, review ongoing monitoring
and back-testing results, have the responsibility to evaluate overrides, determine the
root cause of errors, and discern whether the model should be updated.
3. Model governance and validation personnel should have the authority and
independence to provide an effective challenge, including the authorization to halt
model usage if they deem it excessively risky or erroneous.
4. Roles and responsibilities should be clearly defined with appropriate descriptions of
accountability across the model development lifecycle.
http://ccro.org © Copyright 2025, CCRO. All rights reserved. 14
logged, and confirm that process controls exist to prevent misuse or unintended
outcomes.
8. Regular statistical performance reviews should be carried out. Any deviation from the
stated use cases or predefined tolerance parameters should be escalated to the model
governance, validation, and model development teams. Additionally, back-testing
should be regularly conducted to ensure the model is properly calibrated to current
market conditions. Model owners should have clear controls and processes for model
stoppage, change management, and recalibration if ongoing monitoring or backtests
indicate a need for change.
9. Models and their challenger models should be reviewed and re-validated on a regular
basis. The validation team should have the option to grant a continuation of the existing
model validation status, seek a minor revalidation, or pull the model out of use during a
major revalidation or redevelopment process. The frequency of re-validation should be
tied to the model’s risk tier as determined by the validation team.
5.3. Organizational Structure
A sound MRM program should have a well-supported team of expert stakeholders inclusive of
users of the outputs and controls functions. The MRM team should be comprised of individuals
responsible for developing, implementing, supporting, and governing analytics and models.
The team should carefully outline the skills, roles, responsibilities, and support activities needed
for each analytic and modeling capability. In addition, it should establish where each resides
within the organization inclusive of lines of reporting and spans of control.
In standing up an MRM support structure, the company should first assess its current state.
That assessment should include the company’s understanding of how model development is
organized, structured, tested, documented, and approved, who has institutional and technical
knowledge, what vendor dependencies exist and where they reside, and what control activities
exist.
Recommendations:
1. Model developers and independent validation specialists should have proper training,
skills, and knowledge.
2. Model owners should review the approved use of models, review ongoing monitoring
and back-testing results, have the responsibility to evaluate overrides, determine the
root cause of errors, and discern whether the model should be updated.
3. Model governance and validation personnel should have the authority and
independence to provide an effective challenge, including the authorization to halt
model usage if they deem it excessively risky or erroneous.
4. Roles and responsibilities should be clearly defined with appropriate descriptions of
accountability across the model development lifecycle.
