Establishing Model Risk Management
http://ccro.org © Copyright 2025, CCRO. All rights reserved. 7
• Miscalibration: data errors resulting from incorrect inputs, or false parameterization.
Model risk can be categorized by inherent complexity and materiality, including the model’s
relevance. That categorization can be used to prioritize activities for highly complex, material
models while reducing the administrative burden for low-risk, low-impact models. For
example, model risk might be organized by tiers as presented below:
Figure 2: Model Risk Tiers
Model Risk Classification Tiers

                      Materiality: High    Materiality: Medium    Materiality: Low
Complexity: High      Tier-1               Tier-2                 Tier-3
Complexity: Medium    Tier-2               Tier-3                 Tier-4
Complexity: Low       Tier-3               Tier-3                 Tier-4

In this example, Tier-1 models carry the highest model risk and should be subject to the most
stringent controls. Tier-4 models, on the other hand, are comparatively lower risk and may be
subject to less rigor.
2.3. Model Risk Management
The term “Model Risk Management” (“MRM”) refers to the system of organization, controls,
procedures, and supporting capabilities that allow a company to manage risk throughout the
model life cycle. At its foundation, any MRM program should mandate that the business use only
validated models with current approvals. Companies should aim for a fit-for-purpose
framework that aligns with their organization, models, and risk profile, in addition to
meeting regulatory requirements and considering other human factors such as health and safety
concerns. MRM programs generally incorporate policies and procedures, committee
participation, and independent model development and validation teams (see Section 4 for
more details).
2.4. Tools and End User Computing
The terms “End User Computing” (EUC) and “Tool” refer to Information Technology (IT)
applications, databases, spreadsheets, macros, database queries, batch processing programs,
scripts, and vendor-based software products that might not meet a strict definition of “model”
but should still be subject to reasonable oversight and controls. Since these EUC tools can pose
significant risks, organizations should have a fit-for-purpose EUC governance framework
alongside their MRM framework.
2.5. Vendor Models
The term “vendor models” has two meanings in this paper. The first includes stand-alone
models provided by a third party. The second includes models and functions embedded in
software systems (e.g., the Black-Scholes engine in a trade capture system) or analytics