Model Risk Management (SR 11-7) refers to a comprehensive regulatory framework established by the Board of Governors of the Federal Reserve System for managing risks associated with artificial intelligence and machine learning models deployed within banking institutions. The guidance, formally issued as Supervision and Regulation Letter 11-7 in 2011 and subsequently updated, mandates a full-lifecycle approach to model governance that extends from initial development and validation through continuous operational monitoring and periodic re-validation ¹⁾. This framework addresses the growing complexity of quantitative models used for credit risk assessment, market risk measurement, and operational decision-making in banking environments. SR 11-7 is now considered table stakes for high-impact models in risk and collections, establishing expectations for comprehensive lifecycle management, continuous monitoring, drift detection, and periodic re-validation ²⁾.

SR 11-7 establishes governance structures requiring banking institutions to implement formal policies, procedures, and controls for all material models throughout their operational lifecycle. Material models are defined as those with significant potential impact on bank capital, liquidity, or earnings, or those used for regulatory capital calculations and stress testing scenarios ³⁾.

The framework mandates that banks establish a Model Governance Committee with representation from risk management, lines of business, and model development functions. This committee maintains an inventory of material models, tracks their development status, assigns accountability for performance monitoring, and ensures appropriate escalation of model issues. Banks must document assumptions underlying each model, including data sources, mathematical methodologies, and parameter specifications. The governance structure requires independent model validation—performed by personnel with technical expertise but without direct responsibility for model development—and documented sign-off from senior management regarding model adequacy for its intended use ⁴⁾.

Effective model governance frameworks require defensible audit trails, data attribution, and access controls to ensure models are properly validated and monitored throughout their operational lifecycle ⁵⁾. These governance requirements establish foundational expectations that distinguish model risk governance from broader risk intelligence activities, emphasizing the centrality of documented controls and accountability mechanisms in regulatory compliance ⁶⁾.

The SR 11-7 framework emphasizes that model risk management extends across the complete model lifecycle, not merely at deployment. The validation phase requires comprehensive testing of model logic, data integrity, parameter estimation techniques, and sensitivity to assumption changes. Model developers must conduct backtesting against historical data, forward-testing against out-of-sample performance, and stress-testing under adverse scenarios. For credit models specifically, validation includes verification of discriminatory power, calibration accuracy, and stability across business cycles ⁷⁾.

Continuous monitoring represents a core operational requirement under SR 11-7. Banks must implement automated systems that track key performance indicators (KPIs) for each material model, including prediction accuracy metrics, data quality measures, and statistical tests for model performance degradation. Monitoring systems must detect model drift—the phenomenon where model inputs, relationships, or target variables change over time, reducing predictive accuracy. Common drift types include data drift (input distribution shifts), concept drift (relationship changes between inputs and outputs), and label drift (changes in target variable definition or measurement). Banks must establish specific statistical thresholds triggering investigation and potential remediation when drift is detected.

Independent validation reviews occur before model implementation and on a periodic basis thereafter—typically annually for material models, with more frequent review for models in high-risk domains or exhibiting performance degradation. Re-validation assessments evaluate whether the model continues to perform adequately for its intended purpose, examining whether underlying assumptions remain valid and whether new data patterns have emerged that affect model reliability.

Documentation requirements under SR 11-7 mandate maintenance of comprehensive model files including theoretical justification, mathematical specifications, parameter estimation results, validation evidence, governance approvals, and ongoing performance monitoring records. Banks must maintain model versioning systems that track modifications, updates to training data, parameter recalibrations, and performance changes across iterations. This audit trail supports regulatory examination and demonstrates adherence to sound model risk management practices.

Implementation of SR 11-7 framework requirements presents substantial operational challenges, particularly as banks increasingly deploy sophisticated machine learning models alongside traditional quantitative approaches. Model interpretability challenges arise when deep learning models or ensemble methods lack transparency regarding how inputs drive outputs, complicating independent validation and regulatory explanation requirements. Banks must balance model sophistication with explainability requirements, sometimes implementing simpler, more interpretable models alongside advanced techniques.

Data quality and governance present ongoing operational challenges, as comprehensive model monitoring requires clean, consistently structured data across extended time periods. Models trained on historical data may perform poorly when operational environments change—such as during financial crises, regulatory shifts, or technological disruptions—yet identifying appropriate re-validation triggers remains difficult without comprehensive performance monitoring infrastructure. The resource intensity of full-lifecycle model management, including independent validation, continuous monitoring, and periodic re-validation, requires significant investment in technical talent, monitoring systems, and governance infrastructure.

SR 11-7 framework requirements integrate with broader enterprise risk management practices, including stress testing, concentration risk management, and capital adequacy assessment. The Federal Reserve expects models supporting regulatory capital calculations to undergo enhanced validation, including hypothetical stress scenarios and back-testing under adverse historical periods ⁸⁾. Banks must maintain audit trails demonstrating that model assumptions remain reasonable and that performance remains adequate across varying economic conditions.

• Supply Chain Risk Designation
• EU AI Act High-Risk Classification
• AI Preparedness Framework