Knowledge and Insights

Model Governance: How to Formalize the Program

As a small financial institution, you may not have formalized a comprehensive model risk governance program. Model governance refers to the framework and structure an institution establishes to oversee and manage its models effectively.

Such a program is to be in accordance with the Office of the Comptroller of the Currency and Federal Reserve Bank supervisory guidance on model risk management (OCC 2011-12 and FRB SR11-12, respectively), adopted by the Federal Deposit Insurance Corporation FIL-22-2017.

We typically see our clients implementing a model governance framework when they exceed $1 billion in assets. As the institution gets closer to the $5 billion asset mark, your federal regulators most likely will be including this during their examinations. So where does one begin the process to formalize a model governance program?


  1. Designate a champion to run the model governance program.
    This may be the Chief Risk Officer, Director of Internal Audit, or another role that has a big picture view of the institution. The program along with who leads it will evolve over time as your organization grows. However, the model owners need to be the champions over their model and take a vested interest in the implementation of the program.
  2. Outline a formal policy.
    Make sure to define what constitutes a model. Note that your risk management practices may include more than what is defined within the statutory definition. Include how you will identify models used throughout your institution, and the risk assessment and validation strategies of each. Be sure to note the frequency of updates for audit, training, retention and overall policy. Refine this outline as you continue through the next steps.
  3. Educate all levels of management within your organization as to your definition of a model.
    This is a critical step to identify and inventory the models in use. You can leverage surveys and questionnaires to assist in compiling the list. In order to keep the list current, make sure to include a step within your vendor management program to alert the model governance champion early in the onboarding process.
  4. Review the list of models in inventory against risk rating factors.
    Ask yourself questions like: What would happen if the model did not exist? What are the consequences if the results of the model are not accurate? How many departments utilize the output? Is a validation required under regulation? This will help you determine the criticality of the model. The higher the criticality, the greater the validation efforts and frequency should be.
  5. Identify the validation strategy to deploy for each of the risk ratings established. The efforts taken for each specific model may vary as long as it is within the guidelines set by the policy. Validation efforts can be independent or by a process owner. It can be conducted by internal personnel at the institution or outsourced to a third-party vendor, such as our team at Mercadien. The validation efforts can include one or more of the following: the model’s conceptual soundness, data inputs, assumptions, and outputs. The timing of validation is critical. Make sure to validate a new model before relying on the results. This may include running an older system in parallel for a few months to compare the outputs. The model owner should always keep the assigned risk level in mind as the model risk may change over time.
  6. Develop the security and change control procedures of each model.
    Without adequate controls the model’s integrity and validation results are meaningless. A good practice is to have the model owners restricted from making direct edits to the model’s inputs and algorithms. They would be the ones to approve such edits, which would typically be implemented by the IT department and verified by the model owner. Proper segregation of duties is key.


In closing, model risk management is not a check the box process as it supports the overall health of the institution. By implementing effective model risk management practices and formalizing your model governance program, your institution can mitigate the potential adverse impacts of model errors, enhance decision-making processes, maintain regulatory compliance, protect its reputation, and safeguard its financial stability.

Mercadien’s Financial Institutions Services Group can assist you with formalizing a model governance program, performing model validations, and help you effectively maintain compliance while mitigating risk. Our team of experts have deep knowledge of the banking industry and are nationally recognized for our expertise in the areas of audit, compliance, validation and risk management. Contact us today to learn more about how we can help your institution.

DISCLAIMER: This advisory resource is for general information purposes only. It does not constitute business or tax advice and may not be used and relied upon as a substitute for business or tax advice regarding a specific issue or problem. Advice should be obtained from a qualified accountant, tax practitioner or attorney licensed to practice in the jurisdiction where that advice is sought.