What is SR 11-7 Guidance on Model Risk Management?

What is SR 11-7?


The Federal Reserve and the Office of the Comptroller of the Currency (OCC) issued SR 11-7, "Supervisory Guidance on Model Risk Management," on April 4, 2011. This guidance outlines comprehensive requirements for Model Risk Management (MRM) for banks and financial institutions operating within the United States. The document details what to classify as a model, principles for risk classification, governance and controls, model validation, and the roles and responsibilities for key MRM functions such as testing, documentation, and reporting.

Why is SR 11-7 Important?


SR 11-7 is a critical framework for ensuring robust governance over models used in banking operations. The document provides a clear definition of a model: "a quantitative method, system, or approach that applies statistical, economic, financial, or mathematical theories, techniques, and assumptions to process input data into quantitative estimates". The guidance emphasizes the importance of active model risk management to mitigate potential adverse consequences from incorrect or misused model outputs: "Model risk can lead to financial loss, poor business and strategic decision making, or damage to a bank's reputation".

The guidance also stresses senior management and board accountability for overseeing model risk management activities: "Senior management, directly and through relevant committees, is responsible for regularly reporting to the board on significant model risk, from individual models and in the aggregate, and on compliance with policy". This reinforces the importance of governance structures that ensure the integrity and reliability of models used within financial institutions.

The Journey to SR 11-7 Compliance


CIMCON Software has over 25 years of experience in helping firms with EUC, Model, and AI Risk Management, aiming to significantly reduce the friction and challenges for firms as they strive for SR 11-7 compliance. Below are the technological solutions CIMCON provides to address specific principles outlined in SR 11-7:

  • Automated Model Identification: CIMCON takes a model-agnostic approach to identifying and risk assessing EUCs such as Excel files, models created in Python or R, and even third-party executables. This is crucial as these all could be considered models under the SR 11-7 definition: "Models are simplified representations of real-world relationships among observed characteristics, values, and events".
  • Self-Organizing Model Inventory: Regularly scheduled scans help uncover hidden risks and automatically keep the Model Inventory up-to-date. Firms can maintain inventories that are firm-wide as well as department-specific. This aligns with the guidance that banks should maintain a firm-wide model inventory: "Banks should maintain a comprehensive set of information for models implemented for use, under development for implementation, or recently retired".
  • Powerful, Yet Flexible Risk Assessment: Since there are an increasing number of different types of models to risk assess, it can help to standardize risk assessment based on model type. For example, assessing Excel through Number of Formulas, Macros, & Hidden Sheets, 3rd party applications through the presence of AI, and models through fairness, bias, explainability, and validity is crucial to understanding which EUCs you need to control. "The rigor and sophistication of validation should be commensurate with the bank's overall use of models, the complexity and materiality of its models, and the size and complexity of the bank's operations".
  • Interdependency Map: Visualize relationships between models and data sources, adjusting risk assessment scores for a model based on its interdependencies. SR 11-7 emphasizes the need to understand model interdependencies to manage aggregate model risk: "Aggregate model risk is affected by interaction and dependencies among models; reliance on common assumptions, data, or methodologies".
  • Comprehensive Documentation Generation & Management: Maintain up-to-date documentation on model development, testing, and risk scores in one place across the firm. SR 11-7 requires comprehensive documentation to ensure transparency and continuity of operations: "Documentation of model development and validation should be sufficiently detailed so that parties unfamiliar with a model can understand how the model operates, its limitations, and its key assumptions".
  • 3rd Party Risk Management: Identify and assess risks associated with third-party models and applications, ensuring they meet your internal standards. SR 11-7 states, "Analysis of the integrity and applicability of internal and external information sources, including information provided by third-party vendors, should be performed regularly".
  • Proper Controls and Accountability: Restrict and track changes to models, maintaining security and accountability. SR 11-7 highlights the importance of governance, policies, and controls in model risk management: "A strong governance framework provides explicit support and structure to risk management functions through policies defining relevant risk management activities, procedures that implement those policies, allocation of resources, and mechanisms for evaluating whether policies and procedures are being carried out as specified".
  • Approval Workflows: Create automated approval workflows, tracking model approval status and identifying process improvements. This helps firms adhere to SR 11-7’s standards for model approval and change management: "The model owner should also ensure that models in use have undergone appropriate validation and approval processes, promptly identify new or changed models, and provide all necessary information for validation activities."

What else do I need to know?


Since the 2007-09 financial crisis, regulators have added a series of regulations, in addition to SR 11-7, to test the reliability of models. Regulations such as, most recently, the Bank of England’s Supervisory Statement 1/23 (SS 1/23) as well as long-standing regulations such as Basel II & III, ICAAP, Supervisory Capital Assessment Program (SCAP), Comprehensive Capital Analysis and Review (CCAR), Dodd-Frank Act Stress Tests (DFAST), and the European Central Bank's (ECB) Comprehensive Assessment, as well as others, use models to create what-if scenarios to test capital sufficiency through stress testing.

Supervisors provide regulatory guidance on modeling, and whether it is the Bank for International Settlements, the Federal Reserve Board of Governors, the European Central Bank, the Bank of England, or the Prudential Regulation Authority (PRA), regulators expect:

  • "transparent and repeatable" process
  • "completeness and accuracy of information"
  • internal controls around data integrity and models

With our software, our mission is to add controls and insight that empower our customers instead of restricting them, and to help our customers comply with the wide and ever-expanding regulatory landscape.
