Preparing for Regulatory Oversight of Advanced Modeling and AI

In today’s competitive and tumultuous environment, companies are beginning to rely on advanced modeling and artificial intelligence tools to drive decisions. With increased use of Monte Carlo simulation models and other tech-based tools, regulators are beginning to ask more questions about models and the data that goes into them.

An article prepared by McKinsey & Company provides a glimpse as to why regulators are placing greater emphasis on “model risk management” when it says:

The stakes in managing model risk have never been higher. When things go wrong, consequences can be severe. With digitization and automation, more models are being integrated into business processes, exposing institutions to greater model risk and consequent operational losses. The risk lies equally in defective models and model misuse.

Defective models (…or ones used incorrectly) can lead to losses into the hundreds of millions or even billions. As I discuss in this post on outputs and reports, regulators are looking for assurance that the company is being well run, is compliant with relevant laws, and is financially solvent.

If your company is starting to integrate models, AI, and other technology tools into its decision making, regulators and other third-parties are going to scrutinize how well tested and proven these tools are.

Some questions they may ask include:

  • Where is the data coming from?
  • How are you managing the data?
  • Why should we [as regulators] trust the data?
  • To what extent are your data and subsequent models impacting decisions?

It’s important to remember that “model risk” regulations for insurance and other industries may be several years behind financial institutions, but that doesn’t mean you shouldn’t be preparing.

It’s better to understand potential questions beforehand, is it not?

How can organizations prepare for regulator questions around AI, modeling and other tech tools for decision-making?

Because these tools are so new, especially for non-financial firms, there is little historical data on how accurate models and other methods are.

Besides some of the general questions mentioned above, think about questions regulators and other people outside of the organization may ask as you develop your models. Those questions may include:

  • How historically accurate has this data been?
  • Has there been any in-depth trending and analysis done on this data before?
  • What has the organization done to ensure the completeness of the information?
  • Where was the information sourced? (third party, consumer, government, etc.)
  • What assumptions are being made in the use of this data?

In addition to questions, regulators will also want to see any documentation about how your models were developed and used. This guidance for financial firms from the FDIC explains:

Documentation of model development and validation should be sufficiently detailed so that parties unfamiliar with a model can understand how the model operates, its limitations, and its key assumptions. Documentation provides for continuity of operations, makes compliance with policy transparent, and helps track recommendations, responses, and exceptions.

But as I explain in this article on regulators and ERM, you have to walk a fine line…sharing too little OR too much with regulators could prompt additional scrutiny. But I am NOT advocating operating the model(s) in a black box environment where the model operations are held in secret.

In the long run, companies who rely heavily on models and AI may want to consider a formal risk management framework.

Banks and other financial firms may already be doing this since they are at the forefront of using models, AI, and machine learning to drive decisions. Some lenders are even using AI instead of traditional FICO credit scores to make decisions on credit applications.

Therefore, guidance for developing a risk management framework around models is most advanced for the financial industry. Standards such as the SR 11-7 guidance issued by the Federal Reserve System in 2011 can provide some good clues on where to start, even if you are not in the financial industry.

At a fundamental level, a governance framework for modeling and AI:

…provides explicit support and structure to risk management functions through policies defining relevant risk management activities, procedures that implement those policies, allocation of resources, and mechanisms for evaluation whether policies and procedures are being carried out as specified.

Does this mean you need to have a complex, formal framework before using modeling and other tech-based tools to drive decisions?

Absolutely not!

The complexity of any framework will be driven by a variety of things, some of which include the number of data sources, number of stakeholders using the output, and the frequency the model will be updated, to name a few.

Simply having some rules around roles & responsibilities, guidance on what the model is being used for, and requirements of data going into the model are all good reasons for a framework. Unless your company is in a highly regulated industry and subject to more intense scrutiny, this should be sufficient.

As modeling, AI, machine learning and other tech-based tools become more common in the years ahead, organizations should expect more questions and scrutiny around how they are using them to drive decisions. Taking a little bit of time now to understand how this oversight will unfold will go a long way towards ensuring you can satisfy the regulators’ needs with the least amount of headaches possible.

How is your company or industry preparing for the potential of regulatory scrutiny of modeling and AI?

I’m interested in learning more from you on how we as risk professionals can factor the future of oversight into how we plan and execute risk management activities. Leave a comment below or join the conversation on LinkedIn.

And if your company would like to use modeling like Monte Carlo Simulation and other technology-based tools to better inform decisions but don’t know where to start, please feel free to reach out to discuss your situation today!

Featured image courtesy of Michael Dziedzic via

Sign Up For Our Newsletter

Sign Up For Our Newsletter


Meet Carol

Helping companies achieve their vision and strategy, and succeeding in today's turbulent world, is something I'm honored to be a part of. Whether you're an occasional blog visitor or a long-term client, thank you for letting us be a part of your journey.

Most Recent Posts

The 12 Days of ERM Christmas

Without a doubt, one of my family’s favorite holidays is Christmas. Part of the fun, especially for our son, is seeing what “Santa” brought, but most importantly, we treasure the spirit of peace and goodwill the season brings. And after what seemed to be a never-ending warm spell, the weather is expected to be good…

Read More

Don’t Let Goals and Initiatives Be Blindsided by External Events

As the end of the year draws near, I think we’d all agree that while it wasn’t without its challenges, this year also wasn’t quite as turbulent as the previous two. While a lot of people are juggling company parties, shopping for friends and family, and special activities for the kids, most companies are putting…

Read More

Going the Distance: Ensuring Successful Execution of Strategic and Annual Initiatives

Strategic planning is a challenge – of all people, I understand… After all the meetings, risk and data analysis, and brainstorming of the preceding months, it’s tempting to think this is the end of the road and you can relax. Contrary to this common perception though, this is exactly not the time to relax, but…

Read More

Avoid Rookie Mistakes and Protect your Internal Reputation

Be honest – have you ever done something that you soon realized was a real rookie mistake? Me raising my hand… Considering the nature of ERM’s role to ask questions and challenge assumptions (often during conversations with executives), it can be argued that, in at least some cases, the expectations bar for risk professionals is…

Read More

ERM at Thanksgiving – An Illustration of Risk Management in Action

On occasion, I like to take some of the concepts we risk professionals think about in our jobs and apply them to different personal situations…take some of the same concepts we use when working with executives to develop corporate strategy and manage risks or uncertainty around that strategy. It’s Thanksgiving week in the U.S. –…

Read More

Why Quantitative Risk Assessment is Not Just the Best But the Only Option – A Conversation

Periodically, I have the pleasure of speaking one-on-one with Hans Læssøe on a variety of topics around ERM, strategic risk, and other issues and trends. As you know from my previous conversations (here, here) and posts featuring his work, Hans was formerly a practitioner at the iconic LEGO Company, but even more notably, is a…

Read More

The Three Lines Model – 3 Reasons Why I Don’t Like It

Everyone likes a clear-cut template that offers an easy way to create or manage something…I mean what’s not to like about a step-by-step process for accomplishing what you want? Sometimes this can work without any issues, such as the case with the Project Management Book of Knowledge (PMBOK), ISO 9001 standard, or a new cooking…

Read More

5 Avenues for Expanding your ERM Knowledge

One thing I was taught to appreciate from a young age was the value of education and knowledge. It didn’t necessarily matter what the subject was, just that I always maintain a learning or growth mindset regardless of my current status in life. This mindset has served me well over the years, and it’s a…

Read More

Storytelling and Risk Management – Developing Skills that Technology Cannot Replace

It’s amazing how technology has developed and changed our working world over time. Imagine trying to run my risk and strategy consulting firm without tools like Zoom, Box, Slack, and other ERM-specific technology tools. There is no way we would be able to serve our clients the way that we do. Just consider how the…

Read More

3 Phases to Creating and Launching an ERM Program Focused on Organizational Success

If you’ve been handed the task of creating an ERM program for your organization, let me first offer my congratulations quickly followed by my empathy for the task ahead of you. I don’t say that to scare you but to provide a small dose of reality. Building, launching, and refining an ERM program that is…

Read More