October 22, 2025

Ensuring Stability: A Comprehensive Guide to Complying with OCC 2011-12 in Model Risk Management

Since the release of OCC 2011-12, regulators have emphasized the importance of identifying and mitigating the model risks that impact business decisions. Introduced in 2011, these guidelines continue to define supervisory expectations, even as the regulatory environment has changed. 

Today’s financial institutions operate in an environment that relies on complex analytics, AI, and machine learning systems that, naturally, go beyond the models envisioned in 2011. To address this, the OCC issued the 2021 Model Risk Management Handbook, expanding on OCC 2011-12 to reflect modern models and institutions.

A Living Framework

OCC 2011-12 remains a foundational guide for model risk management (MRM) across OCC-supervised institutions, including national and foreign banks and federal savings associations. Although originally designed for traditional models, the framework takes a risk-based approach, which allows it to adapt to today's landscape.

The 2021 MRM Handbook outlines how these long-standing principles should be interpreted in a present-day context, extending to AI and machine learning systems. It stresses that any system producing material decisions or risk assessments should be treated as a model. The most up-to-date guideline, the 2025 OCC Bulletin for Community Banks, reinforces this principle, stating that all institutions must demonstrate validation, governance, and monitoring aligned with their model risk exposure.

Maintaining Strong Foundations

This framework is built on three pillars: governance, validation, and monitoring, each essential to maintaining model integrity.

  • Governance and Policy – Institutions should have defined roles for model developers and validators to ensure that MRM is integrated into the entire governance framework.
  • Model Development and Validation – Models must be properly implemented and validated before use to test assumptions, inputs, and performance. This now extends to explainability and fairness for AI and machine learning models, which carry higher risk.
  • Ongoing Monitoring and Documentation – An inventory of all models must be maintained, recording the purpose, ownership, and validation details of each. Performance monitoring helps detect when models should be retired.

Meeting the New MRM Standard

The scope of MRM has grown since OCC 2011-12 was created. Its main aspects are still relevant; however, the 2021 Handbook recognizes that current models extend beyond traditional applications to include data bias and explainability, which are required to improve validation and monitoring techniques.

Regulators now expect financial institutions to evaluate whether their AI and ML systems meet the same standards of transparency that are applied to conventional models. Institutions should focus on controlling data quality and model interpretability so that their decisions are in line with what senior management is aware of.

As banks continue to adopt vendor-provided or open-source models, the OCC expects firms to apply the same rigor to these externally sourced tools as to in-house models, including any results and monitoring. MRM frameworks must evolve to support innovation and to ensure that risks are under control as new technologies emerge.

Modernizing MRM

With rising regulatory expectations, MRM teams must make sure regulatory principles are put into practice. Teams should refine their frameworks around the following priorities:

  1. Strengthen governance and oversight so that boards and senior management understand model risks across the organization, including those from AI and third-party systems. A clear escalation process for model issues should be established and routinely tested.
  2. Enhance the model inventory to capture all tools used in decision making, covering both traditional models and generative AI applications. Each entry should document ownership, purpose, limitations, and validation history.
  3. Adopt a risk-based approach to validation and monitoring. High-risk models require more focus and more frequent review. For AI systems, testing should also include explainability, bias detection, and drift analysis.
  4. Ensure third-party oversight through robust due diligence, contract governance, and independent reviews of vendor-supplied models.
  5. Invest in training and awareness so technical and non-technical stakeholders can understand, challenge, and responsibly use models across the enterprise.

Balancing Innovation and Control

OCC 2011-12 remains a core piece of MRM, but modern expectations demand more. Institutions need to cover all their bases with AI, machine learning, and generative models to ensure they are transparent and accountable at all points of the model lifecycle. Reinforcing governance and validation and addressing emerging risks will allow MRM teams to ensure compliance and responsible innovation at a time when technology is rapidly changing.
