How Model Risk Management (MRM) Teams Can Comply with SR 11-7

Over a decade since its release, SR 11-7 remains a cornerstone of model risk management, providing banking organizations with a framework to address emerging risks. As technologies continue to reshape financial services, compliance has grown more complex. Regulators now apply SR 11-7’s principles to AI, machine learning, and generative AI, raising expectations around explainability, bias mitigation, and transparency.
Regulators are also emphasizing third-party and vendor model risk, requiring institutions to demonstrate oversight of external AI services. On a global scale, supervisory frameworks like the U.K.’s SS1/23 and the EU AI Act complement SR 11-7, highlighting that model risk management (MRM) must adapt across jurisdictions.
Understanding Model Risk
AI and statistical models in banking always carry uncertainty. The types of risk differ between institutions, but exposure is unavoidable, whether it comes from foundational errors that produce misleading outputs or from misuse of models that are otherwise efficient. Either scenario can harm a bank’s reputation or performance, or undermine stakeholder trust, especially if a model is inadequately validated.
Many firms are expanding their definition of a ‘model’ to include automated decision systems and AI services, which were previously outside traditional inventories. Managing model risk means embedding SR 11-7 into firm policies, ensuring independent model review, including of third-party models, and maintaining evidence of compliance.
The SR 11-7 framework offers a structured approach via four pillars: validation, documentation, governance, and monitoring. Today these must evolve to account for AI’s unique features such as model drift, explainability, and vendor opacity.
Model Validation
Model validation ensures that models function as intended and produce results aligned with the firm’s objectives. MRM teams must have structure and discipline throughout their development process to make sure that everything aligns.
To make this process more effective, financial institutions are adopting tiering frameworks that classify models by materiality and complexity, which allows teams to focus on high-risk models. Leading firms are also incorporating explainability testing, robustness checks against adversarial inputs, and scenario-based stress testing for GenAI outputs to demonstrate compliance with rising supervisory expectations.
SR 11-7 underscores the importance of understanding how models behave in practice and of implementing controls to minimize and manage model risk. Through proper model validation, MRM teams can identify, document, and mitigate potential risks, ensuring that models remain both robust and dependable.
Model Governance
A strong governance framework provides accountability for how models are developed, approved, and used across the institution. Under SR 11-7, governance is not optional and requires transparency from senior management and boards to set policies and oversee compliance. Leaders are expected to actively oversee high-risk models, including third-party risks, and to assess whether models meet internal goals.
Dedicated MRM committees or governing bodies can reinforce this accountability by providing independent oversight, escalating issues to senior leadership, and ensuring alignment between model risk practices and enterprise-wide objectives. Embedding governance throughout the model lifecycle demonstrates control and compliance with regulatory expectations.
Model Documentation
Thorough documentation across the model lifecycle is important for MRM under SR 11-7 as it enables risks to be understood and easily managed. Proper documentation offers a clear audit trail and ensures teams understand current model activity. Those within the firm unfamiliar with the model should also understand how it operates, what its capabilities and limitations are, and the reasons behind its use.
Evaluating a model’s compliance with the bank’s operational standards helps clarify its impact on auditors, regulators, and stakeholders involved in the banking process.
Model Monitoring
Monitoring ensures models remain reliable over time. To keep up with changing market conditions or evolving regulatory requirements, MRM teams must continuously track model performance to confirm it remains fit for its intended purpose.
An effective monitoring framework uses detailed model inventories to run regular performance checks and document which models are in use, under development, or retired. Modern practices go beyond traditional accuracy metrics, adding tests for bias, fairness, and model drift, among others. For generative AI, monitoring must also capture risks like hallucinations, factual reliability, and performance under varied or adversarial inputs.
Identifying these issues early and monitoring your models limits negative impacts and ensures that models continue to align with institutional goals and the regulatory expectations under SR 11-7.
Extending SR 11-7 to Modern AI and GenAI Risks
Adhering to SR 11-7 is essential, but in today’s environment it also means addressing AI, machine learning, and generative AI. Though these expectations are not explicitly written into SR 11-7, stakeholders now expect institutions to embed explainability, fairness, transparency, and continuous monitoring into their MRM frameworks, all while maintaining model oversight.
SR 11-7 provides the foundation, but effective compliance today requires adapting its principles across jurisdictions. Institutions that strengthen validation, governance, documentation, and monitoring will meet stakeholder expectations and build long-term resilience and trust.