
TLDR
- Model risk management (MRM) is a regulatory requirement, not just a best practice — SR 26-2 now governs U.S. bank MRM frameworks as of April 2026
- A flawed VaR model contributed to JPMorgan's $6.2 billion London Whale loss and $920 million in regulatory fines
- Strong MRM teams require the three lines of defense, covering model development, independent validation, and audit oversight
- The talent gap is structural: MRM roles demand rare combinations of quantitative depth, programming fluency, and regulatory literacy
- Specialized recruiters — not generalist firms — are built to find and vet candidates with genuine model validation expertise
What Is Model Risk Management in Banking?
Model risk management is the practice banks use to identify, measure, and control the risks that arise when quantitative models drive decisions. Credit scoring, fraud detection, capital adequacy calculations, CECL reserving, stress testing — every one of these relies on models, and every one of them can fail in ways that create real financial and regulatory consequences.
The Federal Reserve and OCC formalized the MRM standard in 2011 through SR 11-7, which defined model risk as "the potential for adverse consequences from decisions based on models that are either incorrect or misused." That guidance established two distinct risk sources:
- Model error — flawed assumptions, bad data, or faulty methodology that produces inaccurate outputs
- Model misuse — applying a model outside its intended scope, or misreading what its outputs actually mean
In April 2026, the Fed, OCC, and FDIC jointly issued SR 26-2, superseding SR 11-7 after 15 years. The updated guidance emphasizes a risk-based approach, introduces formal "model materiality" tiering, and is most relevant to banks with over $30 billion in total assets. Community banks received separate clarification through OCC Bulletin 2025-26, which confirmed that proportional MRM practices are acceptable and annual validation is not required across the board.
What Model Risk Failures Actually Look Like
Two cases illustrate what goes wrong when MRM governance breaks down.
2008 Financial Crisis: Flawed VaR and Gaussian copula models underpinned structured credit decisions at major institutions. The Wharton/Oliver Wyman analysis found that 25% of 16 studied institutions experienced losses exceeding 150% of their pre-crisis economic capital estimates — a direct consequence of models trusted without adequate challenge.
2012 JPMorgan London Whale: The incident produced $6.2 billion in trading losses after a VaR model for the Synthetic Credit Portfolio was found to be "inaccurate, unreliable" — used to mask, rather than measure, rising risk. JPMorgan paid $920 million in regulatory fines. The Senate investigation confirmed failures at both the model validation and risk oversight levels.

Both failures trace back to the same root cause: the absence of qualified, independent validators willing to challenge the models in use. That's a people problem as much as a process one — and it's why building the right MRM team matters.
The Regulatory and Business Case for Prioritizing MRM
Regulatory expectations around MRM have moved in one direction for 15 years: upward. SR 26-2 doesn't soften that trajectory — it codifies it with more detailed requirements around model materiality, effective challenge, and governance documentation.
Examiners no longer just review model outputs. They scrutinize:
- Whether validation teams are truly independent from model developers
- Whether the model inventory is complete and current
- Whether senior leadership and the board receive meaningful MRM reporting
- Whether the governance framework has the organizational standing to actually effect change
That last point matters. SR 26-2 requires "critical analysis conducted by objective experts" with "organizational standing and influence" — meaning an MRM team that lacks seniority or board visibility is a governance gap, not just an organizational footnote.
The Business Case Beyond Compliance
The London Whale case makes the cost-benefit argument better than any policy document. A single flawed model, inadequately challenged, generated losses equal to roughly one year of JPMorgan's retail banking profit at the time. The RMA's 2024 Model Risk Management Survey documents ongoing "diligence and frustrations" across the industry — resource and governance shortfalls are widespread, not limited to a handful of institutions.
What makes this risk particularly expensive is how long it stays hidden. Data drift, assumption decay, and undocumented usage changes can corrupt model outputs for months without triggering an alert. By the time the problem surfaces — through an exam finding or a material loss — the window for a low-cost internal fix has long closed. That's the operational argument for investing in MRM talent before regulators make it for you.
Core Functions of a Model Risk Management Team
The Three Lines of Defense Applied to MRM
MRM governance maps directly onto the standard three lines of defense structure:
| Line | Function | Role in MRM |
|---|---|---|
| First | Model developers and owners | Build, document, and use models within business units |
| Second | Model validators and risk managers | Independently challenge, validate, and oversee the model portfolio |
| Third | Internal audit | Provides assurance over the entire MRM framework — does not duplicate validation work |
The critical word is independent. SR 11-7 requires that validators operate with genuine separation from the teams whose models they review. This isn't just an organizational chart preference — it's a regulatory requirement, and one that examiners test directly.
The Model Lifecycle — Where Gaps Create Risk
An MRM team must own coverage across the full lifecycle:
- Development and documentation: models must be built with documented assumptions and methodology
- Pre-implementation validation: independent review before any model goes live
- Ongoing performance monitoring: tracking whether model outputs remain accurate over time
- Periodic revalidation: formal re-review triggered by time elapsed, material changes, or performance deterioration
- Model retirement: controlled decommissioning with documented rationale

Each stage requires different expertise. A team that excels at initial validation but lacks monitoring capacity creates exposure that surfaces only after a model has already drifted off-course — often long after the damage is done.
Governance, Inventory, and Emerging Risks
Lifecycle coverage only holds if the governance infrastructure supporting it is funded and functional. At smaller institutions, the governance function — maintaining a complete model inventory, assigning risk tiers, setting escalation protocols, reporting to leadership — is frequently deprioritized. Without it, gaps in coverage go undetected and model risk accumulates without oversight.
Two specific risks are worth calling out:
Shadow models. ForvisMazars identifies unregistered spreadsheets, scripts, and business-unit tools as sources of "uncontrolled risk and regulatory noncompliance." Catching and cataloging these requires proactive model identification, not just waiting for business units to self-report.
AI and machine learning governance. SR 11-7 explicitly excludes generative and agentic AI from scope, creating a governance gap for banks deploying these tools. For non-generative ML models, explainability reviews and bias assessments are already expected.
The CFPB has made clear that lenders using AI must provide specific, accurate adverse action reasons under the Equal Credit Opportunity Act. MRM teams without ML governance expertise are directly exposed to that compliance risk.
Key Roles and Skills in a Strong MRM Team
Roles That Every MRM Team Needs
A functional MRM program requires five core roles:
| Role | Primary Function | Line of Defense |
|---|---|---|
| Head of MRM / Model Risk Manager | Sets strategy, owns the program, reports to CRO or board risk committee | Second line |
| Model Validator | Independently tests and challenges models — must be independent from developers | Second line |
| Model Developer | Builds, documents, and maintains models | First line |
| Model Risk Analyst | Monitors performance, maintains inventory, tracks findings | Second line |
| AI/ML Risk Specialist | Governs machine learning and algorithmic models, leads explainability and bias reviews | Second line |
The Head of MRM's reporting line matters. Placing this role under a business unit rather than the CRO or board risk committee compromises the independence the entire function depends on.
Technical and Regulatory Skills in Demand
Current job postings at major U.S. banks reflect a demanding and narrow skill profile. Senior model validator roles typically require:
Technical competencies:
- Programming: Python, R, SAS, SQL
- Quantitative methods: backtesting, sensitivity analysis, stress testing, benchmarking, time-series forecasting
- ML/AI methods: neural networks, Bayesian estimators, boosting/bagging trees, logistic regression
- Banking applications: CECL, CCAR/DFAST stress testing, credit origination, asset/liability management
Regulatory knowledge:
- SR 11-7 / SR 26-2 framework requirements
- Basel III/IV capital frameworks
- CCAR and DFAST stress testing requirements
- Emerging AI governance expectations (CFPB adverse action guidance, state-level AI rules)
Candidates who combine genuine quantitative depth with regulatory literacy are rare. Most are strong in one area but not both — either quantitative skills without regulatory context, or compliance knowledge without the technical foundation to challenge a model's methodology.

The non-technical side of the role is just as consequential. Strong validators also need:
- The ability to communicate complex findings to non-technical audiences, including boards
- Willingness to challenge assumptions from senior model owners
- Rigorous documentation discipline — MRM work that isn't documented didn't happen, from a regulatory standpoint
The Hidden Talent Gap in Model Risk Management
The talent challenge in MRM is structural. Banks are deploying AI and machine learning models at pace while their validation teams were built — and are still largely staffed — for traditional statistical models. Left unaddressed, the gap compounds as model inventories grow.
GARP's analysis on SR 26-2 and agentic AI warns directly against "clinging to outdated hiring practices," noting that agentic systems are "dynamic, probabilistic, and increasingly autonomous" in ways that existing validation frameworks weren't designed to handle. Teams built for the SR 11-7 era may not have the skills the SR 26-2 era requires.
Why the Pool Is Thin
Qualified MRM candidates sit at a narrow intersection of skills. Most open roles require four to six years of specialized experience across several of the following:
- Neural network architecture and ML model behavior
- Python fluency and statistical programming
- SR 11-7 and SR 26-2 regulatory frameworks
- Credit risk domain knowledge
- Board-level communication of model findings
Competition for these candidates extends well beyond banking. Hedge funds, fintechs, and technology companies recruit from the same quantitative talent pool — typically offering higher compensation and fewer regulatory constraints. Community and regional banks face the toughest version of this problem: they can't match large-institution pay packages, and they often need senior validators with broad coverage rather than narrow specialists.
The Internal Assessment Gap
Many banks also face an internal blind spot: they don't regularly evaluate whether their existing MRM team has the expertise to validate newer model types. A team that validated traditional credit scorecards well may have significant gaps when asked to validate an ML-based behavioral scoring model or a climate risk stress testing framework. Those gaps tend to surface during a regulatory examination rather than ahead of one.
Specialized recruiting firms can bridge this by accessing passive candidates who are already working in validation roles and aren't actively searching. Wayoh, which focuses exclusively on risk, compliance, and legal hiring in banking and fintech, maintains candidate networks across major U.S. markets that include practitioners with both technical depth and regulatory experience — a profile that's difficult to source through broad-based searches.
How to Build and Staff a Strong MRM Team
Step 1: Conduct a Realistic Gap Analysis
Before making any hiring decisions, a bank needs to understand what it has and what it's missing:
- Inventory your models — complete count, complexity levels, business impact, and current validation status
- Map team skills against model types — who can actually validate a gradient boosting credit model versus a traditional regression-based scorecard?
- Identify lifecycle gaps — is monitoring being skipped? Are shadow models being cataloged?
- Assess governance coverage — does senior leadership receive meaningful MRM reporting, or just model counts?
The gap analysis should drive hiring priorities, not organizational intuition.
Step 2: Build vs. Buy vs. Borrow
Three paths exist, and most banks need a combination:
- Develop internally: Structured training through programs like the ABA's CERP, GARP's FRM, or PRMIA's PRM can build depth in existing analysts over 12–18 months
- Hire externally: For senior validators, Model Risk Managers, and AI/ML specialists, external hiring is faster and more reliable than internal development for critical coverage gaps
- Use contract professionals: For specific validation projects, regulatory remediation, or periods of elevated demand, interim MRM professionals provide immediate capacity without long-term headcount commitments — Wayoh's interim staffing model supports exactly this kind of engagement, with full candidate vetting before placement

Step 3: Partner With the Right Recruiter
Generalist recruiters struggle with MRM roles because assessing genuine model validation expertise requires knowing what to probe. The difference between a candidate who lists "backtesting" on a resume and one who can describe designing a backtesting framework for a CECL model under SR 11-7 requirements is not visible from a keyword search.
Wayoh's relationship-led approach uses direct conversations to assess technical capability, regulatory knowledge, domain experience, and the communication skills MRM roles demand. With over a decade in regulated financial services and 500+ placements across banking and fintech, the firm's network includes practitioners who aren't actively searching but would consider the right opportunity. That's where most strong MRM hires actually come from.
Frequently Asked Questions
What is model risk management for a bank?
Model risk management is the practice banks use to identify, measure, and control risks that arise from relying on quantitative models for decisions like credit scoring, fraud detection, and capital planning. SR 11-7 (2011), issued by the Federal Reserve and OCC, remains the foundational regulatory standard for MRM in U.S. banking.
What are the 5 steps of the risk management model?
The core steps are risk identification, risk assessment and tiering, risk mitigation (including independent validation), ongoing monitoring, and governance and oversight — covering the full model lifecycle from pre-implementation through retirement. Strong MRM teams own each stage.
What are the types of risk management in banking?
The main categories are credit risk, market risk, operational risk, liquidity risk, compliance risk, reputational risk, and model risk. Model risk is distinct: it arises from the tools banks use to measure all the other categories. A failed credit model is simultaneously a credit risk problem and a model risk failure.
What are the models used in bank risk management?
Common model types include credit scoring models, DFAST/CCAR stress testing models, CECL reserve models, fraud detection models, and market risk/VaR models. The MRM framework governs how all of them are developed, independently validated, monitored, and retired, whether the underlying methodology is statistical, machine learning-based, or judgmental.
What are the 7 types of risk in banking?
Banking regulators recognize seven primary risk categories: credit, market, operational, liquidity, compliance/regulatory, reputational, and model risk. Model risk has grown in prominence as banks rely more heavily on algorithmic and AI-driven decision-making. SR 11-7's continued relevance — and ongoing regulatory updates — reflects how central it has become to the overall risk agenda.


