Skip to main content
Model Risk 101: Fortify Your Three Lines of Defense

As banks use increasingly more analytic models in their decisions, regulators are asking increasingly more probing questions about them – specifically, how these tools are being leveraged for risk management, capital requirements, customer decisioning and other activities.

Regulators demand transparency, consistency and comprehensive documentation around areas such as model design, data quality, sample construction, model validation and risk policy reviews, just to name a few. Stress testing and capital adequacy reviews pressure banks to address the “new normal” of additional scrutiny and increased demand on their analytic resources and systems.

Collectively, banks need the processes, people and technologies to enable comprehensive model risk management – similar to how an organization would architect a comprehensive risk management program to support all aspects of their day-to-day operations. Some leading banks are focusing on how to best use their scarce resources to help ensure checks and balances are in place to drive the entire model management and governance process. This is often referred to as the “three lines of defense” for model management, requiring three distinct sets of resources that:

  1. Mitigate model risk where it starts (development and use)
  2. Establish that the first line has accounted for and assessed any model risk (risk management and measurement)
  3. Ensure the other lines execute against enterprise policies, procedures and risk profile (internal audit)
All three lines of defense should have independent QA functions that identify risks and control gaps within their respective line of defense. To ensure these three sets of resources work effectively together, banks need to implement corresponding policies, processes and model risk technologies.

In the coming weeks, I’ll share insights for enhancing productivity and effectiveness for several of these lines of defense. For more on the topic of model management and governance, you can also check out our Insights white paper "Reducing Regulatory Drag on Analytics Teams" or visit

related posts