Case note: preparing a mid-size lender for model risk review

Illustrative case

About this case. The following is an illustrative composite, not an account of a specific client. It is written to show how an engagement of this kind typically unfolds and what it produces. Real client work is confidential and is shared only with permission and full anonymization. We publish this example so prospective clients can see how we think and work.

The situation

A regional lender had been using a statistical model to support credit decisions for several years. The model worked — it had been built carefully by a capable internal team — but the institution had grown, and with growth came the expectation that its model risk practices would stand up to supervisory scrutiny under guidance like SR 11-7. A regulatory examination was on the horizon. Leadership's concern was not that the model was wrong; it was that they could not yet demonstrate it was sound to an outside examiner.

This is a common and underappreciated gap. Model risk review is less about whether a model performs and more about whether an institution can show, with documentation and independent evidence, that it understands and controls the model's risks. A good model with poor documentation can fail a review that a mediocre model with disciplined governance would pass.

What we looked at

The work fell into three strands, run in parallel.

The first was independent validation. Because the model had been built in-house, the institution needed a review by someone who had not built it. We re-examined the model's assumptions, tested its performance on data it had not been tuned to, and checked whether it still behaved as intended on recent data — the question of whether performance had drifted since the model was first deployed.

The second was documentation. We inventoried what existed and compared it against what an examiner would expect: a clear statement of the model's purpose and limitations, evidence of how it was developed and tested, a record of ongoing monitoring, and a description of who is accountable for it. The gaps here were the real story. The knowledge existed — it lived in the heads of the team and in scattered files — but it had never been assembled into a form someone outside the team could follow.

The third was governance. We looked at whether there was a defined process for approving model changes, a schedule for periodic review, and a clear line of accountability. These are the structures that turn a one-time fix into something durable.

What it produced

The engagement delivered three things. A validation report that an examiner could read, stating plainly what was tested, what held up, and what required attention. A consolidated model documentation package that pulled the institution's scattered knowledge into a single, maintainable record. And a short set of governance recommendations — a review cadence, an approval step for changes, and named ownership — designed to keep the institution ready rather than scrambling before each future review.

Notably, the model itself required only modest adjustments. Most of the value was in making the institution's existing diligence visible and defensible. That is typical. The work of model risk review is frequently less about rebuilding the model and more about being able to prove what you already know.

The takeaway for others

If a model risk review is on your horizon, the most useful question to ask is not "is our model good?" but "could we prove our model is well-managed to someone who has never seen it?" The institutions that pass reviews comfortably are rarely the ones with the most sophisticated models. They are the ones whose documentation, validation, and governance let an outsider reach the same confidence the team already has.

The work is also far easier to do before an examination is announced than after. Independence, documentation, and governance take time to assemble well, and they are hard to retrofit under deadline pressure.