Model Risk Management (MRM) has long been the preserve of financial institutions, born from the crucible of the 2008 financial crisis and codified through regulatory mandates like SR 11-7. For years, the primary focus was straightforward: credit, market, and operational risk models. But in a rapidly changing risk landscape—one shaped by climate volatility, stakeholder activism, and rising reputational exposures—MRM is evolving.
Today, organizations are applying MRM frameworks to a new class of non-financial risks. Climate scenario models, ESG scoring algorithms, and even AI-driven reputation monitoring systems are now part of the expanding universe of models under governance. These models differ from traditional quantitative models in scale, scope, and complexity—but the stakes are no less material. In fact, failure in these emerging areas could be even more existential than a missed VaR limit.
To remain effective, MRM must become more adaptive, interdisciplinary, and future-oriented. This article explores how leading organizations are applying model governance to non-financial domains—and how to build a flexible, extensible MRM framework capable of scaling beyond traditional boundaries.
The Expanding Definition of a “Model”
One of the enduring challenges in non-financial risk governance is definitional: what counts as a model?
In traditional finance, a model is usually defined as a quantitative method, system, or approach that applies statistical, economic, financial, or mathematical theories. In non-financial domains, however, the “models” may include scenario simulations, natural language processing (NLP) tools, decision engines, or hybrid expert systems.
Consider a few examples:
- A climate scenario model simulating the impact of global temperature increases on a company’s supply chain.
- An ESG scoring algorithm combining structured (e.g., emissions data) and unstructured (e.g., news sentiment) inputs to generate third-party risk ratings.
- A reputation analytics platform using AI to track brand perception and predict backlash risks based on public sentiment.
Each of these tools carries model risk: the possibility of flawed design, data bias, or inappropriate use—yet most were not built with formal model validation in mind.
Why Model Risk Governance Must Expand
Organizations are under growing pressure to manage and disclose risks that are inherently non-financial in origin but financial in consequence. Regulators are moving in that direction too. The ECB and PRA now expect climate-related models to undergo the same scrutiny as traditional risk models. Meanwhile, investors and customers alike demand greater transparency into ESG ratings and risk methodologies.
In this environment, applying MRM principles to new domains offers three core benefits:
1. Accountability in Uncharted Territory
Most climate or ESG models rely on assumptions, forward-looking projections, or third-party data. MRM frameworks require organizations to document assumptions, quantify uncertainty, and track changes over time—an essential discipline when dealing with “unknown unknowns.”
Example: A global bank applies model governance principles to a climate transition risk model. They establish internal guidelines for evaluating scenario inputs, such as carbon pricing and regulatory shifts, and create version-controlled model documentation to capture evolving assumptions.
2. Cross-Functional Validation
Non-financial risk models often sit at the intersection of sustainability, risk, and data science. Applying MRM means forcing dialogue across silos—validating not just technical robustness but strategic fit and ethical implications.
Example: A technology firm building an AI-powered reputational risk tool convenes a validation team that includes data scientists, risk managers, legal counsel, and public relations leaders to evaluate model sensitivity and unintended consequences.
3. Guardrails for AI and Vendor Models
Many ESG and reputational models are purchased from third parties. These black-box systems pose unique risks: limited transparency, inconsistent documentation, and unknown data sources.
MRM provides a due diligence framework for vendor model onboarding, including documentation reviews, bias testing, and performance monitoring.
Example: An asset manager integrates an ESG risk score from a vendor but applies internal MRM protocols to assess the methodology, test for regional data bias, and benchmark against alternative sources.
Designing an Extensible MRM Framework
To accommodate the diversity of non-financial models, organizations need a more flexible, extensible MRM architecture. This does not mean abandoning rigor—it means adapting controls to fit model context, complexity, and criticality.
Key Considerations for MRM 2.0:
- Model Tiering by Impact: Create risk-based tiers to determine review depth—climate scenario models may warrant full validation, while auxiliary models may only require light-touch governance.
- Documentation for Intangibles: Capture assumptions, data sources, qualitative inputs, and expert judgment in structured templates—even for models that rely heavily on human input.
- Bias and Explainability Testing: Evaluate fairness and interpretability, particularly for models using machine learning or NLP.
- Dynamic Monitoring: Establish processes for continuous monitoring, including post-deployment tracking of inputs, outputs, and changes in data sources.
A Paradigm Shift: From Compliance to Resilience
Applying MRM to non-financial risks is more than a compliance exercise—it’s an opportunity to build institutional resilience. ESG ratings, climate scenarios, and reputational signals increasingly inform capital allocation, insurance underwriting, and supply chain decisions. If these models are wrong—or worse, unchallenged—the consequences can reverberate across financial and societal domains.
In this new paradigm, model risk managers are not simply validators of technical methods. They are translators across disciplines, challengers of assumptions, and stewards of trust.
Final Thoughts
The risks that matter most today—climate change, reputational damage, ESG credibility—are not easily captured in spreadsheets. But they are modeled, scored, forecasted, and monetized through tools that demand as much scrutiny as traditional financial instruments.
Model Risk Management must rise to meet this moment. By embracing an expansive definition of models and applying adaptive governance practices, organizations can bring clarity, accountability, and resilience to the most complex risks of our time.
It’s not enough to ask “Does the model work?” We must now ask, “Does it make sense for the world we’re building?”
