Balancing Model Exposure with Effective Oversight
In model risk management, it’s well understood that not all risks can be eliminated. Even the most rigorously validated models retain a level of residual risk once deployed into production. These uncertainties may stem from limitations in data, methodology, governance, or integration with enterprise systems.
As regulatory expectations evolve – guided by the Federal Reserve’s SR 11-7 and the upcoming OSFI Guideline E-23 (effective May 2027) – institutions are increasingly expected to demonstrate that they have appropriate compensating controls in place to manage these risks in a structured, transparent, and repeatable manner.
1. Introduction
Compensating controls are governance or operational mechanisms designed to mitigate residual model risk – the risk that remains after standard validation, testing, or approval steps have been completed.
In practical terms, they function as safeguards that help ensure models remain reliable, explainable, and compliant throughout their lifecycle.
SR 11-7 requires U.S. institutions to maintain a “sound model risk management framework,” which includes strong control processes around development, implementation, and use. Similarly, OSFI’s E-23 Guideline extends this principle to Canadian FRFIs, reinforcing governance, accountability, and ongoing monitoring as central pillars of model oversight.
The transition from development to production exposes models to real-world data shifts and operational complexities that pre-deployment testing cannot fully simulate. This is where compensating controls become essential.
2. Case Study – Compensating Controls in Action
A large North American retail bank implemented a loan origination credit scoring model trained on five years of customer data. Post-deployment, the bank observed data drift due to changes in consumer behavior post-pandemic. Redeveloping the model immediately was not feasible, so the bank implemented the following set of compensating controls:
- Monthly model monitoring reports to track stability and performance metrics.
- A structured override policy for credit officers to manually adjust borderline cases.
- Enhanced validation reviews every six months, rather than annually.
- Independent model attestation confirming that key risk indicators remain within acceptable tolerance.
This structured approach both contained potential model impact and demonstrated to regulators that the bank had a mature, proactive compensating control structure in place.
3. Why Does It Matter?
Compensating controls are no longer considered optional. Regulators view them as evidence that an institution understands and manages model risk holistically, even when technical fixes aren’t immediately possible.
3.1 Regulatory Context
Both SR 11-7 (Federal Reserve) and OSFI E-23 (Canada) highlight that models are subject to limitations that cannot always be corrected through technical redesign. Instead, institutions must establish compensating governance mechanisms to manage those limitations transparently.
- SR 11-7, Section III (Model Risk Management), calls for “ongoing monitoring and governance structures” and emphasizes that compensating measures should be in place when models are used outside their approved boundaries.
- OSFI E-23 (draft, due 2027) introduces the concept of “risk-based proportionality”, acknowledging that not all models merit the same level of control, but that appropriate compensating mechanisms must exist when risk cannot be fully mitigated.
3.2 Key Categories of Compensating Controls
While compensating controls differ by institution, they generally fall under several governance and operational categories:

Each activity functions as a control mechanism that collectively strengthens the resilience of the model environment. Importantly, regulators view these controls not as paperwork but as evidence of continuous accountability across the first and second lines of defense.
3.3 Technology Enablement
Managing compensating controls manually can be cumbersome. Practitioners increasingly rely on Model Risk Management (MRM) platforms to automate and coordinate these workflows. A centralized platform allows model owners, validators, and governance teams to:
- Track attestations and validations systematically.
- Trigger alerts for overdue monitoring or CAPs.
- Maintain a unified audit trail for internal and external reviews.
Automation does not replace sound judgment but ensures consistency, traceability, and readiness for regulatory examinations.
4. The Road Ahead
As regulatory expectations evolve, compensating controls will shift from being reactive safeguards to proactive governance enablers.
With the release of OSFI E-23, regulators are signaling a shift toward data-driven oversight, emphasizing continuous monitoring, accountability of model owners, and integration of compensating measures into enterprise risk frameworks.
Financial institutions should:
- Strengthen the link between model inventory and control evidence.
- Use analytics-based monitoring to identify early warning signals.
- Foster collaboration between model developers, validators, and risk teams to ensure no residual risk is overlooked.
Compensating controls are not temporary fixes – they are a core component of sustainable model governance.
5. How Solytics Can Help
Solytics Partners’ MRM Vault provides an integrated environment to manage and evidence compensating controls effectively. Through configurable workflows and automated documentation, the platform enables institutions to:
- Map each model to its risk tier and control set.
- Automate attestations, monitoring, and validation tracking.
- Maintain real-time dashboards for CAPs, policy exceptions, and breaches.
- Generate regulator-ready evidence aligned with SR 11-7 and OSFI E-23 requirements.
By adopting structured automation, organizations can demonstrate control effectiveness, transparency, and operational resilience across their model lifecycle.
6. References
- Federal Reserve (US) – SR 11-7: Guidance on Model Risk Management – https://www.federalreserve.gov/supervisionreg/srletters/sr1107.htm
- Office of the Superintendent of Financial Institutions (Canada) – Guideline E-23: Model Risk Management (Draft for Implementation 2027) – https://www.osfi-bsif.gc.ca
- Prudential Regulation Authority (UK) – Supervisory Statement SS1/23: Model Risk Management Principles for Banks – https://www.bankofengland.co.uk/prudential-regulation/publication/2023/ss1-23
- Monetary Authority of Singapore (MAS) – FEAT Principles for Fairness, Ethics, Accountability and Transparency in AI and Data Analytics – https://www.mas.gov.sg/publications
- Australian Prudential Regulation Authority (APRA) – CPG 229: Model Risk Management – https://www.apra.gov.au
- Reserve Bank of India (RBI) – Discussion Paper on Governance Framework for Model Risk – https://www.rbi.org.in
