Risk Model Inventory

Risk model knowledge lives in modelers' heads or undocumented spreadsheets. When the credit risk team asks 'which models are approved for CCAR stress testing?' nobody can answer definitively. Model versions, validation dates, limitations, and regulatory approval status exist only in email chains and meeting notes. If a model fails backtesting, there is no written record of its historical performance or prior validation findings.

None — AI cannot perform any model risk management because no model inventory exists. Every model risk assessment starts from zero with no institutional memory.

Risk models are tracked in a basic spreadsheet or SharePoint list with model names and vague descriptions like 'commercial real estate PD model' or 'VaR engine for trading book.' The inventory lacks standardized fields for model version, regulatory tier, input data sources, or validation cycles. When OCC examiners ask for Tier 1 model documentation per SR 11-7, the MRM team scrambles across network drives and email searching for validation reports. Model ownership is unclear — models list a developer name but that person may have left the firm years ago.

AI could scan model names for keywords, but cannot categorize models by regulatory tier, risk type, or validation status because records lack consistent structure and controlled vocabulary.

Risk model inventory follows a standard template with consistent fields: model ID, SR 11-7 tier (Tier 1/2/3), risk category (credit, market, operational, liquidity), regulatory application (CCAR, CECL, Basel III capital, PPNR), model owner, developer, validation cycle, last validation date, approval status. Every model has an entry. But the inventory record is a standalone row in a spreadsheet — it does not link to validation reports, model documentation, backtesting results, or the data lineage for model inputs. When a validator needs the prior validation report, they must search shared drives by model name and hope the file naming is consistent.

AI can generate MRM dashboards showing models by tier, risk category, or validation status. Can flag models overdue for validation. Cannot assess model risk holistically because the inventory does not connect to validation findings, performance metrics, or input data quality.

Risk model inventory is comprehensive and connected. Each model entry links to validation reports, model development documentation, backtesting results, issue tracking for model limitations, data dictionaries for inputs, and change logs for model version history. A validator can query 'show me all Tier 1 credit models used in CCAR with validation findings rated moderate or higher in the past 18 months' and get a complete answer. Model classifications follow SR 11-7 guidance. Validation findings are coded by severity (low/moderate/high) and finding type (conceptual soundness, data, implementation).

AI can automate MRM reporting — tracking model validation coverage, overdue validations, outstanding findings by severity, and regulatory exam readiness. Can draft validation scope memos based on model type and prior findings. Cannot yet perform independent model validation because assessing conceptual soundness and benchmarking require deep statistical judgment.

Risk models are formal entities in a model risk knowledge graph. Each model has machine-readable relationships to data sources (with data quality lineage), consuming business processes, regulatory requirements (CCAR, CECL, Basel III capital rules), validation methodologies, known limitations, approved use cases, and prior validation findings. An AI agent can ask 'which CECL models depend on unemployment rate data, and do those data feeds have data quality controls meeting SR 11-7 standards' and get a precise, structured answer. Model taxonomies map to regulatory guidance (SR 11-7 tiers, OCC risk categories, TRIM principles).

AI can autonomously track model usage against approved use cases, flag models used outside their approved scope, monitor model performance drift through automated backtesting, and generate validation planning schedules. Can draft complete validation reports for low-complexity Tier 3 models. Human validators still required for Tier 1 model conceptual soundness review.

Risk model inventory is a living governance system that monitors itself in real-time. When a CCAR stress scenario runs, the model inventory automatically captures which models were used, with what inputs, producing what outputs, and whether outputs fell within expected ranges. Model entities self-update validation status, usage statistics, and performance metrics without manual reporting. When a model drifts outside calibrated parameters, the system auto-generates a validation scoping memo, assembles relevant backtesting data, and routes to the validation queue. The inventory is a real-time reflection of the entire model risk posture.

Fully autonomous model risk surveillance. AI monitors model performance, flags degradation, manages validation cycles, drafts validation reports for Tier 2/3 models, and tracks remediation of validation findings. Human oversight is strategic — reviewing AI recommendations on Tier 1 model approvals and conceptual soundness assessments rather than performing routine MRM administration.

Ceiling of the CMC framework for this dimension.