Strengthening decision-making with OSFI’s E-23 Model Risk Management Guideline


The Office of the Superintendent of Financial Institutions (OSFI) has taken a significant step forward with its E-23 Model Risk Management Guideline, which sets expectations for the governance, validation and monitoring frameworks that mitigate the risks of relying on models across a growing range of business activities. OSFI first published the guideline in 2017; the final revised version, published on September 11, 2025, takes effect on May 1, 2027. Where the earlier version applied only to banks and to trust and loan companies, the revised guideline extends its scope to foreign bank branches and to life insurance and property and casualty insurance companies.

Why model risk management matters now more than ever

  • Models are foundational to modern financial decision-making, enabling organizations to forecast economic trends, optimize portfolios, analyze market risk and exposure, and allocate capital. Reliance on models is now spreading beyond these core uses into pricing, underwriting, customer service, risk assessment, compliance, fraud detection and even human resources, and many of these newer uses are built on artificial intelligence (AI) and machine learning (ML). The potential for adverse outcomes from incorrect, biased or misused models grows accordingly: model risk can produce inaccurate predictions, regulatory non-compliance and reputational damage.
  • The Canadian financial sector is seeing a rapid increase in the use of AI, according to the OSFI-FCAC Risk Report – AI Uses and Risks at Federally Regulated Financial Institutions, published in September 2024:
    • In 2019, approximately 30% of financial institutions used AI.
    • In 2023, approximately 50% of financial institutions used AI.
    • By 2026, 70% of financial institutions are expected to be using AI.
  • Key risks identified in the report, Financial Industry Forum on Artificial Intelligence, published by OSFI, the Department of Finance and the Global Risk Institute in July 2025, are:
    • Cybersecurity: AI-enhanced tools, such as adaptive malware, enable threat actors to move quickly and inflict significant damage on their targets.
    • Data risk: Internal AI models process sensitive data and are themselves a target, exposing organizations to threats such as data poisoning of training sets, model extraction through query access, and adversarial manipulation of inputs.
    • Concentration risk: Reliance on a few large AI cloud service providers can create single points of failure.
    • Supply chain risk: The interconnected nature of AI solutions expands exposure to multiple vendors.
    • Data integrity: Data, model design and algorithms that lack transparency undermine confidence in data integrity and complicate model validation.

Key pillars of OSFI’s E-23 Guideline

Under E-23, “model” refers not only to traditional quantitative tools (such as those used for risk assessment or valuation) but also to AI/ML algorithms and other data-driven decision-making solutions. This expanded definition recognizes that any technology with a material effect on decision-making must be subject to the same rigorous standards that have historically applied to conventional models.

  1. Governance framework: Organizations are required to establish clear roles and responsibilities for managing model risk, from the board of directors to senior management, model owners and model users, ensuring accountability and oversight at every level.
  2. Rigorous validation processes: Models must undergo independent validation at every stage to assess their accuracy, performance and alignment with intended purposes. Validation processes ensure that models are theoretically sound as well as practically reliable.
  3. Comprehensive model inventory: Maintaining a centralized inventory of all models used across the organization serves as a single source of truth, providing visibility into model ownership, purpose and validation status.
  4. Continuous monitoring: The guideline stresses the need for ongoing monitoring of model performance. Organizations must establish metrics and thresholds to detect deviations early and take corrective action proactively.
  5. Third-party models: The guideline emphasizes that organizations remain responsible for models obtained from third parties and should exercise oversight over them, including consideration of the third party's development environment and the model's architecture.
  6. Risk assessment and reporting: Regular assessments of model risk help organizations understand the potential impact of model errors. Transparent reporting to senior management and the board fosters informed decision-making.
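A minimal, runnable illustration of the inventory and continuous-monitoring pillars above. This is an example written for this article, not code from OSFI, Protiviti or any regulated institution; the inventory record fields, the choice of the population stability index (PSI) as the monitoring metric, the 0.10 warning and 0.25 breach thresholds, and the binned sample distributions are all assumptions made for illustration.

```python
"""Added example (not from OSFI or Protiviti): a minimal model inventory
with a threshold-based drift monitor, illustrating the 'model inventory'
and 'continuous monitoring' pillars of E-23. Record fields, the PSI
metric, the thresholds and the sample data are assumptions."""
from dataclasses import dataclass, field
import math


@dataclass
class ModelRecord:
    """One inventory entry: who owns the model, what it is for, its
    validation status, and the monitoring thresholds that apply to it."""
    model_id: str
    owner: str
    purpose: str
    validation_status: str        # assumed values: "validated", "pending", "expired"
    psi_warn: float = 0.10        # assumed: common rule-of-thumb PSI bands
    psi_breach: float = 0.25
    history: list = field(default_factory=list)


def population_stability_index(expected, actual, eps=1e-6):
    """PSI between two binned proportion vectors (e.g. score deciles at
    validation time vs. in production). Both vectors must use the same
    bins; eps guards against log(0) when a bin is empty in one period."""
    if len(expected) != len(actual):
        raise ValueError("expected and actual must use the same bins")
    psi = 0.0
    for e, a in zip(expected, actual):
        e, a = max(e, eps), max(a, eps)
        psi += (a - e) * math.log(a / e)
    return psi


def assess(record, expected, actual):
    """Compute PSI, classify it against the record's thresholds, and log
    the outcome on the inventory entry. Returns (psi, status)."""
    psi = population_stability_index(expected, actual)
    if psi >= record.psi_breach:
        status = "breach"
    elif psi >= record.psi_warn:
        status = "warning"
    else:
        status = "stable"
    record.history.append((round(psi, 4), status))
    return psi, status


def needs_attention(inventory):
    """Inventory report: models whose validation is not current, or whose
    most recent monitoring check breached its threshold."""
    flagged = []
    for rec in inventory:
        last = rec.history[-1][1] if rec.history else None
        if rec.validation_status != "validated" or last == "breach":
            flagged.append(rec.model_id)
    return flagged


# Constructed sample data: a reference score distribution captured at
# validation and three later production snapshots over the same 4 bins.
BASELINE = [0.20, 0.30, 0.30, 0.20]
SNAPSHOTS = {
    "stable":  [0.21, 0.29, 0.30, 0.20],
    "warning": [0.30, 0.35, 0.25, 0.10],
    "breach":  [0.05, 0.15, 0.30, 0.50],
}


def demo():
    """Run the three snapshots against one (constructed) model record and
    produce the inventory report. Model IDs and owners are made up."""
    fraud = ModelRecord("FRD-001", "Fraud Analytics", "card fraud scoring", "validated")
    pricing = ModelRecord("PRC-007", "Retail Pricing", "loan pricing", "pending")
    results = {name: assess(fraud, BASELINE, snap) for name, snap in SNAPSHOTS.items()}
    return results, needs_attention([fraud, pricing])


if __name__ == "__main__":
    results, flagged = demo()
    for name, (psi, status) in results.items():
        print(f"{name:8s} PSI={psi:.4f} -> {status}")
    print("needs attention:", flagged)
```

The point of the example is the shape of the control rather than the specific metric: each inventory entry carries its own thresholds, every monitoring run is recorded against the entry, and the report is derived from the inventory itself, so that an expired validation and a drift breach surface through the same channel. In practice the bins would come from the model's validation report and the thresholds from the model's risk tier.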

OSFI's E-23 is more than a compliance requirement; it is a tool for fostering a culture of risk-aware innovation. By embedding model risk management into their enterprise-wide risk management framework, organizations can balance the pursuit of innovation with the imperative of risk mitigation.

Key considerations for implementation

Ahead of the guideline coming into force on May 1, 2027, organizations should take the following actions:

  • Governance: Establish a risk-aligned governance framework that scales with the organization’s model complexity and use cases, ensuring clear accountability and oversight from the board through operational teams.
  • Policies and procedures: Develop and maintain streamlined, well-documented policies covering the entire model lifecycle, from development and validation to deployment and retirement, to promote consistency and regulatory compliance.
  • People: Define and communicate roles and responsibilities clearly by establishing dedicated governing bodies for each phase of the model lifecycle, thereby fostering a proactive culture of model risk management.
  • Data and systems: Implement a centralized model inventory and robust reporting system to maintain transparency, ensure data integrity and enable continuous tracking of model performance.
  • Change management: Implement ongoing risk assessments and independent validations to monitor model performance regularly, adapt to emerging threats, and address regulatory, market or operational changes on a timely basis.

How Protiviti can help — OSFI E-23 Model Risk Management compliance

Protiviti’s team of risk management professionals and subject-matter experts is dedicated to helping organizations implement robust model risk management frameworks that not only meet OSFI’s E-23 requirements but also drive operational excellence. Our expertise and support for our clients include the following:

Independent model validation

  • Perform rigorous qualitative and quantitative assessments to validate models independently at every lifecycle stage.
  • Identify gaps and improvement opportunities for ensuring models are robust and fit for strategic use while complying with industry standards.

Strategic roadmap development

  • Develop a customized roadmap outlining key actions, clear ownership, defined milestones, realistic timelines and resource requirements.
  • Align the roadmap with evolving regulatory expectations and best practices, ensuring sustainable model risk management.

Maturity assessment

  • Assess current model risk management practices using Protiviti’s Capability Maturity Model.
  • Identify gaps against OSFI E-23 requirements, and map out the transition from current to target maturity levels.
  • Conduct thorough benchmarking against industry standards and practices among peers.
  • Provide actionable, data-driven recommendations to elevate the overall model risk framework.

Model risk framework development

  • Develop and customize a comprehensive model risk management policy and procedure templates to ensure regulatory compliance.
  • Design an enterprise-wide model inventory to maintain transparency on model ownership, purpose, validation status and performance metrics.

Training program

  • Design a training program that addresses essential topics such as governance roles, rigorous validation techniques, regulatory expectations and best practices in ongoing monitoring.
  • Deliver training sessions shaped for various stakeholder levels, from board members and senior management to model developers and users.