Strengthening decision-making with OSFI’s E-23 Model Risk Management Guideline

Why model risk management matters now more than ever

• Models have been foundational to modern financial decision-making, enabling organizations to forecast economic trends, optimize portfolios, analyze market risk and exposure, and optimize capital allocation. As reliance on models grows beyond financial decision-making and toward areas like pricing, underwriting, customer service, risk assessment, compliance, fraud detection and even human resources, which now use artificial intelligence (AI) and machine learning (ML), so do the potential adverse outcomes stemming from incorrect, biased or misused models. As such, model risk can lead to inaccurate predictions, regulatory non-compliance and reputational damage.
• The Canadian financial sector is witnessing an exponential increase in the use of AI based on the OSFI-FCAC Risk Report – AI Uses and Risks at Federally Regulated Financial Institutions, published in September 2024:
  • In 2019, approximately 30% of financial institutions used AI.
     
  • In 2023, approximately 50% of financial institutions used AI.
     
  • By 2026, 70% of financial institutions are expected to be using AI.
     
• Key risks identified in the report, Financial Industry Forum on Artificial Intelligence, published by OSFI, the Department of Finance and the Global Risk Institute in July 2025, are:
  • Cybersecurity: AI-enhanced tools, such as adaptive malware, enable threat actors to move quickly and inflict significant damage on their targets.
     
  • Data risk: Internal AI models used by organizations process sensitive data, leading to threats such as data poisoning, model extraction and adversarial manipulation.
     
  • Concentration risk: Reliance on a few large AI cloud service providers can create single points of failure.
     
  • Supply chain risk: The interconnected nature of AI solutions expands exposure to multiple vendors.
     
  • Data integrity: Data, design and algorithms lacking transparency undermine data integrity and complicate model validation.

Key pillars of OSFI’s E-23 Guideline

Under E-23, “model” refers not only to traditional quantitative tools (such as those used for risk assessment or valuation) but also to AI/ML algorithms and other data-driven decision-making solutions. This expanded definition recognizes that any technology with a material effect on decision-making must be subject to the same rigorous standards that have historically applied to conventional models.

1. Governance framework: Organizations are required to establish clear roles and responsibilities for managing model risk, from the board of directors to senior management, model owners and model users, ensuring accountability and oversight at every level.
2. Rigorous validation processes: Models must undergo independent validation at every stage to assess their accuracy, performance and alignment with intended purposes. Validation processes ensure that models are theoretically sound as well as practically reliable.
3. Comprehensive model inventory: Maintaining a centralized inventory of all models used across the organization serves as a single source of truth, providing visibility into model ownership, purpose and validation status.
4. Continuous monitoring: The guideline stresses the need for ongoing monitoring of model performance. Organizations must establish metrics and thresholds to detect deviations early and take corrective action proactively.
5. Third party models: The guideline emphasizes that organizations should exercise oversight over models obtained from third parties, including consideration of the third party’s development environment and model architecture.
6. Risk assessment and reporting: Regular assessments of model risk help organizations understand the potential impact of model errors. Transparent reporting to senior management and the board fosters informed decision-making.

OSFI’s E-23 is a compliance tool for fostering a culture of risk-aware innovation. By embedding model risk management into their enterprise-wide risk management framework, organizations can balance the pursuit of innovation with the imperative of risk mitigation.

Key considerations for implementation

Once the guideline comes into force, OSFI expects organizations to take the following actions:

• Governance: Establish a risk-aligned governance framework that scales with the organization’s model complexity and use cases, ensuring clear accountability and oversight from the board through operational teams.
• Policies and procedures: Develop and maintain streamlined, well-documented policies covering the entire model lifecycle, from development and validation to deployment and retirement, to promote consistency and regulatory compliance.
• People: Define and communicate roles and responsibilities clearly by establishing dedicated governing bodies for each phase of the model lifecycle, thereby fostering a proactive culture of model risk management.
• Data and systems: Implement a centralized model inventory and robust reporting system to maintain transparency, ensure data integrity and enable continuous tracking of model performance.
• Change management: Implement ongoing risk assessments and independent validations to monitor model performance regularly, adapt to emerging threats, and address regulatory, market or operational changes on a timely basis.