The ongoing trend in using quantitative models for decision making prompted institutions and regulatory authorities to establish stricter rules on model risk management. Examples of this continuing expansion can be found in various model using areas e.g. the use of algorithms for trade execution in Securities Trading, the use of decision models in Credit Risk Analytics. Financial risk areas like Credit, Market or Compliance Risk entail model use cases with exposure to Model Risk.
Disclaimer: Data, charts and commentary displayed herein are for information purposes only and do not provide any consulting advice. No information provided in this documentation shall give rise to any liability of Auriscon Ltd and of of Auriscon HK Ltd.
© 2026 Auriscon Ltd. No reproduction without permission. Short excerpts with attribution permitted.
Our Aproach
is to advise and support our clients in review and audit planning by adding subject matter expertise in reviewing quantitative models and audit testing. Our contribution ensures that objectives are realized in time. By adding insight about model risk, helping firms' to manoeuvre successfully a rapidly changing regulatory and competitive environmen, and aligning strategies of businesses with model frameworks, we provide time insights drawn from review and audit outcomes.
Planning
We support the planning and executing of Model Risk reviewing and audit examinations including Data Governance, Credit Risk and Traded Risk.
Specialisation
Given our specialization in Model Risk, we can suport with relevant contributions. We are a specialist provider in the model risk technical audit field and draw insight from hands-on audit experience across multiple functional and asset-class areas.
Anticipation
Our consuiltancy ams to identify latent and emerging risks to higlight issues at an early stage in the review. Detrimental impacts of emerging risks will be highlighted and explained in relation to the context.
Approach
The approach is rooted in a risk-based detail assessment augmented by holistic viewpoints.
Contact us to request further details on our support.
→ Contact
Common Root Causes for Model Risk
| Wrong Model Use | Wrong model usage leading to shortfall in governance. |
| Model Limitations | Model design limitations due to unsuitable methodologies and mismatched assumptions leading to unsuitable model outputs. |
| Data Limitations | Lack of data quallity leading to calibration bias. |

Expectations and Model Risk
| Regulatory Expections | Regulatory and rating agencies' preference for Through-The-Cycle (TTC) Credit Risk models with the caveat that models notoriously slow in reacting to sharp recessionary market downswings. |
| Business Expectations | Lending businesses often show preference for TTC models given loss outcome is less than predicted in boom cycle periods, which seemingly re-confirms model conservatism as long as not contradicted by loss outcime in bust periods. |
Examples for Model Risk
| Expected Shortfall |
Replacement of VaR by Expected Shortfall (ES) for Market Risk measurements in Traded Risk and Asset Management is accompanied by technical challenges. Validation and backtesting of ES with unsuitable methods is leading to Model Risk . |
| Machine Learning | AI-ML methods such as boosted trees used in transaction fraud and credit risk requires suitable KPI for monitoring interpretabiliy. Lack of transparency of risk driver used in black-box methods lead to interpretation gaps and heightened Model Risk. |
Review and Audit Phases and Activities
Audit activities occur in phases, with each phase consisting of specific tasks for preparing and inputting any subsequent phase. Of particular importance is the initial phase also known as Audit Planning. The planning phase is used to communicate the scope of the audit to auditees and management and to identify the areas of inherent and emerging risks.

Mapping of Asset Class and Risk Areas to Regulations
Regulators have confirmed that financial institutions must implement a Model Risk Management (MRM) framework.
This includes setting up adequate governance to cover risk models with policy details for model life cycle.
In addition, periodical follow-up via reviewing and validatoins and management assessments as set-out in the model risk managment policy.

Data Analytics in Auditing
Increasingly more financial institutions base their decision making on data and analytics. For audit to keep pace with expectations, more analytics and advanced technology has to be integrated into the review process. The sampling process traditionally used in auditing carries some risk that important details are overlooked. Using advanced analytics in reviewing can yield a positive impact on the quality and depth of auditing. As a case in point, the review of analytical models is an area where the use of data analytics is beneficial to audit outcome.

Machine Learning models methods are meanwhile commonly used within the context of credit and fraud customer screening, marketing, and multiple other areas.
Interpretability of model inputs and predictions is important for obtaining the acceptance from business and user community. Interpretabiliy applies especially for black-box models such as boosted trees. Clarity about interpretation should therefore be considered a key step before the deployment of any AI-ML model takes place. Fortunately, verifying interpretability does not have to be model dependent. In fact model agnostic methods used for interpretability verification are available and can be used in audit.
Data Bias can have a significant negative impact on models. Degradation in model performance due to data bias is a key issues in other areas of model development too. One reason for data bias is that prediction models are typically built and calibrated based on data sampled over a certain time period, and therefore the sampled data are conditioned based on internal and external events occuring over this eriod. Another reason for data bias can be due to the choice of certain business strategy.
Data Quality are important aspects any review should opine on. Aspects of data quality such a missing data or outdated data should receive sufficient attention to conclude on data limations. Audit testing of data quality can also consider the data quality monitoring to cover the DQ dimensions namely completeness (no missings), accuracy (no outliers), timeliness, controlled data sources, usage monitoring.
Data Integrity testing involves the review of suitable and controlled Data Sources. More often that not a central data repository is used and review checks may cover the controls implemented to ensure data consistency across several IT systems. Finally, governance aspects pertaining to the definition of Critical Data Elements (CDE) should be considered as part of the Data Analytics stream to add to the audit outcome.

Regulatory expectations on data integrity and governance establish demand for detailed metadata repositories, data lineage and automated data quality checks to be implemented with sufficient granularity and currentness. Industry standards are set out holistically in the BCBC 239 report with internal reporting, regulatory reporting and management decision systems being in scope.
Furthermore, institutions are expected to have data quality management and standards in place with data quality indicators and tolerance level attached.
Consequently, audit assignments should incorporate data quality and data governance aspects into the audit testing. However, challenges in implementing any blue print standards on data quality management can be overwhelming when heterogeneous system architectures with multiple source systems from which data are obtained are used across businesses and functions.
→ READ MORE ... ECB guide on effective risk data aggregation and risk reporting
Outcome and Reporting
Our approach to reviewing and technical auditing ensures that controls marked as ‘critical’ receive prioritization during audit fieldwork and assessment.
We perform auditing through colloboration involving auditees and senior management to ensure audit tesitng is effective throughout.
The reporting of the Audit outcome will be clearly communicated and based on a consistent documentation.
Thematic drivers of issues will be identified and presented together with contextual information.
