Uploaded on Aug 20, 2025
SR 11-7, issued by the Federal Reserve and OCC, outlines Supervisory Guidance on Model Risk Management. It defines models, sets governance and validation standards, and ensures banks manage model risk, accountability, and compliance effectively.
What is SR 11-7 Guidance on Model Risk Management?
What is SR 11-7?
The Federal Reserve and the Office of the Comptroller
of the Currency (OCC) issued SR 11-7, “Supervisory
Guidance on Model Risk Management,” on April 4,
2011. This guidance outlines comprehensive
requirements for Model Risk Management (MRM) for
banks and financial institutions operating within the
United States. The document details what to classify as
a model, principles for risk classification, governance
and controls, model validation, and the roles and
responsibilities for key MRM functions such as testing,
documentation, and reporting.
Why is SR 11-7 Important?
• SR 11-7 is a critical framework for ensuring robust governance over models used in banking
operations. The document provides a clear definition of a model: “a quantitative method,
system, or approach that applies statistical, economic, financial, or mathematical theories,
techniques, and assumptions to process input data into quantitative estimates”.
• The guidance emphasizes the importance of active model risk management to mitigate
potential adverse consequences from incorrect or misused model outputs: “Model risk can
lead to financial loss, poor business and strategic decision making, or damage to a bank’s
reputation”.
• The guidance also stresses senior management and board accountability for overseeing model risk
management activities: “Senior management, directly and through relevant committees, is
responsible for regularly reporting to the board on significant model risk, from individual models and
in the aggregate, and on compliance with policy”. This reinforces the importance of governance
structures that ensure the integrity and reliability of models used within financial institutions.
The Journey to SR 11-7 Compliance
CIMCON Software has over 25 years of experience in helping firms with EUC, Model, and AI Risk
Management, aiming to significantly reduce the friction and challenges for firms as they strive for
SR 11-7 compliance. Below are the technological solutions CIMCON provides to address specific
principles outlined in SR 11-7:
• Automated Model Identification: CIMCON takes a model-agnostic
approach to identifying and risk assessing EUCs such as Excel files, models
created in Python or R, and even third-party executables. This is crucial as
these all could be considered models under the SR 11-7 definition: “Models
are simplified representations of real-world relationships among observed
characteristics, values, and events”.
• Self-Organizing Model Inventory: Regularly scheduled scans help uncover
hidden risks and automatically keep the Model Inventory up-to-date. Firms can
maintain inventories that are firm-wide as well as department-specific. This aligns
with the guidance that banks should maintain a firm-wide model inventory:
“Banks should maintain a comprehensive set of information for models
implemented for use, under development for implementation, or recently
retired”.
• Powerful, Yet Flexible Risk Assessment: Since there are an increasing number of
different types of models to risk assess, it can help to standardize risk assessment based
on model type. For example, assessing Excel through Number of Formulas, Macros, &
Hidden Sheets, 3rd party applications through the presence of AI, and models through
fairness, bias, explainability, and validity is crucial to understanding which EUCs you need
to control. “The rigor and sophistication of validation should be commensurate with the
bank’s overall use of models, the complexity and materiality of its models, and the size
and complexity of the bank’s operations”.
• Interdependency Map: Visualize relationships between models and data sources, adjusting
risk assessment scores for a model based on its interdependencies. SR 11-7 emphasizes the
need to understand model interdependencies to manage aggregate model risk: “Aggregate
model risk is affected by interaction and dependencies among models; reliance on common
assumptions, data, or methodologies”.
• Comprehensive Documentation Generation & Management: Maintain up-to-date
documentation on model development, testing, and risk scores in one place across the firm. SR
11-7 requires comprehensive documentation to ensure transparency and continuity of
operations: “Documentation of model development and validation should be sufficiently detailed
so that parties unfamiliar with a model can understand how the model operates, its limitations,
and its key assumptions”.
• 3rd Party Risk Management: Identify and assess risks associated with third-party models
and applications, ensuring they meet your internal standards. SR 11-7 states, “Analysis of the
integrity and applicability of internal and external information sources, including information
provided by third-party vendors, should be performed regularly”.
• Proper Controls and Accountability: Restrict and track changes to models,
maintaining security and accountability. SR 11-7 highlights the importance of governance,
policies, and controls in model risk management: “A strong governance framework
provides explicit support and structure to risk management functions through policies
defining relevant risk management activities, procedures that implement those policies,
allocation of resources, and mechanisms for evaluating whether policies and procedures
are being carried out as specified”.
• Approval Workflows: Create automated approval workflows, tracking model
approval status and identifying process improvements. This helps firms adhere to SR
11-7’s standards for model approval and change management: “The model owner
should also ensure that models in use have undergone appropriate validation and
approval processes, promptly identify new or changed models, and provide all
necessary information for validation activities.”
What else do I need to know?
• Since the 2007-09 financial crisis, regulators have added a series of regulations, in
addition to SR 11-7, to test the reliability of models. Regulations such as, most
recently, the Bank of England’s Supervisory Statement 1/23 (SS 1/23), as well as
long-standing regulations such as Basel II & III, ICAAP, the Supervisory Capital Assessment
Program (SCAP), Comprehensive Capital Analysis and Review (CCAR), Dodd-Frank Act
Stress Tests (DFAST), and the European Central Bank’s (ECB) Comprehensive
Assessment, as well as others, use models to create what-if scenarios to
test capital sufficiency through stress testing.
• Supervisors provide regulatory guidance on modeling, and whether it is the Bank for
International Settlements, the Federal Reserve Board of Governors, the European Central
Bank, the Bank of England, or the Prudential Regulation Authority (PRA), regulators
expect:
a “transparent and repeatable” process.
“completeness and accuracy of information”.
internal controls around data integrity and models.
• With our software, our mission is to add controls and insight that empower our
customers rather than restrict them, and to help them comply with
the wide and ever-expanding regulatory landscape.
About Us
• Established in 1988, CIMCON Software, LLC is a pioneer in end-user computing and
model risk management, serving over 800 companies across industries.
• Recognized by Gartner, Insurance ERM, and others as a top risk management vendor,
CIMCON brings 25+ years of experience and industry best practices to support AI & GenAI
readiness and governance.
• With the largest global installed base, our feature-rich, extensively tested solutions offer
unmatched depth, support, and reliability.
Contact Us
Boston (Corporate Office)
+1 (978) 692-9868
234 Littleton Road
Westford, MA 01886,
USA
New York
+1 (978) 496 7230
394 Broadway
New York, NY 10013
THANK YOU