Model Risk Management by Asset Managers

TOEZICHT VISUAL SUMMARY NOVEMBER 2025 Model Risk Management by Asset Managers

In Short Technological developments and digitalization are leading to changes in the asset management sector. Due to the increasing availability of data and the added value of data analysis, asset managers are increasingly using models to support portfolio decisions and risk management. The development of new applications, such as artificial intelligence, also has implications for the scope and reach of these models. The increased use and growing complexity of models increase the likelihood of model risk. Controlling risks, including model risk, remains extremely important for asset managers. This report provides a number of guidelines to support asset managers in strengthening their model risk management.

What are good practices for asset managers to control model risk? Asset managers are increasingly using (complex) models. This increases exposure to model risk.

8 good practices for Model Risk Management (MRM)

1. Establish a specific governance structure for model risk.
2. Implement a model definition to support a shared understanding.
3. Define risk appetite and risk indicators to support MRM.
4. Create a model inventory as an integral part of MRM.
5. Validate models before implementation and ensure periodic re-validation.
6. Implement a lifecycle process for models.
7. Establish MRM principles for both internal models and third-party models.
8. Ensure internal knowledge and expertise regarding models and model risk.

Asset managers must control model risk where applicable. Model risk management encompasses the entire set of activities aimed at identifying, assessing, controlling, monitoring, and reporting these risks.

Increasing availability of data Advanced data analysis methods Errors in development or use Incorrect decisions Negative financial consequences Asset Manager Rise of AI Asset Owner Trend (Complex) models Drivers Model Risk Governance Model Lifecycle Risk Management People

Model Risk Management by Asset Managers 2 SUPERVISION REPORT

Management Summary 1 Article 4:14 Financial Supervision Act (Wft) 2 Article 3(1)(11) of Directive 2013/36/EU (CRD IV)

Asset managers are increasingly using models to support various activities, including portfolio construction, risk management, investment decisions, and regulatory compliance. The increased availability of data, advanced analysis methods, and the rise of machine learning and artificial intelligence mean that more and more complex models are being used. This development is expected to increase institutions' exposure to model risks.

As part of sound and prudent business conduct, as required under the Financial Supervision Act (Wft)1, asset managers are expected to control model risks.

Model risks can arise, among other things, from errors in the development, implementation, or use of models. The materialization of model risk can lead to financial or operational damage. Model risk management encompasses the entire set of activities aimed at identifying, assessing, controlling, monitoring, and reporting these risks.

The Dutch Authority for the Financial Markets (AFM) conducted an exploratory study into how asset managers handle model risk management (MRM) in practice. Since there is no explicit definition of model risk within asset management, the following definition was used for this study: the potential loss an institution may suffer as a result of decisions that could be based primarily on the output of internal models, and which is attributable to errors in the development, implementation, or application of such models2. This definition stems from prudential requirements that do not directly apply to the population in the context of this study, and is used solely for reference purposes. Prudential models fall outside the scope of this study.

This study focuses on four main themes: Governance, Risk Management, Model Lifecycle, and People. Within each theme, observations and good practices were collected based on input from participating asset managers.

With this report, the AFM aims to support asset managers in strengthening their model risk management, in line with the requirements for sound business conduct. The good practices are intended as inspiration and a reference point, not as a normative framework. Further dialogue and exchange within the sector can contribute to a shared understanding and a more consistent approach to model risks.

Key Observations: • Many asset managers recognize the importance of model risk management but employ varying definitions and approaches. • Governance regarding models is often regulated implicitly; explicit role distribution and alignment with the Three-Lines model are seen as good practices. • Risk appetite regarding model risk is rarely formally documented; defining risk parameters and monitoring processes provides guidance. • A central model inventory and independent validation are essential for control over the model portfolio. • Third-party models require additional control measures within the existing MRM framework. • Knowledge and awareness among employees are crucial; targeted training and role-specific support strengthen the effectiveness of model risk management.

Model Risk Management by Asset Managers 3 SUPERVISION REPORT

Introduction 3 Article 4:14 Financial Supervision Act (Wft)

The Dutch Authority for the Financial Markets (AFM) ensures that asset managers comply with the applicable legal requirements for sound and prudent business conduct.3 As part of their sound and prudent business conduct, asset managers must ensure effective risk management, including regarding the risks associated with the use of models (model risk).

Through two surveys, it was investigated how asset managers handle model risks. This looked at how they recognize, control, and embed these risks in their business operations. Based on the results, various good practices emerged that can help asset managers further strengthen their model risk management.

These good practices are examples of how institutions can responsibly comply with applicable regulations, as assessed by the AFM. They contain suggestions or recommendations; institutions are free to adopt a different approach, provided they comply with relevant legislation and regulations and can demonstrate this.

The purpose of this report is to share the good practices with market participants. The AFM does not aim for completeness in this report. The included observations and good practices form an initial exploration and may vary in breadth and depth.

The insights from this study on model risk management are based on a two-phase research approach. In the first phase, a closed survey was distributed among a broad group of Dutch market parties, including investment firms, UCITS, AIFs, proprietary traders, trading platforms, and MiFID top-ups (collectively referred to as 'asset managers'). In total, 250 asset managers participated in this first phase. The second phase consisted of an in-depth questionnaire with open questions, focused on a selected group of institutions. 14 asset managers participated in this phase. These asset managers were selected, among other factors, based on 'assets under management' (AuM) and 'dominant investment strategy' to arrive at a selection representative of the entire asset management sector.

The Dutch asset management sector is diverse in composition, with a few very large asset managers alongside a large number of smaller parties. This variation in size, complexity, and use of models means that the findings in this report are not automatically applicable to every organization. The presented good practices should therefore be interpreted in relation to the scale and nature of model use within one's own organization. They are intended as guiding and inspiring, not as a uniform standard.

Model Risk Management by Asset Managers 4 SUPERVISION REPORT

Good Practices

Good Practice 1 - Cover model risks by establishing a specific model governance structure

Model governance encompasses the entire set of policies, procedures, and activities by which organizations formalize responsibilities and decision-making regarding the use of models. A governance framework is considered specifically focused on model risks when risk management is designed to recognize, control, and monitor these model risks, and when there are clear agreements on oversight and accountability.

Observations Of the 250 participating entities, 86 asset managers (34%) stated that they have established a model governance structure. From this, the AFM draws the following conclusions: • Most organizations with a separate model governance structure have assigned clear roles to users, owners, and developers of models. Additionally, 59% (51 companies) have also appointed an independent validator. • 71% of companies (61 organizations) have organized governance and responsibilities regarding model risk in accordance with the Three-Lines model, with tasks distributed across the first line (execution), second line (risk management), and third line (internal audit). • 55% of companies with a model governance structure (46 organizations) have established a specific model governance committee. These companies often make extensive use of models and have multiple departments involved in the development, use, and monitoring of models. • Other entities have either defined a clear escalation path as an alternative to a model governance committee, or have integrated model risk into existing committees.

Analysis Strong governance, policies, and controls in line with the complexity of the models used and the intensity of model use within the organization will support the effective understanding and management of model risks.

Good Practice – Establish a specific model governance structure for model risk • Formalize responsibilities for the development, implementation, maintenance, validation, change management, and termination of models. • Organize governance and responsibilities regarding model risk in line with the Three-Lines model. • Depending on the intensity and complexity of model use within the organization, effective governance may require a special model governance committee. For some entities, an escalation framework with clear procedures may suffice. Integrating model (risk) oversight into existing committees is also a possible alternative.

Model Risk Management by Asset Managers 5 SUPERVISION REPORT

Good Practice 2 - Implement a model definition to support a shared understanding

Since model risk can be defined in various ways and at different levels, a shared understanding is needed within the organization regarding what qualifies as a model and what model risk encompasses.

Observations Of the 250 respondents, 72 organizations (29%) stated that they have implemented a model definition. From the various model definitions provided by these respondents, it is noted that a model definition generally contains the following elements: (1) Input data, (2) a quantitative system or methodology that processes the input data, and (3) output that supports or informs decision-making processes. Some organizations also choose to include an indication of 'recurring use', which can help distinguish formal models from one-off or ad-hoc tools that may fall outside the scope of governance regarding model risks.

Analysis A formal and implemented model definition supports the effectiveness of model risk management and helps determine the scope of the organization's MRM framework.

Good Practice – Implement model definition to support a shared understanding • Establish a clear definition of what is considered a model and formalize it. • Document and communicate this model definition. • Determine which types of tools or models fall within the scope of MRM.

Good Practice 3 - Define risk appetite and risk indicators to support MRM

Effective management of model risk begins with establishing the extent to which an organization is willing to accept this risk.

By formulating a clear risk appetite for model risk and translating it into concrete limits – preferably with quantitative thresholds – a robust framework for model risk management is created. By actively monitoring these limits, the organization can ensure that model activities remain within the boundaries of risk appetite.

Observations Of the 250 survey respondents, 56 entities (22%) defined a risk appetite for model risk as part of their Risk Appetite Statement (RAS). 9 of the 14 asset managers who participated in phase 2 stated that they have defined a risk appetite for model risk as part of their organization-wide risk appetite.

Depending on the nature and size of the model risk, organizations may choose to document their risk appetite specifically for model risk in a separate statement. This is particularly relevant when model risk is material or subject to specific supervision by regulatory authorities. An alternative is to integrate model risk within broader risk categories, such as operational or IT risk. In that case, model risk is considered a component of those domains, including the associated risk appetite. Then, model risk can be represented as a separate Key Risk Indicator (KRI) with associated risk limits under the defined risk appetite for that category.

In both approaches, model risk can be monitored via a separate KRI, equipped with clear risk limits that align with the established risk appetite of the relevant risk domain. Translating the model's risk appetite into measurable KRIs and monitoring them helps to track and manage identified risks. The study showed that where the risk appetite of the model was defined, this was in some cases further specified in KRIs that are actively monitored. Examples of KRIs provided by study respondents include: the number of models used without validation, the number of reported deviations in model output, and the frequency of overdue model assessments.

Analysis By including model risk in the organization's risk appetite and monitoring this appetite based on defined risk limits (KRIs), uniform management of model risk within the organization is supported.

Good Practice - Define risk appetite and Key Risk Indicators (KRIs) to support MRM • Define the organization's model risk appetite. • Translate the model risk appetite into KRIs. • Establish a monitoring process for KRIs. • Align controls and procedures with the model risk appetite and/or KRIs. • Some entities strive to limit model risks through general business, operational, or IT risk management. To ensure effectiveness, model-specific governance elements can be included, such as assigning clear model ownership.

Good Practice 4 - Create a model inventory as an integral part of MRM

The organization's model inventory is an overview of all models used within the organization. A model inventory is a centralized repository that records important model-specific information, such as ownership, user roles, and version history. It may also contain a risk classification of the model. In the context of this report, it is not a so-called digital place where all model documentation is stored.

Observations The study showed that of the 250 participating entities, 67 asset managers (27%) use a model inventory. In the second phase of the study, 6 of the 14 asset managers (43%) stated that they have a model inventory.

Asset managers participating in the study indicated including the following elements in their model inventory: • Model-ID (name or ID) • Purpose of the model • Owner • Developer • User • Life cycle status (e.g., active, in development, terminated) • Risk classification/tiering (the risk associated with a model, often based on complexity and impact, as assessed by the model owner and risk function) • Version • Date of last validation

Depending on the organization's use of models, the complexity of the model, and the risk appetite, additional elements should be added to the model inventory: • Language of the model (code) • Location where the model is stored and used • An ID for the business process supported by the model • Complexity of the model • Impact of the model • Frequency of model use • An indicator of whether the model uses AI or ML techniques

Analysis A model inventory can be considered a cornerstone in an MRM framework. To maintain control and ensure oversight and accountability, it is recommended that an organization maintain a complete and accurate set of information regarding the models it develops and uses.

Model Risk Management by Asset Managers 7 SUPERVISION REPORT

Good Practice – Create a model inventory as an integral part of MRM • Formalize a model inventory. • Use the model inventory as the "central hub" of the organization's model risk management framework. • Clearly assign ownership and responsibility, include risk classification, and track life cycle status to support effective oversight. • Determine which elements are necessary characteristics of the model inventory.

Good Practice 5 - Validate models before implementation and ensure periodic re-validation

Model validation involves checking models, both before implementation and periodically during use, to ensure they remain suitable for their intended purpose. The validation process is intended to provide an independent and objective view of whether a model works adequately and delivers reliable results for its intended application.

Observations The study showed that model validation is sometimes interpreted as model assessment, while these activities serve different purposes. Model assessment is a broader and continuous process of evaluating model performance, including compliance with policy. Model validation, on the other hand, is a specific test of model input and mechanics, providing assurance regarding the accuracy and reliability of the model.

In the study, 58 respondents (23%) stated that they have a model validation process. Of these 58 entities, 23 organizations (40%) validate only internal models, while 35 entities have a validation process for both internally developed models and models from external providers.

Asset managers included in phase 2 of the study provided details on the setup of their model validation process. The validation process varies by entity, depending on factors such as model complexity, risk appetite, and the size of the entity.

When organizations adopt a formal process for model validation, the following principles are usually followed: • Validation frequency aligned with the model's risk classification How often and how thoroughly a model is validated depends on the risk classification. The higher the risk associated with a model, the stricter and more formal the validation should be. Many organizations use risk classification as a guide to determine this. • Validation before commissioning is standard, periodic re-assessment is less frequent Before a model is deployed for the first time, validation usually takes place to check if it functions properly. This often happens even if there is no formal validation process. Periodic re-validation occurs less frequently and usually takes place annually or at set intervals, depending on the model's risk level. • Independent validation may depend on organization size Large organizations often have a separate, independent model validation function. Smaller organizations address this with internal peer reviews or the four-eyes principle. Validation is usually performed by employees who are not directly involved in the development of the model, but sometimes also by external parties.

Analysis Organizations must have a model validation process to provide independent and effective challenge to model development and model use. Model validation can be considered one of the most important components of risk management throughout the entire model lifecycle and an important part of the MRM practice of asset managers. Model validation activities must be performed independently of model developers and users to provide robust and unbiased validation.

Good Practice – Validate models before implementation and ensure periodic re-validation • Formalize a model validation process. • Validation before the first implementation of the model is necessary. The nature and scope of re-validation can vary for models, depending on the risk classification or model tiering, as determined in the model inventory. • Validation is performed by a person independent of model development or model use.

Good Practice 6 - Implement a lifecycle process for models

The purpose of a lifecycle process for models is to provide a structured framework for managing models in all stages of their lifespan – from initiation to termination. A model lifecycle process contributes to models being developed, validated, implemented, and monitored in a way that supports operational effectiveness, regulatory compliance, and sound risk management. Each phase of the lifecycle involves various roles, responsibilities, and governance standards.

Observations Based on the under...