Model Risk
Model risk is the risk of adverse consequences arising from errors, limitations, or inappropriate use of AI models.
What this means in practice
Model risk encompasses conceptual soundness risk (the model's design is inappropriate for its intended use), estimation risk (the model produces inaccurate predictions), and implementation risk (the model is correctly designed but incorrectly deployed). Model risk is the most AI-specific risk category and the one most likely to be underestimated by organizations accustomed to traditional software risk management. Unlike software bugs, model risks may not produce obvious errors: a biased credit scoring model might function perfectly from a technical perspective while systematically disadvantaging protected groups. Model Risk Management (MRM), originally codified in the Federal Reserve's SR 11-7 guidance for financial services, is increasingly adopted across industries as a governance discipline.
Why it matters
Model risk is the most AI-specific risk category and the one most likely to be underestimated. Unlike software bugs that produce obvious errors, a biased credit model might function perfectly from a technical perspective while systematically disadvantaging protected groups. Organizations accustomed to traditional software risk management must expand their frameworks to address conceptual soundness, estimation accuracy, and implementation correctness of AI models.
How COMPEL uses it
Model risk falls under Domain 17 (Risk Management) in the COMPEL assessment framework. During Calibrate, model risk management maturity is evaluated. The Model stage designs risk assessment and mitigation processes for each AI system. The Produce stage implements risk controls and monitoring. The Evaluate stage reviews model risk outcomes, comparing predicted risk levels against actual incidents to calibrate risk assessment accuracy for future cycles.