Learnings from MRM implementation at a major Australian bank

Watch the full keynote video at the bottom of this article.

At the Yields Innovate 2026 event in Brussels, attendees gained an inside look at a massive, two-year Model Risk Management (MRM) transformation at a major Australian bank. The candid presentation was delivered by Atif Khan, Partner at Open Analytics in Australia and Senior Advisor at Global Credit Data. Having made a 30-hour trek from Australia to Europe, Atif shared his transition from being a fierce critic of his bank's MRM team to leading its complete strategic overhaul.

The Catalyst: A "Now or Never" Moment

The financial institution Atif referenced is a massive entity with a balance sheet of approximately 1 trillion Australian dollars. The bank utilizes over 1,000 models across credit risk, market risk, AML, fraud, marketing, and HR. The dynamic shifted when the Australian prudential regulator (APRA) audited the bank and concluded that its MRM framework required an "uplift" to provide appropriate levels of assurance over regulatory models. Leadership viewed this not just as a minimal compliance fix, but as a strategic "now or never" opportunity to pursue industry best-practice change and avoid falling behind global peers.

Redesigning the Framework

Because Australia lacks an explicit regulatory rulebook for model risk, the transformation team reviewed global baselines, including SR 11-7 from the US Federal Reserve, SS1/23 from the UK's PRA, E-23 from Canada's OSFI, and emerging standards from the ECB.

They rebuilt the framework upon six foundational pillars:

• Model Definition: The team expanded and precisely articulated the definition, prompting a bank-wide reassessment of all tools.
• Model Tiering: A structure was established to assign models to tiers based on materiality, complexity, and use.
• Risk-Based Approach: Validation rigour and frequency were calibrated according to the model's tier, focusing resources on the greatest risks.
• Independent Validation: Requirements were aligned to the model tier to ensure assurance was proportionate to risk.
• Model Ratings and Deficiencies: Ratings were redefined, separating them from model approval, and the deficiency framework was overhauled.
• Model Approval: Guidelines were clarified on what approval means, its validity, and who has the authority to approve.

Embedding Governance and Risk Appetite

To ensure the new framework succeeded, model risk had to be embedded at every level of the organization:

• The Board: New risk appetite measures were reported directly to the Board in a comprehensible format.
• Group Model Risk Committee (MRC): This committee handled central oversight and formal escalation paths.
• Business Risk Committees: Specific model risk requirements and metrics were explicitly embedded into business committee agendas.
• Model Owners/Users: Ground-level users were made accountable for model health, ongoing monitoring, and deficiency remediation.

The Technology Transformation

The existing internal tools were inadequate for the complexity and scale of the new framework. The bank required a single, auditable model inventory alongside a platform to support independent validation activities at scale. After a rigorous global search, they partnered with Yields to deploy two distinct products:

• Governance Platform: An enterprise registry with full lifecycle management workflows for model identification, onboarding, review, and retirement.
• Analytical Platform: An environment to support ongoing model performance monitoring and evidence-based independent assessments.

Six Lessons from the Trenches

Atif shared six critical lessons from the two-year journey, emphasizing that culture, not math, was the hardest problem:

1. Educate First, Govern Second: Board and senior management education is a prerequisite; you cannot build a risk appetite before a foundational understanding exists.
2. Frame It as Opportunity: Bankers initially viewed the changes as a compliance burden. The MRM team had to reframe independent validation as a way to de-risk the business and provide assurance, rather than just satisfying regulators.
3. Model Definition Has Consequences: Redefining "model" triggered a massive bank-wide identification exercise. For instance, it surfaced unquantified risks like an unvalidated HR tool predicting fresh graduate retention.
4. Culture Is the Hardest Problem: Resistance to ongoing controls was high, and the validation team was often seen as a blocker. Solving this required continuous conversation and education on the business benefits.
5. Governance Changes Need Evangelism: Asking business committees to add model risk to their standing agendas required sustained engagement, not merely a policy mandate.
6. Risk-Based Approach Is Not Enough for AI Scale: The volume of AI models is accelerating, causing model counts to grow in months rather than years. Because validation teams cannot scale linearly with this influx, the industry must rethink validation at scale through automation and new methodologies.

Conclusion

Ultimately, Atif Khan’s presentation highlighted that implementing a robust Model Risk Management framework is far more than a mathematical, technological, or regulatory exercise, it is a massive cultural transformation. By shifting the perception of MRM from a mere compliance burden to a strategic, value-adding asset, the bank not only satisfied its regulators but fundamentally de-risked its entire operation. As the financial sector braces for the exponential growth of artificial intelligence, this multi-year journey serves as a powerful blueprint: build a strong foundation on education, enforce it with adaptable technology, and ensure that your governance structures are ready to scale into the future.

You can watch the full keynote here: