OSFI Guideline E-23: What Canada's New Model Risk Management Rules Mean for Financial Institutions

June 18, 2026

Key takeaways

  • OSFI published Guideline E-23 (Model Risk Management) on 11 September 2025. It becomes effective on 1 May 2027, giving federally regulated financial institutions a defined runway to prepare.
  • E-23 is principles-based, but operationally prescriptive. It sets out 12 principles across three pillars, with concrete activities and a minimum model inventory standard (Appendix 1).
  • The driver is the rapid growth in both the use and complexity of models, and in particular the rise of dynamic, self-learning and autonomous AI-based models, which raises the stakes for effective model risk management (MRM).
  • The three pillars: model risk understood and managed enterprise-wide; a risk-based approach built on model inventory, risk tiering and assurance; and governance across the full model lifecycle, from development to decommissioning.
  • MRM is no longer a point-in-time exercise, nor the job of a single team. Responsibilities sit with model owners, reviewers, approvers, monitors, implementers and more.
  • A recurring theme runs through all three pillars: the need to track, evidence and report on model risk at enterprise scale points firmly towards a system-based approach to MRM.


In this article

  • What is OSFI Guideline E-23?
  • Why did OSFI introduce E-23 now?
  • What does E-23 mean by effective model risk management?
  • Pillar 1: How should model risk be understood and managed across the enterprise?
  • Pillar 2: What does a risk-based approach to model risk involve?
  • Pillar 3: How should governance cover the entire model lifecycle?
  • What does E-23 mean for model risk management teams?

What is OSFI Guideline E-23?

On 11 September 2025, the Office of the Superintendent of Financial Institutions (OSFI), the independent prudential regulator and supervisor overseeing Canada's financial system, published Guideline E-23: Model Risk Management, a principles-based Guideline setting out OSFI's expectations for model risk management at federally regulated financial institutions.

The Guideline is the culmination of a public consultation that began with the publication of a draft revised Guideline E-23 in November 2023 (itself an update of the 2017 version of the same Guideline) and closed in March 2024. The new Guideline takes effect on 1 May 2027.

This article covers the key aspects of the new Guideline E-23 and delves into some of the implications stemming from these revised prudential expectations.

Why did OSFI introduce E-23 now?

The motivation behind the Guideline is that financial institutions' reliance on models for decision making, and the complexity of those models, are both increasing rapidly. Combined with the influx of dynamic, self-learning and autonomous AI-based models, the need for effective model risk management (MRM) has never been greater.

What does E-23 mean by effective model risk management?

The ultimate objective of E-23 is "effective model risk management", which it defines as financial institutions achieving three core outcomes. These outcomes, quoted verbatim below, can be thought of as the three pillars on which the entire E-23 framework stands:

  • Pillar 1: "Model risk is well understood and managed across the enterprise."
  • Pillar 2: "Model risk is managed using a risk-based approach."
  • Pillar 3: "Model governance covers the entire model lifecycle."

E-23 supports each of these pillars with detailed underlying principles (12 in all), which is why the Guideline describes itself as a principles-based approach. It is worth highlighting, however, that these principles can be quite operationally oriented, containing prescriptive activities that ought to be performed to achieve the outcome in question. The following sections look at each pillar, its underlying principles and the corresponding activities.

Pillar 1: How should model risk be understood and managed across the enterprise?

Pillar 1: "Model risk is well understood and managed across the enterprise."

This pillar rests on three principles; the principles and their accompanying activities are summarised and discussed below.

The principles relate to setting up the proper reporting structure and resourcing it, aligning the MRM framework with the organisation's objectives and risk appetite, and using models deliberately, where their use genuinely adds to the decision-making process.

These are senior-management-driven activities that go to the core of establishing a proper MRM team and function in an organisation and then aligning its mandate with the organisation's overall risk-taking posture. The call to resource the MRM function with multidisciplinary skills, particularly legal and ethics professionals, acknowledges the growing legal and ethical issues that can arise from the use of AI-based models, which can be black boxes.

The other aspect worth highlighting is the requirement that model risk be well understood and managed across the enterprise. Organisations are increasingly quantifying model risk through combinations of measures (model tiering, model risk ratings, remediation of findings and so on) to communicate the quantum of model risk and track it over time. Achieving such quantification at enterprise level necessitates a system-based solution that ensures consistent capture of data and its availability for reporting and evidencing when needed. This theme recurs in the remaining pillars and their accompanying principles.

Pillar 2: What does a risk-based approach to model risk involve?

Pillar 2: "Model risk is managed using a risk-based approach."

This pillar rests on three principles; the principles and their accompanying activities are summarised and discussed below.

The idea of a risk-based approach, and what it means for assurance activities, is well established in financial institutions with mature MRM functions. E-23 formalises it as a stepwise process: the institution must maintain a formal and comprehensive model inventory, each model must be assessed and assigned an inherent model risk rating, and that rating must then drive the assurance activities. E-23 details each of these requirements:

  • the setting up of model inventory and what needs to be captured,
  • the assessment of model risk tier and the dimensions that feed into it, and
  • the establishment of a risk-based approach to independent assessment of models that varies depth and frequency based on risk

This is an example of where the Guideline is more prescriptive than the term "principles-based" might imply. It specifies the model attributes that must be captured as a minimum in the model inventory (Appendix 1 of E-23), and it sets out which aspects of a model's review should be driven by its inherent risk (frequency, intensity and so on). This level of detail gives financial institutions a concrete template for operationalising these principles and their underlying activities, and for what OSFI will assess when regulatory reviews occur.

A consistent thread across these activities is the need for initial and continuous data capture, which in turn drives important governance activities such as model approval, model review, the depth and frequency of that review, and model ownership. This further highlights the need for a system-based approach to model risk management, because underlying all these activities is the prudential requirement to be able to track, evidence and report on them. The next pillar, on the model lifecycle, makes this point more clearly still.

Pillar 3: How should governance cover the entire model lifecycle?

Pillar 3: "Model governance covers the entire model lifecycle."

This pillar rests on six principles; the principles and their accompanying activities are summarised and discussed below.

The idea of model risk management as a static, point-in-time activity has been outdated for some time in organisations with mature MRM functions. With the influx of dynamic, self-learning and continuously updating AI-based models and algorithms, however, managing model risk continuously over the model lifecycle has become inescapable.

E-23 formalises MRM requirements across the model lifecycle by first requiring the MRM framework to be flexible and explicit in addressing risks throughout that lifecycle. With this framework as a prerequisite, the Guideline then sets out the standard model lifecycle stages and the governance and risk management activities that ought to be performed at each stage.

The Guideline goes into some detail on the expected activities during the model lifecycle, covering:

  • model design and development: the rationale for the model, the choice of methodology, and standards for model development and documentation
  • model data: a particular focus on model data and the need to link with enterprise-level data governance frameworks, on top of what is needed for model development
  • model (independent) review: independence requirements, the circumstances in which an independent review is warranted, and the nature of the activities to be performed in such reviews
  • model approval: what model approval means and when approvals ought to occur
  • model implementation: requirements around the implementation environment, testing and change control
  • model monitoring: the need for defined monitoring standards, including thresholds, documentation and escalation mechanisms
  • model decommissioning: the rationale and a formal approach for decommissioning a model, and the governance steps that ought to accompany it

The detail E-23 provides on model risk management and governance activities at each lifecycle stage reinforces the need for MRM to be a continuous exercise throughout the life of a model. The activities do not all sit with the model risk team; they are distributed across model owners, model approvers, independent reviewers, model monitors, model implementers and others. These roles tie in with the taxonomy given at the start of the Guideline and highlight the enterprise-wide nature of the MRM activities expected.

From a system perspective, what Pillar 3 highlights more than anything else is that workflows covering the lifecycle stages of a model are essential to managing the risk of those models effectively. From the moment a model is in the ideation phase and instantiated in the model inventory, through independent assessment, approval, implementation, monitoring and subsequent periodic independent review (and re-approval), data points need to be captured that drive governance steps and reporting and determine the flow of subsequent activities. All of this information needs to be captured, reported on and available for internal management, audit and regulatory scrutiny.
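The following sketch is an added illustration of what such a lifecycle workflow has to enforce at a minimum: a single inventory record per model, stage transitions that cannot skip independent review or approval, a segregation-of-duties check so that an owner cannot approve their own model, an append-only evidence trail for every action, and a review interval driven by the model's inherent risk tier. It is example code, not code from OSFI, E-23 or Yields. The stage names, the tier scale (1 = highest inherent risk), the review intervals and the sample model are all assumptions for the example, not figures taken from the Guideline or its Appendix 1.

```python
"""Lifecycle-gated model inventory (illustrative; not OSFI, E-23 or Yields code).

Assumed for this example: stage names, the permitted transitions, the tier
scale (1 = highest inherent risk) and the review intervals per tier.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from enum import Enum
from typing import Optional


class Stage(Enum):
    IDEATION = "ideation"
    DEVELOPMENT = "development"
    INDEPENDENT_REVIEW = "independent_review"
    APPROVED = "approved"
    IMPLEMENTED = "implemented"
    MONITORING = "monitoring"
    DECOMMISSIONED = "decommissioned"


# Permitted transitions (assumed). Review and approval cannot be skipped, and a
# model in monitoring only ever returns to use via another independent review.
TRANSITIONS = {
    Stage.IDEATION: {Stage.DEVELOPMENT, Stage.DECOMMISSIONED},
    Stage.DEVELOPMENT: {Stage.INDEPENDENT_REVIEW, Stage.DECOMMISSIONED},
    Stage.INDEPENDENT_REVIEW: {Stage.APPROVED, Stage.DEVELOPMENT, Stage.DECOMMISSIONED},
    Stage.APPROVED: {Stage.IMPLEMENTED, Stage.DECOMMISSIONED},
    Stage.IMPLEMENTED: {Stage.MONITORING, Stage.DECOMMISSIONED},
    Stage.MONITORING: {Stage.INDEPENDENT_REVIEW, Stage.DECOMMISSIONED},
    Stage.DECOMMISSIONED: set(),
}

# Assumed tier -> maximum interval between independent reviews (not E-23 figures).
REVIEW_INTERVAL = {1: timedelta(days=365), 2: timedelta(days=730), 3: timedelta(days=1095)}


@dataclass(frozen=True)
class Event:
    """One append-only audit entry: who did what, in which role, when, citing what evidence."""
    when: date
    actor: str
    role: str
    action: str
    evidence: str


@dataclass
class ModelRecord:
    model_id: str
    name: str
    owner: str
    tier: int
    stage: Stage = Stage.IDEATION
    last_review: Optional[date] = None
    history: list = field(default_factory=list)


class ModelInventory:
    def __init__(self) -> None:
        self._models: dict = {}

    def register(self, rec: ModelRecord, when: date) -> None:
        if rec.model_id in self._models:
            raise ValueError(f"duplicate model id {rec.model_id}")
        if rec.tier not in REVIEW_INTERVAL:
            raise ValueError(f"unknown tier {rec.tier}")
        self._models[rec.model_id] = rec
        rec.history.append(Event(when, rec.owner, "owner", "registered", "inventory entry created"))

    def get(self, model_id: str) -> ModelRecord:
        return self._models[model_id]

    def transition(self, model_id: str, new_stage: Stage, actor: str, role: str,
                   when: date, evidence: str) -> ModelRecord:
        rec = self._models[model_id]
        if new_stage not in TRANSITIONS[rec.stage]:
            raise ValueError(f"{model_id}: {rec.stage.value} -> {new_stage.value} not permitted")
        # Independence: the model owner may not sign off approval of their own model.
        if rec.stage is Stage.INDEPENDENT_REVIEW and new_stage is Stage.APPROVED and actor == rec.owner:
            raise PermissionError(f"{model_id}: owner {actor} cannot approve their own model")
        if new_stage is Stage.APPROVED:
            rec.last_review = when  # approval closes the independent review
        rec.stage = new_stage
        rec.history.append(Event(when, actor, role, f"stage:{new_stage.value}", evidence))
        return rec

    def overdue_reviews(self, as_of: date) -> list:
        """Models in use whose tier-driven review interval has lapsed."""
        return sorted(
            m.model_id for m in self._models.values()
            if m.stage is Stage.MONITORING and m.last_review is not None
            and as_of - m.last_review > REVIEW_INTERVAL[m.tier]
        )


def demo() -> ModelInventory:
    """Walk one constructed sample model through the lifecycle (sample data, not real)."""
    inv = ModelInventory()
    inv.register(ModelRecord("M-001", "Retail PD scorecard", owner="alice", tier=1), date(2025, 1, 6))
    inv.transition("M-001", Stage.DEVELOPMENT, "alice", "owner", date(2025, 1, 7), "design note v1")
    inv.transition("M-001", Stage.INDEPENDENT_REVIEW, "alice", "owner", date(2025, 3, 3), "dev doc v1.2")
    inv.transition("M-001", Stage.APPROVED, "bob", "reviewer", date(2025, 4, 1), "review report R-17")
    inv.transition("M-001", Stage.IMPLEMENTED, "carol", "implementer", date(2025, 5, 1), "UAT sign-off")
    inv.transition("M-001", Stage.MONITORING, "dave", "monitor", date(2025, 5, 2), "monitoring plan P-3")
    return inv


if __name__ == "__main__":
    inventory = demo()
    print(inventory.get("M-001").stage, inventory.overdue_reviews(date(2026, 4, 2)))
```

In a real system the `history` list would be written to append-only storage and the transition checks would be enforced server-side rather than in the caller's process; the point of the sketch is that each governance step becomes a captured data point, and that the record of who performed it, in which role and on what evidence, is what the institution will be asked to produce.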

What does E-23 mean for model risk management teams?

The focus on model risk management has shifted significantly across the globe, and most jurisdictions are converging on a much higher level of rigour. Model risk management teams are therefore under pressure and, more than ever, need the right tools and systems to execute this broadening mandate. At the same time, model risk management is no longer just the responsibility of the model risk team; an enterprise-wide view of model risk, with many activities sitting with different stakeholders, further necessitates an enterprise-wide system solution.

FAQ — OSFI Guideline E-23

Frequently asked questions about OSFI Guideline E-23

What is OSFI Guideline E-23?
Guideline E-23 is the Office of the Superintendent of Financial Institutions' guideline on enterprise-wide Model Risk Management for federally regulated financial institutions in Canada. The revised version, published in September 2025 and effective from 1 May 2027, sets out OSFI's expectations for governing, validating and monitoring models across their full lifecycle, using a principles-based, risk-based approach.
When does E-23 take effect?
The revised E-23 takes effect on 1 May 2027, following a transition period of just under 20 months from its publication on 11 September 2025. OSFI expects institutions to show demonstrable progress during that window, starting with gap assessments, a roadmap, and prioritisation of high-risk models.
Who does E-23 apply to?
E-23 applies to all federally regulated financial institutions, including banks, foreign bank branches, life insurers, property and casualty companies, and trust and loan companies. It does not apply to federally regulated pension plans. It covers all models that carry risk, whether built in-house or sourced from a third party.
Does E-23 cover AI and machine-learning models?
Yes. AI and machine-learning models are explicitly in scope. This is a key difference from the US SR 26-2, which excludes generative and agentic AI and routes them to separate AI governance frameworks.
How is E-23 different from SR 26-2?
Both are principles-based and risk-proportionate, and both move away from rigid annual validation. The main differences are scope: E-23 pulls AI and ML firmly into model risk and applies to insurers as well as banks, while SR 26-2 narrows the definition of a model, concentrates its heaviest expectations on institutions above a USD 30 billion asset threshold, and excludes generative AI.
What technology do institutions need to comply with E-23?
Because E-23 is principles-based, hard-coded systems are a liability. Institutions need a configurable platform with a complete model inventory, lifecycle management, controls that link to inherent and residual risk, ongoing monitoring, and a traceable audit trail, so they can operationalise their own policies and stay regulator-ready.
How should banks operating across the US and Canada prepare?
The practical answer is one platform with jurisdiction-aware governance, rather than two disconnected regimes. A single model inventory, tagged by jurisdiction, lets the same model follow E-23 rules in Canada and SR 26-2 rules in the US, with one source of truth that produces regulator-ready evidence for both OSFI and the US agencies.

About the author

Atif Khan
APAC Lead, Yields | Senior Advisor, Global Credit Data

Atif is a credit risk specialist and model risk leader with over two decades of experience across quantitative modelling, regulation and transformation within banking. A former senior leader at Westpac Banking Corporation, Atif has led major regulatory transformation programs, delivered end-to-end Basel III credit capital implementation, and worked extensively with the Australian Prudential Regulation Authority (APRA) on model governance and capital frameworks. Atif holds a portfolio of advisory and consulting positions that share analytics and governance as a common theme. He is the APAC Lead for Yields and Senior Advisor at Global Credit Data.

Yields Model Risk Management (MRM) Suite

Staying compliant with evolving regulations, especially across different countries, is challenging. The Yields MRM Suite provides advanced tools specifically designed to help with Model Risk Management regulations, ensuring you meet these specific requirements effectively.
