OCC Bulletin 2011-12 / Federal Reserve SR 11-7 — Model Risk Management
OCC 2011-12 (and the joint Federal Reserve SR 11-7) is the baseline U.S. supervisory guidance on model risk management for banks. It mandates controls over model development, implementation, use, validation, ongoing monitoring, third-party risk, and incident handling. Ledgix evidences each control via the policy lifecycle, per-decision ledger, signed incidents, model cards, and dataset sheets.
Status: Full. Every control resolves to an artifact Ledgix produces today, now that the Phase 2 module (incidents, model cards, dataset sheets) has shipped.
Scope
SR 11-7 applies to Federal Reserve-supervised banks and the OCC equivalent applies to national banks and federal savings associations. The guidance is widely referenced by other regulators and regularly applied beyond the strict letter of its scope (credit unions, brokerage, insurance). Coverage spans governance (Section III.A), development documentation, ongoing monitoring of outcomes, independent validation, third-party model risk, and incident/remediation handling.
Controls covered
| Control ID | Evidence types | Control | Description |
|---|---|---|---|
| SR11-7-MODEL-GOV-01 | policy_snapshots / events_jsonl | Model Governance — Policies and Controls | Versioned policies document the governance regime; each action bound to the approved policy version. |
| SR11-7-MODEL-DEV-02 | policy_snapshots / model_cards / dataset_sheets | Model Development — Documentation | Policy documents plus signed model cards and dataset sheets. |
| SR11-7-ONGOING-MON-03 | events_jsonl / checkpoint_chain | Ongoing Monitoring — Outcomes Analysis | Time-series decision outcomes supporting performance monitoring and drift detection. |
| SR11-7-VALIDATION-04 | events_jsonl | Validation — Evaluation of Conceptual Soundness | Confidence scores, reasons, and citations support conceptual-soundness validation; attestation packets complete the Phase 8 coverage. |
| SR11-7-THIRD-PARTY-05 | events_jsonl | Third-Party Model Risk | Third-party-invoked tools enumerated through the tool inventory. |
| SR11-7-INCIDENT-06 | incidents / events_jsonl | Model Risk Incidents | Signed incident records capture detection, severity, root cause, and corrective action. |
Evidence types referenced
- policy_snapshots — versioned governance and development documentation.
- events_jsonl — per-decision outcomes, confidence, reasoning, and citations.
- model_cards — signed model cards per production model.
- dataset_sheets — data sources, collection methodology, preprocessing, known limitations.
- checkpoint_chain — continuous monitoring record supporting tamper-evident outcomes analysis.
- incidents — signed incident records for model-risk failures.
Known gaps (if any)
None — every control resolves to an artifact Ledgix produces today. SR11-7-VALIDATION-04's independent validation finding is typically authored outside Ledgix and attached to a Phase 8 attestation packet for tenants that require one.
Audit pack workflow
Export an evidence ZIP for this framework from the admin console's Evidence Exports panel by selecting OCC Bulletin 2011-12 / Federal Reserve SR 11-7 and a time window. Each control's evidence_locators[] in the included framework_mapping.json points to the corresponding file in the ZIP.
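Before handing a pack to an examiner, it is worth confirming that every control's locators actually resolve inside the ZIP. The following check is an added example, not Ledgix code. The `controls` and `control_id` keys, the treatment of each `evidence_locators[]` entry as a ZIP-relative path, and the sample pack contents are assumptions made for illustration.

```python
import io
import json
import posixpath
import zipfile

MAPPING_NAME = "framework_mapping.json"  # file name given on the page


def _resolves(locator, members):
    # Reject absolute paths and parent-directory escapes before lookup.
    norm = posixpath.normpath(locator)
    if norm.startswith("/") or norm == ".." or norm.startswith("../"):
        return False
    return norm in members


def unresolved_locators(zip_bytes):
    """Return {control_id: [locators that do not resolve to a file in the ZIP]}."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        members = {n for n in zf.namelist() if not n.endswith("/")}
        mapping = json.loads(zf.read(MAPPING_NAME))
    problems = {}
    # Assumed schema: {"controls": [{"control_id": ..., "evidence_locators": [...]}]}
    for control in mapping.get("controls", []):
        locators = control.get("evidence_locators") or []
        bad = [loc for loc in locators if not _resolves(loc, members)]
        if not locators:
            bad = ["<no locators>"]  # a control with no evidence is also a gap
        if bad:
            problems[control["control_id"]] = bad
    return problems


def build_sample_pack():
    """Constructed sample pack for the demo, not real Ledgix output."""
    mapping = {"controls": [
        {"control_id": "SR11-7-MODEL-GOV-01",
         "evidence_locators": ["policy_snapshots/v3.json", "events/events.jsonl"]},
        {"control_id": "SR11-7-INCIDENT-06",
         "evidence_locators": ["incidents/inc-001.json", "../outside.json"]},
        {"control_id": "SR11-7-THIRD-PARTY-05", "evidence_locators": []},
    ]}
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(MAPPING_NAME, json.dumps(mapping))
        zf.writestr("policy_snapshots/v3.json", "{}")
        zf.writestr("events/events.jsonl", "")
    return buf.getvalue()


if __name__ == "__main__":
    for cid, bad in unresolved_locators(build_sample_pack()).items():
        print(cid, "->", bad)
```

An empty result means every listed control has at least one locator and all locators point at files present in the archive.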
References
- Framework mapping JSON: vault/internal/compliance/frameworks/occ_sr_11_7.json
- Canonical source: OCC Bulletin 2011-12 — occ.treas.gov and Federal Reserve SR 11-7 — federalreserve.gov