Guideline E-23 is here. Is your insurance firm ready for OSFI’s new model risk management expectations?

Recognizing the challenges that come with more sophisticated models and data, the Office of the Superintendent of Financial Institutions (OSFI) has refreshed Guideline E-23 – Model Risk Management to better support financial institutions.¹

The updated, principle-based guideline, effective May 1, 2027, expands its scope beyond federally regulated deposit-taking institutions to include all Federally Regulated Financial Institutions (FRFIs), including insurance companies. It now applies to all models, not just those requiring formal regulatory approval, and includes artificial intelligence (AI) and machine learning models.

Key enhancements of the revised guideline

• Broader applicability: All FRFIs, including insurers, are subject to this guideline.
• Comprehensive coverage: Applies to all models, including those used for underwriting, pricing, financial planning, marketing, claims analytics, asset-liability management, risk analytics, etc.
• AI model oversight: AI and machine learning models are now in scope, reflecting their unique risk profiles.

OSFI expects organizations to establish robust, enterprise-wide Model Risk Management (MRM) frameworks that address these expanded requirements and through the entire model lifecycle.  

Building a robust model risk management framework

A strong MRM framework should offer an organization-wide perspective on model risk, supported by clear policies, defined roles and responsibilities, and effective controls. Insurance companies should review and update their MRM policies to:

• Include models across all functions: make sure your model inventory reflects every area of your business, including underwriting, pricing, claims, capital modelling, and marketing, so that nothing is overlooked under the updated Guideline E-23.
• Address data accuracy and relevance: put strong checks in place so the data feeding your models is accurate and relevant, helping you meet OSFI’s standards and make confident decisions.
• Establish comprehensive risk classification schemes: work with your team to set up a clear risk classification system that accounts for each model’s complexity and its impact on your business.
• Consider AI and advanced modelling techniques: build in extra layers of governance and validation around AI and machine learning models. Take the time to recognize the unique challenges and opportunities they bring.
• Maintain consistent risk ratings across business units: ustandardized assessment criteria across your teams so model risk ratings stay consistent, no matter where they are applied in the organization. You can adopt enterprise-wide risk tiering frameworks to ensure all models are evaluated on the same criteria, implement uniform validation checklists, and adopt standardized model risk scoring matrices.

It is often challenging to maintain consistency across business units. Organizations that include all stakeholders in building the MRM framework maintain better uniformity while fostering a sense of ownership throughout the organization. Regular conversations and transparent metrics are essential for strong oversight.

Model lifecycle, governance, and inventory

Organizations are expected to define governance and accountability throughout the model lifecycle, including for outsourced activities. It is vital for model reviewers to possess appropriate expertise, especially for AI and third-party models.

Maintaining a comprehensive model inventory is another expectation for Guideline E-23. This inventory should:

• Serve as a centralized, accessible repository for models that could pose meaningful risk to your organization
• Include critical details (e.g., model ID, risk classification, validation status, performance metrics)
• Provide consistent updates to reflect changes
• Function as a workflow and reporting tool

When selecting inventory platforms, insurers should prioritize user-friendly and secure solutions that invite collaboration. Solutions should integrate with existing databases and support documentation.

Model review and compliance

Guideline E-23 encourages having an independent team review models, including those using third-party components or automated processes. It also suggests how often and how thoroughly you review each model should depend on its level of risk. With resources often stretched, starting early and considering outside expertise can make it easier to comply with these new expectations.

How Deloitte can help

Deloitte offers comprehensive services to support insurers in meeting the revised Guideline E-23, including:

• Development and review of MRM policies and governance frameworks
• Implementation and automation of model risk processes including model review, documentation, and governance
• Model inventory management and reporting solutions
• Outsourced model review services, including expertise in AI models
• Integration of MRM with broader Governance, Risk, and Compliance (GRC) frameworks

Our team combines deep industry knowledge with advanced expertise in regulatory insight, making us a trusted partner for Canadian insurers. While Guideline E-23 might appear complex, we can help make your compliance journey seamless. Let’s chat about how we can prepare your team together.