Deloitte Model Risk Management Survey in Southeast Asia

Many institutions still lack a dedicated Model Risk Management function. Responsibilities often rest with model developers or users - blurring accountability and compromising independent oversight. This raises red flags around ownership clarity, governance effectiveness, and potential conflicts of interest.

While some banks have developed MRM policies, the policies are either outdated or fragmented with limited communication made on the usage. As the use of models—especially AI/ML - expands beyond traditional areas, policies must evolve to ensure comprehensive coverage and stronger safeguards.

Formal model inventories are either missing or incomplete across several organizations. Common issues include:

• Missing or incomplete records of models
• Unclear model ownership
• Inadequate lifecycle tracking

These gaps limit transparency and hinder oversight on critical models and high risk models that are not captured in the inventory.

Most AI/ML models remain undocumented in formal inventories, with few institutions having established risk management and fairness controls or ethical guidelines. As AI adoption grows, the absence of clear governance leaves institutions vulnerable to unchecked risk and regulatory scrutiny.

Validation mainly focus on outside models used for regulatory purpose and validation is done on ad hoc basis for other models. Ongoing monitoring, particularly for AI/ML models, is either underdeveloped or absent - putting institutions at risk of undetected model drift, bias, and performance decay.

The survey highlights a broader cultural challenge: model risk is still seen by many as a compliance obligation rather than a strategic enterprise risk. Without embedding MRM into the risk culture, institutions may fall behind in anticipating and managing model-driven vulnerabilities.