In September 2017, the Office of the Superintendent of Financial Institutions (OSFI) Guideline E-23 Enterprise-Wide Model Risk Management for Deposit-Taking Institutions came into effect. This guideline, which falls under the category of “Sound Business and Financial Practices”, sets out OSFI’s expectations regarding sound policies and practices related to enterprise-wide model risk management.
Fast forward to 2025 – the models used in financial services organizations continue to increase in complexity, relying on larger and more varied data sets as well as advanced analytics such as machine learning and artificial intelligence. Models are increasingly embedded into operations. As decision-makers place more reliance, directly or indirectly, on the outputs of models, there is a corresponding increase in model risk. In recognition of this, OSFI announced in May 2022 that it was seeking to revise Guideline E-23 to:
- Extend the guideline to other federally regulated financial institutions (FRFIs), including insurers
- Address emerging model risks
- Provide clarification on how the guideline should be applied
Based on feedback received during the May 2022 consultation period, an updated draft guideline was issued in November 2023. Final guidance was published in September 2025 with an effective date of May 1, 2027.
Although insurers, reinsurers, and fraternals have not been subject to Guideline E-23 so far, use of models has long been embedded in the insurance industry. After all, the business of insurance requires quantifying the impact of uncertain future events, usually relying on the specialized modeling skills and professional judgement of actuaries. Consequently, all FRFIs conducting insurance business should already have a model risk management (MRM) framework in place. However, this does not mean that these institutions should be complacent about the implications of being included in the scope of Guideline E-23. Here are some things to consider:
What is a “model”?
As mentioned above, there has been a long history of using models in insurance. It is easy to identify “big” models, such as those that are used for actuarial purposes, including pricing, financial reporting, risk and capital management. However, the definition of a model as set out in Section A.4 of the May 2027 version includes any tool that applies theoretical, empirical or statistical techniques and assumptions in processing data to generate results. Therefore, the entity would need to consider whether the current MRM framework has captured all tools which would potentially meet the OSFI definition. AI adoption has significant implications for the number of models, as each of the separate use cases for an underlying AI model needs to be captured and evaluated separately.
Once the universe of models in the organization has been identified, any model with a non-negligible impact on the risk profile of the entity should be within the scope of the MRM framework. This can include, for example, a spreadsheet tool that is used to estimate so-called “out of model” adjustments to the output of the “big” actuarial models.
What about models that are used to support operations, such as a model used in making underwriting decisions; or to inform strategic direction, such as a spreadsheet that forecasts sales and revenue? A sound assessment of models in scope should at a minimum:
a) Trace both upstream and downstream model dependencies for external and internal reporting
b) Examine key processes and the tools that support them
c) Assess how the models identified in a) and b) affect the organization’s risk profile
It is expected that the volume of models that will need to be tracked will significantly increase, and insurers should consider the challenges of maintaining an up-to-date and comprehensive inventory across all the different model types and use cases.
How does the MRM framework compare with OSFI’s preferred practices?
Sections A.4 and A.5 of the May 2027 version of Guideline E-23 define certain roles within an MRM framework as well as OSFI’s expected outcomes of effective MRM. Section B provides principles underlying an effective MRM framework. These include:
- A risk-based approach that takes into consideration the model risk appetite of the organization and the institution’s overall broader risk and governance framework
- Coverage of the entire model lifecycle as defined in Section A.4. This includes model development, model monitoring and change management, and model decommissioning
- A model inventory that is kept up to date and provides the information that is needed to support the operational activities of the MRM framework.
Tracking models at various stages in the model management cycle can be a challenge. The challenge grows as the number of models to be tracked increases and as the range of model users and model owners widens. Some insurers are already investing in technology solutions that can not only help with inventory management but also help to manage the workflow associated with the risk management activities.
Model change management places a lot of emphasis on vetting and validation activities – these can be very time and resource intensive, and extending the models that are now in scope can lead to capacity issues for organizations.
Insurers should review their MRM framework against the expectations set out by OSFI in the May 2027 Guideline in their assessment of compliance readiness. For example, it is not uncommon to see the role “model steward” which, at different entities, may be mapped to different E-23 role definitions, or even to a combination of roles. Another example is where the role of reviewer and approver may be combined under the current framework, whereas OSFI would prefer that they are separate. Governance structures may need to be updated or mechanisms put in place to ensure independence and conflicts of interest are managed.
The 2017 version of Guideline E-23 makes a distinction between expectations for deposit-taking institutions using approved internal models for regulatory capital purposes vs. institutions without an internal model approval, i.e. “standardized institutions”. There is an implicit assumption that this distinction will also capture “large and complex” vs. “smaller and simpler”. The May 2027 version of Guideline E-23 that will also apply to insurers and other FRFIs removes this categorization and states that regulatory expectations are proportional to the perceived risk, taking into account factors such as the organization’s “size, model risk profile, nature and complexity of operations and risk of disruption to financial markets as a whole”. Regardless, smaller insurers and fraternals could struggle with some operational aspects of their MRM framework and may need to consider outsourcing one or more of the components (for example, independent model validation for highly specialized models).
Emerging risks
The pace of change for tools and approaches used by insurers to manage their business has picked up considerably since Guideline E-23 was first issued. Recent developments, such as IFRS 17 adoption, have also contributed to an environment where models are becoming increasingly complex and specialized. One example is the deployment of new stochastic models to meet IFRS 17 requirements related to measuring financial options and guarantees embedded within insurance products. As it may take time to build capability in new modeling skill sets, this can lead, at least in the short term, to increased reliance on third parties. The incorporation of advanced analytics, machine learning, artificial intelligence, and other complex processing techniques leads to results that are harder to validate and explain. OSFI has taken a fresh look at how entities should assess and manage model risk while acknowledging the need for proportionality in how entities of varying sizes and complexities address similar risks.
How KPMG can help
The model risk management landscape continues to evolve and change for insurers. The May 2027 version of Guideline E-23, released in September 2025, will extend applicability to insurers and set out OSFI’s expectations of how model risk is managed within the organization.
KPMG’s advisory professionals can help insurance organizations assess their preparedness for compliance with the updated Guideline. Beyond compliance, we can advise on preferred practices that can drive better MRM outcomes, while managing the administrative burden. Our modeling and model risk professionals have the knowledge, skills and experience to help with components of the MRM framework using leading technologies. Organizations of all sizes should take this opportunity to revisit their MRM frameworks, processes, and model inventory so that they are well-positioned to address model risk as part of their overall risk management framework.