Contact Us Submit RFP

  • Search For

Contact Us Submit RFP
insight-ingle-left-2
insight-ingle-left-3
Go back to Articles

June 3, 2025

Strengthening Insurance Decision-Making with Robust Model Risk Management

Economic uncertainty, shifting loss patterns, and fast-moving advances in data science are changing how insurers make critical decisions. From pricing and reserving to reinsurance and capital planning, models have become indispensable tools for interpreting complexity and driving strategy. These tools condense oceans of information into a single number. Still, every number carries uncertainty. That inherent gap between a model’s prediction and real-world outcomes is known as model risk, and it’s now firmly on the radar of directors, audit committees, and regulators alike.

The American Academy of Actuaries defines model risk as “the loss—economic, reputational, or otherwise—arising from decisions based on flawed or misused models.”​ Four familiar culprits are typically behind this risk:

  1. Poor data quality
  2. Design flaws or questionable assumptions
  3. Coding errors
  4. Using a model outside its intended purpose. 

When left unaddressed, these weaknesses can lead to misstated reserves or capital levels, flawed performance projections, overlooked risks in claims or underwriting, and increased scrutiny during regulatory exams.

Given the increasing complexity and visibility of models, especially with the growing use of AI and machine learning in pricing, reserving, and risk evaluation, insurers need more than technical competence. They need a robust, well-governed Model Risk Management (MRM) framework that supports confident decisions, meets regulatory expectations, and aligns with organizational risk appetite. That’s where Johnson Lambert comes in. We work closely with insurers to assess, enhance, and implement model governance practices that not only reduce downside risk but also strengthen strategic decision-making across the organization. 

Governance Expectations Keep Rising, and So Do the Stakes 

What used to be viewed as good actuarial hygiene is now squarely a board-level concern. In December 2023, the NAIC adopted its Model Bulletin on the Use of Artificial Intelligence Systems by Insurers, which has since been implemented in 23 states. The bulletin requires insurers to establish a formal governance program for AI and predictive modeling, covering everything from data quality and third-party oversight to risk controls and model explainability​. It also makes clear that responsibility for AI-driven decisions, whether made internally or through a vendor, ultimately lies with the insurer.

The implications go well beyond regulatory compliance. Strong model governance increases transparency, enhances internal accountability, and builds trust among key stakeholders. For boards and senior leadership, it means better visibility into the tools driving business outcomes. For regulators, it’s evidence that models are being used responsibly. And for the organization as a whole, it lays the foundation for confident, informed action in a volatile environment.

AI Is Changing the Game Faster Than Many Governance Frameworks

Artificial intelligence is transforming actuarial modeling, offering new levels of accuracy, speed, and efficiency. Machine learning, in particular, uses historical data to identify patterns and predict outcomes across the insurance value chain. Common applications include:

  • Risk scoring: Automating risk assessments for new policies based on factors like location, industry, and historical data. Machine learning identifies complex, non-obvious data relationships. 
  • Fraud detection: Spotting anomalies and patterns that suggest potentially fraudulent claims.
  • Reserving: Improving reserve accuracy by forecasting future claim payouts with greater precision.
  • Underwriting support: Surfacing key risk factors and relevant historical data to assist underwriters.

Insurers are also using natural language processing to extract insights from unstructured data sources like contracts, PDFs, and even news or weather feeds. Meanwhile, generative AI—still in its early stages of adoption in actuarial modeling—offers emerging applications such as:

  • Synthetic data generation to supplement limited datasets and enable more robust scenario testing.
  • Regulatory report drafting by extracting and formatting relevant data based on specific guidelines.
  • Training content development through the creation of synthetic claims scenarios that avoid using sensitive real-world data. 
  • Contract analysis to flag obligations and risks within complex reinsurance agreements.
  • Model explainability and visualization by translating technical model logic into plain-language summaries or dynamic graphics.

These tools bring powerful advantages, but they also introduce new model risks, such as algorithmic drift, limited explainability, and potential bias among them. Regulatory expectations are still evolving and often outpace internal controls.

That’s why modern MRM programs must evolve to include AI-specific safeguards: explainability testing, fairness reviews, prompt security for generative models, and clear documentation of model development and validation processes. Insurers that invest in these controls today will be better positioned for not only regulatory compliance but also smarter, more responsible innovation.

Hallmarks of a High Performing MRM Program

A high-functioning MRM framework doesn’t just check the boxes. It enables better decisions, clearer accountability, and greater resilience. While each organization’s structure and tools may vary, several elements consistently stand out:

  1. Board-level ownership. Senior leadership is actively engaged in model governance. The board approves MRM policies, understands how models influence financial outcomes, and receives concise reports highlighting key risks, limitations, and trends.
  2. A current, centralized model inventory. All models (internal, vendor-developed, AI-driven, or legacy) are identified, documented, risk-rated, and assigned owners. Inventories are maintained in real time and integrated with control frameworks.
  3. Risk assessment and validation. Models are assessed for risk individually and in aggregate, based on complexity, input uncertainty, frequency of use, and materiality. Higher-risk models undergo deeper validation, addressing inputs, processing logic, and outputs on a more frequent schedule.
  4. Ongoing monitoring and change management. Performance and sensitivity are monitored regularly. Controls ensure that updates to assumptions, code, or data inputs trigger appropriate review and documentation before changes are implemented.
  5. Strong data governance. Model data is traceable, documented, and quality checked. This includes source validation, legal authorization, cleansing routines, and secure handling of sensitive or synthetic data particularly where generative AI is used.
  6. Integrated IT controls. Change management, access rights, availability, and patching controls apply to all model environments, from spreadsheets to cloud platforms and large language models.

Three Lines of Defense, Updated for the Age of AI

Clear roles and responsibilities are essential to making model governance work at scale. As AI becomes more embedded in modeling processes, insurers are adapting the traditional three lines of defense to address new risks and regulatory expectations:

Line of DefensePrimary FocusKey Responsibilities
Model Owners & UsersTechnical accuracy and model performanceDevelop and maintain models; monitor outputs; ensure models remain fit for purpose and fully documented in line with policy.
Risk & ComplianceGovernance and regulatory alignmentMaintain the MRM framework; define policies; conduct independent validation; ensure adherence to legal, regulatory, and ethical standards.
Internal AuditIndependent assuranceEvaluate the design and effectiveness of model governance practices; test key controls; report findings to the Audit Committee.

Clarifying these responsibilities not only strengthens accountability but also reduces redundancy and ensures emerging risks are escalated and addressed promptly.

Turning Compliance into Competitive Advantage

Leading insurers view Model Risk Management as a strategic tool. When boards and business leaders trust the models behind pricing, reserving, and capital planning, they can act with greater speed and clarity. When regulators see a well-documented, evidence-based framework, they respond with confidence.

Johnson Lambert helps insurers turn that vision into reality. Our team blends actuarial insight with audit rigor to strengthen MRM programs and address the growing demands of AI-enabled modeling. Engagements are tailored to your goals and may include:

  • Independent MRM assessments benchmarked to current regulatory expectations
  • AI readiness reviews covering policy, procurement, and vendor oversight
  • Targeted control testing across six high-impact areas:
    1. Governance: Oversight of AI-related model risks 
    2. Model lifecycle: Controls for data curation, training, and validation 
    3. Secure configuration: Protections against unauthorized access or data leakage 
    4. LLM integration: Safe and governed use of large language models
    5. Third-party dependencies: Vendor and supply chain risk management
    6. Monitoring & reporting: Early detection of bias, drift, or anomalous behavior

With this support, clients gain more than compliance. They build confidence in every model-backed decision. A well-governed model isn’t just safer; it’s the smartest foundation for your next strategic move.

Ready to strengthen your model risk management program?

Contact us to schedule a conversation with our team and explore how we can support your strategy with tailored insights and hands-on expertise.

Kim Mobley

Kim Mobley

Partner

View Bio
Matt Kranisky

Matt Kranisky

Managing Director - Internal Audit

View Bio
Jordan Fulbright

Jordan Fulbright

Senior Manager - Internal Audit

View Bio

Questions?

Reach out to schedule a conversation with our team and explore how we can support your strategy with tailored insights and hands-on expertise.

Contact Us

Related Resources

Strengthening Insurance Decision-Making with Robust Model Risk Management

Economic uncertainty, shifting loss patterns, and fast-moving advances in data science are changing how insurers make critical decisions. From pricing and reserving to reinsurance and capital planning, models have become indispensable tools for interpreting complexity and driving strategy. These tools condense oceans of information into a single number. Still, every number carries uncertainty. That inherent gap between a model’s prediction and real-world outcomes is known as model risk, and it’s now firmly on the radar of directors, audit committees, and regulators alike.

The American Academy of Actuaries defines model risk as “the loss—economic, reputational, or otherwise—arising from decisions based on flawed or misused models.”​ Four familiar culprits are typically behind this risk:

  1. Poor data quality
  2. Design flaws or questionable assumptions
  3. Coding errors
  4. Using a model outside its intended purpose. 

When left unaddressed, these weaknesses can lead to misstated reserves or capital levels, flawed performance projections, overlooked risks in claims or underwriting, and increased scrutiny during regulatory exams.

Given the increasing complexity and visibility of models, especially with the growing use of AI and machine learning in pricing, reserving, and risk evaluation, insurers need more than technical competence. They need a robust, well-governed Model Risk Management (MRM) framework that supports confident decisions, meets regulatory expectations, and aligns with organizational risk appetite. That’s where Johnson Lambert comes in. We work closely with insurers to assess, enhance, and implement model governance practices that not only reduce downside risk but also strengthen strategic decision-making across the organization. 

Governance Expectations Keep Rising, and So Do the Stakes 

What used to be viewed as good actuarial hygiene is now squarely a board-level concern. In December 2023, the NAIC adopted its Model Bulletin on the Use of Artificial Intelligence Systems by Insurers, which has since been implemented in 23 states. The bulletin requires insurers to establish a formal governance program for AI and predictive modeling, covering everything from data quality and third-party oversight to risk controls and model explainability​. It also makes clear that responsibility for AI-driven decisions, whether made internally or through a vendor, ultimately lies with the insurer.

The implications go well beyond regulatory compliance. Strong model governance increases transparency, enhances internal accountability, and builds trust among key stakeholders. For boards and senior leadership, it means better visibility into the tools driving business outcomes. For regulators, it’s evidence that models are being used responsibly. And for the organization as a whole, it lays the foundation for confident, informed action in a volatile environment.

AI Is Changing the Game Faster Than Many Governance Frameworks

Artificial intelligence is transforming actuarial modeling, offering new levels of accuracy, speed, and efficiency. Machine learning, in particular, uses historical data to identify patterns and predict outcomes across the insurance value chain. Common applications include:

  • Risk scoring: Automating risk assessments for new policies based on factors like location, industry, and historical data. Machine learning identifies complex, non-obvious data relationships. 
  • Fraud detection: Spotting anomalies and patterns that suggest potentially fraudulent claims.
  • Reserving: Improving reserve accuracy by forecasting future claim payouts with greater precision.
  • Underwriting support: Surfacing key risk factors and relevant historical data to assist underwriters.

Insurers are also using natural language processing to extract insights from unstructured data sources like contracts, PDFs, and even news or weather feeds. Meanwhile, generative AI—still in its early stages of adoption in actuarial modeling—offers emerging applications such as:

  • Synthetic data generation to supplement limited datasets and enable more robust scenario testing.
  • Regulatory report drafting by extracting and formatting relevant data based on specific guidelines.
  • Training content development through the creation of synthetic claims scenarios that avoid using sensitive real-world data. 
  • Contract analysis to flag obligations and risks within complex reinsurance agreements.
  • Model explainability and visualization by translating technical model logic into plain-language summaries or dynamic graphics.

These tools bring powerful advantages, but they also introduce new model risks, such as algorithmic drift, limited explainability, and potential bias among them. Regulatory expectations are still evolving and often outpace internal controls.

That’s why modern MRM programs must evolve to include AI-specific safeguards: explainability testing, fairness reviews, prompt security for generative models, and clear documentation of model development and validation processes. Insurers that invest in these controls today will be better positioned for not only regulatory compliance but also smarter, more responsible innovation.

Hallmarks of a High Performing MRM Program

A high-functioning MRM framework doesn’t just check the boxes. It enables better decisions, clearer accountability, and greater resilience. While each organization’s structure and tools may vary, several elements consistently stand out:

  1. Board-level ownership. Senior leadership is actively engaged in model governance. The board approves MRM policies, understands how models influence financial outcomes, and receives concise reports highlighting key risks, limitations, and trends.
  2. A current, centralized model inventory. All models (internal, vendor-developed, AI-driven, or legacy) are identified, documented, risk-rated, and assigned owners. Inventories are maintained in real time and integrated with control frameworks.
  3. Risk assessment and validation. Models are assessed for risk individually and in aggregate, based on complexity, input uncertainty, frequency of use, and materiality. Higher-risk models undergo deeper validation, addressing inputs, processing logic, and outputs on a more frequent schedule.
  4. Ongoing monitoring and change management. Performance and sensitivity are monitored regularly. Controls ensure that updates to assumptions, code, or data inputs trigger appropriate review and documentation before changes are implemented.
  5. Strong data governance. Model data is traceable, documented, and quality checked. This includes source validation, legal authorization, cleansing routines, and secure handling of sensitive or synthetic data particularly where generative AI is used.
  6. Integrated IT controls. Change management, access rights, availability, and patching controls apply to all model environments, from spreadsheets to cloud platforms and large language models.

Three Lines of Defense, Updated for the Age of AI

Clear roles and responsibilities are essential to making model governance work at scale. As AI becomes more embedded in modeling processes, insurers are adapting the traditional three lines of defense to address new risks and regulatory expectations:

Line of DefensePrimary FocusKey Responsibilities
Model Owners & UsersTechnical accuracy and model performanceDevelop and maintain models; monitor outputs; ensure models remain fit for purpose and fully documented in line with policy.
Risk & ComplianceGovernance and regulatory alignmentMaintain the MRM framework; define policies; conduct independent validation; ensure adherence to legal, regulatory, and ethical standards.
Internal AuditIndependent assuranceEvaluate the design and effectiveness of model governance practices; test key controls; report findings to the Audit Committee.

Clarifying these responsibilities not only strengthens accountability but also reduces redundancy and ensures emerging risks are escalated and addressed promptly.

Turning Compliance into Competitive Advantage

Leading insurers view Model Risk Management as a strategic tool. When boards and business leaders trust the models behind pricing, reserving, and capital planning, they can act with greater speed and clarity. When regulators see a well-documented, evidence-based framework, they respond with confidence.

Johnson Lambert helps insurers turn that vision into reality. Our team blends actuarial insight with audit rigor to strengthen MRM programs and address the growing demands of AI-enabled modeling. Engagements are tailored to your goals and may include:

  • Independent MRM assessments benchmarked to current regulatory expectations
  • AI readiness reviews covering policy, procurement, and vendor oversight
  • Targeted control testing across six high-impact areas:
    1. Governance: Oversight of AI-related model risks 
    2. Model lifecycle: Controls for data curation, training, and validation 
    3. Secure configuration: Protections against unauthorized access or data leakage 
    4. LLM integration: Safe and governed use of large language models
    5. Third-party dependencies: Vendor and supply chain risk management
    6. Monitoring & reporting: Early detection of bias, drift, or anomalous behavior

With this support, clients gain more than compliance. They build confidence in every model-backed decision. A well-governed model isn’t just safer; it’s the smartest foundation for your next strategic move.

Ready to strengthen your model risk management program?

Contact us to schedule a conversation with our team and explore how we can support your strategy with tailored insights and hands-on expertise.

Kim Mobley

Kim Mobley

Partner

Matt Kranisky

Matt Kranisky

Managing Director - Internal Audit

Jordan Fulbright

Jordan Fulbright

Senior Manager - Internal Audit