Model governance built for APRA CPG 234 and CPS 230.

We help Australian businesses build model governance frameworks that satisfy APRA and ASIC, with risk-tiered validation, drift monitoring, and three lines of defence designed for credit risk models, fraud detection algorithms, and insurance pricing models. Practical for data science teams, defensible for regulators.


Built for

Heads of data science / Model risk teams / Chief risk officers / APRA-regulated entities / Internal audit
Aligned to: APRA CPG 234 / APRA CPS 230 / APS 113 / SR 11-7 / ASIC REP 798 / Australian AI Guardrails

Why model governance breaks down in production.

Data science teams build credit scorecards, fraud detection systems, and pricing algorithms that make material decisions affecting customers, capital, and compliance. Without model governance, these systems create silent risks that only surface when something goes wrong.

  1. No model inventory.

    Most organisations cannot answer a basic question: how many models are in production? Without a comprehensive inventory, businesses have no visibility into which AI systems are making decisions, who built them, or when they were last validated.

  2. No independent validation.

    The same team that builds a model should not be the only team that validates it. APRA expects "effective challenge" by qualified validators separate from the development team, particularly for high-risk models used in credit, pricing, and fraud detection.

  3. Silent model drift.

    Models degrade over time as data distributions shift. Without drift monitoring, performance degradation goes undetected. Australian businesses discover their models are failing only after material losses, biased outcomes, or a regulatory review surfaces the problem.

  4. Notebook-to-production gap.

    Data science teams develop models in Jupyter notebooks optimised for experimentation. When these research artefacts move to production without proper engineering, version control, or reproducibility, results become impossible to reproduce and governance controls are bypassed entirely.

Model risk management services.

Six services covering every stage of the model lifecycle, from initial inventory and risk classification through independent validation, ongoing monitoring, and regulatory compliance.

Service A

Governance framework

Comprehensive model risk management framework aligned to APRA prudential expectations: policy and standards, lifecycle development standards, independent validation methodology, model risk committee charter, and model card documentation templates.

Service B

Model inventory & tiering

Discovery and cataloguing of every model across the organisation. Risk classification (Tier 1, 2, 3), documentation gap analysis, prioritised remediation roadmap, and shadow AI identification.

Service C

Independent validation

Conceptual soundness assessment, data quality verification, implementation verification, champion-challenger testing, bias and fairness assessment, and a comprehensive validation report for the governance committee.

Service D

Monitoring & drift detection

Input monitoring, performance monitoring, drift detection (PSI, CSI, distributional shift tests), three-tier alerting (informational, warning, critical), and fairness monitoring.

Service E

APRA compliance assessment

Gap analysis against APRA CPG 234 and CPS 230. Current-state assessment, remediation plan, operational risk alignment for AI systems, board and executive reporting templates, and three lines of defence model structure.

Service F

Financial services models

Specialist governance for credit risk models (PD, LGD, EAD scorecards), fraud detection and AML/CTF algorithms, insurance pricing and reserving models, investment and robo-advice models, and APS 113 capital adequacy model compliance.

Model lifecycle governance, end to end.

Effective governance covers every stage, not just deployment. We embed controls into how your data science teams already work, so governance becomes part of the workflow rather than an afterthought.

  1. Problem definition and scoping.

    Governance begins before a line of code is written. Clearly articulated business problem, defined success criteria, regulatory and ethical considerations identified, and stakeholder sign-off on objectives.

  2. Data preparation and quality.

    Data quality assessment, training/validation/test split methodology, feature engineering documentation, and bias analysis of training data. Critical for credit risk and insurance pricing models where historical data reflects past discrimination.

  3. Development and validation.

    Algorithm selection rationale, hyperparameter documentation, performance metrics, and independent validation. Tier 1 models include champion-challenger testing, sensitivity analysis, stress testing, and comprehensive bias and fairness evaluation before any production deployment.

  4. Approval and deployment.

    Documentation package review, risk assessment approval through the model risk committee, deployment plan sign-off, production environment testing, and rollback plans.

  5. Monitoring and revalidation.

    Ongoing performance tracking, drift monitoring, outcome analysis, and periodic revalidation. High-risk models on annual cycles, medium-risk on biennial. Monitoring detects covariate shift, concept drift, and data quality degradation before business impact.

  6. Review and retirement.

    Performance review against original objectives, retirement decision criteria for underperforming models, and controlled decommissioning with audit trail.

Why machine learning models degrade.

A model that performs well at deployment will not perform well indefinitely. Understanding why is essential for designing monitoring strategies that catch silent failures early.

Covariate shift

Detection: PSI > 0.25

The distribution of input data changes over time. A credit risk model trained on pre-pandemic data encounters fundamentally different applicant profiles post-pandemic. Population Stability Index measures the shift in input features.
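
The PSI check described above, as an added example (not code from this firm or any vendor). The 0.25 alert threshold is the one stated on this page; the feature names, the constructed sample data, the decile binning and the epsilon floor for empty bins are assumptions made for illustration.

```python
import math
import random

PSI_ALERT = 0.25  # detection threshold stated on this page


def quantile_edges(baseline, n_bins=10):
    """Interior bin edges taken from the baseline's quantiles (assumed deciles)."""
    s = sorted(baseline)
    return [s[len(s) * i // n_bins] for i in range(1, n_bins)]


def bin_shares(values, edges, eps=1e-6):
    """Share of values in each bin; the eps floor avoids log(0) on empty bins."""
    counts = [0] * (len(edges) + 1)
    for v in values:
        counts[sum(v > e for e in edges)] += 1
    return [max(c / len(values), eps) for c in counts]


def psi(baseline, current, n_bins=10):
    """Population Stability Index of `current` against `baseline`."""
    edges = quantile_edges(baseline, n_bins)
    b = bin_shares(baseline, edges)
    c = bin_shares(current, edges)
    return sum((ci - bi) * math.log(ci / bi) for bi, ci in zip(b, c))


def drift_report(baseline, current, threshold=PSI_ALERT):
    """Map each feature to (rounded PSI, True if PSI exceeds the threshold)."""
    report = {}
    for feature in baseline:
        value = psi(baseline[feature], current[feature])
        report[feature] = (round(value, 3), value > threshold)
    return report


def sample_data(seed=7, n=5000):
    """Constructed data: 'income' shifts after training, 'age' stays stable."""
    rng = random.Random(seed)
    baseline = {"income": [rng.gauss(85, 20) for _ in range(n)],
                "age": [rng.gauss(40, 10) for _ in range(n)]}
    current = {"income": [rng.gauss(65, 28) for _ in range(n)],
               "age": [rng.gauss(40, 10) for _ in range(n)]}
    return baseline, current


if __name__ == "__main__":
    for feature, (value, alert) in drift_report(*sample_data()).items():
        print(f"{feature}: PSI={value} {'ALERT' if alert else 'ok'}")
```

Bin edges are fixed from the training-time baseline, so every later scoring window is compared against the same reference distribution.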

Concept drift

Detection: CSI, A vs P

The relationship between features and outcomes evolves. Fraud patterns change as criminals adapt. Customer behaviour shifts. The underlying concept the model learned no longer holds. Characteristic Stability Index and actual-versus-predicted analysis surface this drift.

Data quality degradation

Detection: input monitoring

Upstream data sources change without notice. Fields get deprecated, missing value rates increase, or pipelines introduce errors. Input monitoring tracks feature distribution, missing values, and out-of-range values against baselines.

External environment

Detection: outcome KPIs

Economic downturns, regulatory changes, and market disruptions invalidate model assumptions. An insurance pricing model calibrated during a stable claims environment will misprice during a natural catastrophe cycle.

Industry-specific model governance.

Different industries deploy different model types, each with unique governance requirements. Our specialists bring expertise in the model types, regulatory obligations, and risk practices specific to your sector.

Banking & credit risk

APS 113 · responsible lending

Application scorecards, behavioural scorecards, and PD, LGD, EAD models feeding capital adequacy under APS 113. Rigorous governance because errors affect capital requirements, consumer outcomes, and responsible lending obligations.

Insurance pricing & claims

GI Code · Insurance Contracts Act

Underwriting, premium pricing, claims cost prediction, fraud detection, and catastrophe modelling. Indirect discrimination risks where proxy variables correlate with protected attributes need active management.

Fraud & AML/CTF

AUSTRAC · real-time decisioning

Real-time auto-decline and suspicious activity flagging. Constant tension between detection and false positives. AML/CTF models carry additional regulatory weight where failures can result in enforcement action.

Superannuation & investment

APRA performance test · SIS Act

Asset allocation, return forecasting, risk modelling, member outcome projection, and robo-advice. Fiduciary obligations because models directly affect member retirement outcomes. APRA performance test means investment models face regulatory scrutiny of their outputs.

Why model governance matters: three failures.

When AI models operate without adequate governance, consequences extend beyond financial loss to regulatory action, reputational damage, and real harm. Each of these cases shares the same governance gaps.

  1. Algorithmic credit discrimination. $70M+ in fines.

    A major financial institution's credit card algorithm offered significantly different credit limits to men and women with identical financial profiles. In 2024, the CFPB ordered fines of $45 million against the bank and $25 million against its technology partner.

    Gap: no bias testing, no fairness validation, no independent challenge before deployment.

  2. Robodebt. $1.73 billion in unlawful debts.

    An income averaging algorithm used for automated debt assessment generated 433,000 unlawful debts totalling $1.73 billion before being halted. The Royal Commission characterised the mechanism as "crude and cruel."

    Gap: no independent validation, no performance monitoring, insufficient human oversight, no tiering.

  3. UK exam results algorithm.

    An algorithm designed to predict exam results during COVID-19 systematically downgraded students from disadvantaged schools while upgrading those from historically high-performing schools. Abandoned after public outcry.

    Gap: no segment-level fairness analysis, no limitation assessment, no challenger testing before full-scale deployment.

Establish model governance that protects your organisation and enables innovation.

If your business deploys AI models that make material decisions, you need appropriate governance, independent validation, and ongoing monitoring. Initial assessment includes review of current model inventory, validation practices, regulatory compliance gaps, and recommended governance strategy.
