Representative work, written with the discretion the work requires.
Where we can publish anonymized engagements, we do. Where the client requires absolute silence, we keep it. The scenarios below illustrate how we structure work of this kind.
Schedule I Bank: pre-deployment model risk review.
This illustrates how Feerstone structures an engagement of this kind. It is a representative scenario, not a description of a specific client or a completed matter.
A Schedule I bank prepared to deploy a revised credit decisioning model and required an independent, pre-deployment review against its model risk obligations. The model relied in part on United States-hosted cloud infrastructure, which introduced a cross-border data flow that the bank's existing governance had not fully addressed. The mandate was a board-ready assessment of the model's risk and control posture before it entered production.
- A fixed timeline tied to a planned release date.
- Existing vendor contracts that could not be reopened within the engagement window.
- No budget or appetite for model retraining.
- Concurrent Canadian and United States jurisdictional exposure arising from the data flow.
The engagement was an advisory review, not a technical penetration test. Work proceeded through structured stakeholder interviews across risk, technology, and the business line, a documentation review covering model development, validation, and monitoring, and a mapping of identified gaps against the bank's stated control framework. The cross-border data flow was treated as a first-order governance question rather than an implementation detail, and was examined for residency, access, and the individual's ability to contest an automated decision.
Findings were kept proportionate. The objective was not an exhaustive catalogue of every theoretical weakness, but a clear, ranked view of what mattered before deployment and what could follow on a defined schedule.
Feerstone delivered a board-ready risk memorandum, a prioritized remediation roadmap covering the following 90 days, and updated model risk policy language reflecting the cross-border exposure. The bank proceeded with a documented, defensible record of its decision.