Supervising Corporate Governance During Crises
Wednesday, Apr 15, 2020

Supervising Corporate Governance During Crises


Strong corporate governance in regulated firms is important at all times, to provide strategic direction and to ensure that risks are properly managed.

Crises such as the current COVID-19 outbreak heighten the importance of strong corporate governance, in providing corporate leadership and in maintaining operational resilience, financial soundness and fair treatment of customers during a period when most risks are increasing.

Meanwhile, the COVID-19 outbreak brings additional pressures and practical challenges by making it impossible for boards and senior management to meet and to make decisions in the usual way.

Supervisors have a deep interest in the corporate governance of the firms they supervise. Well-run and well-managed firms are less likely to fail and less likely to treat their customer badly or to be used for the purposes of money laundering. Supervisors therefore need to maintain close watch on firms’ corporate governance, through direct contact with and assurances from firms’ boards and senior management, even as supervisors are also having to alter their own working practices.

This Toronto Centre Note considers the implications of the COVID-19 outbreak for the corporate governance of supervised firms and sets out the main issues that supervisors need to address in supervising this. The broad conclusion is that sound corporate governance is more essential than ever. Implementing it during the current crisis may be extremely challenging in some cases, but firms and supervisors alike need to ensure that these challenges are met.

The Note sets out a number of issues that the boards and senior managements of supervised firms need to address, and to be able to demonstrate to their supervisors that they have addressed, together with some ways in which supervisors should be interacting with the firms they supervise.

This is the fourth Toronto Centre Note addressing supervisory issues in the wake of the COVID-19 outbreak. The first three focused on issues for supervisors during crises; business continuity planning by supervisory authorities; and the impact of the COVID-19 outbreak on credit quality.[2]

Eternal truths of good corporate governance

An earlier Toronto Centre Note (2016) set out in detail the meaning of corporate governance, the key elements of good corporate governance, and why this is important for supervisors of financial firms.

Corporate governance provides the structure through which the objectives of a company are set, and the means of attaining these objectives and monitoring the performance of the company are determined.

A company’s board is the keystone of its corporate governance. The main functions of the board are to:

  • set and guide the strategy, policy, values and conduct of the firm;
  • establish the framework of risk governance (setting the firm’s risk appetite; monitoring whether the risks that a firm takes are consistent with this appetite; and identifying, measuring, monitoring, controlling and reporting all material risks);
  • understand the nature and level of all the risks being taken by the firm and ensure that the firm holds sufficient resources (including capital and liquidity) to meet these risks;
  • regularly verify whether the firm’s internal controls are adequate, including where appropriate through independent review;
  • understand the nature and level of all the risks being taken by the firm and ensure that the firm holds sufficient resources (including capital and liquidity) to meet these risks;
  • set performance objectives and monitor whether they are being achieved;
  • select key executives and oversee succession planning;
  • set the annual budget and business plans; and
  • oversee major capital expenditure and acquisitions.

Corporate governance is important for supervisors because the objectives of corporate governance overlap closely with the goals that supervisors of financial institutions seek to achieve, in particular the financial soundness of supervised firms, the protection of consumers and investors, market confidence and financial stability.

Good corporate governance is critical to achieving and maintaining public trust and confidence in the financial system. Poor corporate governance in contrast may undermine this and may contribute to the failure of financial institutions or to the mistreatment of consumers and investors.

Supervisors can have greater confidence in the internal control mechanisms of financial institutions with high standards of corporate governance, and in the information reported by such firms. Well-managed and well-controlled financial institutions will also be better placed to implement any changes in their structure or operations required by their supervisors. This is why an assessment of a supervised firm’s corporate governance is a key element of risk-based supervision, because good corporate governance can be an important mitigant against the risks being taken by a firm.[3]

Good corporate governance can reduce the probability that risks will materialize and strengthen the ability of a firm to manage the impact of those risks if they do so. On the other hand, poor corporate governance can make it more likely that risks will materialize, and more likely that the consequences of these risks will be severe. Indeed, poor corporate governance is in many respects an additional risk in its own right.


The earlier Toronto Centre Note dealt largely with corporate governance in ‘normal’ times – albeit drawing on some lessons that emerged from the 2008 financial crisis. The COVID-19 outbreak means that firms and supervisors are operating in circumstances that are highly abnormal – and this may persist for some time.

Financial institutions are facing heightened risks, from the wider economic environment (which has increased credit, market and some insurance underwriting risks) and from operational strains (staff working from home and a weakening of some internal processes and controls). Firms are having to prioritize and, in some cases, substantially reconfigure their businesses in the light of the crisis.

These changes, together with the operational pressures that have arisen, mean that firms’ controls need to be aligned with new business models at a time when there are serious operational strains. This relates squarely to corporate governance and the responsibility of boards. The need for sound corporate governance is as great as ever, and possibly greater.

Meanwhile, boards are themselves facing operational pressures. They may be unable to meet physically and have to conduct their business through phone or video links. Normal patterns of meetings and interactions with senior management may be disrupted in other ways and it may not be possible for management to produce conventional management information for their boards. There may also be an understandable wish not to ‘get in the way’ of senior management who are struggling to cope with the crisis – a wish that, however sincere, is misguided if carried to the point at which the board might be judged to have abdicated its responsibility.

Supervisors are also struggling with how best to undertake their functions in the crisis. They are facing operational and other challenges similar to those confronting the firms. Many are operating in business continuity mode with staff working remotely.[4] They are also having to prioritize ruthlessly.[5] As far as corporate governance is concerned, the key messages for supervisors are that:

  • Sound corporate governance is as important in the crisis as it has ever been, if not more so. It would be a grave mistake to overlook its importance or to acquiesce in claims – for example by board members – that it is ‘all too difficult’ to do it properly at the moment. Boards have a key role in providing tangible leadership. This is a requirement at all times but is of paramount importance in crises.
  • Supervisors should use the opportunity of the crisis to familiarize themselves with the work of boards (if they have not already done so), make essential contacts and make judicious use of the controls and disciplines embodied in sound corporate governance to make best use of their own stretched resources.

Ten key issues in corporate governance and its supervision in the crisis

  1. Boards must establish an effective modus operandi for themselves during the crisis to enable them to continue to undertake a changed but essential governance role.
  2. The first priority in the crisis is the implementation of the business continuity plan (BCP). The board should already have approved a generic BCP. They need to be informed that it has been implemented and to monitor its operation.
  3. However difficult and using whatever unconventional means may be necessary, boards must understand and monitor the key risks firms are facing and continue to bring an independent perspective on these.
  4. Boards must understand and monitor key risks and ensure they are controlled.
  5. To the maximum extent possible, boards should promote and demonstrate ownership of enterprise-wide processes for assessing risk and the adequacy of capital, solvency and liquidity.
  6. Board members should ensure that firms cooperate openly and fully with supervisors, making themselves available for contacts and discussions where supervisors judge this to be appropriate.
  7. Boards should keep sight of longer-term issues such as climate change-related risks, FinTech, financial inclusion and gender equality even where these may not be obviously the most pressing issues during the crisis.
  8. Boards need to consider strategies for their firms as the crisis unwinds. It may be too early to make definite decisions, but they should engage in scenario and other planning now.
  9. Supervisors should devote significant attention to corporate governance during the crisis. Supervisors should establish close links with boards and, where appropriate, draw on their risk management processes in order to make most efficient use of scarce supervisory resources in ensuring that prudential, conduct and financial crime risks are being controlled.
  10. Supervisors should expect supervised firms to be demonstrating good corporate governance and should intervene where they are not.

The key issues in detail

1. Boards in crisis mode

Boards must establish an effective modus operandi for themselves during the crisis to enable them to continue to undertake a changed but essential governance role.

Effective corporate governance is even more important during a crisis than at other times. Boards need to provide direction to senior management and ensure that risks are understood, monitored and controlled. The role of the board above all else is to provide visible leadership to the company as a whole. It is important that supervisors can have assurance that the board is operating effectively and able to carry out its role.

The critical issues on which boards need to collaborate with senior management during the crisis are:

  • Communication channels. While physical meetings may not be possible, full use should be made of video, telephone and email links. There is no reason why high-quality communication cannot continue.
  • Board structures. The board and its committees (such as audit and risk) must convene as often as necessary and in whatever form is available to enable them to continue to carry out their remits. There may be a case for making more use of board committees than usual in the interests of efficiency and getting things done.
  • Interactions with senior management. It is always necessary for boards to strike the right balance between effective oversight and unwarranted interference. The crisis throws this dilemma into sharper relief. The form and frequency of interaction needs to be agreed with senior management.
  • Some adjustment may be necessary to the exact form and frequency of management information (MI) and other information provided to the board in the light of operational and other pressures. This is inevitable. The degree to which usual standards can be compromised depends on the continued ability of the board and the executive to carry out their essential functions.


Firm A is a medium-sized life insurer. It has activated its business continuity plan (BCP). Staff are working from home and senior management are prioritizing its activities on the basis of those that are judged critical and the resources available to it. The board normally meets physically eight times each year. A board meeting had been scheduled for the week after the BCP was implemented. It was clearly not possible for this to go ahead. The CEO and other senior management are demonstrably under great pressure.


  • The board postponed all scheduled meetings (board and committees) until further notice.
  • This was on the basis of general agreement by board members that they should not ‘get in the way’.
  • The chair agreed to be consulted by the CEO on issues on an ad-hoc and one-to-one basis.
  • The CEO made use of this facility twice in the course of six weeks. Both times the chair signified passive agreement to what the CEO proposed.
  • There is no indication that the chair consulted or apprised other board members of issues.

Supervisory response:

  • Supervisors asked about the operation of corporate governance during the crisis.
  • The supervisor told the firm that the (non) arrangements were unsatisfactory. They were ad hoc, involved the suspension of normal structures and provided no reassurance regarding strategic direction or controls.
  • The supervisor set a fixed and short timescale for appropriate governance and control arrangements to be put in place. The firm was expected to comply with these on a cooperative basis though it was also made clear that sanctions are available if needed in extremis.


  • The board recognizes that it has a critically-important leadership role in the unusual and stressed circumstances:

o   It recognizes that it retains overall responsibility for the oversight and governance of the firm – especially strategy and risk management.

o   It provides an important sounding board and source of guidance for the CEO and other senior management.

  • The scheduled board meeting went ahead using video/phone link. It agreed the following:

o   The direction and priorities under the firm’s BCP.

o   A phone/video meeting of the risk committee (which normally meets quarterly) would be held twice-monthly to assess the principal risks facing the firm, and how these are being managed.

o   Other board committees (Audit, Compliance, HR) will also convene for similar ‘light touch’ updates.

o   Focused MI will be made available to board members monthly – drawing on internal information being produced already to avoid any additional burden.

o   The objective is to stay on top of the principal risks the firm is facing and ensure that these are being managed, but on a relatively ‘light touch’ basis which does not add to senior management workload.

Supervisory response:

  • After contacting the firm, the supervisor was satisfied with the way governance arrangements were working. Board and risk committee chairs were also contacted to determine how arrangements were working on the ground.
  • The supervisor was able to gain assurance that appropriate control was being exercised, particularly over risk.
  • The supervisor found that board members were themselves important sources of information regarding risks and how these are being managed. The supervisor established twice-monthly contact with the board chair by phone.


 2. First priorities

The first priority in the crisis is the implementation of the business continuity plan (BCP). The board should already have approved a generic BCP. They need to be informed that it has been implemented and to monitor its operation.

An earlier Toronto Centre Note (2020b) set out in some detail the development and operation of BCPs for supervisory authorities. Most of the same principles apply to supervised firms. The key point here is that boards need to be fully engaged with the development of such plans – in particular the identification of critical activities and how staff and other resources will be deployed.

At the onset of a crisis, senior management need to consider how the (generic) BCP may need to be adjusted in light of the specific circumstances of the crisis. The board should be informed immediately that the BCP has been implemented and then needs to engage closely with senior management on its operation. The BCP should be a standard item on board agendas for as long as it remains in operation.

The plan should explicitly address the firm’s strategy, prioritization of activities and tasks, the allocation of available resources and the operation of key controls during the crisis. There should be provision for identifying and addressing issues that are not apparently critical at the onset of the crisis but could become so as it unfolds. The plan also needs to be realistic in recognizing for example that many staff will be facing very difficult personal circumstances with implications for their effectiveness. The board cannot, and should not, aim to be involved in every aspect of decision making during the crisis. It must however be comfortable that the BCP and the decisions and actions that flow from it provide an effective basis for the effective and sound management of the firm.

Supervisors need to satisfy themselves that firms have developed ‘generic’ BCPs in normal times. Once these are implemented, the firm needs to be able to demonstrate that the specifics of the crisis are reflected in the BCP and that it effectively identifies critical activities and ensures an effective allocation of available resources. Above all, supervisors need to be assured that the plan will enable the firm to continue to function soundly even if it is facing considerable stress.


The board of Firm B had pressed senior management to develop a BCP two years ago. A generic plan has been developed in response.


  • The board had shown little interest in the development or detail of the generic BCP or the results of periodic testing (mostly in the form of call cascades).
  • It showed no pro-active interest in the implementation of the BCP in the crisis – how it had been adjusted to the specific circumstances, evaluation of critical functions and resources.
  • The CEO sent a round-robin communication to board members informing them that the BCP had been implemented and that staff were working from home. This evoked no response.

Supervisory response:

  • The supervisor inquired about the board’s involvement in the BCP.
  • The board’s lack of engagement was interpreted as a lack of responsibility for key aspects of the firm’s functioning during the crisis.
  • The board was instructed to engage with the BCP as implemented; to formally approve it; and to be able to demonstrate that they had discussed and understood its implications for the business and controls.


  • At the onset of the crisis, senior management took 24 hours to review the provisions of the BCP; consider any necessary adjustments in the light of crisis specifics; and develop an action plan.
  • The outline BCP and actions flowing from it were presented to the board in a specially convened phone/video board meeting. This prompted questions and (constructive) challenge.
  • The risk committee sought senior management views on risks arising from implementation of the BCP and asked for updates of these in fortnightly phone/video meetings.

Supervisory response:

  • The supervisor was able to satisfy itself that the BCP and implementation had board approval/backing, and that the attendant risks were being identified, monitored and addressed.
  • Some board members were contacted directly by the supervisor (with the knowledge but not the involvement of senior management) and asked to provide information on risks and risk management during the crisis.


 3. Risk identification

However difficult and using whatever unconventional means may be necessary, boards must understand and monitor the key risks firms are facing and continue to bring an independent perspective on these.

All firms should have in place mechanisms for the identification and monitoring of current and emerging risks. For large firms, the Chief Risk Officer (CRO) is typically responsible for the analysis, aggregation and monitoring of risk across the organization and reporting on this to senior management and the board. The CRO needs to be independent of revenue-generating activities and to have the standing and authority to be effective.

It is not realistic to expect some smaller firms to have a full risk management function and a dedicated CRO. In such cases, alternative structures may be appropriate but without losing sight of the key principle that a senior individual should have an independent perspective on risk and access to senior management and the board.

One of the central functions of the board is to understand the risks a firm is taking and to take the necessary steps to ensure that these are properly identified, monitored and controlled. The board may do this directly or through a risk sub-committee, though bearing in mind that as with any delegation, functions may be delegated but responsibility is not.

Supervisors need to have assurance that firms have sound and robust processes for identifying and monitoring risk. It is not sufficient for structures and processes just to be in place. They also need to be demonstrably effective. This can be a challenge in the case of smaller firms where arrangements may need to be flexible but must still provide effective oversight and control.

Aide memoire: Risk issues in the COVID-19 crisis

Supervised firms need:

  • Mechanisms for explicit identification, monitoring and control of all key risks
  • A measured approach to calibrating risk and understanding risks in the context of the firm’s (altered) risk tolerance
  • Clear accountability and responsibility for doing this – including at board level

In the context of the COVID-19 crisis, this may involve:

  • A heightened focus on operational risk – staff will be working at home and staff resources generally may be depleted. It may be necessary to accept non-conventional approaches to processes, controls and record keeping.
  • Functions and activities may be outsourced or carried out by third parties that may themselves be facing operational and other pressures. The risk implications of this need to be understood and managed.
  • There may be few new categories of risk but risks within existing categories will be heightened. This includes prudential risks (credit, market, underwriting) as well as conduct risk (particularly where there is potential harm to consumers).
  • Wrong-doing and financial crime can flourish in a crisis. It may be necessary to heighten scrutiny of areas where this is a risk and controls must remain effective.
  • There needs to be a special focus on legal and reputation risks – for example the treatment of consumers. The implications of mishandling these risks may persist long after the crisis.
  • Risks are not static. The risks the firm faces will change – particularly if the crisis is prolonged – and new ones will emerge. These must be kept under review.

Illustration (1)

Firm C is a middle-sized retail bank. It has a dedicated risk management function headed by a Chief Risk Officer. Extensive work has gone into identifying the full range of risks the firm usually faces. The risk management function collects metrics on these risks and aggregates these into reports for senior management and the board risk committee. It also undertakes stress and scenario testing to determine the bank’s resilience to severe but plausible scenarios.

At the onset of the crisis, the risk management function explicitly considered the additional and heightened risks the bank would be running. These were reflected in a supplementary document to the usual risk report that was sent to the CEO and board.


  • The supplementary risk report prompted no discussion at the board.
  • The head of the risk committee made no effort to engage either the CEO or the CRO on matters of heightened risk.
  • Neither the board nor the risk committee sought any additional information or feedback regarding current or emerging risks or their handling. Nor did they show any interest in potential scenarios for the evolution of the crisis.

Supervisory response:

  • Supervisors expressed surprise and dissatisfaction with the board’s passive stance.
  • In a phone meeting, the board chair was asked how the board was able to discharge its responsibilities with such minimal engagement – with no satisfactory response.
  • The board was informed that it appeared to be failing to carry out its responsibilities for oversight of risk. It was given two weeks to develop, implement and demonstrate improved terms of engagement with senior management.


  • At the onset of the crisis the chair of the board risk committee sought a discussion with the CEO and CRO to discuss the identification and handling of risk.
  • Risk committee members contributed useful ideas to the content of the supplementary document and how best to present the information the board would require.
  • It was agreed that the risk committee would meet in a streamlined form with the CRO on the phone every two weeks to consider risk on the basis of the supplementary document.
  • The board formally agreed a number of proposed changes to the firm’s risk tolerance – albeit in broad and indicative terms.

Supervisory response:

  • The supervisor noted the additional reporting and engagement of the risk committee.
  • In discussion with the CRO and risk committee chair, it was possible to point to multiple instances of where the risk committee had played a constructive role in risk management.
  • The supervisor felt able to place some measured reliance on these processes.


Illustration (2)

Firm D is a small investment management firm with 30 employees. It is not large enough to warrant a dedicated risk function. One director (the CFO) has traditionally had overall responsibility for controls including internal audit, compliance and risk. This is not ideal, but the director has no role in revenue-generating activities so is credibly independent. The board has two independent NEDs.


  • With the changes in roles and responsibilities resulting from the crisis, the CFO was asked to take temporary responsibility for a commission-generating function.
  • The board was informed of this in an email from the CEO – this provoked no comment.
  • The CEO made clear to the CFO that the survival of the firm is at stake so the main focus should be on revenue continuity.
  • High-level risk and compliance oversight was effectively suspended – staff were still required to comply with ‘first line’ requirements but they were working from home so there were no checks on recording/documentation.

Supervisory response:

  • The supervisor was not informed of the CFO’s changed role – this was mentioned in passing in a routine call.
  • The firm argues that its survival is at stake and that changes in responsibilities are essential and temporary.
  • The supervisor agrees that some re-configuration may be acceptable but the principle of independent oversight of risk must be maintained.
  • The firm was required to come up with a revised plan preserving this independence within two weeks.


  • Revenue-generating directors were asked to take on additional commission-generating responsibilities.
  • The CFO was not asked to take on any revenue-generating responsibilities but was asked to take on the responsibilities of more junior compliance and IA managers who were moved temporarily to revenue-facing activities.
  • The changes were formally communicated to the board, which had an opportunity to challenge/question the CEO on them.
  • The board then formally approved the changes.
  • This was subject to monthly review of how these changes are operating, with a three- month sunset provision (renewable).

Supervisory response:

  • The supervisor was satisfied that the modified control arrangements are acceptable on a temporary basis.
  • The supervisor was also satisfied that board approval has been sought and given on the basis of appropriate process.
  • The CFO remains the key internal contact for supervisors on control issues.
  • The chair of the audit committee is seen as the key board-level supervisory contact.


4. Understanding, monitoring and controlling risks

Boards must understand and monitor key risks and ensure they are controlled.

Boards must have the information to enable them to carry out their responsibility of ensuring that risks are monitored and managed. The impossibility of holding physical meetings is not a significant constraint on this given the availability of phone and video links. The necessary oversight in a crisis may involve more (rather than less) frequent interaction with senior management but this can be organized in an appropriately ‘light touch’ way – for example in the form of an hour-long, twice-monthly phone or video meeting involving the CEO/CRO and the risk committee. This provides an opportunity to discuss current and emerging risks and how these are being managed.

Good data is an essential foundation for risk monitoring and reporting. At the outset of the crisis, managements should have assured themselves that data sources are adequate to the task. They should have identified weaknesses (as revealed by internal audit or supervisors for example) and taken whatever steps were necessary to rectify these, investing in technology or other fixes as necessary. Streamlined risk reports at relatively frequent intervals may be necessary to ensure that key risks are identified and addressed, although this should not be at the expense of conventional and thorough reporting on the usual periodic basis.

Identification and monitoring of risks are not ends in themselves. Measures need to be taken to ensure that heightened or newly emerging risks are controlled and remain within the firm’s risk tolerance. This may involve tighter limits, more stringent front-line controls and processes or, in some cases, the scaling back or cessation of some activities altogether.

The board remains responsible and accountable for the way the firm operates during the crisis, when there may have to be significant changes to methods of operation and risk management. The board needs to be on top of these and in some cases formally approve changes.

As with all other aspects of risk management, supervisors need to be assured that boards have a grip on the risks firms are running and that information flows and communication – within the board and with senior management – facilitate this. The greater the level of such assurance, the more reliance can be placed on the firm’s own management and controls.


Firm E is a medium-sized life insurance company. It has a dedicated risk management function headed by a senior and respected CRO. The CRO has direct access to the board risk committee. The risk management function provides a comprehensive risk report usually amounting to around 20 pages for each meeting of the risk committee, which take place around eight times per year. The next meeting of the risk committee was scheduled for around five weeks after the onset of the crisis and the triggering of the BCP.


  • The chair of the risk committee judged that it was neither necessary nor desirable to convene an extraordinary meeting of the risk committee – there was no wish to create additional work for the CRO and things would be clearer in five weeks’ time.
  • As part of the BCP, the risk management department undertook an exercise to identify risks that were specific to, or heightened by, the COVID-19 crisis. These are being reported in a five-page weekly document to the CEO and senior team, which is seen as supplanting the usual 20-page document for the time being.
  • Neither the risk committee nor the board as a whole was aware of this document and so had no opportunity to discuss it.

Supervisory response:

  • The supervisor was apprised of the more focused and frequent risk monitoring undertaken by the risk management function.
  • The supervisor was surprised to find that the board had not sought, and was not receiving or discussing, the new risk reports, and that the standard one was no longer being produced.
  • The board chair was challenged on how the board was able to carry out its responsibilities on this basis and was instructed to increase the board’s effective engagement within two weeks.


  • At the onset of the crisis, the CRO contacted the chair of the risk committee to discuss plans for the new risk monitoring arrangements.
  • The risk committee chair persuaded the CRO to place more emphasis than had been originally intended on operational and mis-selling risks.
  • A special phone meeting of the risk committee was immediately convened. It was agreed to hold twice-monthly meetings for the duration of the crisis at which the crisis-related risk report will be discussed.

Supervisory response:

  • The supervisor was reassured that the board and risk committee are actively and constructively monitoring risk
  • The supervisor feels confident in devoting relatively more of its resource and attention to riskier, less well-managed firms for the duration of the crisis.


 5. Oversight and ownership of enterprise-wide risk assessments

To the maximum extent possible, boards should promote and demonstrate ownership of enterprise-wide processes for assessing risk and the adequacy of capital, solvency and liquidity.

Day-to-day risk management remains of great importance in a crisis, which must not be a pretext for losing sight of business as usual and its attendant risks. Boards should however also work with senior management and supervisors to develop deeper, broader and longer-term perspectives on crisis-related risks and the firm’s ability to deal with stresses.

There has been a growing emphasis in recent years on exercises such as internal capital adequacy assessments (ICAAPs) and internal liquidity adequacy assessments (ILAAPs) for banks and own resource and solvency assessments (ORSAs) for insurers. These root and branch assessments of risks and firms’ resilience should be driven and owned by senior management. Boards are also expected to engage fully, for example in understanding and challenging the basis on which these are done (assumptions, scope, scenarios) and in taking actions where such exercises identify weaknesses or vulnerabilities likely to affect the firm’s soundness.

There is an important role for such exercises in crises and resources should be allocated to them, even though the immediate focus is likely to be on day-to-day risks. They allow senior managements and boards to address questions such as: do we have a comprehensive view of risk (including conduct and consumer-facing ones); what additional risks are we facing as a result of the COVID-19 crisis; how might risks evolve over time; are our risk management processes adequate; and how would our capital/solvency/liquidity be affected by a range of severe but plausible stresses – including a crisis that is deeper or more protracted than expected? These are fundamental issues, which go squarely to the responsibilities of the board. In seeking assurance on these issues, it may be possible to repurpose existing exercises or analyses such as ICAAPs or recovery plans, rather than having to undertake the necessary analysis from scratch.

Where boards and senior management show a commitment to fundamental reviews of this kind, together with a willingness to take actions on the basis of the results, supervisors can derive considerable reassurance that risk is being addressed and managed by the firm at an appropriately deep and broad level, including during the crisis.


Firm F is a medium-sized retail bank. It undertakes an ICAAP and ILAAP every year as part of business as usual.


  • In business as usual, the ICAAP and ILAAP exercises are seen as routine chores undertaken only to satisfy the supervisor.
  • The task is delegated to a group of technical specialists who devise the stresses and scenarios along with complex algorithms that generate the results.
  • The results are included as an annex to a routine report to the risk committee of the board and have never provoked comment.
  • There has been no suggestion from senior management or the board that a special exercise be undertaken in the light of the COVID-19 crisis.

Supervisory response:

  • While the firm had a reasonable grip on day-to-day matters, including COVID-19-related ones, neither senior management nor board members were able to provide convincing answers to questions regarding its solvency in a range of adverse scenarios.
  • Supervisors were therefore unable to conclude that its risk management had sufficient depth or breadth, casting doubt on the extent to which reliance could be placed on it.


  • The business as usual ICAAP was readily undertaken by the firm, which viewed it as a useful extension to the scenario and capital planning it already undertook.
  • The board has been fully engaged with these types of exercises for several years (evidenced for example by multiple references in board minutes).
  • At the onset of the crisis, the chair of the board risk committee asked the CRO if such an exercise was planned to address the change in risk profile resulting from COVID-19 and was assured that this was already under way.

Supervisory response:

  • As a result of the exercise, the firm is able to provide convincing reassurances regarding its soundness and capital adequacy under a range of scenarios and that the board was equipped to carry out its full range of responsibilities.
  • The supervisor feels confident in devoting relatively more of its resource and attention to riskier, less well-managed firms for the duration of the crisis.


 6. Collaboration with supervisors

Board members should ensure that firms cooperate openly and fully with supervisors, making themselves available for contacts and discussions where supervisors judge this to be appropriate.

While open and constructive engagement with supervisors is always a priority, it assumes particular importance in a crisis. In common with the firms they oversee, supervisors will be facing operational and resourcing challenges, requiring them to prioritize their activities in pursuit of their objectives. Accordingly, supervisors are likely to ask more questions and may be more intrusive than in their business as usual dealings with firms. They should reasonably be able to expect openness and cooperation. At the same time, supervisors need to prioritize their work strictly so managements or boards should not assume that if they have not heard from their supervisors, there are no issues. It may simply reflect the fact that the supervisor has not yet gotten around to contacting them.

Firms should be proactive in informing supervisors of emerging risks and issues. They should not hold back from being open about conveying bad news about their business and they should be creative and constructive in finding ways to provide necessary information and data. Consideration should be given to giving a board member explicit responsibility for supervisor relations to ensure that supervisors have the access they need at all levels.

Supervisors should show flexibility, for example in being willing to accept information in relatively unconventional formats or in developing work-arounds for activities that are usually undertaken on-site. They should also not over-react to firms passing on adverse information about their performance or financial soundness. While they need to respond appropriately to serious problems or shortcomings, over-reaction will inhibit firms from being forthcoming.

All supervisors face the dilemma of how much reliance to place on firms’ own management and controls. In crises, supervisors may, of necessity, need to make more use of such reliance as their tolerance for risk is inevitably heightened. This underlines the need for full and open access to senior managements and boards. As this Note seeks to demonstrate, the more the firm is able to show convincingly that it has a grip on the identification and management of risk, the more comfortable supervisors should be in placing reliance on the firm.

In addition to collaborating openly with supervisors, boards may wish to consider how much they wish to collaborate with each other – either directly or through industry associations. While much information about their performance will be proprietary, in the extraordinary circumstances of the COVID-19 crisis, there may be great value in sharing information about responses or emerging good practices that would be of general benefit while not raising competitiveness concerns.


Firm G is a medium-sized fund manager. Supervision of it consists mostly of checking compliance with conduct and client money requirements through on- and off-site work.


  • Firm G has traditionally had a rather defensive and confrontational relationship with the supervisor.
  • It provides the required returns and cooperates with periodic on-site visits but has no tradition of proactive cooperation with the supervisor.
  • During the COVID-19 crisis it becomes aware of a potential weakening of client money controls in some parts of the industry.
  • Senior management and the board make a conscious decision not to alert the supervisor on the grounds that making waves would just create trouble.

Supervisory response:

  • The supervisor is apprised of the client money issue by other firms and through market intelligence.
  • While no formal blame can attach to firm G for not raising the alert (it has no concrete evidence of wrongdoing), their failure to do so reinforces the view that they are uncommunicative and not a firm on which supervisors are disposed to place much reliance.


  • Firm G has always sought an open and cooperative relationship with its supervisor on the grounds that this contributes to a well-run industry and is likely to make its own supervision less burdensome.
  • The client money issue becomes increasingly apparent as sector-wide developments are discussed in the firm G’s management meetings, along with other relevant market intelligence.
  • The decision is taken that the CRO will raise the matter with the relationship manager in the supervisory body and offer a weekly round-up phone call on market matters.

Supervisory response:

  • The firm’s open and communicative attitude, together with other evidence of sound management, disposes the supervisor to place a degree of reliance on the firm, enabling it to focus more on more problematic firms.


7. Keeping sight of other priorities

Boards should keep sight of longer-term issues such as climate change-related risks, FinTech, financial inclusion and gender equality even where these may not be the most pressing issues during the crisis.

Boards and senior management of supervised firms should maintain at least some focus on issues other than those arising from the current crisis. They should not lose sight of issues that were important before the crisis, that may still be important during the crisis, and that will be important again once the crisis is over.

Such issues may take many forms, including:

  • Emerging risks that require board and senior management attention. For example, ahead of the COVID-19 outbreak many financial institutions were beginning to grapple with the risk management and disclosure implications of climate change-related financial risks.[6]
  • Responding to supervisory pressures on supervised firms to strengthen their operational resilience – not only the controls and other mitigants in place to reduce the probability of disruptive events occurring, but also the ability of firms to respond to and recover from disruptions when they do occur.
  • Assessing and responding strategically to FinTech developments. Supervised firms may face competition from other incumbent firms and from new entrants (ranging from start-ups to existing large technology firms entering the financial sector) using FinTech to offer new products and services, or to offer existing products and services using different (more efficient and less costly) channels. Indeed, the COVID-19 outbreak has accelerated the trend to digitization in many ways.
  • Similarly, where financial institutions have focused on financial inclusion, there is a need both to continue promoting financial inclusion and to recognize and respond to the ways in which the current crisis is having an impact on financial inclusion.
  • Major projects to improve IT infrastructure, data handling, risk governance and internal controls.

Many boards like to emphasize their social responsibility in documents such as annual reports. Their behaviours during the crisis, especially in relation to what might normally be regarded as ‘softer’ issues such as staff welfare and that of wider society may come to be seen as a marker of the extent they were willing in practice to act on the basis of such wider considerations.

Boards and senior management should be actively involved in decisions to de-prioritize or to delay taking forward these issues and should ensure that the agreed amount of attention is paid to them both during and following the crisis. This should be capable of being demonstrated to supervisors through board and other committee minutes, and through assurances that decisions are being followed through.


Firm H is a medium-sized general insurance company. Before the crisis, it had responded to pressure from its supervisor to begin developing stress tests for climate change-related financial risks. However, it had struggled both to design scenarios and to model how these might feed through to claims (many of the properties it insures are located in areas that could be prone to flooding if sea levels were to rise by more than one metre) and to the value of its assets. The board has so far shown no interest in this work.


  • Once the COVID-19 outbreak occurs, the senior actuary of the firm puts all climate change-related risk assessment on hold, with no date given for its resumption.
  • The rest of senior management and the board are not informed of this decision.
  • The firm’s supervisor is also not informed.

Supervisory response:

  • The supervisor discovers that the work has been put on hold only during a conversation with the firm’s senior actuary about COVID-19-related travel insurance claims.
  • The supervisor instructs the senior management of the firm to take a properly considered set of decisions on the re-prioritization of activities during the crisis, to alert the board to these decisions, and to revisit these decisions on a regular basis during the crisis.


  • Once the COVID-19 outbreak occurs, the senior management discuss the prioritization of the firm’s activities.
  • It is agreed that climate change-related financial risks are a growing issue for the firm, so some work on this should continue.
  • The senior actuary suggests that some technical staff could usefully continue to work on this from home during the crisis and could network effectively with staff in other firms facing similar issues. This is an opportunity to make real progress on this issue.
  • The board is informed of the senior management’s decisions on prioritization and agrees with them.

Supervisory response:

  • The supervisor is reassured by the positive way that the firm has addressed prioritization.
  • The supervisor asks other general insurance firms if they want to set up a virtual network of experts to share knowledge and experiences with building scenarios for stress testing climate change-related financial risks.


8. Strategy

Boards need to consider strategies for their firms as the crisis unwinds. It may be too early to make definite decisions, but they should engage in scenario and other planning now.

It may be too early for firms to be making final decisions on their strategy before the current crisis is over. But it is not too early to begin identifying how the world may have changed and how the firm’s strategy and business model may have to adjust if it is to remain viable. This process should be led and overseen by the board.

The COVID-19 outbreak itself, together with the impact of all the various policy responses to it, will have impacts in multiple areas. Many of these will affect the environment in which financial institutions operate. Some of these impacts may prove to be only temporary, but others will be long-lasting and not easily or quickly reversed:

  • Macro-economic – the sharp decline in global real GDP and in asset and commodity prices, shifts in the level and term structure of interest rates, shifts in credit spreads, and a deterioration in the creditworthiness of some sovereign borrowers will all have an impact on the value of the assets held by financial institutions. The economic recovery may be slower and shallower than expected.[7]
  • Financial flows – capital flows and remittances have fallen sharply, and their volume and pattern are likely to have changed permanently.
  • Global supply chains – companies are already beginning to rethink their supply chains in response to changing views on the balance between resilience and risk. The global economy may fragment to some extent. Financial institutions may follow in terms of how they manage their reliance on outsourcing.
  • Technology – the current crisis has accelerated the shift towards technology-enabled production, working practices and financial systems.
  • Concentration – there is likely to be a further increase in the concentration and power of large corporates, itself also due in part to the economies of scale inherent in technology and the use of big data.
  • Moral hazard – government support for ailing companies and prospectively for weak financial institutions may create expectations that such support will be forthcoming in future crises, and thereby lead to an increase in risk-taking behaviours.

Supervisors should seek assurance from firms that their boards have processes and procedures in place to determine how their strategies and business models may need to change in response to these developments, once their nature and duration become more certain.


Firm J is a large fund manager. Its senior management can see that its investment strategy will need to respond to the shifting external environment.


  • The firm’s senior management meet to discuss priorities in the crisis and decide that since the future is so uncertain, there is no point in spending any time discussing longer-term investment strategies.
  • The board is not informed of any re-setting of priorities.

Supervisory response:

  • The supervisor asks senior management about how it has re-set its priorities during the COVID-19 crisis and discovers that longer-term investment strategy has been de-prioritized.
  • The supervisor instructs senior management to discuss this with the board and, at the very least, to ensure that formal review procedures are in place so that the decision not to focus on longer-term investment strategies can be reversed once conditions become clearer.


  • The firm’s senior management meet to discuss priorities and decide that since the future could look substantially different, it would be harmful to investors not to assess the potential impacts of different scenarios.
  • A proposal is put to the board to establish a virtual task force for this purpose, and members of the board are invited to participate in its discussions.
  • The board welcomes this proposal and establishes a sub-committee to oversee this project.
  • The board asks senior management to ensure that the supervisor is informed of this.

Supervisory response:

  • The supervisor takes some assurance from the commitment of the firm to monitor and respond to longer-term influences on its investment strategy.


 9. Supervisory oversight of corporate governance

Supervisors should devote significant attention to corporate governance during the crisis. Supervisors should establish close links with boards and, where appropriate, draw on their risk management processes in order to make most efficient use of scarce supervisory resources in ensuring that prudential, conduct and financial crime risks are being controlled.

It is important for supervisors to maintain close contact with the boards and senior management of supervised firms in normal times. The goal is to establish that the board is effective in its role of overseeing the firm’s strategy and controls. Such assessments need to go beyond simple structural or factual issues. The existence of boards and committees with apparently qualified members that meet according to regular schedules is a necessary but not sufficient condition for good governance. Structures also need to be demonstrably effective.

Reviews of documentation (such as minutes of board and committee meetings) will assist in making such assessments, as will open-ended questioning of board members (‘give illustrations of how the board has influenced senior management’s attitude to risk’) combined with supervisory judgement regarding the quality of responses. Supervisors may also make some use of attestations from firms regarding the adequacy of their governance. This can be effective provided attestations are subject to some level of checking and where firms may potentially face sanctions if their attestations are found to have been unfounded.

This reassurance regarding effectiveness becomes even more important when firms are under pressure, as in the current crisis. Supervisors need to know how a supervised firm is responding to these pressures and to the shifting nature of the risks faced by the firm.

The inability of supervisors to undertake the usual forms of on-site supervision should not be – and should not be allowed to be – an obstacle to maintaining close contact. Any required documentation can be sent to the supervisor, while face-to-face meetings can be replaced by telephone or video conference calls.

For those supervisors whose contact with the boards and senior management of supervised firms is non-existent, or at best perfunctory and based on a limited standard checklist of questions, the COVID-19 outbreak is a great opportunity to start or build up such contact. A supervisor needs simply to pick up a phone or arrange a conference call to discuss the key issues facing a supervised firm in the current environment. Many of the issues discussed in this Note could provide a starting point for such a discussion.


Although it claims to be undertaking risk-based supervision, supervisory authority K has only ever paid superficial attention to the corporate governance of the firms it supervises.

The supervisory authority relies on a standing checklist of questions about boards, most of which are quantitative, such as checking that the board has a majority of non-executive directors, that the board meets regularly and that minutes are produced, and that the board has sub-committees for risk and audit that also meet regularly and report to the main board.

The checklist approach provides no opportunity for supervisors to exercise judgement about the effectiveness of corporate governance in supervised firms.


  • The supervisory authority responds to the COVID-19 crisis by ending its on-site work, including the review of firms’ boards (which was previously undertaken by the on-site supervision team).
  • It decides that it will re-start its work on corporate governance once the COVID-19 crisis is over at some indeterminate time in the future.


  • The supervisory authority recognizes and takes the opportunity provided by the COVID-19 crisis to expand its work on the corporate governance of supervised firms.
  • As a first step, it instructs its on-site supervision team (now working from home) to begin calling the CEOs of the six largest supervised firms to ask about how involved the board of the firm has been in developing the firm’s response to the COVID-19 crisis, including in any activation of the firm’s BCP and the prioritization of critical activities.
  • The CEOs will also be informed that the next step for the on-site team will be to call the board and risk committee chairs of each of these firms to discuss the board’s involvement.
  • Supervisors will be encouraged to use judgements in assessing responses from senior management and board members, in order to form a supervisory view of the effectiveness of a firm’s corporate governance.


10. Supervisory intervention to improve corporate governance

Supervisors should expect supervised firms to be demonstrating good corporate governance and should intervene where they are not.

Supervisors have a number of tools to monitor and, where necessary, to improve the standards of corporate governance in the firms they supervise. These include:

  • Using international or national standards to set clear expectations for the corporate governance of supervised firms.
  • Monitoring whether supervised firms meet these expectations. For example, supervisors can use off-site monitoring and telephone or video discussions with members of the board and senior management to assess whether the non-executive directors are sufficiently challenging of senior management; how well the board understands the risks that the firm is running; how well the board uses information from the firm’s external auditors, and from its internal control and internal audit functions; whether the core internal control functions are of high quality, sufficiently resourced, and independent of the business; and how the board assures itself that the firm’s internal controls, remuneration, and other policies and procedures operate effectively and are in line with the strategy and risk appetite set by the board.
  • Introducing an element of individual responsibility and accountability where the boards and senior management of regulated firms are subject to a licensing regime.[8]
  • Taking supervisory or enforcement actions when supervised firms fall short of expectations. Most supervisors will initially seek firms’ cooperation – informing them of material weaknesses in corporate governance and requiring them to take corrective measures in a timely manner. When firms are consistently unwilling to make the required changes, then they may be required to hold additional (Pillar 2) capital or to restrict their business until the shortcomings in corporate governance are rectified. A fit and proper persons regime may be invoked to replace members of the board or senior management, and in some cases, fines may be imposed on firms or (where powers are available) individual members of the board or senior management.

During the current crisis, supervisors will have a particular interest in scrutinizing governance arrangements in supervised firms and in using boards and senior management as an essential point of contact to discuss the changing nature and level of risks and corresponding risk management frameworks.


Firm L is a medium-sized retail bank. It has a dominant CEO and a weak board that exercises very little oversight of the executive and does not act as a check and balance on the CEO. Before the current crisis, the chair of the board had resisted attempts by the supervisor to discuss the dominance of the CEO and the challenges this poses for effective corporate governance.


  • Firm L has always had a defensive and confrontational relationship with the supervisor, driven by the attitude of the CEO.
  • In the current crisis, the firm has largely ignored the supervisor, passing no information proactively; responding late and on a minimalist basis to any requests for information by the supervisor; and avoiding any mention of corporate governance.
  • In one specific instance, the firm simply responded “yes” to a question from the supervisor to the chair of the board asking whether the board had considered the ways in which the COVID-19 crisis might have changed the risks facing the firm and its ability to identify and manage these risks.

Supervisory response:

  • The supervisor has lost patience with the firm.
  • The supervisor has imposed a Pillar 2 capital add-on of one percentage point on the firm’s minimum required regulatory capital ratio, pending the outcome of a detailed on-site review and assessment of the firm’s corporate governance by a specialist team from the supervisor once the crisis is over.
  • The supervisor has informed the firm that if it fails to meet the higher capital requirement, or if it fails to make the governance improvements (which should enable the capital add-on to be reversed in due course), the supervisor will begin formal disciplinary proceedings against the firm, with the possible outcome of removing its licence to operate.


  • The CEO of firm L recognized that a more inclusive and less domineering management approach might be more effective during the COVID-19 crisis, given the need to delegate more to others in the senior management team.
  • Collectively, the senior management team has made more of an effort to engage the board and to actively seek the board’s views on how the firm should operate differently during the crisis.
  • The chair of the board has encouraged the board to engage more actively with senior management, and as a result the board has become more assertive in asking questions and challenging senior management.

Supervisory response:

  • The supervisor has begun to notice a change in approach at the firm.
  • The supervisor has increased contact with the firm in an effort to secure a significant step towards a more open and constructive dialogue. The head of the supervisory authority has arranged a video call with the chair of the firm, ostensibly to discuss the impact of the crisis on the retail banking market, but also to take soundings on the early signs of a more positive approach to corporate governance.
  • The supervisor is considering how to ensure that progress made during the crisis is maintained once the crisis is over.



The main messages of this Note are straightforward in principle, but require some commitment and imagination to put into practice:

  • Corporate governance in supervised firms is more important than ever, not least board leadership and board support for and constructive challenge of senior management as firms navigate difficult times.
  • There are ample opportunities for supervisors to continue to assess the effectiveness of corporate governance during the COVID-19 crisis.
  • There are also opportunities for supervisors who currently pay too little attention to the effectiveness of corporate governance to up their game here.


Toronto Centre. Improving Corporate Governance in Regulated Firms. January 2016.

Toronto Centre. Assessing the Suitability of Key Individuals in Financial Institutions. May 2017a.

Toronto Centre. Climate Change. July 2017b.

Toronto Centre. Risk-Based Supervision. March 2018.

Toronto Centre. Climate Change: Issues for Banking Supervisors. July 2019.

Toronto Centre. Ten Issues for Supervisors During Crises. April 2020a.

Toronto Centre. Business Continuity Planning for a Supervisory Authority. April 2020b.

Toronto Centre. Supervisory Responses to the Impact of COVID-19 on Credit Quality. April 2020c.




[1] This Note was prepared by Clive Briault and Paul Wright.

[2] Toronto Centre (2020a, 2020b and 2020c).

[3] Toronto Centre (2018).

[4] See Toronto Centre (2020b).

[5] See Toronto Centre (2020a).

[6] The impact of these risks on financial institutions is discussed in Toronto Centre (2017b and 2019).

[7] Toronto Centre (2020c) discusses the impact of the COVID-19 outbreak on credit quality.

[8] Toronto Centre (2017a).