Turning Risk Assessments into Supervisory Actions
Friday, Aug 30, 2019


Introduction and Overview[1]

This is the fourth in a series of Toronto Centre Notes on the subject of Risk Based Supervision (RBS).  The first set out the principles of RBS[2] while the second discussed the particular challenges for senior managements of supervisory bodies in introducing it[3].  The third Note set out in some detail the issues involved in developing and implementing frameworks for risk based supervisory assessments[4].

The previous Note in this series outlined the judgement-based processes involved in identifying the risks in supervised institutions that are most significant and which warrant supervisory attention[5].  Once these priority risks have been identified they need to be addressed and mitigated as part of a supervisory programme.  The development and use of such programmes is the subject of this Note.

The main features of RBS were set out in detail in the earlier TC Note.  These are as follows:

  • Supervisory bodies have limited resources. They therefore have to prioritise
  • RBS focuses on the risks that are most significant from the point of view of the supervisory body’s objectives
  • It provides a framework for the efficient and effective allocation of resources
  • It is a forward-looking, judgment-based approach (in contrast to others which are backward-looking and compliance-based with little scope for the use of judgment)
  • In taking specific account of the impact of firms and the risks they pose it provides a vehicle for identifying and addressing systemic risks alongside macroprudential analysis
  • RBS does not (and should not aim to) eliminate risk. It does however provide a systematic and analytical way of identifying and addressing risk
  • Rigorous prioritization means that some sources of risk will not be addressed or will receive less attention than under regimes which purport (wrongly) to address all risks

RBS is increasingly viewed internationally as the standard for best practice by supervisors.  In promoting a common understanding of risk, it also provides the basis for a constructive dialogue with supervised firms.

This Note describes a framework for turning risk assessments into firm-specific supervisory programmes.  This typically involves a cyclical process as set out below in Section 2.  It needs to be emphasised that supervisory approaches to specific firms can and should vary widely according to the risk characteristics of the firm (including its impact) and the preferred style or approach of the supervisory body.  The key considerations that should govern the treatment of specific firms under RBS include the following:

  • Decisions about the risks that should be followed up. In principle, any risks that could significantly affect the supervisory authority’s statutory objectives could legitimately be pursued.  In practice, and consistent with the principles of RBS in a resource-constrained world, choices need to be made on the basis of the likelihood and impact of the risks and the supervisory body’s own risk tolerance[6].
  • Linked to this is the choice of supervisory approach to be adopted with the firm. Some supervisors choose to apply a relatively prescriptive and compliance-based approach where measures that firms are required to take are spelled out in detail.  Others adopt a more cooperative, principles and remediation-focused approach in which they are willing to work with firms to identify detailed remedial measures.  Some supervisors are comfortable with placing quite a high level of reliance on firms’ managements to identify problems and to take the necessary measures to address them in some cases – albeit on the basis of evidence that such reliance is warranted.   A supervisory body can and should adopt elements of these different approaches for each of the firms for which it is responsible according to the nature of the firms and the risks they pose.  Alternative supervisory approaches are discussed in Section 3. 
  • Many supervisors also find it appropriate to place the supervisory programme within a wider framework in which ‘stages of intervention’ are identified. These make a link between the level of risk posed by the firm and the type of supervisory action that may be warranted, alongside its ability to recover from stress and (particularly in the case of higher impact firms) any issues that might arise if it were to become non-viable.  This is the subject of Section 4 of the Note.
  • The supervisory approach, together with the perceived level of risk, has a bearing on the intensiveness with which remediation will be followed up and monitored. In the case of a large systemic firm running high levels of risk which could potentially place its solvency in jeopardy, causing harm to consumers or threatening financial stability, remedial measures need to be monitored closely.  The review of lower level risks in smaller, lower impact firms, however, is likely to be less intensive, consisting for example of a check that remediation has been implemented after a discrete interval.  There is a spectrum of options in between.  These issues are discussed in Section 5.
  • Supervisors need to achieve a balance between programmes that are sufficiently stable to provide strategic direction but are also capable of taking account of significant changes to firms’ risk profiles. There need to be processes surrounding significant changes to supervisory programmes which are rigorous but also appropriately flexible. These are discussed in Section 6.

Supervisory programmes – part of a cyclical process

A supervisory programme is a strategic, risk-based framework intended to guide the work of supervisors in relation to firms (or groups of firms) over a specific period – usually one to three years.  The object of the programme is to ensure that the risks posed by firms (or groups of firms) that are judged to be significant are fully understood and addressed through an agreed set of actions implemented by the firms’ managements.  There should also be appropriate focus on the ability of any firm rapidly to put in place measures to enable it to recover from severe stress (recovery planning) and the scope (in extremis) for resolving the firm should it cease to be viable (resolvability assessment).

Consistent with the principles of RBS, supervisory programmes should reflect the risk characteristics (including the impact) of the firms concerned.  Large firms, including those whose failure could have systemic consequences, are likely to be subject to detailed and intensive scrutiny.  This will be reflected in the complexity of their risk assessments, the level of detail of the supervisory programmes stemming from these and the nature and depth of the ongoing relationship between the supervisor and the firm.  Smaller firms with lower impact and posing lower risk, by contrast, will typically be subject to much less intensive oversight and supervision – at least individually[7].  This contrasts with non-risk-based approaches in which the supervisory treatment of firms – the frequency of visits, the resources allocated to these and the nature of on- and off-site activities – is determined on a more formulaic and less risk-focused basis.

The earlier TC Notes emphasized the dynamic, judgement-based and forward-looking nature of risk-based supervision.  Neither the context within which firms operate nor the risks they pose are static; these evolve over time and supervisors need to monitor these changes and their implications.  For this reason, RBS is a cyclical process broadly involving the steps shown in the chart.  This is a somewhat expanded version of a chart presented in RBS1 and, like that one, should be seen as a ‘conceptual’ rather than a precise sequence of actions which, as explained below, may need to be adjusted as risks evolve[8].

The supervisory cycle involves a number of discrete steps involved in identifying risks and ensuring that they are addressed.  This is not a one-off activity but a continuous process of re-evaluating risks and the measures taken to address them as they evolve.  A common implementation issue faced by supervisory bodies introducing RBS is that supervisors often undertake a risk assessment of their firms and then revert to more ‘traditional’ supervisory tasks, imagining that this is somehow the end of the RBS process and that ‘business as usual’ can resume.  In reality, supervisors need continually to review risks and the effectiveness of the risk mitigation measures that have been put in place; RBS involves a permanent change in the approach to supervision.  Assessments of firms also need to be repeated at intervals which are governed by the level of risk.



  • Information about the firm – the nature of its business, its business plan and strategy, its governance and control structure – is typically gathered through the receipt of regulatory returns, on- and off-site analysis, informal contacts with the firm, ‘inherited’ knowledge from past interactions and market intelligence - as discussed in earlier TC Notes.
  • This information, including that derived from dialogue with the firm’s board and management, will form the basis of the risk assessment. This will usually involve the completion of a risk matrix along the lines of the example provided in the previous TC Note[9].
  • The risk assessment is the first step in devising the supervisory programme. This should focus on the areas that are seen as posing the greatest risk and set out the measures that need to be taken by the firm over a defined period to mitigate these.  The choice of risks to be addressed will be a matter for judgement by the supervisory body and will typically comprise those that pose the greatest risk to the achievement of the supervisory body’s statutory objectives, taking into account its risk tolerance and available resources.  As discussed below, the detailed measures to be taken to address priority risks may be the subject of discussion with the firm. In such cases the supervisor needs, in the first instance, to identify the risk-based outcomes which the remedial programme will achieve.
  • Once agreed internally within the supervisory body, the supervisory programme needs to be communicated to the firm, usually the board and senior management. In the case of firms which are parts of larger, sometimes international groups, communication needs to take place with those parts of the group where ultimate management and control are exercised.  This should prompt a dialogue between the supervisors and the firm concerning the exact measures the firm will take in implementing the programme and the timescales involved. 
  • While pressing risks will need to be addressed as a matter of urgency, implementation of the full supervisory programme will typically take place over quite an extended period - perhaps up to two years. The development and communication of a programme emphatically does not represent an end-point in the supervisory process.  The firm’s risk profile and progress with the programme need to be continually monitored and kept under review and this will usually involve dialogue with the firm.  This will be intensive for high impact or particularly risky firms and less so for lower impact ones.
  • Supervisors also need to evaluate the effectiveness both of the actions agreed with the firm and their own processes. The question is ‘are the measures the firm is taking proving effective in mitigating the risks?’ bearing in mind that while it is often relatively easy to establish that measures have been put in place, assessment of their effectiveness may be much more challenging.  If sufficient evidence of progress is not forthcoming, additional pressure on the firm or even a change of approach may be warranted. 
  • The cycle will typically be completed with the supervisory body undertaking a renewed risk assessment and development of a new supervisory programme. The timescale for this - normally 1-3 years for all but the very smallest firms - should itself be a risk-based decision.  Some supervisory bodies also commit themselves to an annual review which is not a full reappraisal but allows them to take stock of progress with the supervisory programme.

It should be emphasized once again that the comprehensiveness and level of detail of the cyclical process described will depend on the size (and hence the impact), complexity and risk posed by the firm concerned. 

A hypothetical example

Throughout the remainder of this Note, hypothetical examples designed to illustrate the points being made are given in boxes such as the one below.  One continuous example is presented throughout the Note (Firm A – grey box).  In some sections examples of other types of firm are given (pink boxes) to illustrate how arrangements may differ for them.

Firm A is a medium sized life insurance company.  It accounts for 11% (by value) of total life insurance policies written within the jurisdiction and is an important retail savings vehicle.  It has significant interconnections with the rest of the financial system.  Its scale is such that a poorly managed failure would be disruptive though it is not thought that it would have systemic consequences.   It is judged to be medium high impact. The supervisory resource allocated to it is one full time analyst; part of a manager (who has overall responsibility for five similar sized firms) and technical (eg actuarial) expertise on an as-needed basis amounting in total to around 0.2 of a person per year. 

Information about Firm A is gathered through the receipt and analysis of routine reporting (common to all life insurers) together with detailed documentation regarding the firm’s P&L, its business and strategic plan and the organization of its management, board and control functions together with five days spent on-site.

A simplified risk matrix for firm A (based on the approach set out in RBS3) looks as follows:


The firm’s overall net risk was rated as Medium High[10] and the supervisory team identified the following three principal areas of concern where remedial action was required:

  • Potential mis-selling of savings products, reflected in a relatively high level of complaints and a number of adverse decisions by the financial ombudsman.  Further investigation showed that the sales force is remunerated largely through bonuses, which may create perverse incentives.  Management controls over selling practices are weak (reflected in ratings of NI (needs improvement) for Senior Management in this area and overall).  [This is of concern to the supervisory body, which has responsibility for consumer protection, including conduct issues, but also because the mis-selling is a source of reputational and other prudential concerns]
  • Deficiencies in Internal Audit.  The absence of a risk-based plan; several instances of failure to follow up on recommendations/requirements; and sketchy/infrequent reporting to the Audit Committee of the Board (reflected in an overall rating of NI for this function)
  • Weaknesses in credit risk management – the firm seemed insufficiently aware of the credit risk involved in ceding a significant amount of business to reinsurers (credit risk is rated as MH for this function).  There was no evidence of the systematic collection, analysis or reporting of data on credit risk (reflected in a rating of NI for risk management in this area and overall)

The required supervisory outcomes were as follows:

  • More effective controls over the sales of savings products supported by remuneration arrangements which incentivize compliance rather than the volume of sales
  • The development and maintenance of a continuous, forward-looking internal audit plan together with rigorous arrangements for follow up and greater and more continuous engagement by the Audit Committee
  • Improved internal monitoring and reporting arrangements for the use of reinsurance and the development of improved counterparty risk management arrangements

A panel within the supervisory body[11] agreed the risk assessment, the overall rating and the key areas for remediation and required measures.  These were included in a draft letter to the firm’s board and management which was also approved by the supervisory panel and sent to the firm.

Two points should be noted at this stage:

  • The use of an internal panel within the supervisory body to scrutinize and validate the risk assessment and supervisory programme. The TC Note ‘Risk Based Supervision’ outlined the importance of such panels in providing a cross check on supervisory teams’ findings and promoting consistency of approach.  In this case, the use of the panel provided the supervisory team with confidence that the assessment and proposed risk mitigation were appropriate and in line with those for other comparable firms.
  • In the example, supervisors exercised some discretion in deciding how prescriptive to be regarding the detail of required supervisory actions. The requirements placed on the firm were fairly high level: the exact nature of the controls over the sales force and the remuneration arrangements were not specified in detail, for example.  Neither were the exact arrangements for the audit plan or the monitoring and analysis of credit risk.  It was recognized in this case that there was scope for discussion with the firm on exactly how it would achieve the required outcomes. 

In general, supervisors need to decide how prescriptive to be regarding the detail of required supervisory actions.  In some cases, a high level of prescription is appropriate.  If the issue is purely one of compliance with a clear requirement, it makes sense to be relatively prescriptive.  If, for example, it is a supervisory requirement that firms should have a Money Laundering Reporting Officer and a firm does not have one, the requirement – that they should acquire one – is clear and unambiguous.  Other cases, such as Firm A, may be more nuanced.  If there is a requirement to strengthen risk oversight or aspects of management or corporate governance, there may legitimately be alternative ways of achieving this and a dialogue with the firm about the best approach may be warranted.  The supervisory body should, however, provide complete clarity about the (risk mitigating) outcome that needs to be achieved even if there is scope for discussion about the precise means of achieving it.  In general, the more sophisticated and risk-focused the firm and the more principles-based the supervisor, the greater will be the scope for discussions about the detailed measures to be taken. 

Other hypothetical examples

Firm A was chosen as an example of an institution that is of significant size but not systemic.  As such, it would attract relatively close, but not intensive, scrutiny as part of its risk assessment and the supervisory programme would be reasonably detailed.  Other examples are given throughout (in boxes as below) to demonstrate how the approach may differ for other types of firm.

Alternative example: a systemically important bank (Bank 1)

The supervisory resource allocated to a systemically important firm is likely to consist of several full-time analysts and a significant part (at least half) of a manager’s time, with extensive specialist input as required.  The risk assessment will be based on extensive on-site investigation and discussion with business heads, heads of control functions, other senior managers, board members and external auditors.  There will be significant focus on the business model and strategy as well as controls and financial resources.

The risk assessment will be extremely comprehensive covering all aspects of the business and may include a number of cross enterprise issues such as IT and asset and liability management.  Supervisors will still be selective however in making risk-based decisions about the issues they intend to follow up and the items to be included in the supervisory programme. 

The assessment and programme will be the subject of a detailed discussion by a supervisory panel.  A letter setting out the assessment and programme will be sent to the CEO and Board (and group management if the firm is part of a wider group) followed by a face to face meeting with the Board to set out the issues.


Alternative example: a small investment advisor (Advisor 1)

The firm employs three people and is one of around 50 similar firms in the sector.  It does not take customer deposits, and the main generic risks that such a firm runs are that it is a vehicle or conduit for financial crime (money laundering); it may fail to safeguard client money; and/or it may fail to provide proper advice on the suitability of products.  It is judged to be low impact. Two supervisory analysts in the supervisory body have responsibility for the 50 similar firms in the sector.  The firm would typically receive a supervisory visit (lasting a maximum of one day) every 3-4 years; it is not due to have such a visit for another two years.  It routinely provides financial returns covering mainly financial data: balance sheet size and growth; number of clients; client money held; P&L and working capital.

The firm was one of ten similar firms visited within the past six months as part of a thematic/horizontal review of the treatment of client money in the sector.  The thematic/horizontal review revealed a number of sector-wide deficiencies, some of which were found in Advisor 1.  On the basis of the review, the supervisory body compiled a document outlining sound practice in this area, based on good practices observed in the course of the review, together with some additional recommendations of its own.

A panel within the supervisory body discussed and approved a report outlining the findings of the review together with the statement of sound practices.  This, together with a generic letter outlining the results of the review and the supervisory body’s future expectations in this area was subsequently sent to the CEOs of all firms in the sector including Advisor 1.  The letter made it clear that all firms should assess themselves against the statement of sound practices in this area and should take any actions necessary to ensure that they meet the necessary standards.

Whilst approaches to firms of different types, levels of risk and impact may vary, wherever a firm-specific supervisory programme exists, there should always be complete clarity regarding the following, regardless of the firm’s size or impact:

  • The risks that have been identified as needing to be addressed
  • The risk-mitigating measures that the firm is expected to take. As noted, the supervisory body may initially specify these as required outcomes (‘strengthened corporate governance with more active engagement by the Board on risk issues’).  These can then be translated into specific measures through dialogue with the firm.  The choice of measures will to some extent reflect the supervisory body’s wider approach.  This is discussed in Section 3.
  • Any actions which the supervisor itself is taking in response to the identified risks. As discussed below (Section 3), most supervisors have powers to impose measures on firms ranging from changes in financial resource requirements to restrictions on their businesses or changes in management.  Such measures are likely to be used relatively infrequently and some will be temporary while the firm rectifies an underlying problem.  There needs to be clarity regarding such measures/requirements and the rationale for them.
  • Clear timescales. There should be clarity regarding the dates by which agreed remedial measures should be completed as well as the timing of interim steps towards completion.  Required actions are likely to be spread over a period of up to 1-2 years, with the most pressing being required within a short period of, say, 3-6 months.  All of this needs to be spelled out.
  • It is also helpful to specify where in the firm responsibility and accountability for the necessary remediation lies. Where this rests with one or more identified individuals this is likely to focus attention and improve accountability.
  • Monitoring arrangements. These are the form and frequency with which the firm (or approved third parties acting on its behalf) will report progress; the nature and timing of monitoring and verification and the length of the cycle (and hence the timing of the next full supervisory review).  These issues are discussed in section 5.
  • The nature and timing of any interim reviews. Many supervisors choose to undertake an annual interim review of supervisory programmes to provide a check that the risk assessment remains broadly appropriate and that the supervisory programme is on track.
  • All of these elements need to be clearly documented to avoid any ambiguity. Documentation also provides assurance that supervisors can remain appropriately accountable and able to withstand challenge (for example if serious risks crystallise or a firm subsequently fails) as well as allowing continuity as supervisory personnel change.

It also needs to be made clear to firms that they are required and expected to comply with the requirements set out by the supervisor.  A variety of measures should be available to supervisors in the event of non-compliance, ranging from increasingly assertive communication to the Board to punitive measures such as fines and public notices.  The decision on how to make this understood by firms is a matter of style and approach and is for the senior management of the supervisory body to determine.   The important thing is that the firm should be left in no doubt about its obligation to comply and that there will be serious consequences if it does not.

As a general principle, supervisory bodies should aim for maximum transparency with firms regarding their expectations concerning remediation and their general supervisory approach.  An earlier TC Note discussed whether supervisory bodies should disclose their ratings of overall net risk to individual firms.[12]  There are arguments for and against this, but the TC came down, on balance, in favour of disclosure.  What is not in question is that, having made its assessment, the supervisory body should leave the firm in no doubt regarding the principal areas of risk identified and the mitigating actions that it is required to take. 

  • These should be set out clearly in a letter addressed to the board and senior management of the firm.
  • In the case of the largest and/or highest risk firms, the supervisor should present its findings at a meeting of the board, placing particular emphasis on areas where remediation is most urgently needed
  • This should prompt a dialogue with the firm about the precise nature of the remedial measures that will be taken together with the timetable for these.
  • The firm should then be expected to provide a written reply within, say, one month of receipt of the supervisory letter, setting out the detailed measures it will take along with a timeline for these. 

Firm A (continued)

A letter was sent to the Board Chair and CEO of Firm A outlining the overall risk assessment (Medium High) together with the required remedial outcomes/actions.  A reply, setting out the detailed actions the firm was proposing to take and the timetable for these, was required from the firm within 28 days. 

On the basis of the firm’s reply and a meeting with the supervisory team, it was agreed that the firm would take the following specific measures (this was fully documented):

  • A third-party audit firm would be appointed to investigate the sales function and recommend improvements in incentives and controls in line with industry sound practice and regulatory guidance.
      • The audit firm would be appointed within four weeks
      • It would be asked to report within three months of appointment
      • A plan would be drawn up jointly with Senior Management, and Board approval for this sought within a further month
      • All necessary control improvements would be put in place within a further three months (that is, within eight months of the initial appointment of the audit firm)
      • Changes in remuneration policies would be introduced by the beginning of the firm’s next budget year
  • A project plan would be developed for strengthening the Internal Audit function. This would involve:
      • Recruiting an additional skilled individual to act as deputy Internal Auditor
      • The development of a risk-based audit planning process drawing on industry sound practice, with the assistance of external consultants
      • A review of the Terms of Reference and membership of the Board Audit Committee to make more explicit its oversight of the Internal Audit function and to ensure that regular reports were received, explicitly approved and acted upon
      • The development of a rigorous, documented system for follow up and monitoring of IA recommendations, with regular reporting on this to the CEO and the Board Audit Committee
      • The detailed plan would be drawn up and agreed with the Board within six weeks. The plan would be completed within three months of that, and the CEO, CRO and Board would receive monthly progress reports.
  • The firm would recruit a specialist with proven skills in the analysis and monitoring of credit risk in insurance and reinsurance, to be located in the relevant business area.
      • A framework would be developed for the analysis, monitoring and reporting of credit risk on an enterprise-wide basis
      • The methodology and approach would be agreed by the CRO
      • The analysis and monitoring would be included prominently in the MI pack produced monthly for the Board
      • The recruitment would take place within three months, and the improved monitoring and reporting would be in place within a further three months from that.

The firm would send monthly progress reports to the supervisory body detailing progress on these three projects.  The supervisory team would hold a meeting with the Head of Internal Audit and the Chair of the Audit Committee to review progress in six months.

Supervisory approach and use of powers

A dilemma that all supervisory bodies face is whether to seek remediation in firms principally through dialogue and persuasion or the use of formal powers. In addition to the power to change the financial resource requirements placed on supervised firms – for example under Pillar 2 of the Basel framework discussed below - most supervisors have a set of formal, legally enforceable powers available to them which enable them to direct a supervised firm (inter alia) to:

  • Provide information (beyond standard reporting) and to make available its books, records or personnel, in response to reasonable requests
  • Change or curtail certain of its business activities – including through changes to the activities that it is legally permitted to undertake (‘permissions’). In extreme cases this might extend to a requirement to restructure the business
  • Change aspects of its controls, management or governance, including through the removal or replacement of key individuals
  • Cease operating. This ultimately involves removing a firm’s authorization, either to operate specific business lines or to remain in business at all

All supervisors should have a suite of such powers, enshrined in legislation, which allow a graduated response to concerns posed by firms. In some countries, legislation provides only for the ‘nuclear’ option of removing a firm’s license. This is an extreme step which should only be taken in the most serious circumstances and is (rightly) subject to extensive due process.  As such, it does not provide the flexibility that supervisors need to address matters which may be serious but fall short of grounds for revocation.  Where the legislative framework for supervision does not provide for such graduated measures, changes should be sought to introduce these. 

Even where such graduated powers exist, many supervisors believe that formal powers should be used as a last, rather than a first, resort. This is largely a matter of supervisory style and culture and is something that should be considered at a strategic level within the supervisory body. At the risk of oversimplification, it is possible to identify two polar opposite versions of supervisory intervention.

Two types of supervisory intervention

Enforcement/rules led

  • Focus on rules
  • Binary decision making (‘if the rules don’t say I can’t do it, I can’)
  • Compliance basis (firm either complies with the letter of the rules or it doesn’t)
  • Remedial measures are easy to identify – make sure you comply in future
  • More readily applicable to conduct issues than prudential ones
  • Ready use of enforcement measures in cases of non-compliance
  • Not very risk-based – may not focus principally on areas of greatest risk and how these should be addressed

Principles based

  • Shared understanding of risk (where the supervisory body is coming from)
  • Consider issues/incidents within a wider risk-based context
  • Dialogue with the firm
  • Principles based
  • Openness to consider alternative means to achieve risk-based ends
  • Possible willingness to place judicious reliance on the firm’s management and controls
  • Use of formal powers either as a last resort or as the concerns about potential non-viability increase
  • Consistent with risk-based approaches

In practice, nearly all supervisors operate through a combination of rules and principles-based approaches.  International standards such as the Basel capital requirements and the IAIS solvency requirements for insurers contain a large number of prescriptive requirements which are implemented by prudential supervisors, many of whom would think of themselves as mainly principles- rather than rules-based.  There remains a question for supervisory bodies, however, about whether they see their style and approach as being predominantly rules/enforcement led or more principles based.

Enforcement/rules led approaches have the advantage of being relatively simple to operate: rules can be set out clearly and firms are then expected to comply with them.  Where firms do not comply, they will be required to take measures to bring them into line and may be subject to disciplinary measures, often in the form of financial penalties, public statements and, in extreme cases, even closure.  There is little scope for ambiguity.  Traditionally, predominantly enforcement/rules-based approaches have been more prevalent in sectors such as securities and asset management where supervisory issues tend to be around business conduct which has been seen as more susceptible to regulation through rules rather than principles.  This is changing however with the adoption of more principles- and risk-based approaches in all sectors.

Many supervisors see some downsides to heavily compliance-based approaches.  They may be seen as confrontational, encouraging firms to adopt an equally confrontational or litigious stance towards the supervisory body.  The exercise of due process which needs to underpin enforcement-based approaches can prove slow and cumbersome.  And such approaches do not cope well with complex, evolving financial institutions and activities where supervisors may find that it is impossible quickly to develop clear rules to address risks which may be new or changing rapidly in character, resulting in gaps in supervisory coverage.

For this reason, many supervisors choose a more principles-focused approach based, in the first instance at least, on dialogue and cooperation with firms.  This may be more challenging than a compliance-based approach in that it requires a broader understanding of risk and its context and of the measures that might be most effective in addressing it. Such an approach also envisages the possibility of placing some judicious reliance on firms’ controls and managements to address identified risk issues.

It should not be assumed therefore that an approach based principally on cooperation or suasion is an easier option either for the supervisory body or the firm.

  • Firms should be left in no doubt about the supervisory body’s concerns and their obligation to address these. Supervisors should be prepared to subject firms to rigorous challenge – at all levels up to and including the Board.
  • There will be openness to discussion about the means that might be adopted to achieve a given (risk-reducing) end. This is an important aspect of principles-based supervision but it is incumbent on the firm to spell out clearly and in detail how the actions they propose will work and be effective.
  • Supervisors should apply informed and considered judgement in deciding whether the proposed remedial measures are commensurate with the risk and likely to be effective. They also need to be ready to press firms hard on progress that is being made in implementation.
  • Supervisors may find that it is efficient to place some reliance on the firm’s management to ensure that issues are addressed but only where there is strong evidence of the firm’s willingness and ability proactively to address risks. This will in large part reflect the firm’s culture.  Even where the supervisor is willing to place such reliance, some checking/verification will usually be needed using the principle of ‘trust but verify’.


When should supervisors place reliance on firms’ management and controls?

This means:

  • Placing some reliance on firms’ own approaches to mitigating risks and rectifying problems
  • Placing a degree of trust in firms to verify that measures have been put in place and are effective

Positive indicators

  • Management has displayed a positive, open and communicative stance in the past
  • The firm has been proactive in identifying risks and issues
  • It has drawn supervisors’ attention to issues promptly
  • Management understand and (to a large extent share) the supervisor’s risk-based philosophy and priorities
  • The firm has been shown to have strong and reliable internal control structures and governance

‘Trust but verify’

  • Positive indicators continue to be displayed
  • Checking by supervisors (albeit on a less intensive basis) confirms that measures have been taken and are proving effective
  • Firm can furnish evidence of continued cooperative approach and risk-focus

Negative indicators

  • Management are secretive and reluctant to communicate
  • Issues and problems have
    • Not been identified; or
    • Have been identified but not communicated to supervisors (at all, or in a timely way)
  • Supervisors are seen as a nuisance who get in the way of the firm making profits
  • Firm’s culture and values do not encourage trust
  • Internal controls have not been shown to be strong or reliable in the past

The supervisor would be unwise to place much reliance on the firm’s willingness to take remedial measures or on its assurance that it has done so



  • While many supervisors give priority to approaches based on cooperation and suasion, using enforcement as a last resort, they should remain open-minded about which approach is likely to prove most effective in any given circumstances. They should stand ready to use formal powers at an early stage where there have been particularly egregious or serious shortcomings and/or where there is a risk of serious and widespread harm to consumers.  Serious consideration should be given to the early use of formal powers where there are questions about the firm’s culture and its willingness or ability to take remedial measures.  As with all other supervisory tools, supervisors should consider which are likely to prove the most effective in the particular circumstances.
  • As discussed in the next section, there should be a greater disposition to use formal powers – to seek additional information/reporting and to effect changes in the business and/or management or controls – as concerns about potential non-viability

A further important tool which is available to supervisors is the discretionary adjustment of financial resource requirements.  A good example of this is the use of Pillar 2 adjustments to banks’ capital though it might also apply to insurers’ solvency requirements and liquidity requirements placed on banks and insurers.  Such measures sit somewhere between the two approaches described above in that they are clear requirements with which firms have to comply but they are based on supervisors’ (judgement based) assessments of risk. 

Supervisors will take a view about the appropriate level of capital or solvency based on the firm’s business model and taking account of factors such as sector concentrations and the level of interest rate risk in the banking book.  Such risks do not need to be ‘remediated’ provided supervisors can be confident that they are appropriately managed and controlled. Where additional risks are identified that do require remediation, however (reflecting, for example, shortcomings in controls or governance), supervisors may judge that, pending the implementation of the necessary measures, the risk associated with a firm is sufficiently elevated that an increase in financial resources is required to offset this.  Such increases should however be seen as temporary and cannot be seen as a long-term response to higher, remediable, risk.  Such risks need to be addressed at source, and increased financial resources can be only a temporary and indirect mitigant.

Firm A (continued)

The preferred general approach of the supervisory body is to seek remediation through collaboration where possible.  It has a range of powers available to it and does not hesitate to issue directions and take enforcement action where this is judged to be necessary and the most effective approach.

The relationship with Firm A has been consistently positive however.  The firm has proved open and cooperative in supplying information to the supervisor, both written and as part of on-site work.  There has been a good dialogue with the board and senior management and both have been receptive to the supervisors’ findings regarding their shortcomings. 

Senior management initially expressed some reservations about the remediation required but were receptive to the message that their processes and controls fell short of industry good practice in some areas.  They recognized the need for remediation and pro-actively suggested the details and timetables for the elements of the remediation programme that was finally agreed.

Supervisory programmes within a wider context of intervention

A fundamental principle of RBS is that the higher the level of risk, including impact, posed by a firm – and hence the higher the level of concern to the supervisory body – the more intensive the level of engagement will be.

As the level of supervisory concern increases, the higher level of supervisory engagement will not be confined to ‘business as usual’ supervision.  There will be an increasing focus on recovery planning and (in the case of high impact firms) resolvability/resolution as shown on the chart.

Resolution planning concerns the actions that would be taken (usually by the Resolution Authority) in the event of the failure of a systemically important firm to minimize risk to the firm’s retail customers and the financial system more widely.  In contrast to recovery planning it is a ‘gone concern’ concept focusing on steps that need to be taken once a firm has failed.  It is particularly relevant for firms whose size or interconnectedness with the rest of the financial system are such that their failure could have systemic consequences.  Conventional liquidation procedures may not be appropriate for such firms – particularly banks – and the use of special resolution powers, for example to effect a bail-in or to transfer critical functions, may be necessary.  As concerns increase to the point at which a firm’s future viability may be called into question, there will inevitably be increased focus on its resolvability (that is, the absence of impediments to an orderly resolution) as well as any potential issues in the triggering of the deposit, policy holder or investment compensation scheme.

Recovery plans seek to identify the steps that a firm will take to maintain its business and restore its financial health in the event of severe stress.  The firm should identify in advance a set of measures, agreed by the board, which would allow the firm to continue as a going concern.  This Note is not the place to go into the detail of recovery (or resolution) planning.[13]  The relevant points here however are: a) that all firms, even those whose risks are fully controlled and which currently present few risks, should have a recovery plan in place at all times; and b) the supervisory focus on the plan, specifically its plausibility and the ability of the firm to implement it, will inevitably increase as the level of concern increases.

Several supervisory bodies have found considerable value in setting out in some detail the generic relationship between the riskiness of firms (reflected in the level of supervisory concern) and the type of supervisory response this is likely to provoke[14].  An example of such an intervention schedule (which draws on, but is not identical to, those developed by supervisory bodies) is shown below.


Intervention schedules are of value in providing supervised firms with transparency and predictability regarding the types of actions that different levels of risk assessment are likely to provoke on the part of the supervisory body.  They also provide a useful framework for consistent decision making within the supervisory body itself.  There follow two examples of how such a schedule might be used in practice.

Firm A (continued)

In terms of the above schedule, Firm A is seen as Level 2.  It faces a number of risk issues which need to be addressed but there are no immediate concerns about its viability.

The remediation programme and monitoring would be as set out above.  In addition:

  • A detailed recovery programme was drawn up some time ago.  This will be kept under review, not in the expectation that it will need to be invoked as a result of the issues identified but to maintain a prudent state of readiness in anticipation of possible future stresses
  • The ability to effect an orderly run-off and transfer of business in the event of the firm’s failure would also be kept under review.  Though there seems to be no immediate prospect of the firm’s viability being called into question, any impediments to an orderly failure should be identified and addressed together with assurance regarding the firm’s ability to provide the necessary data to allow the policy holders compensation scheme to be mobilized expeditiously.

Alternative example: a medium sized bank (Bank 2)

A medium sized bank has a significant customer base though it is not judged to be systemically significant (it is not a DSIB). 

The bank has suffered serious and protracted credit problems as a result of ill-thought-through changes to its business model 3-5 years ago, which resulted in a sharp increase in credit risk that coincided with a weakening of its risk management and governance.

Non-performing loans have consistently turned out to be worse than expected, a problem which has been exacerbated by an economic downturn in the sectors to which it is most exposed.  Despite repeated interventions from the supervisory body the bank has failed to get a grip on the monitoring and control of credit.  The Risk function has been shown to be ineffective and the Board has failed to exercise its responsibilities effectively.

The bank is finding it increasingly difficult to fund itself, either at a retail level or in the wholesale markets.  Persistent losses have eroded its capital position so that it is now approaching its regulatory minimum.  It is not clear how it would raise new capital.

On this basis, the firm is judged to be at Level 4.  It poses a number of serious risk issues which need to be addressed as a matter of urgency.  If this does not happen, concerns would arise about the firm’s viability and survival.  Supervisors therefore insist on implementation of its recovery plan.  This involves:

  • Restructuring of the board and senior management – specifically the replacement of the CEO, the Head of Credit and two board members with others with proven ability in credit risk management
  • An urgent review of the credit book to establish the scope for segregating non-performing loans from performing ones and for selling off profitable parts of the book
  • The sale of two other non-core but profitable business lines – wealth management and correspondent banking – to bolster the capital position
  • The acquisition of an agreed stock of highly liquid assets to strengthen the liquidity position

The Resolution Authority will also undertake a review of the resolution plan for the firm, seeking to identify the most appropriate mechanisms (liquidation or resolution) to ensure that any potential insolvency creates a minimum of instability.  It will also seek to identify any impediments to an orderly closure.  Together with the Compensation Scheme, an assessment will also be made of the database of potential claimants to ensure that the Scheme can be mobilized expeditiously if required.

Monitoring and interim reviews

Having decided on the supervisory programme, it is necessary to make decisions about how it will be monitored: how intensive the supervisory engagement will be, and what reporting will be required from the firm.  Once again, there is a spectrum of possibilities here:

  • If the approach being followed is largely a compliance-based one, the question is simply ‘has the firm taken the necessary measures to ensure that it complies with the requirements?’ This is a relatively binary decision.  The supervisory body then needs to decide whether to check compliance directly (that is, itself or through a credible third party) or rely on some form of assurance from the firm.   These options are discussed further below.
  • If the approach is more focused on remediation and cooperation, judgements about whether risk has been appropriately mitigated are more complex and nuanced. The supervisory body again faces the decision of whether to check implementation directly (itself or drawing on the work of a credible third party) or rely on information and assurances by the firm.  As noted in earlier Notes on RBS it is important to draw a distinction between the implementation of measures and their effectiveness[15].  It is relatively straightforward to check that a firm has made changes to its structures or processes but much more challenging to assess how effective these changes are in practice.

The issues can be summarized in the table below (columns: supervisory approach; example of issue; supervisory outcome; issues in assessment).

1   Compliance based
    Example of issue: Firm does not undertake adequate AML checks on customers
    Supervisory outcome: Firm can demonstrate that it undertakes adequate AML checks on customers
    Issues in assessment: Straightforward to assess processes.  May be more challenging to assess effectiveness.  Decision: confirmation that processes are in place or direct verification of effectiveness (may be relatively resource intensive)

2   Remediation based – straightforward issue
    Example of issue: Firm does not collect and analyse enterprise-wide data on operational risk
    Supervisory outcome: Firm can demonstrate that it collects, analyses and reports this data internally as part of enterprise-wide risk management
    Issues in assessment: Relatively straightforward to assess whether adequate measures are in place, though some supervisory judgement is required.  More challenging to assess effectiveness; this may prove resource intensive

3   Remediation based – more complex issue
    Example of issue: Audit Committee does not function or challenge senior management effectively
    Supervisory outcome: Audit Committee comprised of qualified individuals who understand their role in the firm’s governance and carry this out effectively
    Issues in assessment: Straightforward to identify improved structures.  Much more challenging to assess effectiveness; likely to prove highly resource intensive

There exists a variety of ways in which supervisors can satisfy themselves that the necessary remedial measures have been implemented, though this is not the same as ensuring that they are effective.  Assessing effectiveness is in general a more challenging task.  There are three broad approaches to monitoring and checking progress:

  • Direct checking/monitoring by the supervisor. This gives a high level of reassurance but may be relatively resource intensive.  It should not be assumed that full, on-site verification is necessarily the best or only way to check on remediation in all cases.  Consistent with the principles of RBS, this should be reserved for relatively high-risk issues/institutions and there should be no presumption that direct checking and monitoring is always the answer.
  • Reliance on the work of third parties. Supervisors will often rely on the work of third-party experts such as auditors, reporting accountants and actuaries to report on implementation of remedial measures and their effectiveness (such third parties can also sometimes be used as part of the risk assessment process).  In this case the supervisory body is effectively outsourcing or delegating the monitoring/checking function, albeit to bodies which should be able to demonstrate both their competence and their familiarity with industry sound practices[16].
  • Reliance on the firm itself. Such reliance may take several forms:
    • The firm confirms that it has taken the agreed measures. This might be sufficient and appropriate where the link between the measure and its likely effectiveness is fairly direct and where the firm/issue are relatively low risk.  An example would be a small firm which is required to appoint an MLRO.  If it credibly reports having done so and can show that the individual appointed is qualified for the role, there can be a reasonable presumption that the risk of money laundering will be reduced and no further checking may be required.
    • The firm might be required, either in writing or as part of an on-site visit, to furnish evidence of the remedial measures having proved effective.  As noted, measuring effectiveness is not always easy and requiring the firm to provide this evidence is a good test of how they themselves make this assessment.  They might for example be able to report (documented) evidence of fewer instances of non-compliance with limits, fewer operational problems, better and more focused board challenge and so on.
    • The firm may be required formally to attest that it has taken the necessary measures. The CEO may be required to supply a letter formally stating that specific measures have been taken.  This underlines the key issue that remediation is the responsibility of senior management, and there would be an understanding in such cases that if the attestation is subsequently found to have been false or unfounded, serious consequences will follow[17].


Approaches to monitoring/verification

  • Direct checking by supervisor: on-site work, or use of standard or enhanced reporting
    • Supervisors go on-site to check that measures have been implemented
    • Firm confirms in writing that measures have been implemented
  • Use of external experts (audit firms; consultants; actuarial specialists) to assess implementation and effectiveness
    • External auditors required to report on firm’s implementation of processes in accordance with industry sound practice and effectiveness of these
    • Supervisory body can have a major role in scoping the report
  • Regular reporting by firm on implementation of measures
    • Firm reports monthly or quarterly on implementation
    • Firm may be asked additionally to provide evidence of improved outcomes
  • Reliance on firm in respect of effectiveness: reasonable confidence that if firm has implemented measures, risk is likely to be mitigated; or firm has demonstrated understanding of risk issues and wish to rectify these – judicious reliance is warranted
    • Firm has implemented rigorous and foolproof AML checks.  High likelihood that these will prove effective – limited value in independent check of effectiveness
    • Firm has demonstrated open and cooperative attitude and understanding of importance of effective remediation.  It confirms that remediation has taken place and is effective
  • Attestation by firm that measures have been implemented
    • Firm senior management report in writing that measures have been implemented
    • Understanding that incorrect or misleading attestation would likely lead to enforcement action


The choice of approach to monitoring and verification should be governed by considerations of risk and cost effectiveness as well as the extent to which it is judged that reliance can reasonably be placed on the firm.  The question should be ‘which approach is likely to give an acceptable level of reassurance with an acceptable level of cost?’ bearing in mind that supervisory time and resource is limited and needs to be allocated in the most efficient way.

Some supervisory bodies also find it useful to have interim reviews of supervisory programmes at fixed periods such as annually.  The purpose of these is not to undertake a complete re-evaluation of risk but to check that the risk assessment continues to look broadly correct (in the light of any factors which might have caused it to change – see Section 6) and that the agreed supervisory programme remains appropriate and on track.  Such reviews will usually involve the senior management responsible for the supervisory team concerned and sometimes an internal panel.

A further decision for supervisory bodies is the frequency with which full risk assessments should be undertaken and the supervisory programme renewed or revised.  In terms of the diagram on page 5 this is in effect the length of the cycle.  This will depend to some extent on the resources available to the supervisory body and its risk tolerance.  In principle, however, the decision should be risk based.  Those firms which pose the highest risks – because of their impact and/or the likelihood of risks crystallising – should be subject to the most frequent review.  The period involved might be as short as a year and is unlikely to be longer than 2 years.  Lower risk firms will be reviewed less frequently, though it will prove hard to maintain continuity of supervisory oversight if the period is longer than, say, 3-5 years.


Firm A (continued)

As agreed, the firm will send monthly progress reports to the supervisory body detailing progress on the three projects it is undertaking (controls and incentives in the sales process, Internal Audit and improved credit risk monitoring).  In addition:

  • The supervisory team will hold a meeting with the Head of Internal Audit and the Chair of the Audit Committee to review progress in six months. 
  • The supervisory body’s specialist credit risk team will undertake one-day visits in 3 months and again in 6 months to assess progress with the reinsurance project
  • The firm will be required to submit reports detailing the improvements to its sales processes in 6 months and again in 12 months, including evidence (such as reduced customer complaints) that it is proving effective.

The supervisory body has a policy of conducting interim, relatively high-level reviews of all supervisory programmes approximately annually.  Panels are conducted, consisting of members of the senior management of the supervisory body and other supervisory teams.  The supervisory team makes a presentation containing a progress report on the remedial measures and their impact in reducing risk, together with confirmation that the principal inherent or business risks facing the firm have not changed.  A panel may deal with three to four interim reviews of medium sized firms like Firm A in a single meeting. 

It has been agreed that the length of the supervisory cycle for Firm A – that is, the period between full risk assessments and renewal of the supervisory programme – should be 30 months.  For systemic firms it is 12-24 months and for the lowest impact ones it can be up to four years.

Alternative example: medium sized broker (Broker 1).  Two contrasting approaches

A medium-sized investment broker has been found to have inadequate procedures for segregating client funds.  It is difficult to be certain but there appear to have been no direct losses to consumers as a result.   

Compliance/enforcement-based approach

  • The issue is largely a compliance one – there are clear rules on segregation of client funds so an enforcement-based approach could be judged to be straightforward and appropriate
  • The supervisory body assembles evidence to show that segregation was inadequate and that there was a significant possibility of customers losing money. It takes enforcement action based on this, seeking a fine of $2mn
  • The firm challenges the enforcement action on the basis of advice from its extensive complement of internal lawyers
  • The firm offers a settlement involving a ‘no blame’ public statement and a payment (categorized as compensation) of $1mn. This is rejected by the supervisory body
  • The dispute is taken to the Financial Services Tribunal and then to the High Court in the jurisdiction in question
  • After three years the case is resolved with a finding against the firm, which is required to pay the $2mn penalty and a public statement is issued. The case is found to have taken a total of 1.5 person years of supervisory time and to have cost the supervisor $0.8mn in legal costs (which it is unable to recover)

Cooperation/suasion approach

  • The firm, which values a cooperative approach, pro-actively notifies the supervisory body that the problem has been uncovered by its Internal Audit function
  • The firm’s senior management seek a meeting with the supervisory body to discuss remedial actions
  • The supervisory body judges that potential risks to consumers and to the firm itself (mainly via reputational damage) are such that an adjustment to the supervisory programme is warranted
  • The firm agrees to the following:
    • Immediately to put in place a segregated account into which all new customer funds will be placed
    • To undertake an urgent review of all existing client funds to establish which should be placed in the segregated account. The review will be completed and all qualifying funds migrated within six weeks
    • To train all staff on the importance of segregating client money and to put in place an in-house advisory mechanism available to any staff who may be unsure about the correct procedures
  • It is agreed that all of the measures will be in place within four months
  • Progress will be reported to the Board monthly until the remediation programme is complete. This reporting will also be provided to the supervisory body which will undertake at least one on-site visit to confirm progress within the next nine months.

The firm has traditionally been seen as having a strong and positive culture, and it is given credit in this case for reporting and seeking to remedy the issue in a timely and pro-active way.

Changes to supervisory programmes 

A supervisory programme was defined above as being a strategic, risk-based framework intended to guide the work of supervisors in relation to firms (or groups of firms) over a specific period.  This implies a degree of fixity – supervisors need to focus on the risks that matter most and aim to ensure that these are addressed in a systematic way without being constantly deflected by day-to-day matters.  At the same time, however, it needs to be recognized that risks change over time.  This may be because previously undiscovered risks crystallise or come to light; the firm undergoes significant changes in terms of its business plans; it loses key control staff; or the environment within which it operates changes.  Such changes in risk cannot be ignored.

The dilemma for supervisors is how to make supervisory programmes sufficiently stable to allow risks to be addressed in a systematic, strategic way but also to permit sufficient flexibility to take account of significant new (or newly identified) risks as they emerge. 

Ultimately this has to be a matter for supervisors’ judgement.  It is however possible to provide elements of a framework to allow judgement to be exercised in these circumstances.

  • Where new risks emerge (or existing ones are newly identified) supervisors need to assess these using the principles that support the risk-based framework. The key questions are ‘how likely is it that these risks will threaten the achievement of our supervisory objectives?’ and ‘how much would it matter if they were to crystallise?’  The fact that a risk has newly emerged or just been identified does not in itself make it a high priority.  This needs to be assessed carefully.
  • Where such newly identified risks are judged to warrant supervisory intervention which was not envisaged in the original programme, this should be discussed and agreed using the normal referral/escalation procedures within the supervisory area concerned. The proposed intervention and the rationale for it should be fully documented.
  • If the changes are of a scale which is judged fundamentally to alter the risk profile of the firm, there may, exceptionally, be a case for revisiting the supervisory assessment and programme. This might be appropriate for example if the firm is taken over or undergoes a merger; it completely changes its business model or strategy; it loses a number of key management or control staff; or if previously unsuspected risks emerge which fundamentally change its perceived riskiness (for example a major fraud is uncovered).
  • Where a case can (exceptionally) be made that a fundamental re-evaluation is warranted, this should involve the full set of processes that would normally accompany the development and agreement of a programme, including reference to the internal panel.

Firm A (continued)

Nine months into the supervisory programme Firm A informs the supervisory body that it is in discussions concerning the possible purchase of a health insurance business which has previously been a business unit of a rival firm.  The new business would represent around 10 percent of the balance sheet of the expanded Firm A and would represent a significant new business departure. 

Having kept the supervisory body apprised of developments throughout, the purchase goes ahead six weeks later.  A project team is set up in Firm A to handle the integration of the new business, its controls and management and the migrating staff. 

After careful consideration, the supervisory team for Firm A concludes the following:

  • The new business was assessed a year ago as part of the supervision of the vendor firm.  It was not regarded at that time as having high inherent risk and there is no reason to think that this will change now that Firm A has acquired it
  • While the acquisition is clearly important to Firm A it does not represent a fundamental change of strategy.  It is important but not critical to the future of Firm A
  • The project team handling the consequences of the acquisition appears to be well focused, adequately resourced and has demanding but feasible time lines
  • In view of this there is judged to be no call for a complete reassessment of Firm A’s risk profile
  • The acquisition however will be added to the risk matrix as a new and separate Area of Focus rated, initially at least, as MH
  • The supervisory programme will be adjusted to take on board regular updates and meetings with key staff concerning the progress of the integration of the new business
  • The recovery plan will be updated to take account of the new business

This approach is put to the panel undertaking the interim review (due around two months after the acquisition) who agree with it.

Alternative example – fraud at a major bank (Bank 3)

A second-tier retail bank is judged to be high impact and potentially systemic by virtue of the size of its customer base and interconnectedness with the rest of the financial system.  It underwent a risk assessment just over one year ago.  Its overall net risk was rated as ML.  A supervisory programme was put in place to address a number of issues, none of them judged critical.

A major fraud has recently been uncovered in one of its trading departments. 

  • The losses (which are largely unrecoverable) have had a significant impact both on the bank’s P&L and its capital, though it remains a little way above its regulatory minima
  • The controls in the trading area concerned have been shown to have been largely ineffective
  • Senior management were slow to alert both the board and the supervisory body to the fraud, initially believing (wrongly) that it could be contained and some of the loss-making positions reversed
  • Internal Audit had identified control weaknesses in the relevant area eight months earlier. Its recommendations for improvements had not been acted upon
  • The MI provided to the Board did not allow it clearly to identify the potential fraud or the losses that eventually crystallised. There is no record of the Board ever having questioned the bank’s trading philosophy or the adequacy of the controls in its trading areas
  • The fraud has become publicly known, generating significant publicity and reputational damage. The bank is at risk of being downgraded by the ratings agencies.

The supervisory body, having considered all the facts, concluded the following:

  • The bank will be required to increase its capital under Pillar 2. Its minimum required capital ratio will be increased to a higher level than previously, reflecting the higher level of risk that has been exposed by the fraud
  • The shortcomings that have been revealed – in the bank’s business model, its senior management, its internal controls, Internal Audit and the Board – are pervasive. For this reason, it is decided that a fundamental reassessment of its risk is needed
  • The priority is for the bank’s management to restore its capital – drawing on elements of its recovery plan – and to put in place controls to prevent any recurrence of fraudulent activity
  • This will take place over the next three months and will be continuously monitored by the supervisory body with written reports and meetings every two weeks with senior management
  • The new risk assessment will take place in tandem with these changes

A panel consisting of senior staff of the supervisory body and other supervisory teams has agreed this approach and will consider the new risk assessment in due course.

Concluding Comments

This Note has focused on turning risk assessments into supervisory actions and programmes within a risk-based framework.  There are legitimate differences among supervisory bodies on the style and approach to supervision and, consistent with RBS principles, supervisory priorities and approaches to remediation will vary according to the type, riskiness and impact of the firms involved.  In all cases however, transparency and communication with the supervised firm are paramount considerations.  Firms must be in no doubt as to what supervisors see as the most significant areas of risk and the steps that they need to take to address these.

A number of supervisors also choose to set out in some detail the generic link between risk assessments and the kinds of supervisory actions that firms can expect.  This highlights the importance of both recovery and (where necessary) resolution planning alongside more traditional supervisory activities. 

As with all other aspects of RBS, the development and implementation of supervisory programmes needs to be forward looking and judgement based, whilst retaining sufficient flexibility to deal with significant changes in risk profiles as they arise.


LifeCo is a major life insurance company. It is rated as high impact and on the basis of a recent supervisory assessment its overall net risk rating was Medium High.  The three main risk areas to be addressed in the supervisory programme were identified as being:

  • Shortcomings in AML controls in its take-on of customers
    • The individual undertaking the function of MLRO was under-qualified for the role, had other responsibilities and was unable to devote sufficient time to it
    • There had been particular weaknesses in the checks applied to purchasers of long term savings products over the past 12 months
  • Weakness in Risk Management
    • The RM function is under resourced
    • There were questions about the independence of the Chief Risk Officer
    • The firm was unable to demonstrate that the RM function had a grip of enterprise-wide risks and was able to report on these effectively to the board
  • Weakness in corporate governance
    • Several board members lacked training and experience in insurance risk
    • There was no evidence of the Board having a meaningful risk appetite framework or of its decision-making taking account of any such framework
  • Compensation structures that encouraged excessive risk taking
    • The remuneration of the sales force contains a substantial element of commission
    • There was evidence of this providing incentives to mis-selling (though no evidence that this has been widespread to date) while providing no reward for compliance with internal rules and standards

The firm has traditionally been open and cooperative in its relationship with the supervisor.  It alerted the supervisor to the need (and its intention) to strengthen AML procedures and was receptive to the findings of other shortcomings revealed by the supervisory assessment and willing to address these.

The rating and priority areas for remediation were discussed and agreed by an internal panel in the supervisory body.  They were communicated by letter to the CEO and Board of the company.  On the basis of their reply and a subsequent meeting with the supervisory team the following programme was drawn up.  [To clarify the timings it is assumed that the programme is drawn up at the beginning of month 1 so that an action to be completed in, say, six months will be shown as having a deadline of month 6 (M6)].

Elements of a more detailed supervisory programme (Life Company)

The programme is set out below by risk area under three headings: remedial action, timescale (M3 = after 3 months etc) and monitoring arrangements.

Weaknesses in AML arrangements

  • Remedial action
    • Appointment of full time MLRO with suitable experience and qualifications
    • Strengthening of AML checks applied to all purchasers of savings products
    • Retrospective AML checks on all purchasers of savings products over the past 18 months
  • Timescale
    • Within 4 months (M4)
    • New procedures to be introduced and applied within 4 weeks (M1)
    • Retrospective review to be completed within 6 months (M6)
  • Monitoring arrangements
    • Monthly progress reports to supervisor
    • Written confirmation when new procedures are in place
    • 3 month report on progress (M3).  Full report plus remedial action to be sent to supervisor on completion of review (M6)

Weakness in Risk Management

  • Remedial action
    • Recruitment of 2 additional, suitably qualified, members of RM team
    • Review of CRO reporting lines – CRO and CEO to agree a de facto ‘contract’ setting out the independence of the CRO, including direct access to the Board
    • Review of Risk Department’s approach to monitoring, analyzing and reporting on risk at enterprise-wide level, involving external advisers drawing on industry sound practice
    • Implementation of recommendations from review
  • Timescale
    • Within 5 months (M5)
    • To be completed and agreed by the Board within two months (M2)
    • Appointment of external advisers within two months (M2)
    • Completion of the review within three months of appointment (M5)
    • Internal action plan based on review findings (M6).  Agreed by Board and implemented within 6 months of receipt of external review (M11)
  • Monitoring arrangements
    • Report to supervisor once team is up to strength
    • Supervisor to be apprised of new arrangements once agreed by the Board
    • Meeting with advisers to discuss their draft report (around M4)
    • Supervisor to be sent copy of the final report
    • Action plan to be sent to supervisor (M6)
    • Supervisor to be notified once implementation has taken place (M11)
    • Meeting with CRO and CEO to discuss new arrangements

Weakness in Corporate Governance

  • Remedial action
    • External review of Board effectiveness, including Board members’ experience and qualifications, undertaken by suitably qualified external consultancy
    • CEO and Board chair to draw up a plan to strengthen governance on the basis of the consultancy report
    • Risk Management Department, drawing on outside expertise and industry sound practice, to work with the Head of the Board Risk Committee to draw up and agree a risk appetite statement and make the necessary changes to MI
  • Timescale
    • Review completed within four months (M4)
    • Management/Board plan to be completed within two months of receipt of consultant’s report (M6)
    • Change plan to be completed within 9 months (M15)
    • Draft risk appetite statement to be drawn up within three months (M3)
    • Agreed by Board and implemented (with necessary MI etc) within six months (M9)
  • Monitoring arrangements
    • Supervisor to receive final report (M4)
    • Meeting with management and Board chair to discuss likely changes (around M5)
    • Supervisor sent final plan (M6)
    • Quarterly review of implementation of change plan (M9, M12)
    • Review of strengthened arrangements six months after implementation (M21) involving on-site work or external review (to be decided)
    • Meeting with CRO to discuss progress (around M6)
    • Supervisor to receive risk appetite statement and be apprised of arrangements for monitoring etc (M9)

Compensation arrangements

  • Remedial action
    • Executive Committee, working with Head of HR, to undertake a review of remuneration structures firm-wide, drawing on FSB and other regulatory guidance on sound practice
    • Recommend proposed changes to the Board
    • Implement changes to deter excessive risk taking and encourage positive compliance culture
  • Timescale
    • Recommendations within 3 months (M3)
    • Implementation to coincide with beginning of next budget year in 8 months (M8)
  • Monitoring arrangements
    • Supervisor to be apprised of new arrangements (M3)
    • Supervisor to review operation of new arrangements (around M12)



Key References

Australian Prudential Regulation Authority. Supervisory Oversight and Response System. April 2017. https://www.apra.gov.au/sites/default/files/attachments/0417-soars-guide.pdf

Central Bank of Ireland. PRISM Explained - How the Central Bank of Ireland is Implementing Risk-Based Regulation. February 2016. https://www.centralbank.ie/regulation/how-we-regulate/supervision/prism

Office of the Superintendent of Financial Institutions Canada. Guide to Intervention for Federally Regulated Deposit Taking Institutions. 2008. http://www.osfi-bsif.gc.ca/Eng/Docs/Guide_Int.pdf

Prudential Regulation Authority (UK). The Prudential Regulation Authority’s Approach to Banking Supervision. October 2018. https://www.bankofengland.co.uk/-/media/boe/files/prudential-regulation/approach/banking-approach-2018.pdf?la=en&hash=3445FD6B39A2576ACCE8B4F9692B05EE04D0CFE3

Prudential Regulation Authority (UK). The Prudential Regulation Authority’s Approach to Insurance Supervision. October 2018.


Toronto Centre Notes

Risk Based Supervision March 2018 https://www.torontocentre.org/index.php?option=com_content&view=article&id=82:risk-based-supervision&catid=10&Itemid=101

Implementing Risk Based Supervision: a Guide for Senior Managers July 2018 https://www.torontocentre.org/index.php?option=com_content&view=article&id=84:implementing-risk-based-supervision-a-guide-for-senior-managers&catid=10&Itemid=99

The Development and Use of Risk Based Assessment Frameworks January 2019 https://www.torontocentre.org/index.php?option=com_content&view=article&id=86:the-development-and-use-of-risk-based-assessment-frameworks&catid=10&Itemid=99


[1] This Note was prepared by Paul Wright on behalf of the Toronto Centre

[2] Risk Based Supervision: TC Note March 2018 (RBS1)

[3] Implementing Risk Based Supervision: A Guide For Senior Managers: TC Note July 2018 (RBS2)

[4] The Development and Use of Risk Based Assessment Frameworks: TC Note January 2019 (RBS3)

[5] RBS3

[6] See for example RBS2 (July 2018) page 11

[7] As discussed in the earlier TC Notes it often makes sense to look at groups of small firms as part of horizontal or thematic work.  See for example RBS1 page 11

[8] RBS1 page 4

[9] RBS3 page 2

[10] For an explanation see RBS3 page 20

[11] See RBS1 page 19

[12] See RBS3 page 22

[13] There is some discussion of this in RBS3 page 29

[14] See for example Australia (APRA’s) Supervisory Oversight and Response System (SOARS); Canada (OSFI’s) Staging approach and the UK (PRA’s) Proactive Intervention Framework (PIF).  For more details see the references at the end of this Note.

[15] This is discussed in RBS page 15

[16] Many countries have a provision in their legislation whereby the report is formally commissioned by the firm which pays for it and formally owns it, even though the supervisor may require the report to be produced, have a large input into its scope and full access to the final report.

[17] There is an important principle of attestation that the cost (in terms of penalties) to an individual found giving a false attestation needs to be greater than the harm that may otherwise ensue to them from doing so.  It is plausible to imagine a sanction which would deter a CEO from falsely attesting that a firm’s IT system has been improved.  It is harder to imagine one which would deter a CEO from concealing a fraud which may threaten the viability of the firm and, if uncovered, lead to the CEO being imprisoned.