Risk-Based Supervision
Friday, Mar 30, 2018

Even in jurisdictions with relatively simple financial systems, there can be a large number of firms of different sizes undertaking a range of activities with complex operations.  Supervisors on the other hand are resource constrained, requiring them to prioritize rigorously. Risk-based supervision (RBS) increases the effectiveness of supervision through improving supervisory outcomes whilst also increasing efficiency through improved resource allocation and processes. It involves allocating resources to the areas of greatest risk. Risks are not eliminated under RBS, but supervisors are able to address them in the most efficient and effective way in pursuing their objectives. This document describes the principal features of RBS and sets out a number of the main operational and managerial issues that supervisors encounter when moving to a risk-based framework.

Most supervisory bodies are required to meet objectives that are typically set out in statute. These objectives usually focus on the protection of users of financial services, the maintenance of financial stability and the prevention of financial crime. Detailed objectives vary from country to country and, where a country has more than one supervisory body, from supervisor to supervisor. RBS needs to reflect these differences in objectives, and the risks to achieving them.

Characteristics of Risk-Based Supervision

RBS is fundamentally different from compliance-based approaches that focus largely on the extent to which firms adhere to rules, requirements and directives, often involving a rigid on-site inspection schedule and penalties for non-compliance. RBS by contrast is largely outcomes and principles based. It seeks to assess, from a forward-looking perspective and making extensive use of judgement, the most important prudential and conduct risks posed by firms to supervisory objectives and the extent to which firms are able to manage and contain these. RBS has a number of defining characteristics which distinguish it from other approaches.

Risks are addressed in a systematic manner giving priority to what matters most.

  • The focus in RBS is on the most important risks. That is to say those risks which, were they to crystallize, would have the greatest detrimental impact in terms of the supervisor’s objectives. These are outcomes which would, for example, cause maximum damage to users of financial services or create serious financial instability. Such outcomes will usually be linked to the firm’s own well-being. Risk-based supervision considers a combination of the impact that crystallization of risks would have and the likelihood that this will occur. The very highest impact firms and activities will be those which are judged to be a potential source of systemic risk in that failure would result in extensive losses to consumers, a wider economic impact and costs extending beyond those directly accruing to the owners of the firms concerned.

Chart A: Likelihood and Impact

  • RBS requires the assessment and consistent grading or scoring of institutions and issues, usually on a matrix or scoresheet (an example is shown in Chart E). This provides a useful aid to structured thought and a consistent basis for comparing institutions, groups of institutions or markets/sectors in assessing comparative risk and in prioritizing.
  • RBS recognizes that risks can originate from a variety of sources and that it is necessary to take a broad perspective. Risks arising in the wider economy (macroeconomic) or at an industry or sector-wide level (macroprudential) need to be considered alongside firm-specific ones. Firms cannot directly control these wider issues, but they have potential implications for their risk profiles. They need to be recognized and their consequences managed.

Chart B: Wider Context for Supervision

Risk-based supervision is dynamic and forward-looking. It allows risks to be identified and addressed early.

  • Some supervisory scoring systems provide an essentially ‘static’ view of risks in firms, focusing only on areas of risk, the adequacy of risk management and of financial strength today. In contrast, RBS seeks to identify emerging areas of risk and the adequacy of management and financial resources to address these. This, in turn, supports early intervention by supervisors aimed at heading off emerging risks before they become serious.
  • This forward-looking approach provides the basis for an effective dialogue with supervised firms. Well-run firms should have a similar risk-based focus so that the adoption of RBS by the supervisor will allow greater alignment of approaches and permit a richer discussion of the things that matter. Firms’ and supervisors’ views of the most relevant risks will inevitably diverge at times but having a risk-based focus will greatly facilitate dialogue around this. In some cases, the adoption of RBS by the supervisor will itself encourage firms to adopt an improved risk focus, recognizing the importance of this to their own sound management.
  • The adoption of a dynamic, forward looking approach allows supervisors to assess the effectiveness of their interventions and to adjust these if necessary. More narrow compliance-based approaches may involve a fixed schedule of firm visits to undertake compliance checks which is relatively invariant to perceived risks. RBS, by contrast, is a dynamic and continuous process that involves planning, risk assessment, execution of the supervisory programme and regular monitoring and evaluation on a risk-based cycle. While the intensity of the processes involved will depend on the impact and risk of the firm(s) concerned, this cycle is a feature of all risk-based supervision. 
  • In practice, continuous supervision is likely to be suitable (and possible) only for the largest, highest impact firms. However, the assessment of past actions and a forward-looking assessment of risk are important aspects of RBS and should apply to all firms. This requires specific approaches for smaller firms; one such approach is discussed in section 4 below.

Chart C: Continuous/Dynamic Nature of RBS

Note: frequency and intensity of actions will reflect assessed impact/risk

2.3 Risk-based supervision supports improved decision making and the most effective use of scarce supervisory resources.

  • All supervisors have to prioritize and many would already claim to do so on the basis of risk. RBS however provides a systematic and rigorous foundation for this. Firms and issues are classified on a consistent basis so that a particular rating (for example that a particular activity or business line is ‘medium high’ risk) has a specific meaning which is commonly understood throughout the supervisory body. Mechanisms for promoting and supporting such consistency are discussed further in section 6 below.

Box 1: Illustrative definitions of ratings for inherent risk

  • Some supervisory bodies have responsibility for more than one sector. They may, for example, have responsibility for banking and insurance, others for insurance and pensions. Risk-based approaches are applicable to all sectors – albeit with some necessary changes to the details of the frameworks. Properly applied, RBS provides a basis for assessing comparative risks across as well as within sectors.
  • RBS provides a rigorous basis for the allocation of scarce resources. In providing a common framework for assessing risk in the context of supervisors’ given objectives, it creates a sound analytical basis for the principle that resources will be allocated to the areas of greatest risk.
  • Many supervisors use RBS to formulate ‘baseline’ allocations of staff resources to firms posing different levels of risk. In practice, the main driver of perceived risk in formulating the baselines will often be impact. A starting expectation may, for example, be that a large, high impact firm will require an input of X person-years regardless of the likelihood of risks materializing, while a small, low risk one may warrant an input of only Y person-days. Such estimates should however be regarded as minima to be adjusted on the basis of the specific risks attaching to individual firms (and hence the required intensity of supervision), experience over time and management decisions. Supervisory bodies need to stand ready to devote resources beyond the baseline levels to firms, including smaller ones, that are assessed as being high risk. To address adequately the risks to consumers who deal with the smallest firms, supervisory bodies need to put in place strategies to ensure that the total resource devoted to them is deployed in the most efficient way possible (4.1 below). Although they can be no more than starting points, baselines are nevertheless valuable in creating expectations about broad patterns of resource allocation and hence as an input to management planning.

Box 2: Illustrative staff allocation by impact category

Source: Central Bank of Ireland: ‘PRISM explained’ – February 2016

Note: the figures given were tentative/illustrative and subject to revision

RBS is not confined to firm-facing supervision.

The principles of RBS can be applied to processes such as authorization/licensing and enforcement as well as firm-facing supervision. All of these activities entail risks: new firms posing high levels of risk to the supervisory body’s objectives may seek licenses, or questions may arise about the most effective use of limited resources on enforcement issues. Supervisory bodies for example need to weigh the costs and benefits of deploying their limited enforcement resources in high impact cases against the potential demonstration effect of using enforcement to address issues in smaller firms. Similar issues may arise in the assessment of the adequacy of prospectuses/offer documents. While this note is concerned principally with firm-facing supervision, the principles of RBS are applicable to these wider areas.

Principles of Risk-Based Supervision

The precise application of RBS will – and should – vary from supervisory body to supervisory body depending on their specific objectives and the characteristics of their financial system.  There are however a number of principles which are ‘universal’ in that they underpin RBS wherever it is operated.

As discussed below (Section 8) other, less risk-based supervisory approaches may be appropriate for some businesses and activities and can exist alongside RBS. Where RBS is applied, however, it needs to be consistent in its application. Firms will be dealt with in a differentiated manner, receiving different amounts of supervisory attention depending on their impact and the risks they pose and not all risks will be addressed in all firms. But decisions about these matters must be taken on a consistent and systematic basis.

RBS needs to take account of relevant information both from within and outside of the supervisory body. This will include (but is not confined to):

  • Information about the wider economy which may have a bearing on risk (Chart B). For example, a change in the interest rate environment will have an impact on savings behaviour or returns on assets held by life insurers. Supervisory bodies do not normally undertake their own macroeconomic analysis; it is necessary for them to identify the best source for this, which will often be the central bank.
  • Intelligence regarding the wider industry or sector (Chart B). A widespread change in lending practices for example will affect credit risks in banks or a ‘search for yield’ in a low interest rate environment will affect investment preferences. Supervisory bodies may have in-house facilities for monitoring these kinds of macroprudential risks. If not, they need to identify the best source of this information. Macroeconomic and macroprudential information will be directly relevant to the supervision of the largest firms. For smaller ones it may figure less directly but will still form part of the wider context within which risks, perhaps for categories of firms, should be assessed.
  • Supervisory information about the wider financial group of which the firm may form a part. A bank or insurer in one jurisdiction may, for example, be part of an international group, in which case information exchange with other national supervisors, often in the form of a college, will be essential to arrive at a coherent picture of risk. The bank or insurer may also form part of a domestic conglomerate, parts of which are supervised by other agencies within the jurisdiction. Here too information exchange will be critical if risks are to be fully understood and addressed. This illustrates the paramount importance of consolidated supervision of groups which have international or cross-sectoral activities.

In order to be effective, RBS depends heavily on the application of an agreed framework supported by the appropriate infrastructure. RBS will not be effective if it is applied partially or inconsistently. More details of the framework are provided in section 4 below.  Broadly, however, this means:

  • The use of a common framework throughout the organization. This consists of the tools, documentation and decision-making processes that support RBS along with the approach to assessing and acting upon identified risks. The specific risks that need to be assessed will differ across sectors – as between banks, insurance firms and pension funds, for example. There nevertheless needs to be general agreement on, and acceptance of, such a comprehensive framework which conforms to risk-based principles and whose details are tailored to the needs of the supervisory body, the risk characteristics of different sectors and the specifics of the financial institutions in the jurisdiction. The framework should be ‘owned’ by a designated group of staff with the authority to ensure that it is applied consistently throughout the supervisory body.
  • Front line supervisors need to be clear about what is expected of them in terms of the time they will allocate to firms, the balance between on- and off-site work and the tools available to them. It is particularly important that they are supported in their use of risk-based judgement.
  • Supervisors need to be provided with clear guidance and assessment criteria for the operation of RBS. This should not take the form of rigid templates but guides to decision making which will assist staff in assessing business or inherent risks, making consistent use of ratings and in forming judgements about the adequacy of controls, management and governance. RBS is, above all, a judgement-based framework and staff need to have extensive support to enable them to make sound and consistent assessments. It needs to be made clear that where supervisors have followed agreed processes and made reasonable decisions on the basis of the information available to them, they will be supported even where risks crystallize and things subsequently go wrong. 

Box 3: Example of Guidance Note (sometimes called a ‘risk card’) – assessment criteria for supervisors

Example – Internal Audit

  • The issue of consistency is a serious challenge for supervisory systems based predominantly on judgement and the application of principles. It is inevitable that, absent mechanisms to promote consistency, different supervisors will assess and rate risks differently and make a range of judgements about the appropriate responses. The guidance referred to above is one important mechanism to promote consistency. It needs to be supplemented with oversight and quality control mechanisms which enable peers and managers to review assessments and decisions in order to ensure consistency of approach. These include supervisory panels (see section 6.2 below).
  • The systematic collection of information on matters such as the allocation of staff resources, the use of tools and the evolution of firms’ risk profiles also represents an invaluable source of management information. This allows the management of the supervisory body to have an overview of whether its objectives are being pursued in the most efficient and effective manner.

A key feature of RBS is that it is forward looking. Some ratings-based approaches have the disadvantage that they are capable of providing only a ‘point in time’ assessment of risks today. An important principle of RBS is that, conducted effectively, it is capable of identifying risks at an early stage so that the necessary remediation can be undertaken before these can crystallize and cause damage. Such a forward-looking approach aims to address the following questions:

  • How are the risks to the business (or in some cases, the financial system) likely to develop, taking into account such factors as the wider economy, trends in the wider sector or industry, and the strategy and business model of the firm?
  • Are the controls, management and governance of the firm sufficiently robust to ensure that these risks can be managed?
  • Are the financial resources of the firm sufficient today and will they remain so for the foreseeable future?

Depending on the assessment of these issues:

  • What remedial action is the firm required to take to ensure that the level of (net) risk it poses is acceptable both now and in the future?

Supervisors should always aim to ensure that their actions are proportionate. This is one of the key elements of RBS – risks are classified according to their importance to supervisory objectives, which allows resources to be allocated appropriately and remedial action to be proportionate to the risk identified.

Above all, RBS is concerned with outcomes. Compliance-based regimes typically focus narrowly on specifying rules or directives and assessing compliance with these. The emphasis on after-the-fact compliance sometimes results in particular prominence being given to sanctions or punishment for transgressions. Whilst RBS can be used to address both prudential and conduct risks, and enforcement has a role in underpinning it, the focus is more broadly on the promotion of good outcomes (such as ensuring that customers are treated fairly) and the avoidance of bad ones (such as losses to users of financial services resulting from firm failures). Risk is assessed in this broad context and remedial tools are more often used pre-emptively to promote desired outcomes. This is a more challenging approach than a purely compliance-based one, but it is better able to identify and address a broader range of risks in a timely way.

Risk-Based Processes

The precise way in which RBS is conducted can (and should) vary among different supervisory bodies. It is important that the detailed mechanisms adopted are attuned to the objectives and capabilities of the body and the characteristics of the financial system in the jurisdiction in which it operates. It is important that, in adopting a risk-based approach, supervisory bodies devote time and thought to what will work in their jurisdiction rather than merely importing a framework that has been developed elsewhere. 

Against this background however it is possible to identify a number of processes and mechanisms which need to feature in any risk-based framework.

Development of a framework for assessing impact. As noted earlier, there are two dimensions of risk – the impact of adverse outcomes should they occur and the likelihood of these. In practice, impact tends to be the starting point for many supervisory decisions.  Firms will typically be classified on the basis of the potential impact of problems at the firm, with the expectation that high impact firms (for example those with extensive retail operations and/or interconnections throughout the financial system) will tend to receive more attention than lower impact ones. For many supervisory bodies, therefore, a starting point for RBS is a methodology for assessing impact. 

  • Supervisors should consider adopting the methodology set out by the Basel Committee for assessing whether banks are domestically systemic (DSIBs). This provides a methodology for assessing firms in terms of a range of criteria including size and interconnectedness[2]. Supervisors judging that insurers in their jurisdictions may be of potential systemic importance should refer to similar assessment criteria published by the International Association of Insurance Supervisors (though this was developed specifically with reference to globally systemic firms)[3].
  • A similar methodology may assist in identifying those firms which are high or medium impact but may not be classified as systemic. In practice, the supervisory body will need to exercise judgement as to where the cut-off point between ‘systemic’ and ‘other, non-systemic’ firms should come. This will be an important part of decision making regarding impact. Such decisions will partly reflect the supervisory body’s view about its risk tolerance (see section 7.4 below).
  • Supervisory bodies also need to develop strategies for dealing with low impact firms. The logic of RBS is that such firms individually will receive less supervisory attention than higher impact ones. In practice they will often individually attract a very small proportion of the resource allocated to larger ones. This is certainly not to say that they should receive no attention however; consumers are at direct risk from the failure of firms with which they do business, large or small. Small firms can also be a source of risk collectively, in circumstances where numbers of them may fail at the same time as a result of correlated risks such as a downturn in a sector to which they are jointly exposed. It is necessary to develop constructive and proportionate ways to engage with them. Thematic or horizontal work may be a means of approaching this dilemma. 

Chart D: Firm specific vs Thematic work

Identification of areas of risk focus. RBS explicitly recognizes that not all firms pose the same level of risk and that within firms, not all activities are equally risky. The areas on which supervisory resources are focused should reflect this.  It is therefore essential to identify which activities within firms pose the greatest risk to supervisory objectives and therefore warrant the most attention. This is the starting point for the completion of a risk matrix (Chart E). 

Risk-based supervisory bodies approach this in a variety of ways. In some cases, the focus is on significant activities – those which by dint of their nature and importance are capable, should risks crystallize, of posing significant risks to a large number of the firm’s customers, to the firm’s stability or even to its survival. Examples of significant activities could be unsecured lending, custodian services or the writing of reinsurance. Other supervisors focus on whole business units or, in the case of firms with a limited range of activities, the firm as a whole.

In deciding on the appropriate areas of risk focus, supervisors should ask themselves what level of detail (firm, business unit or significant activity) will provide the most useful basis for forming the necessary picture about risk. There is sometimes a temptation to become increasingly granular – for example in focusing separately on consumer, retail mortgage and credit card lending when, in reality, this does not reveal a significantly different picture of risk from looking at retail lending as a whole. 

Chart E: Elements of a Risk Matrix


  • This is a simplified risk matrix as might be applied to a bank. A comparable risk matrix for an insurer or pension provider would have a different selection of inherent risks.
  • The exact form the risk matrix will take will differ from supervisory body to supervisory body depending on the nature of their objectives, financial institutions and methodological preferences.
  1. May be significant activities, business units or the whole firm. May also include enterprise-wide activities such as ALM or IT. See paragraph 4.2
  2. See paragraph 3.2 for discussion of macroeconomic and macroprudential risks
  3. The table shows a sample of inherent risks only. Other ‘generic’ ones may include legal, reputational, strategic, IT.  Relevant inherent risks will differ according to sector – eg underwriting risk (insurance) or investment risk (pensions). See paragraphs 4.3 and 4.4
  4. The table shows a sample of risk management, internal audit and governance functions only. Others will include compliance, actuarial, financial management.  See paragraph 4.5
  5. Net risk is inherent risk as mitigated by risk management and governance. See para 4.6 and 4.7
  6. Financial resources will usually refer to capital adequacy in this context though some supervisory bodies also assess firm-wide liquidity and earnings at this point. See paragraph 4.9

Identification of risk exposures. Having identified the appropriate organizational level on which to focus (such as significant activity or business unit) it is necessary to identify the types of risk being run and the levels of these (Chart E). 

  1. As noted above (paragraph 3.2) there needs to be an established set of processes for assessing risks which are external to the firm being assessed. These are principally macroeconomic and macroprudential. Supervisory bodies need to identify the best source for such information and then develop a ‘house view’ about these broader risks and a means of ‘hard wiring’ into supervisory processes a requirement to consider the implications of these external issues for their risk assessments.
  2. Supervisors then need to assess the types of risk being run within the areas of risk focus (significant activity, business unit, etc.). These are often termed inherent risks.
  • The most important inherent risks differ across sectors. In most banking activities for example, credit risk will figure prominently as will market risk where the bank undertakes extensive trading activities. For life insurers, key inherent risks will be interest rate risk (the possibility that returns on assets fail to match those on its long-term obligations to policy holders), liquidity risk arising from uncertainty about the timing of redemptions, valuation risk on long term liabilities and insurance underwriting risk embodied in the life cover it has written.
  • Any firm, from whatever sector, providing products that require complex or extensive processing will run operational or IT risk, while all firms with retail customers run the risk of their products being mis-sold (conduct risk). This risk is particularly acute where products are complex and/or of long maturity so that the consequences of mis-selling may not be apparent for several years. Similarly, firms in all sectors are susceptible to financial crime or being used for money laundering.
  • There are well established definitions for certain types of inherent risk and methodologies for assessing these. These include credit risk, market risk, interest rate risk, insurance underwriting risk and to some extent operational risk.
  • The definitions of some other types of inherent risk are less universal. Some supervisors include legal, reputational and even IT risks within operational risk for example. There is also debate regarding the scope of strategic risk – whether this should include the absence of a viable strategy for example or be confined to instances of particularly risky or high impact strategic change.
  • Supervisory bodies also need to consider whether some risks – such as liquidity and IT risk – should be considered at the level of the individual risk area or are pervasive (and often centrally managed) such that they should best be considered at an enterprise-wide level.
  • Most supervisors have a remit to eliminate or reduce money laundering, terrorist financing and other forms of financial crime. The application of RBS to these issues is fairly straightforward in terms of assessing the impact and likelihood of these types of activity and the effectiveness of the controls designed to prevent them. As with IT and liquidity however, the question arises as to whether it is appropriate to consider this at a disaggregated level (business unit or significant activity) or at an enterprise-wide level.
  • As noted earlier, in the case of groups, it is essential for supervisors to have a view of risks in the consolidated group, whether the group undertakes one activity (e.g., banking) across national borders; several activities (e.g., banking and insurance) within a single jurisdiction; or both (see para 4.8 below).

Detailed decisions about the definition and treatment of risks need to be taken by the supervisory body on the basis of what works best for them. As with the choice of the appropriate area of focus however, the guiding consideration should be the definition and treatment which best allows supervisors to form a coherent picture about the risks posed by the supervised entity. This by no means always equates to the most granular treatment.

It should be emphasized that this stage of the process is solely about determining the types of inherent risk that are being run – independently of the severity/extent of the risk and the effectiveness of any controls. These are considered at the next stages. 

Having identified the types of inherent risk being run, supervisors then need to assess the severity or level of these. These will normally be reflected in a rating. 

  • It is not possible to be precise about the level of risk. Where numerical data exists – for example on loss rates on credit, actuarial data on insurance or value-at-risk in traded instruments, full use should be made of these. But the overall assessment of the extent of risk will also reflect qualitative judgement about economic and market conditions, target customers and other relevant factors.
  • For this reason, numerical ratings are best avoided. They create a spurious impression of precision and often give rise to the temptation to aggregate scores in various ways so that numerical totals come to supplant judgement. Many supervisory bodies find that categories such as high, medium high, medium low and low work best in this context – involving an even number of categories to avoid the tendency to default to a central ‘medium’ rating.
  • Experience with supervisory work will often create prior expectations of the levels of risk associated with various types of activity. Residential mortgage lending for example is often found to involve a lower level of credit risk than unsecured personal lending. Some supervisors have translated this experience into ‘baseline’ scores which provide a starting point for the assessment. A baseline for credit risk in residential mortgage lending might therefore be ‘medium low’. While this may be helpful, it is important to remember: a) that baselines can only ever be extremely approximate; and b) that they are only a starting point. Supervisors must actively consider whether to override them on the basis of the available evidence.

Evaluation of controls, management and governance. The processes described in sections 4.2 to 4.4 above were aimed at identifying the ‘inherent’ risks being run (credit, operational, etc.) and the levels of these. The overall risk being run by a firm however will also depend critically on how these risks are controlled and managed. An important principle of RBS is that inherent risks are assessed separately from the adequacy of controls, management and governance. Firms may, for example, have high levels of inherent risk (as a result of targeting particularly high-risk segments of the market) but also operate stringent controls which would mean that the overall or net level of risk is moderate or even low. In some cases, weak controls and management may actually amplify the risks stemming from the business rather than reducing them. It is important to consider these components of ‘net’ risk separately.

Chart F: Net risk

The evaluation of controls and management in the firm is therefore a key part of the overall risk assessment. There are three broad elements to this part of the assessment:

  • Evaluation of control functions. In most firms, controls are applied at two levels and it is necessary to evaluate these separately. ‘Local’ controls are applied at the level of the business unit or activity (such as local limits and sign-off procedures). High level, enterprise-wide control functions such as Risk Management and Internal Audit, in contrast, are key aspects of the senior management of the firm and should be fully independent of the business areas. While both are important, the high-level functions require closer scrutiny. The key question here is “how effective are the firm’s internal controls in managing risk?”
  • Senior management. This will include all of the most senior management responsible for managing the firm up to and including the Chief Executive Officer. It will include the heads of functions that should be independent from the business lines such as the Chief Risk Officer, the Chief Finance Officer and the Internal Auditor. The question here is “how effective is the senior team in understanding, monitoring and controlling risk”?
  • The Board and Board Committees. The Board has the ultimate responsibility for setting the firm’s strategy, including its appetite for risk, and ensuring that the mechanisms are in place for managing the associated risks. It should be active in satisfying itself that controls are in place and effective and should receive comprehensive (but also comprehensible) information to assure itself that this is the case. The question here is “do Board members understand their responsibility for risk and discharge it effectively”?

Many supervisors have traditionally sought to satisfy themselves only that high-level control functions formally exist – that there is an Internal Auditor, a Board Risk Committee and so on.  RBS requires supervisors to go several steps beyond this. In addition to asking “are the structures in place?” it is necessary to consider whether these are effective.

This is a challenging task, particularly in countries where there is no real tradition of detailed questioning of Board members for example. In order to arrive at a comprehensive view of performance rather than just characteristics, it is necessary to undertake fairly rigorous questioning. The following may assist with this:

  • ‘Open ended’ questions can be particularly useful. Board members should, for example, be able to explain in their own words when the Board last discussed the firm’s risk appetite, what the discussion concluded and what relevant developments have taken place since.
  • This type of questioning will require the involvement of relatively senior staff. It is unreasonable to expect junior supervisors to undertake these discussions unsupported.
  • It is important to have some written guidance governing the assessment of all high-level control functions outlining what supervisors should expect to see and what constitutes sound practice. Such guidance should cover governance and should not take the form of a check list of questions but a reminder of the issues being investigated and what would constitute positive and negative evidence.

When putting all this information together, it is necessary to consider net risk along two dimensions. 

  • If, for example, one of the key areas of focus (i.e. one of the ‘rows’ in the risk matrix, Chart E) is retail lending, it is obviously necessary to consider both the inherent risks in this specific activity and the extent to which it is subject to controls at both the local and the enterprise-wide level. How effective are the local controls in the retail lending area? Does the Board monitor retail lending (including the controls over it)? Has the area been subject to an Internal Audit with appropriate follow-up actions?
  • When arriving at the overall assessments however, it is also necessary to consider the adequacy of high level controls and governance as a whole. The question here is ‘what does all of our information tell us about the adequacy of risk management, internal audit and so on’? In terms of the matrix, this is a ‘vertical’ perspective which goes beyond the risks in any one business area.

The assessment of business/inherent risks together with the effectiveness of controls, management and governance allows the supervisor to arrive at a view of net risk, both by business unit/significant activity and, by aggregation, for the firm as a whole. 

As noted above, if the firm is part of a wider group, it will be necessary to arrive at a consolidated view of the risks. Where the supervisor is the ‘home’ or ‘lead’ supervisor for a group, an RBS approach can readily be applied to the consolidated group, drawing on information from other (international and/or domestic) supervisors. Where a supervisor is the host to a firm which is part of a wider group and the home or lead supervisory body is elsewhere, the situation is less straightforward. Risks in the wider group, such as the impact of intra-group transactions or of business decisions taken elsewhere, are clearly of relevance to the firm in the host jurisdiction. The group may also operate group-wide controls in some areas and be a potential source of, or drain on, capital. Careful consideration therefore needs to be given to how to assess these risks and whether the wider group is, on balance, a source of strength or weakness to the supervised firm.

This assessment of net risk leads naturally to the question of whether the firm’s financial resources are sufficient to support the level of net risk it is running. 

  1. The first element of this will be the current and prospective level of the firm’s earnings. Supervisors should assess the sources, stability and reliability of future earnings streams.  This is an indicator of the profitability and financial well-being of the firm and retained earnings are an important potential source of capital.
  2. The most fundamental aspect of a firm’s financial strength however is its capital adequacy. The higher the level of net risk being run by the firm, the more capital/solvency will be required to mitigate this. It needs always to be borne in mind however that the solution to an unacceptably high level of net risk is to reduce it. Capital provides an important palliative but cannot provide a long term offset to excessive net risk. Current international standards for the assessment of banks’ capital and insurers’ solvency both draw on firms’ own assessments of current and prospective risks, the effectiveness of controls and the adequacy of capital/solvency. These are the basis of the Internal Capital Adequacy Assessment Process (ICAAP) for banks and the Own Risk and Solvency Assessment (ORSA) for insurers. In assessing capital/solvency, the following points need to be borne in mind:
  • Consistent with the forward-looking nature of RBS, it is necessary to consider not only the firm’s capital position today but how it is likely to evolve and the adequacy of capital planning to address this. This is consistent with the ICAAP/ORSA approach.
  • Whilst the clear trend in recent years has been for firms to take the lead in assessing capital/solvency through the ICAAP/ORSA process, supervisors cannot necessarily accept such assessments at face value. They should have in place processes for assessing – and where necessary requiring improvements to – firms’ own assessment processes to ensure that they are fit for purpose and can be relied upon.
  • As with other parts of the supervisory process, it is possible in principle to consider capital either at the levels of disaggregated business units/significant activities or enterprise-wide. Given the role of capital in supporting risk taking throughout the business, the latter approach is generally preferable. The assessment of capital adequacy and future planning are a key part of senior management responsibility in any firm and should also be a key focus of the Board.
  • There should be no trade-off, except in the very short term, between capital and risk. If net risk in a firm is judged to be unacceptably high, the first priority is to implement the remedial measures that will reduce it. Capital is a valuable short-term risk mitigant while this is taking place but cannot substitute for effective remediation.

In addition to considering the adequacy of capital in the light of the assessment of net risk, some supervisors choose also to assess the adequacy of the firm’s liquidity at this stage. This would be an alternative to the possible approach noted earlier (para 4.3) in which liquidity and its management are treated as enterprise-wide inherent risks (that is, a separate ‘row’ in the matrix). In designing their risk frameworks, supervisors need to decide, partly on the basis of their experience and the way firms organize themselves, which approach is likely to provide the better overall assessment of liquidity risk.


Whilst the emphasis in RBS is on doing rather than writing, it needs to be supported by comprehensive documentation. The following are the minimum requirements for this:

A short note – no more than 20 pages – outlining the objectives of RBS and the approach and methodology of the supervisor. This document should be published with the object of explaining to all stakeholders, including supervised firms, how the supervisory body goes about its work and what is expected of the parties involved.

The risk matrix on which findings are summarized to arrive at a picture of risk in the supervised institution. While the form of this will depend on the supervisory body’s detailed objectives and the characteristics of the firms, it is likely to include the elements shown in Chart E. It should involve separate evaluation of: i) inherent risks; ii) controls, management and governance; and iii) financial resources (capital and sometimes liquidity – see paragraph 4.10 above). It is important to remember, and to emphasize to supervisory staff, that the matrix is a tool and an aid to structured thought, not an end in itself. The key issue is not so much the precise form of the matrix but the requirement that important risks are captured somewhere and that this is done consistently throughout the supervisory body.

Supervisors should also produce for publication a broad guide to supervisory intervention. Some supervisors have found it useful to identify 4-5 broad levels of concern, ranging from ‘no significant perceived problems’ through to ‘imminent insolvency’, and to indicate the broad types of supervisory actions that it can be expected to take at each of these. These will range from monitoring, through remedial action, the triggering of recovery plans and ultimately resolution. Such published material is valuable in shaping firms’ expectations regarding the types of supervisory actions they can expect as well as providing a good discipline to supervisors. Supervisory bodies should also have an internal view (probably not for publication) about likely thresholds for supervisory intervention. It may be decided, for example, that all risks rated high and medium high will be followed up for high impact firms but only those rated high will be addressed for the smallest. Alternatively, all high and medium high risks will be followed up for all firms, regardless of impact but the intensity of monitoring will differ. These questions need to be addressed by the senior managements of supervisory bodies as part of their consideration of risk tolerance (see 7.4 below) and need to be documented clearly for internal use.

Box 4: Supervisory Intervention Framework

Based on net risk categories: Low, Medium Low, Medium High, High, plus an additional category for firms facing imminent insolvency.
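The two readings of the matrix described above (net risk for each row once local and enterprise-wide controls are taken into account, and the ‘vertical’ view of each enterprise-wide control function across all rows), together with impact-dependent follow-up thresholds of the kind just described, as an added illustration in Python. This is not code from the note or from Toronto Centre. The four-category scale, the rule that combines an inherent rating with control effectiveness into a net rating, the worst-cell aggregation to firm level, the three impact categories and the sample firm are all assumptions made here so that the structure can be exercised; the note itself leaves these to supervisory judgement and warns against numerical scoring, so the code keeps ratings as ordered labels and never sums them.

```python
"""Risk-matrix model for risk-based supervision (illustrative, not the note's own).

Assumptions made here: the four-point ordinal scale, the rule that turns inherent
risk plus control effectiveness into net risk, worst-cell aggregation to firm
level, the impact categories and the sample firm.
"""
from dataclasses import dataclass
from enum import IntEnum


class Rating(IntEnum):
    """Even number of categories, as the note recommends, so there is no
    central 'medium' to default to. Ordered only so that 'worse than' is
    well defined; the values are never added together."""
    LOW = 0
    MEDIUM_LOW = 1
    MEDIUM_HIGH = 2
    HIGH = 3


# Control effectiveness is a judgement recorded as a label, not a number.
STRONG, ADEQUATE, WEAK = "strong", "adequate", "weak"


@dataclass
class Activity:
    """One 'row' of the matrix: a significant activity or business unit."""
    name: str
    inherent: dict             # risk type -> Rating (credit, operational, ...)
    local_controls: str        # effectiveness of business-unit level controls
    enterprise_controls: dict  # enterprise-wide function -> effectiveness here


def _shift(rating: Rating, steps: int) -> Rating:
    """Move an ordinal rating up or down, clamped to the ends of the scale."""
    return Rating(min(max(int(rating) + steps, Rating.LOW), Rating.HIGH))


def net_risk(inherent: Rating, *effectiveness: str) -> Rating:
    """Assumed ordinal rule for net risk (inherent risk after controls).

    A weak control anywhere raises the rating by one category (weak controls
    can amplify risk); stringent controls everywhere lower it by one; anything
    else leaves inherent risk unchanged. A stand-in for supervisory judgement.
    """
    if WEAK in effectiveness:
        return _shift(inherent, +1)
    if all(e == STRONG for e in effectiveness):
        return _shift(inherent, -1)
    return inherent


def activity_net_risk(act: Activity) -> dict:
    """'Horizontal' view: net risk per risk type for one row of the matrix."""
    controls = (act.local_controls, *act.enterprise_controls.values())
    return {risk: net_risk(rating, *controls) for risk, rating in act.inherent.items()}


def firm_net_risk(activities: list) -> Rating:
    """Aggregate to firm level by taking the worst cell, not by summing scores."""
    return max(r for act in activities for r in activity_net_risk(act).values())


def control_function_view(activities: list) -> dict:
    """'Vertical' view: for each enterprise-wide control function, the rows in
    which it was judged weak, so a recurring weakness stands out."""
    weak_in = {}
    for act in activities:
        for func, eff in act.enterprise_controls.items():
            weak_in.setdefault(func, [])
            if eff == WEAK:
                weak_in[func].append(act.name)
    return weak_in


# Assumed internal thresholds by firm impact: high-impact firms have high and
# medium-high risks followed up, the smallest only high (medium is assumed).
FOLLOW_UP_THRESHOLD = {"high": Rating.MEDIUM_HIGH,
                       "medium": Rating.MEDIUM_HIGH,
                       "low": Rating.HIGH}


def risks_to_follow_up(activities: list, impact: str) -> list:
    """(activity, risk type, net rating) cells at or above the threshold
    for a firm in the given impact category."""
    threshold = FOLLOW_UP_THRESHOLD[impact]
    return [(act.name, risk, rating)
            for act in activities
            for risk, rating in activity_net_risk(act).items()
            if rating >= threshold]


# Constructed sample firm (assumed data): two rows, three enterprise functions.
SAMPLE_FIRM = [
    Activity("retail lending",
             {"credit": Rating.HIGH, "operational": Rating.MEDIUM_LOW},
             local_controls=STRONG,
             enterprise_controls={"risk management": STRONG,
                                  "internal audit": STRONG,
                                  "compliance": STRONG}),
    Activity("treasury",
             {"market": Rating.MEDIUM_HIGH, "operational": Rating.MEDIUM_LOW},
             local_controls=ADEQUATE,
             enterprise_controls={"risk management": ADEQUATE,
                                  "internal audit": WEAK,
                                  "compliance": ADEQUATE}),
]

if __name__ == "__main__":
    for act in SAMPLE_FIRM:
        print(act.name, {k: v.name for k, v in activity_net_risk(act).items()})
    print("firm net risk:", firm_net_risk(SAMPLE_FIRM).name)
    print("weak control functions:", control_function_view(SAMPLE_FIRM))
    print("follow up (high impact):", risks_to_follow_up(SAMPLE_FIRM, "high"))
    print("follow up (low impact):", risks_to_follow_up(SAMPLE_FIRM, "low"))
```

With the sample data the retail lending row drops one category on every risk type because all of its controls are strong, while the treasury row rises one category because Internal Audit was judged weak there; the vertical view then reports Internal Audit as the function to examine as a whole, which is the point the note makes about looking beyond any one business area.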

Internal background papers and guidance notes. These notes (sometimes called ‘risk cards’) serve at least three purposes:

  • To remind supervisors of the issues they need to cover in assessing risks.
  • To outline the standards expected of supervised firms. They should provide indicators of what good and poor practice look like. In many cases, sound practice will be well established and may even be a legal requirement, such as the existence of an Audit Committee of the Board. In other areas, however, such as the establishment of risk appetite statements or the engagement of boards in controls to ensure fair treatment of customers, sound practice may still be emerging. In such cases supervisory bodies should draw on their experience and observation to indicate to firms and supervisors alike what developing sound practice looks like.
  • To provide guidance on scoring and other judgements that supervisors will need to make. The existence of all expected characteristics (functions and committees) as well as demonstrable evidence of their effectiveness will typically attract a low risk score. Where effectiveness is not clear and cannot be demonstrated however, the scores will reflect this.

It cannot be emphasized too highly that completing the matrix is not an end in itself.  Once completed, the supervisory team should stand back and consider whether it accurately reflects its considered view of the risks in the institution – ‘the risk story’. If it does not, there are two possible explanations:

  • The structured process of completing the matrix may indeed have provided insights into risk which should be incorporated into a revised story; or alternatively:
  • The scores in the matrix need to be revisited.

In either case, comparing the matrix with wider perceptions of risk provides an important reality check.

Documentation of findings. While the matrix summarizes the supervisory findings, these need to be documented in more detail. This can be done in quite a pro forma way, but it is important that the following are recorded clearly: a) the perceived risk; b) the evidence supporting the allocated risk score; c) discussions and exchanges that have taken place with the firm regarding remediation, including timescales. Whilst these documents will be for internal use, it should always be borne in mind that they will be the basis for justifying the risk assessment and required supervisory actions to internal stakeholders and to the firm itself.

Communication with the supervised firm. A key stage of the RBS process is a communication, usually in the form of a letter, with the supervised entity outlining the main findings and required remediation, including timescales. This letter should follow an agreed format and be perfectly clear. The desired outcome is for the receiving institution to agree with the risk assessment and to put in place a set of agreed remedial actions. To this end the letter should be specific regarding the areas of highest risk and required remediation but not overly detailed. Some supervisors include in the letter a summary risk rating (such as ‘overall medium high risk’), but fine detail (such as individual matrix scores) should be avoided, as firms may cavil over this, creating a distraction from the main objective.

Consistent with the risk based approach, the time allocated to evaluation of risk, the design of the remedial programme and monitoring/follow up will broadly reflect the impact of the firm (Section 4 above). Significant risks need to be addressed wherever they are found but higher impact firms will, in general, attract more intensive (and extensive) supervisory attention than lower impact ones.

Peer Review and Quality Assurance

In any supervisory regime it is essential that the treatment of firms is fair, proportionate and consistent. Ensuring this is challenging in a judgement- and principles-based regime given the legitimate and inevitable variation which will arise between individuals and teams in their assessments of risk. It is therefore important to put in place mechanisms to provide the maximum possible assurance in this respect. There are three essential safeguards:

The creation of a ‘Practices Group’. Such a group effectively ‘owns’ the supervisory framework. It provides the internal documentation and guidance notes and authorizes any changes to the framework. Group members should also take part in discussions about risk, including panels (see below), to advise on methodology and consistency issues. It is recognized that in some supervisory bodies it may not be practicable to create a sizeable group specifically to undertake this function. It is however essential that such a function exists even if it involves staff with other responsibilities. It must be headed by an individual with sufficient standing and authority to provide effective ownership and control of the supervisory framework.

The use of supervisory panels. Panels should examine all significant risk assessments and supervisory programmes. The supervisor and/or team undertaking the assessment should present their findings to a panel consisting of representatives from the senior management of the supervisory body; the Practices Group; any necessary specialist staff (e.g. legal or accounting); and other supervisors unrelated to the assessment in hand. The purpose of the panels is to provide independent scrutiny and challenge and to promote consistency. Panel members will quickly develop a sense of how issues are dealt with in a range of contexts and will be able to transmit this usefully to individual supervisors and teams, whose perspective is inevitably narrower. It is up to the specific supervisory body to decide whether the panel should be advisory, with decisions remaining with the supervisory team, perhaps on a ‘comply or explain’ basis, or whether the panel is the formal decision maker. As a general matter the former, advisory, role is preferable.

A Quality Assurance function. This function, which has some similarities to a supervision-specific internal audit, should be charged with examining, on a sample basis, supervisory cases at stages throughout the cycle, from planning through to communication with the firm. Its task is to ensure that processes are followed correctly, documentation is complete, clear and meaningful and that communication with the firm is appropriate. The individual(s) undertaking this role need to be thoroughly versed in supervisory processes but independent from existing supervisors. They need to be of sufficient seniority to have authority and influence and should report to the Head of the supervisory function.

Cultural and Managerial Challenges

The adoption of RBS is sometimes seen, mistakenly, as largely a technical matter. In reality, a significant and deep-rooted change management programme needs to accompany its introduction if it is to be successful. Senior managements in supervisory bodies need visibly to embrace RBS and to understand and accept its implications. Staff members need to feel supported in stepping into what for many will be a radically new way of doing things. Toronto Centre has published a number of guidance notes on addressing the management and cultural challenges involved in implementing new approaches to supervision[4]. These are available on the Centre’s website.

Internal communication at all levels is critically important. Senior management need to demonstrate not only that they are committed to RBS but that they fully understand its implications and accept these. One of the key features of RBS is that conscious decisions will be taken either not to do things – or to do less of them than in the past. This itself entails risk and management need to demonstrate that they understand this, both in terms of their own decisions and in supporting decision making more widely.

Staff will often feel uneasy about the introduction of RBS, either because they feel they will be unable to do as good a job as in the past, especially in respect of smaller firms, or they will be blamed if matters to which they have assigned a lower priority go wrong. Staff members need explicit reassurance that, provided they have followed procedures and made reasonable risk-based decisions, they will be supported even when things do go wrong.

External communication is also critical. Supervised firms need a good understanding of how RBS works; what it means for them and what will be expected of them. Other key stakeholders will include the central bank, finance ministry and politicians – not least to explain the limitations of RBS and the fact that unwelcome outcomes will still occur from time to time. The point needs to be made that bad outcomes will happen whatever the supervisory regime, but that RBS is more efficient and effective than the alternatives and permits rational decision making about risk.

RBS needs to be supported with extensive training.  Importantly, this is not just about training front line staff on technical matters such as how to fill in the matrix. Training is required at all levels (including at the very top) and must cover issues such as how to interact with firms and risk-based decision making. The visible and active engagement of senior staff in training sends a strong signal about their commitment to the process.

One of the most valuable outcomes from RBS is the ability to allocate supervisory resources on the basis of risk and hence greatest need. In practice this is quite challenging: it is necessary to introduce reasonable flexibility while maintaining some of the continuity that staff and supervised firms value. Getting this balance right is a key task for management in an RBS regime.

Management of supervisory bodies also need to develop and articulate the supervisory body’s risk tolerance. The introduction of RBS does not eliminate risk. It represents a rational and systematic way of prioritizing aimed at identifying and minimizing residual risk in the financial system. There needs to be an explicit recognition at all levels in the supervisory body that adverse outcomes will occur and responses to these will be governed largely by whether they are within or outside the range of acceptable outcomes implied by the risk tolerance.

RBS can only work where there is a rational and transparent framework for decision making. Generally speaking, front line supervisors should be expected to make decisions only on the basis of immediate supervisory and technical considerations. At this level it is important that ownership and accountabilities are clear – specifically who signs off on the risk assessment; who signs the letter to the supervised entity; whether the panel is advisory or has formal decision making powers. 

It is inevitable that decisions will sometimes be over-ridden, for example on wider, including political, grounds. It is essential that there is clarity about which senior staff are expected to make decisions on these wider grounds and that there is transparency and accountability around this process. Front line, particularly junior, supervisory staff must be clear that they are not expected to take account of such wider factors but that mechanisms exist by which they can be appropriately escalated.

The Use of RBS Across Sectors

RBS was developed principally to address prudential risks affecting banks and life insurers. Forward looking, outcomes focused approaches naturally lend themselves more readily to such risks than to more binary compliance issues. RBS can, however, be applied to a wide range of supervisory issues, with the proviso that most supervisors employ a mix of rules/compliance- and principles-based approaches and that the balance between these will vary according to the activities and risks being addressed.

Whilst there is a clear distinction between risk- and compliance-based approaches to supervision, it is possible to over-simplify this. The following need to be borne in mind:

  • Enforcement is by no means a feature only of compliance-based regimes. It has a role to play in reinforcing RBS.
  • RBS has a significant role in promoting sound conduct. In seeking to ensure that customers are treated fairly for example, an RBS approach assesses the risks of customers being unfairly treated and the adequacy of controls to prevent this.
  • There may be some circumstances in which a simple compliance/enforcement based regime may be more effective in achieving supervisory goals than a more nuanced risk-based one. The key requirement is that supervisors consider carefully what is likely to prove most effective in achieving their objectives.

This note has focused principally on the application of RBS to banks and life insurers. The following section briefly outlines its potential application to other sectors.

General (non-life) insurance

The most significant prudential risks in this sector are typically underwriting risk (including catastrophe risk) and the credit risk involved in the use of reinsurance (both of which are drivers of solvency) and the operational risk embodied in claims management processes.   

General insurers are susceptible to conduct risk, albeit involving rather shorter time horizons than in the case of life insurers. Here too, a combination of RBS and conduct-based supervision may be appropriate. As with life insurance, the risk based component can be extended beyond prudential issues to include a broad, outcomes-focused assessment of controls over, for example, selling practices. Once again, judgement will be needed as to whether an RBS or compliance approach (or a mixture) is the most appropriate way to address what have traditionally been seen as conduct risks.


The key prudential risks facing defined-benefit pension providers are investment risk and valuation risk (the risk that the methods and assumptions used to estimate the value of plan assets and liabilities will result in values that differ from experience). As with life insurance, the evaluation of these risks is highly complex, involving technical actuarial assessment. The challenge for supervisors is not to second guess these assessments but to ensure that they are being undertaken and managed properly. 

In some cases, pension providers will be not-for-profit entities that do not hold capital which would otherwise provide a buffer against errors in valuation. Pension plan boards and trustees may also consist of members of the plan who have a direct interest in its performance but lack the technical expertise to judge the long term management and performance of the pension fund. As in other sectors, key functions may be outsourced to external providers, introducing additional risks which need to be assessed and managed.

In addition to these prudential risks, pension companies will also be expected to comply with conduct rules, particularly those relating to treating customers fairly. The long-term nature of the business means that mis-selling, for example, may not become apparent to the consumer for many years. In these circumstances it is particularly appropriate to adopt a risk-based approach which aims to assess the inherent risks and the effectiveness of controls to prevent them at the outset, rather than to await the consequences – often many years later – and then apply sanctions to the firm concerned.

Securities broker dealers

Areas such as advising and dealing in securities on behalf of customers have traditionally been more subject to conduct regulation than prudential. At the retail level, securities firms are required to establish customers’ attitudes to risk and to sell products which are suitable in that context. Client money is rigorously separated from the firms’ own funds and capital requirements tend to be lower and to have the characteristics of working capital. 

Whilst the supervision of such firms has traditionally been tilted more towards conduct than prudential approaches, there is nevertheless scope for the application of risk-based methodologies. Some firms will run higher inherent risks than others – for example in terms of the products they offer and their target customer bases. It is also possible and appropriate to assess the effectiveness of firms’ controls, management and governance in incentivizing appropriate behaviour on the part of front line staff as well as back office activities such as record keeping.


The supervisory challenges posed by different sectors vary widely. In most cases, a judicious mix of prudential and conduct supervision will be warranted, with the proportion of these differing by sector. The supervision of a large bank will typically involve more of a focus on prudential than that of a small, retail based securities firm. It is wrong to conclude however that risk-based approaches are applicable only to prudential supervision or to specific sectors.  Even where there is a preponderance of conduct-based supervision, RBS can inform the frequency and intensity of supervision, the identification and calibration of inherent risks and the effectiveness of controls. RBS in other words can improve the efficiency and effectiveness of all supervision.

Concluding Comments

All supervisors have to prioritize their work. Many would already claim to do this on the basis of risk. Devoting more time to firms and issues perceived to be of highest risk is common sense. RBS however provides a rigorous framework for assessing and addressing risks and for the efficient allocation of resources. This note has set out a number of important principles and approaches to RBS but there can be no fixed template.  Supervisory bodies need to design structures and approaches that are best suited to their needs. Toronto Centre has wide experience of assisting with the implementation of RBS in a wide range of countries and contexts and is committed, as part of its mission, to continue to do so.


Key References

Australian Prudential Regulation Authority. Probability and Impact Rating System. April 2017. http://www.apra.gov.au/CrossIndustry/Documents/0417-PAIRS-guide.pdf

Australian Prudential Regulation Authority. Supervisory Oversight and Response System. April 2017.


Bank of England. Prudential Regulation Authority. The PRA’s Approach to Banking Supervision.   March 2016. https://www.bankofengland.co.uk/-/media/boe/files/prudential-regulation/approach/banking-approach-2016.pdf?la=en&hash=67655137353DEB7FFF88F5726EE81FE2F8B750F7

Bank of England. Prudential Regulation Authority. The PRA’s Approach to Insurance Supervision. March 2016. https://www.bankofengland.co.uk/-/media/boe/files/prudential-regulation/approach/insurance-approach-2016.pdf?la=en&hash=0A45EA5347C60D2204C4140BDF7E786EEED42229

Central Bank of Ireland. PRISM Explained - How the Central Bank of Ireland is Implementing Risk-Based Regulation. February 2016. https://www.centralbank.ie/regulation/how-we-regulate/supervision/prism

Hong Kong Monetary Authority. Supervisory Policy Manual: Risk Based Supervisory Approach.  October 2001 plus updates. http://www.hkma.gov.hk/media/eng/doc/key-functions/banking-stability/supervisory-policy-manual/SA-1.pdf

Monetary Authority of Singapore. Framework for Impact and Risk Assessment of Financial Institutions. April 2007 (revised in September 2015). http://www.mas.gov.sg/~/media/MAS/News%20and%20Publications/Monographs%20and%20Information%20Papers/Monograph%20%20MAS%20Framework%20for%20Impact%20and%20Risk%20Assessment.pdf

Office of the Superintendent of Financial Institutions (OSFI) Canada. Supervisory Framework. December 2010. http://www.osfi-bsif.gc.ca/eng/fi-if/rai-eri/sp-ps/pages/sff.aspx




[1] This note was prepared by Paul Wright on behalf of Toronto Centre.

[2] Basel Committee on Banking Supervision, A Framework for Dealing with Domestic Systemically Important Banks, October 2012, https://www.bis.org/publ/bcbs233.pdf.

[3] International Association of Insurance Supervisors, Globally Systemically Important Insurers: Updated Assessment Methodology, June 2016, https://www.iaisweb.org/page/supervisory-material/financial-stability-and-macroprudential-policy-and-surveillance/file/61179/updated-g-sii-assessment-methodology-16-june-2016

[4] See for example Managing the People Aspects of Supervisory Change (December 2016), https://www.torontocentre.org/index.php?option=com_content&view=article&id=72:managing-the-people-aspects-of-supervisory-change&catid=13&Itemid=99, Decision Making (October 2015) https://www.torontocentre.org/index.php?option=com_content&view=article&id=56:decision-making&catid=13&Itemid=99, and Implementing an Action Plan (August 2015) https://www.torontocentre.org/index.php?option=com_content&view=article&id=57:implementing-an-action-plan&catid=13&Itemid=99.