Implementing Risk-Based Supervision: A Guide for Senior Managers
Sunday, Jul 15, 2018

Introduction [1]

Toronto Centre has been in the forefront of promoting risk-based approaches to supervision (RBS).  The rationale for RBS and many of the technical issues involved have been set out in detail in a recent TC publication.[2]  This note discusses the cultural and managerial challenges that need to accompany the introduction of RBS and suggests ways in which senior management should respond to these. 

The introduction of RBS requires visible and sustained input from the most senior management in supervisory bodies to achieve the cultural, behavioral and organizational changes that are essential to its success.  The extent of the necessary changes at all levels, including the most senior, is often underestimated.  If the introduction of RBS is viewed as a purely technical exercise, it will fail.


The main features of RBS were set out in detail in the earlier TC Note:

  • Supervisory bodies have limited resources. They therefore have to prioritize.
  • RBS focuses on the risks that are most significant from the point of view of the supervisory body’s objectives.
  • It provides a framework for the efficient and effective allocation of resources.
  • It is a forward-looking and judgment-based approach (in contrast to others which are backward-looking and compliance-based with little scope for the use of judgment).
  • RBS does not (and should not aim to) eliminate risk. It does however provide a systematic and analytical way of identifying and addressing risk.
  • Rigorous prioritization means that some sources of risk will not be addressed or will receive less attention than under regimes which purport (wrongly) to address all risks.

Many supervisors claim they already operate regimes in which supervisory work is prioritized on the basis of risk: “of course we spend most time on the areas of greatest risk”.  But this in itself does not constitute RBS.  As was shown in the earlier Note, RBS requires the adoption of a common understanding of what constitutes risk, together with systematic processes and procedures for identifying and addressing it.

The adoption of RBS involves radically different ways of doing supervision.  The cultural and behavioral changes that need to accompany this are pervasive.  Senior management, including the heads of supervisory agencies, need to:

  • Understand precisely the implications of adopting RBS.
  • Actively and visibly support RBS when it is being introduced and when it is in operation, including through their own actions.
  • Be prepared for the fact that – under RBS as with any other system – things will go wrong. Managements need to be robust in these circumstances.

One topic which recurs throughout this Note and in all discussions of RBS is that of ‘supervisory failure’.  Supervisors have a difficult job and are subject to criticism when undesirable outcomes occur.  Such outcomes will occur from time to time under any system of supervision.  They will not be eliminated under RBS, though it is likely that, if it is properly implemented, their likelihood and incidence will be less than under non-RBS regimes.

Supervisory ‘failure’ should not be taken to refer only to failures of firms but to a wider range of unwelcome outcomes including losses suffered by customers of financial firms or guarantee schemes, control failings in financial institutions which may fall short of precipitating failure, mis-selling or significant instances of financial crime. In some cases, such outcomes may occur because risks were not identified or received insufficient attention.  Risk-based procedures and processes may not have been followed in some instances.  Senior management in supervisory bodies need to have a clear stance towards such adverse outcomes, drawing on the following principles:

  • Some outcomes will, by virtue of their nature or scale, be unacceptable in any circumstances. These may for example include the failure of a firm deemed to be systemically important or extensive financial crime involving a major firm.  These are events for which there is zero tolerance.
  • Other outcomes, while unwelcome, may come within the tolerance for risk (page 12 below). In terms of a risk-based calculation, it may be judged that the allocation of resources to mitigate such risks could not be justified because there are other, higher, priorities.  
  • Most risks will come somewhere between these two extremes and decisions will need to be made about them on a case-by-case basis. Anticipating such risks, and where they will stand in relation to risk tolerance, is not easy and there is no formula that can help with it.  There are however two important principles that need to be borne in mind:
    • While it is appropriate to review the factors leading to unwelcome outcomes and to learn lessons from them, these should not be seen as representing a failure of RBS.  In particular, they should not be a trigger for retreating back to (superficially ‘safer’) non-RBS models of supervision.
    • The inevitability of occasional failures under any supervisory system including RBS needs to be communicated to stakeholders, especially government and politicians (pages 6-7 below).

Key Issues in the Implementation of RBS

Checking the Statutory Framework

Before embarking on the implementation of RBS, it is important to check that the statutory framework in the jurisdiction is compatible with it.  Virtually all supervisors have their functions and powers set out in legislation.  The extent to which this specifies the form that supervision must take and the processes involved in it varies widely, however. It is possible to identify two broad scenarios:

  • Prescriptive legislation. This will typically set out objectives and powers, together with matters such as the supervisory body’s accountability to the legislature.  It will tend to be prescriptive with regard to the way in which supervision is conducted.  It might for example specify the frequency with which firms need to be visited and the types of on-site activities that need to take place during a visit (e.g. checks on loan books) with no provision for the frequency or nature of visits to reflect perceived risk.  In extreme cases it might actively militate against risk-based outcomes, for example in specifying that all firms have to be treated identically – for example in respect of capital requirements. 
  • Enabling, non-prescriptive legislation. Such legislation will typically be silent on the form that supervisory action needs to take, leaving such matters – often along with rule-making powers – up to the supervisory body (though major changes in the supervisory regime, including its scope, may still require changes to primary legislation).  Where the supervisory body has such discretion, there is much greater scope for the introduction of risk-based approaches.

These models have different implications for the introduction of RBS as follows:


Prescriptive legislation:

  • Scope for introducing RBS may be very limited
  • Close collaboration with outside stakeholders will be needed (usually finance ministry and perhaps central bank[3]) to assess this
  • ‘Mapping’ exercise to assess what scope (if any) exists for RBS
    • If legislation requires the compilation of ratings, would the compilation of a matrix together with communication of key risks to firms satisfy this requirement?
    • If legislation specifies ‘regular, on-site work’, would a risk-based schedule of visits satisfy this requirement?
  • This mapping exercise needs to be undertaken in a positive and enabling spirit (responses along the lines of ‘the legislation tells us we can’t do it’ need to be challenged vigorously)
  • If there is no, or very little, scope for accommodating RBS within the legislative framework, begin discussions about changes to primary legislation[4]

Enabling, non-prescriptive legislation:

  • ‘Mapping’ exercise used to confirm that RBS is consistent with existing legislative provisions
  • Communication with key stakeholders is needed regarding: a) intention to operate in RBS-based manner under legislation; and b) any amendments that might be needed to legislation

The extent to which the legislative basis for supervision is supportive of RBS needs to be established at the outset and dialogue with the key stakeholders needs to take place at an early stage to avoid a situation in which the process of moving to RBS is relatively advanced only to find that it is circumscribed by the legislative framework.

Developing and Sharing the Vision of RBS

It cannot be emphasized too highly that the introduction of RBS is not simply a technical exercise.  It involves profound changes in the style of supervision and in organizational culture.  As with any deep-rooted change, management need to have a clear vision of what the new world will look like and what it will mean for them and more widely.  Once this vision has been established and assimilated by senior management, it must be communicated clearly and without reservation to the remainder of the organization.

The table below sets out twelve key elements in any comprehensive vision for RBS.  The list is not comprehensive and will vary to some extent among supervisory bodies.  It does however aim to give an idea of the principles that senior management need to embrace and promote.  Below each of the key elements, the table sets out indicators of contrasting non-RBS and RBS behaviors.

There will be a shared understanding throughout the supervisory body of what is meant by risk

  • Non-RBS: ‘Risk’ may be equated with a range of generally undesirable outcomes
  • RBS: Clear link between risk and the ability of the supervisor to achieve its statutory objectives

We will have mechanisms for calibrating risk that are applied consistently across different types and sizes of firms and (where necessary) across sectors

  • Non-RBS: Intuitive, non-rigorous ‘sense’ of what constitutes high or low risk
  • RBS: Agreed calibration based on measures of impact and likelihood of risk crystallising

There will be a systematic approach to identifying and addressing risks in large and medium sized firms and a strategy for the risks posed by the smallest/those with lowest individual impact

  • Non-RBS: Undifferentiated focus on large firms (because they are large); no strategy for small/low impact (of which there may be many)
  • RBS: Rigorous differentiation on basis of impact and likelihood.  Systematic strategy for dealing with small firms

We will have a systematic view of how much, and what type of risk we are willing to tolerate together with the ability to measure whether the risks we actually face are compatible with this

  • Non-RBS: Perceived need to eliminate all risk and all ‘bad’ outcomes.  All bad outcomes seen as supervisory failures
  • RBS: Recognition that risk cannot be eliminated.  Agreed view of risk ‘tolerances’

It is recognized that things will go wrong resulting in failures of firms, losses or other unwelcome outcomes.  Such outcomes will sometimes be within our tolerance for risk.  When they are not, we will deal with them rationally and not default back to old, non-risk-based ways

  • Non-RBS: Strive to avoid all bad outcomes.  Defensive attitude and tendency to blame lack of resources
  • RBS: Assessment of bad outcomes in context of risk tolerance.  ‘Lessons learned’ rather than ‘blame’

Our resources will be deployed according to risk so that they are focused on the things that matter most from the point of view of our objectives

  • Non-RBS: Allocation based on non-risk factors (historical patterns; intuitive estimates of risk; empire building; who shouts loudest)
  • RBS: Allocation based on assessed risk.  Need to balance flexibility with the need for reasonable continuity of staffing

We will know who our stakeholders are and will have a dialogue with them about how RBS operates and its implications

  • Non-RBS: No systematic approach to stakeholders or what they need to know.  Largely reactive communications/outreach
  • RBS: Clear identification of stakeholders.  Communication strategy to inform pre-emptively and continuously about supervisory approach and issues

We will have a dialogue with supervised firms based on a common view of risks and how these should be addressed.  Our interactions and information needs will be risk based and efficient

  • Non-RBS: No convergence with firms’ approaches to risk.  Information and other requirements seen as an imposition by firms
  • RBS: Common understanding of risk as basis for dialogue.  Tailored information requirements and visits.  Firms accept the need for these

We will be willing to place judicious reliance on management and controls in firms where evidence suggests this is warranted

  • Non-RBS: Formulaic approach to assessment of firms – visits at fixed intervals; identical testing and approach
  • RBS: Assessment of effectiveness of firms’ controls and management.  Place some reliance on these on ‘trust but verify’ basis where appropriate

We will have access to a supervisory toolkit that includes authorisation and licensing, prudential, business conduct and AML supervision, enforcement, to be deployed as appropriate

  • Non-RBS: Uncoordinated approach to prudential, conduct and enforcement – inefficiency and overlap (often done by different people)
  • RBS: Coordinated, strategic approach based on identified risk and the most effective tools for addressing it

Our staff will understand what it means to work in a risk-based way and will be empowered to do so.  Risk based behaviours at all levels will be recognized, celebrated and rewarded

  • Non-RBS: Staff not confident to make risk-based decisions.  Extent of their responsibility is unclear and they fear blame if things go wrong.  Reward/promotion based on non-risk-based behaviours.  No visible evidence of risk-based behaviours from senior management
  • RBS: Responsibilities are clear. Staff understand they will be supported if they followed processes and made reasonable decisions.  Reward system based on clear grasp and application of RBS.  Visible examples of risk-based behaviours by senior management

Decisions will be made on the basis of risk, with effective mechanisms for delegation and escalation and proper accountability.  When it is necessary to make decisions on wider grounds than usual risk considerations would dictate, such decisions will be made at the appropriate level with proper accountability

  • Non-RBS: Lack of clarity on where/whether decisions have been made.  Apparently arbitrary over-rides – e.g., on political grounds
  • RBS: Clarity regarding delegation and escalation.  ‘Over-rides’ (e.g., political) made at the right level with reasonable accountability for these

Annex 1 contains a number of illustrations designed to expand on some of the issues in the table.  They demonstrate that the introduction of RBS involves radical changes in the approach to supervision at all levels, especially the most senior. 

Stakeholder Management

The approach to supervision and its effectiveness are of direct concern to a variety of stakeholders both within and outside the supervisory body and relations with these need to be actively managed.  In many cases the supervisory body will be formally accountable to government or the legislature for its performance.  Other stakeholders such as users of financial services and supervised firms will also be significantly impacted by its actions and performance, however.

The first step is to identify relevant stakeholders.  The main internal stakeholders are the staff.  The next section (D) deals specifically with the management of this group.  External stakeholders are likely to include, but not necessarily be confined to, the following:

  • The legislature.
  • Government. This will typically be the finance ministry but sometimes other bodies, for example if the supervisory body has a ‘wider’ remit (e.g., to encourage development or to promote the financial centre).
  • The central bank. Where the supervisory body is not part of the central bank, its operations will nevertheless have a direct bearing on financial stability.
  • Users of financial services.
  • Supervised firms.
  • Other supervisors. Both domestic where there is ‘functional’ separation of supervision of different sectors and international where cross border firms are subject to supervision.
  • Other bodies whose responsibilities are closely linked to those of the supervisory body. These will include deposit/investor/policy holder guarantee schemes, the resolution authority and the macroprudential authority.
  • ‘Opinion formers’. These include the press and other (e.g. web-based) media which are able to influence perceptions of the supervisory body and its performance.

In formulating a stakeholder communication strategy, it is usual to begin with an assessment of how various stakeholders are likely to be affected by aspects of the supervisor’s performance.  It is appropriate to consider this question from two points of view: a) how stakeholders will be affected in ‘steady state’, that is by the day-to-day application of RBS; and b) how they are likely to be affected or may react when, as will inevitably happen, outcomes occur which may provoke criticism of the supervisory body. 

As far as the ‘steady state’ is concerned, supervised firms and other supervisors are the stakeholders most likely to notice a change in day-to-day supervisory practices and the way in which the supervisory body interacts with them.  This will need to be explained in advance and reiterated during implementation.  Emphasis should be placed on the benefits of RBS to supervised firms in terms of the greater clarity they can expect about the supervisory body’s view of risk and of the actions that will be expected of them to mitigate this.  In some cases there may be scope for more tailored interactions, more streamlined data requirements and a dialogue based on a more closely aligned view of risk, though these will be by-products and not drivers of RBS.  Users of firms, on the other hand, have little reason to take an interest in the way in which supervision is conducted and are unlikely to notice any change in day-to-day practices.

Government, the legislature and deposit/investor protection schemes are likely to have some interest in day-to-day supervisory practices.  The point will sometimes need to be made to government that, although RBS is designed to increase both the efficiency and effectiveness of supervision, it is not and should not be seen as a way of cutting costs.  Rather it is a way of improving the quality of supervision for a given input of resources.  Where the supervisory body is separate from the central bank, the latter will have a close interest in the supervisory approach and the implications of this for system-wide risk, particularly where it has responsibility for financial stability.

Government and the legislature (together with opinion formers) are likely to take a very close interest in the approach to supervision ex post, when outcomes occur which attract criticism.  Supervisory bodies should at all costs avoid being in a position where they are obliged to explain to such stakeholders for the first time in a crisis either that they have recently changed their approach or what the implications of RBS are.  This is to invite further criticism along the lines of “you are culpable in having chosen to play down some activities where risks subsequently crystallized – and you didn’t tell us about it”.

A pre-emptive dialogue with government and legislative stakeholders designed to explain RBS and its implications is the best way to secure a degree of buy-in to the approach and its implications.  In addition to emphasizing the benefits of RBS this needs to emphasize the reality that risk cannot be eliminated, that things will therefore go wrong from time to time and that RBS cannot prevent this even though it is likely to reduce the incidence of bad outcomes.  Such a pre-emptive approach may go some way to forestall criticism and knee-jerk pressure to return to non-risk-based approaches when problems arise.[5]

Once these issues have been considered carefully, it is necessary to develop a stakeholder communication strategy.  This should involve a mixture of publications, speeches and press interviews combined with direct engagement with senior stakeholders by representatives of the supervisory body’s most senior management.  The development and roll-out of the strategy is a key part of any RBS program.  It should not be delegated and forgotten.  Senior staff have a critical and ongoing role to play in it.

Dealing with Staff Concerns

Many staff will welcome the implementation of RBS with the opportunities it affords for greater autonomy and use of judgement.  Others however will be resistant to it.  Some people simply dislike change.  More focused concerns may arise from the rigorous prioritization of time and resources that RBS entails.  Supervisors accustomed to spending, say, three days each year on-site at a small firm undertaking a fixed list of routine supervisory tasks may feel uncomfortable at being able to spend less time at such firms in future and at having to make risk-based judgements about what to cover in their visits.  This may arise out of a legitimate (and commendable) concern that they will not be able to do as good a job as in the past, that risks might not be identified and that they will be blamed in such an event.

These concerns are real and legitimate and need to be addressed, even though they may be based in emotion as much as in logic.  Otherwise they are likely to create resistance to the necessary changes.  The following are a number of key issues in change management:[6]

  • An effective change management programme aims to decrease resistance to change and increase support for it.
  • Resistance to change can occur at all levels in an organization.
  • It is particularly likely to arise where individuals: a) see change as potentially having a negative impact on them; b) feel unable to control or influence what is happening; and c) do not have confidence that senior management are listening to them or are willing to address their concerns.
  • It is easy to identify active resistance. Passive resistance is, by definition, harder to spot but may be equally inimical to achieving change.  Silence should not be equated with acquiescence or support.
  • Resistance when made explicit and articulated can be valuable in focusing attention on staff concerns that need to be addressed.
  • An effective antidote to resistance is accountability. Simply telling individuals that they will be expected to behave in a way which they perceive as inimical to their interests is unlikely to succeed.  Giving them tasks within the new framework for which they are accountable will be much more effective in securing buy-in.

The indispensable tool for dealing with staff concerns is communication.  This should not take the form of management merely telling the staff about the change.  Rather it should be a two-way process in which concerns are articulated and addressed.  It will not be possible credibly to allay all the staff’s concerns.  It is important however to show that these are being listened to and taken seriously.  Communication must be undertaken directly by the senior management of the supervisory body who should use it as an opportunity to demonstrate their commitment to the project and to RBS principles.  Delegation either to more junior management or (worse) to outside consultants will be seen as demonstrating a lack of understanding and/or commitment.

The following are key elements of a high-level communication strategy for introducing RBS:

  • An explanation of why RBS is necessary and why it is necessary to introduce it now. This will involve an explanation of why the conventional way of doing things is no longer fit-for-purpose but must also provide a positive account of how RBS will be better.
  • Closely linked to this is the articulation and sharing of the vision outlined in section B above. Senior management will be able to draw on this to explain how the supervisory body will be more effective and efficient and why working for it will be a more rewarding experience.
  • An explanation of how RBS will be embedded in the culture of the organization. Promotions and reward for example will be demonstrably based on risk-based behaviours as well as other necessary attributes such as teamwork.
  • A recognition from the outset that some staff will be apprehensive about the introduction of RBS. The positive aspects such as the scope for more challenging and rewarding work and the use of initiative need to be emphasized.  It should be made clear that staff will receive training to equip them for the demands of the new approach, both technical and in areas such as risk-based decision making.
  • Staff should also feel that they will be supported in adopting risk-based behaviours. When bad outcomes occur, the emphasis will be on learning from them.  There will not be a blame culture and provided individuals can be shown to have made reasonable risk-based decisions they will be supported. 

Staff at all levels should receive extensive training, initially in the principles of RBS followed with specific sessions on its technical and cultural aspects.  Senior management should not remain aloof from this.  They should take an active interest in the progress of the training program and issues arising from it and have a visible role – at least in providing introductory endorsements of RBS in training sessions and (preferably) by visibly taking part in some of the sessions themselves.

At some point during the implementation program it may become clear that, notwithstanding all efforts at persuasion and communication, some staff are simply unable or unwilling to adapt to the new way of working.  As a rule of thumb, no more than 5-10 percent of staff should be in this category – if the proportion exceeds this the transition plan may need to be reviewed.  For this group, however, there may be no alternative to concluding that their future does not lie in the supervisory body and suitable exit arrangements will need to be made.

Transitional Arrangements

The development and initial implementation of RBS will require the creation of a high-level project team.  Such a team can expect to be in existence for at least one to two years.  Its purpose is to devise and develop the detailed framework for RBS, to oversee the development of the infrastructure that will support it, to develop and oversee training and day-to-day communication about the project (though as noted above, senior management need to have an active and visible role in internal and external communication). 

The project team should have the following characteristics and functions:

  • The individuals comprising the team should have wide knowledge and experience of supervision. They will need to be trained at the outset in the principles and techniques of RBS.  This may involve outside agencies such as Toronto Centre.
  • This training should not take the form of indoctrination in any particular model of RBS. Instead it should provide the principles along with examples from a range of jurisdictions.  The team needs to devise, from first principles, a model of RBS drawing on others’ experiences but tailored to the needs of the jurisdiction and supervisory body.
  • Team members need to be enthusiastic champions of the new approach.
  • The members of the team should have sufficient seniority and credibility to make decisions about the detailed framework for RBS and to make things happen. The leader of the team and at least some of the members should be seconded from their normal work to enable them to devote their energies to the project full time.
  • Taking highly effective senior people away from their day-to-day work to be part of the project team involves a significant commitment by senior management. This needs to be recognized and accepted at the outset.  As well as being functionally necessary, the willingness to second people in this way is a powerful signal of support for change.
  • The team (or the team leader) needs a contact point at the highest levels of the supervisory body able to provide guidance on sensitive or high-level issues arising in the development of the new framework. It may be helpful to create a steering committee drawn from senior management.  If the head of the body is not involved in such a steering committee they should receive regular updates on its work.
  • The project team will ultimately oversee all aspects of the implementation from high level design through to the detailed framework.[7]
  • It should design and oversee the roll-out of a Practices Group and the use of panels to promote consistent treatment of firms and issues (see below).
  • RBS requires a documentation and IT infrastructure which are truly supportive of its aims and not merely a bureaucratic adjunct. This needs to support risk-based decision making and facilitate the clear documentation of decisions taken and the rationale for them.  Designing such infrastructure is not a task that can be delegated to experts and forgotten.
  • It is necessary to put in place rigorous mechanisms for Quality Assurance to ensure that RBS is implemented consistently and to an acceptable standard. The QA function needs to be headed by a senior and experienced supervisor who should report directly to the head of the supervisory body and the most senior team.

The project team should consider carefully, in conjunction with the senior management team, the appropriate timetable for the roll out of RBS.  As with any project, ‘quick wins’ can be of great value, particularly if attention can be drawn to decisions which have been made explicitly on a risk basis and the thinking behind these.  The timing of the roll out of the actual RBS framework requires careful thought.  Too early a roll out before a critical mass of understanding and infrastructure are in place risks failure and a loss of credibility.  Excessive delay on the other hand, perhaps waiting until every last piece of the framework is in place, will create frustration and loss of momentum.  Consideration also needs to be given to the choice of pilot firms and projects and the scope for limited parallel running of the old and new regimes.


Practices Group

The project team may form the embryo of the ‘Practices Group’ that will have a key role to play in RBS once it is up and running.  The Practices Group will effectively ‘own’ the RBS framework.  It will be responsible for overseeing the methodology and its application and for making any necessary adjustments or additions to it.  Members of the Practices Group should take part in discussions about risk including supervisory panels, to advise on methodology and consistency[8].  As with the project team it is important that the Practices Group comprises individuals with sufficient seniority and credibility to be able to make decisions and ensure that they are complied with. 

While it is highly desirable that such an autonomous, self-standing Practices Group is established, it is recognized that, in reality, it may not be practicable to create a dedicated group specifically to undertake this function in all supervisory bodies, especially smaller ones.  But it is essential that such a function exists even if the staff involved have to combine their work on it with other responsibilities.

Risk Tolerance

With even the most diligent approach to supervision, risks will always exist in relation to the supervisory body’s statutory objectives.  It is important that supervisory bodies have an idea of the types and amount of risk they face and whether this is seen as acceptable – both internally and to key stakeholders.  Such judgements will need to be made within the context of the overall resource constraint so that if senior management are uncomfortable with the level or distribution of residual risk in the financial system, the solution cannot (usually) be to deploy more resources to reduce it.  Rather, the question is how best to redeploy a fixed amount of resources to achieve an overall level and distribution of risk which is the most acceptable (or least unacceptable).  The amount and type of risk a supervisory body is willing to run is its risk tolerance.[9]

The identification of risk tolerance is challenging for several reasons:

  • Many forms of risk – notably the detriment caused by financial crime or loss of confidence – are not quantifiable.
  • The risks that supervisors are required to address are heterogeneous and hard to compare. There is, for example, no straightforward way of comparing the costs to investors of receiving poor advice against those of management failings at a major bank whose detrimental effects may stop well short of insolvency.
  • Risk tolerance will be heavily affected by history, particularly events in the recent past. Stakeholders (especially governments) will be acutely sensitive to recent high-profile cases in which investors or depositors lost money or where the use of public funds was required, even if the amounts and the likelihood of recurrence are small.

It is unlikely that the management of the supervisory body will be able to come up with a metric (or even several metrics) which encapsulate their risk tolerance.  To some extent, risk tolerance has to be ‘felt’ and experienced through usage rather than measured precisely. 

One approach to getting a handle on risk tolerance may be for senior management to take part in one or more workshops to elucidate the concept and to stimulate thinking about it.  Toronto Centre has run such workshops which have drawn on the following ideas:

  • There are likely to be some outcomes for which there is ‘zero tolerance’. Examples might be failures of systemically important institutions or significant financial crime involving major institutions.  It is helpful to identify these ‘zero tolerance’ outcomes. 
  • While many adverse outcomes cannot be quantified, it can be instructive to consider attitudes to alternative hypothetical scenarios based on quantified harm. How, for example, might senior management (and stakeholders) rank the loss (either directly to depositors or to a deposit protection scheme) of $100 sustained by 100,000 investors compared to a loss of $10,000 sustained by 1000 investors?
  • Supervisory bodies with exposure to different types of supervisory risk (for example conduct as well as prudential and financial crime) may find it helpful to compare scenarios involving these. How, for example, would senior management (and stakeholders) rank the loss of $100 by each of 250,000 investors who were mis-sold products against the laundering of $25mn of cash involving no direct financial loss?
  • Consideration may be given to risk tolerance in other areas of supervision such as authorisation and enforcement. What proportion of firms licensed in a given year might be expected still to be in business in five years?  If the supervisory body is responsible for bringing enforcement actions which may be subject to appeal, what likelihood of success would be sufficient to justify the resource cost of bringing an action? 

Undertaking such consciousness-raising exercises can be informative and the results summarized to provide a broad outline of priorities in regard to risk.  These can then be communicated more widely and help to inform decision making throughout the organization.  In drawing up statements on risk tolerance it is important to avoid platitudes.  One useful test is whether a proposition in such a statement is capable of having a meaningful opposite.  An assertion such as ‘we have zero tolerance for losses by customers of credit unions’ does have a meaningful opposite ‘we would in some circumstances tolerate losses sustained by customers of credit unions’.  An assertion such as ‘we have an appetite for innovation in our firms where this is carefully managed’ does not have a realistic opposite and is not therefore very meaningful.

Decision Making

Supervisory bodies are required to make many decisions, large and small, every day.  The logic of RBS is that these should be made on a risk-based basis.  The driver should be the implications of any decision for the ability of the supervisory body to achieve its objectives.  Supervisory interventions usually involve some cost, both to the supervisory body itself and to supervised firms and these may need to be considered alongside the benefits in terms of risk mitigation.  Examples of decisions and the considerations that should guide them are:

  • Does this issue warrant further scrutiny? Consideration: what are its implications for our ability to meet our objectives?  How do we balance that against the cost of deploying our resources for this purpose?
  • Should we require additional information from a firm? Consideration: what is the benefit in terms of helping us achieve our objectives having some regard to the cost to the firm of providing it?
  • Should we go on site more often/for longer at this firm? Consideration: what additional benefit would that have in terms of the achievement of our objectives?  Balanced against the potential cost/benefit of using our resources for something else.
  • Should we require this firm to take extensive (and possibly expensive) remedial action? Consideration: What impact would this have in mitigating the perceived risk?  Having some regard to the costs to the supervisory body and (to a lesser extent) to the firm.

To expect all decisions to be made on a fully risk-based basis is a counsel of perfection which is unlikely to be achieved in practice.  Departures from risk-based principles may occur for a variety of reasons, some more legitimate than others.  Political factors are often important.  It may be felt for example that a particular sector such as small community or cooperative banks may warrant closer attention, and hence more resources, than would be expected from an objective measure of the risk they pose because the political or reputational consequences of a failure in that sector would be particularly severe.  Such cases are inevitable, but every effort should be made to keep them to a minimum.  Decision making under RBS should be guided by the following principles:

  • The aim should be that all decisions are made transparently on the basis of risk – that is the benefit of mitigating identifiable risks to the supervisor’s objectives set against the cost (to the supervisor and the firms concerned).
  • Supervisory teams (that is to say up to and including middle management) should make decisions and recommendations based on purely technical supervisory judgements. These should be transparent and recorded.
  • Where ‘wider’ (e.g., political) considerations are likely to come into play, decisions should be escalated to senior levels on the basis of clear escalation criteria.
  • Where decisions or recommendations made by supervisory teams (as per above) are over-ridden or amended, the new decision and the reasons for it should be communicated clearly to the team concerned and the senior decision maker should be accountable for it.
  • Records should be kept of decisions taken at all levels in the supervisory body and of the factors underlying them. There should be complete clarity regarding the identity of the decision-maker, who should then be accountable.
  • Clear procedures should be in place for delegation and escalation of decisions. In some cases the criteria for delegation/escalation can be completely explicit (for example, the decision to increase the capital requirement for a D-SIB must be taken at senior management level). 
  • In practice, it will be impossible (and undesirable) to specify in advance the detail of all potential decisions so that a principles-based approach to delegation and escalation will be needed. This should indicate the types of decisions to be delegated/escalated together with the factors to be taken into account when doing so.

Resource Allocation

A central part of the rationale for RBS is that resources should be allocated on the basis of greatest risk.  There is little purpose in putting in place mechanisms for identifying and calibrating risk if the resource allocation in the supervisory body does not reflect this. 

In practice however, reallocating resources is not always straightforward.  There are several reasons for this:

  • At a technical level it can be difficult to compare risks across sectors or even across parts of the same sector. The more diverse the remit of the supervisory body, the more challenging this will be.  In deciding on resource allocation, a supervisory body responsible for the risk-based prudential supervision of banks and insurers needs to be able to compare the relative risks posed, for example, by community banks and those posed by general insurers – even though their business models differ widely.
  • An important part of the solution to this is the development of a common ‘language’ of risk throughout the organization together with an understanding of risk tolerance. Such a common language will be based on a consistent framework for assessing risk (with modifications to take account of the specificities of different sectors) together with a shared understanding of what, for example, is meant by ‘medium high’ risk.  This is not easy to achieve but the use of a rigorous framework combined with the use of mechanisms such as supervisory panels to permit the comparison of issues within and across sectors will facilitate the development of such a common language[10].
  • There is a particular challenge with small firms. Many supervisory bodies will be responsible for a relatively large number of small firms, each of which may individually have a small impact.  Such firms cannot be ignored however.  From a consumer’s point of view, a loss resulting from the failure of a small firm is indistinguishable from that resulting from the failure of a large one.  And in many countries, the (often correlated) simultaneous failure of a large number of small firms has proved a high impact event.  Supervisors require a strategy for dealing with small firms.  Such strategies are discussed in the TC Note on RBS referred to earlier.[11]  They may involve some combination of: a) a very limited allocation of resources for on-site visits to small firms; b) the maximum use of automation in submitting and analysing statistical data from firms; and c) the use of thematic or horizontal work in which more emphasis is placed on examination of risk issues across groups of firms rather than individually.
  • At a cultural level, there is a common tendency among managers to view the number of staff they are responsible for as a proxy for their status or prestige. Where the total staff resources of the supervisory body are fixed, reallocation will inevitably result in some managers losing staff.  This may be a source of resistance and special pleading in support of retaining staff on non-risk or spurious risk-based grounds. Such attitudes are extremely common and pose a significant challenge to senior management.  Part of the solution is to realign incentives for staff, including managers, such that reward, promotion and other signals of status and standing in the organization recognize risk-based behaviours and achieving effective outcomes rather than numbers of staff managed.  As noted earlier, such a change has to be clear and consistent.  Staff will be very alert to mixed signals in which it is apparent that reward and promotion are, in reality, governed by factors other than those that are claimed. 
  • There is also a legitimate concern about continuity. Supervisors inevitably develop expertise and knowledge which are specific to the firms they deal with.  In extreme cases this can lead to too close a relationship between supervisors and firms (‘supervisory capture’).  Generally, however, such continuity is valuable and there may be a legitimate concern that it may be lost if resources are (re)allocated too flexibly in response to risk. 

A staff allocation framework which may help to address the above issues would have the following characteristics:

  • The Practices Group should have a responsibility to collect and collate information from across the supervisory body about actual and emerging risks. This will be derived from firm-specific supervisory assessments, horizontal and thematic work as well as sector-wide macroprudential and macroeconomic data.
  • Senior management should then hold a strategic meeting at least annually at which the pattern of actual and emerging risk is considered in the context of the risk tolerance and whether the current allocation of staff is appropriate in the light of this. This assessment should be one of the key outputs of the meeting.
  • Where reallocation is warranted, this needs to be done in a measured way which balances the resource need against other factors such as continuity and the need for staff development. As a rule of thumb, it is unlikely that more than ten percent of any area’s staff resources would be reallocated in a year.
  • Such a process can be supported by an appropriate pattern of incentives. Managers should be rewarded on the basis of their willingness and ability to participate actively in such risk-based allocation and discouraged from empire building.  More junior staff can be incentivised to take advantage of the opportunities afforded by flexible resource allocation for their own development.


This Note has sought to emphasize that the introduction of RBS involves a profound and permanent change in the way in which supervision is done.  Its introduction is sometimes thought to be a largely technical exercise principally affecting junior staff and middle management.  This is incorrect.  The implications of RBS for the understanding of risk, the allocation of resources, the evaluation of supervisory outcomes and relations with stakeholders are profound.  They need to be understood, embraced and communicated by senior management.

The introduction of RBS requires stamina and determination on the part of senior management.  Because it usually takes the form of a project, there will be a tendency on the part of some staff (and management) to see the project as complete at some stage, allowing them to revert to old ways of doing things.  Resisting this and keeping up the momentum of change is a key role of management at all levels, including the most senior.  The Practices Group can assist with this, but it is ultimately up to all managers continually to ask the question “are we making decisions and deploying our resources in a risk-based manner?”  If the answer is “no” then staff must be directed and incentivized to continue to change their behavior.  As in all significant change projects, declaring victory too soon will result in failure.

Finally, it is imperative that management, including the most senior, go out of their way continually to demonstrate their commitment to risk-based principles.  This applies both to their own behavior and decisions as well as to the signals that are sent regarding symbols of recognition such as advancement, progression planning and reward.  ‘Tone from the top’ is essential to the credibility of this (as with any) project and it is imperative that the risk-based principles espoused by senior management are reflected in their actions in the areas of supervision and internal management.

Annex: Illustrative Examples of RBS and Non-RBS Approaches

Resources Deployed on the Basis of Risk (hypothetical supervisor responsible for the prudential supervision of banks and insurance companies)

The supervisory body has five departments: major retail banks; cooperative banks; credit unions; life insurers and general insurers.


Non-RBS approach:

  • The allocation of staffing among the departments has been relatively constant for several years based on the firms’ perceived ‘importance’ and size
  • There is no rigorous definition of ‘importance’. This is imprecisely based on size and the number of retail customers
  • Insurance is seen as inherently lower risk than banking and has fewer staff (who do different things)
  • A further factor in staff allocation is the need to undertake visits to firms on a fixed schedule (e.g., largest visited every year, smallest every three years) at which a fixed programme of on-site work is undertaken
  • Two years ago there was a proposal to reallocate a number of staff from the credit unions department to the major retail banks department. This was vigorously (and successfully) opposed by the director of credit unions who adduced several political reasons why credit unions could not be allowed to get into difficulties or fail
  • Great store is also placed on continuity. The firms value their relationship with the teams and supervisory managers, many of whom have been unchanged for several years

RBS approach:

  • Clear and agreed metrics for risk based on systemic importance; impact and likelihood of risk materialising
  • Includes metrics for small firms which collectively may pose different types of risk and which assesses cross sectoral risk (banking and insurance) on a consistent basis
  • ‘Baseline’ for staff allocations to firms based on risk (impact and likelihood). Management accept that this includes a steep reduction in allocations to small/low risk firms where the allocation is a fraction of that for larger/higher risk ones 
  • Deviations from baseline allocations are justified in an annual budgeting process. Numbers of visits and on-site activities tailored to the risks posed by the institution concerned. Annual process for allocation of staff to departments and other risk-based activities
  • Managers are visibly and consistently rewarded for recognizing and adjusting to risk-based needs rather than deriving status from empire building

Risk Tolerance/Recognition (That things will go wrong)


Non-RBS approach:

  • The perception is that all risk (to firms, consumers and the financial system) is ‘bad’ and must be eliminated
  • But also an intuitive understanding that this isn’t possible – leading to fear of all ‘bad’ outcomes (which tend to be equated with those which will attract criticism)
  • Prevalence of ‘blame’ within the culture. When things do go wrong: a) blame lack of resources; b) blame individuals who were closest to the problem
  • Tendency to fight the last battle by allocating additional resources to recent or current problem areas, regardless of their intrinsic importance

RBS approach:

  • Understanding, shared with major stakeholders, that risks (to firms, consumers and the financial system) will remain, however diligently the supervisory body does its work
  • Agreed sense, shared with major stakeholders, of the supervisory body’s risk tolerance. Which risks are acceptable and which are not (‘zero tolerance’) and some sense of how much residual risk the supervisor will accept
  • Clear articulation of how residual risk is linked to resources. Don’t blame bad outcomes on lack of resources but recognize that available resources need to be allocated optimally to minimize residual risk
  • Willingness to accept that some ‘bad’ outcomes, while undesirable, are within the risk tolerance
  • Respond to crystallised risks that are outside the risk tolerance by learning lessons to minimize recurrence. Learn the lessons but don’t over-react by fighting the last battle
  • Eliminate blame culture – objective is not to apportion blame when things go wrong. Make it clear that if individuals follow agreed processes and make reasonable decisions, they will be supported even when ‘bad’ outcomes occur 

Effective, Risk-based Decision Making


Non-RBS approach:

  • The arrangements for delegation and escalation of issues are unclear or poorly understood and not documented
  • Consequently, it is unclear at what level responsibility for many decisions resides
  • There may be a lack of clarity whether senior management views are decisions or ‘advice’. Documents or emails sent to seniors with proposed courses of action may produce responses that are non-committal or ambiguous
  • Decisions are frequently over-ridden on ‘wider’ (e.g., political) grounds. E.g., the decision may be taken to allocate a disproportionate amount of resource to institutions that are low impact but seen as politically sensitive.  The basis for such decisions is unclear
  • In some cases, staff whose decisions are over-ridden are made to feel that they have made a mistake (in not taking account of the wider factors involved) and their future decision making may be affected or inhibited by this (e.g., by making them over-cautious)

RBS approach:

  • It is made clear that decisions by supervisory teams will be made on the basis of risk (i.e., at a technical RBS level)
  • There are clear criteria setting out the kinds of decisions (mostly technical) which are delegated to what level. There is also clarity about the basis on which decisions are to be escalated (e.g., if there are known to be wider political issues involved)
  • This will include clarity about whether the views of seniors (e.g., in ratings panels) constitute advice or firm decisions
  • Where decisions are over-ridden – e.g., on political grounds – it is clear where the decision to over-ride is to be taken and the basis on which it is made. It is clear that if the supervisory team has made a recommendation on technical risk-based grounds and escalated the matter appropriately, they have done what is expected of them


Ford, Jeffrey, and Laurie Ford. “Decoding Resistance to Change.” Harvard Business Review. April 2009.

Garvin, David, and Michael Robert. “Change Through Persuasion.” Harvard Business Review. February 2005.

Managing the People Aspects of Supervisory Change. TC Note. Toronto: Toronto Centre, December 2016.

Risk Based Supervision. TC Note.  Toronto: Toronto Centre, March 2018. 

Association of Project Management. “Stakeholder Management.” 2018.



[1] This note was prepared by Paul Wright on behalf of Toronto Centre.

[2] Risk-Based Supervision, TC Note (Toronto: Toronto Centre, March 2018).

[3] Where the central bank does not have responsibility for supervision.

[4] This is usually a protracted process but legislative windows can open unexpectedly so heads of agencies should have a ‘legislative shopping list’ ready should this happen suddenly.

[5] Though it needs to be recognized that supervisory bodies are always subject to criticism in these circumstances and any pre-emptive stakeholder engagement can have only a limited impact on this.

[6] Managing the People Aspects of Supervisory Change, TC Note (Toronto: Toronto Centre, December 2016).

[7] The structures and processes involved in the implementation of RBS were discussed in some detail in the earlier TC Note Risk-Based Supervision, pages 17-20.

[8] Supervisory panels provide oversight of risk ratings and supervisory program in order to promote consistency of approach.  For a detailed account see the TC Note Risk-Based Supervision, page 19.

[9] Risk tolerance bears some similarity to the concept of risk appetite as applied to supervised firms.  There is however an important difference in as much as financial firms need to take risks in order to make a profit and the strategic question they face concerns the trade-off between risk and return.  Supervisory bodies do not choose to take risk – their task is to reduce or mitigate it to the extent possible given their resources which is why the preferred term is ‘risk tolerance’.

[10] See page 12.

[11] Risk-Based Supervision.