Toronto Centre

Wednesday, Jan 30, 2019

Download Document

The Development and Use of Risk-Based Assessment Frameworks

Introduction[1]

This Toronto Centre Note is the third in a series on risk-based supervision (RBS). The first Note set out the characteristics and principles of RBS.^[2] The second addressed the particular challenges and issues confronting senior managers in implementing this approach^[3]. This Note provides more detailed guidance on the development of risk assessment frameworks and their implementation. It needs to be read in conjunction with the earlier Notes in which the fundamentals of RBS are developed at greater length.

Developing a Risk Assessment Framework

The earlier TC Note on the characteristics and principles of RBS presented a generic risk assessment framework. This was based on the fundamentals of RBS and draws on (but is not identical to) frameworks used in a number of countries. It was not meant as a detailed template: supervisory bodies need to develop their own frameworks, based on RBS principles, to meet their particular needs. This Note uses the generic framework as its starting point and provides guidance for its implementation and use which should be applicable (with appropriate modifications) to national versions of RBS frameworks.

Notes:

This is a simplified risk matrix as might be applied to a bank. A comparable risk matrix for an insurer or pension provider would have the same format but a different selection of inherent risks.
The exact form the risk matrix will take will differ from supervisory body to supervisory body depending on the nature of their objectives, financial institutions and methodological preferences.

Supervisory Objectives

It is essential to be clear at the outset about the meaning of ‘risk’. For the purposes of RBS, risk refers to a potential inability of the supervisory body to meet its objectives. All supervisory bodies need to have clear objectives, which are typically set out in statute. They will normally encompass at least some of the following:

Protection for the consumers of financial services, both from misconduct and loss resulting from prudential failure
Financial stability, which is closely linked with the avoidance of systemic risk
The avoidance of financial crime, including money laundering and terrorist financing

Risk management draws heavily on the concepts of impact and probability. In assessing a potential risk (such as large-scale losses at a firm; misconduct or financial crime) consideration needs to be given to the impact of such an event on the achievement of the supervisory body’s objectives were it to crystallize (how much it would matter) alongside the likelihood of its happening^[4].

An essential first step in RBS is the development of a methodology to categorize firms on the basis of their impact. The expectation is that high impact firms (for example those with extensive retail operations and/or interconnections throughout the financial system) will receive more supervisory attention than lower risk ones. Firms whose impact is judged to be systemic (in the sense that failure would result in contagion and significant macro-economic damage) should receive particularly close attention. Metrics such as size; the scale of firms’ retail business and the volume of intra-financial system connections (through interbank or other lending) and cross border activity need to be developed for this purpose^[5].

A An illustrative (and much simplified) example of a risk assessment

Throughout this note sections in shaded boxes like this illustrate how the kind of generic risk assessment presented in this note might be completed. The example is deliberately simplified to illustrate the broad approach. It should be emphasized that supervisory bodies need to develop their own detailed frameworks. The boxes are intended to give an indication of how a risk-based framework, including any national variants that are developed, might be used.

It is taken as given that the supervisory body has a rigorous and consistent methodology for classifying firms on the basis of their impact based on size, the amount of retail business undertaken and interconnectedness with the rest of the financial system. This will include a methodology for the identification of firms which are systemically important. The current risk assessment is being undertaken in respect of a medium sized bank which undertakes a mix of retail, commercial and private banking. It is not judged to be systemically important and is stand-alone in the sense that it is not part of a wider group, either domestically or internationally.

In this case, the supervisory body’s objectives are: a) to protect consumers of financial services from losses arising from failures of institutions; b) to protect consumers from mis-selling; c) to reduce financial crime. For simplicity it is assumed that reputational and legal risk are included within operational risk.

Identifying Areas of Risk Focus

Not all of the activities that firms undertake are equally risky and the allocation of resources in firm-facing supervision needs to reflect this. Once firms have been categorized on the basis of their impact, it is necessary to identify those areas or activities within each firm that represent the areas of greatest risk. These are areas or activities which, by dint of their nature and importance, are capable (if inadequately managed) of posing significant risks – of financial crime or risks to its customers, the firm’s stability or even its survival should they crystallize. Such adverse outcomes would have a potential bearing on the supervisory body’s ability to achieve its objectives.

There are a number of possible approaches to the identification of areas of focus. Some supervisors focus on ‘significant activities’. Examples of these could be unsecured lending, custodian services or the writing of reinsurance. Others focus on whole business units or even, where the range of activities is very limited, on the firm as a whole.

In deciding on the areas of focus, supervisors need to pay attention to available metrics such as the share of assets; revenue or profit accounted for by activities; the share of premiums written; the capital allocated to activities and potential risk factors in financial crime (such as the volume of cross-border business involved in private banking operations) and terrorist financing. The potential variability of metrics should also be considered. Firm’s business models and strategic plans should also be scrutinized, on the basis of documentary evidence and discussion with management, to identify areas which are of particular strategic importance or critical to the firm’s reputation. If activities are highly leveraged, supervisors need to bear in mind the potential for activities which appear small on the basis of current metrics to have a large impact on P&L. Areas of focus should not be simply the largest activities though in practice, size (in terms of shares of income, profits or premiums) will tend to be an important factor. The choice of areas of risk focus is itself a risk-based activity in that it is inherently selective so that some activities and areas will receive less scrutiny than others (or even none). As rule of thumb, it is unlikely that more than 5-10 areas of focus would be identified for the largest firms. For medium sized ones there may be fewer than five. There are two important implications of this:

The choice of areas of focus needs to be kept under review as part of the regular cycle of supervisory scrutiny.
There may be times when, notwithstanding the application of sound supervisory judgement, significant problems arise in areas which were not judged to be areas of focus. Lessons need to be learned from such cases, but this should not be seen as undermining the risk-based approach.

In deciding on areas of risk focus, supervisors should ask themselves what level of detail (significant activity, business unit or even whole firm) will provide the most useful basis for forming a coherent and comprehensive picture of the risks the firm is running. There is often a temptation to become increasingly granular – for example in focusing separately on different sub-categories of corporate lending - when, in reality, this may not reveal a significantly different picture of risk from looking at corporate lending as a whole.

Common implementation issues

Problems

Good practice

Supervisors simply equate significance with size
The assessment is static
The assessment is too granular with too many areas of focus
Activities or areas not judged to warrant particular focus are ignored

While size is an important factor, it is not the only one. Areas which are relatively small can have the potential to pose major risks, either currently or prospectively. This needs to be a matter of supervisory judgement
A forward-looking perspective is necessary that takes account of how the business (and hence risk) is likely to develop over time
The question is ‘how much would additional granularity add to our understanding of risk?’ It is often the case that ever greater granularity adds little in practice
The choice of areas of focus needs to be kept under review and amended from time to time if appropriate

B Illustration: areas of focus

A snapshot of the bank’s activities is as follows:

Business line	% of balance sheet assets	% of earnings	% of risk weighted capital
Retail lending	58	47	48
Of which: Residential mortgages	32	30	16
Credit card lending	26	17	32
Real estate lending	26	12	31
Commercial lending (to companies)	10	22	15
Wealth management/private banking	1	12	n/a
Foreign exchange	1	4	n/a
Commodities trading	4	3	6
Other observations (based on past supervisory experience, analysis of business model, strategic plan and discussions with senior management) The bank targets relatively low income/less creditworthy borrowers for mortgage lending Last year it was subject to enforcement action and heavily fined for inappropriate selling practices in the area of retail mortgages. They continue to target the same sector of the market but claim to have stopped mis-selling and to have strengthened controls to prevent this Wealth management/private banking involve minimal balance sheet exposure but has a substantial cross border element, possibly with some ‘politically exposed’ customers and is viewed as an important aspect of the bank’s franchise Commodities trading is proprietary trading using the bank’s capital The strategic plan (which has been communicated to shareholders) envisages significant growth in: a) unsecured credit card lending directed at low income/less creditworthy groups; and b) corporate lending to start-ups Capital allocation to commodities trading is CRE

Chosen areas of focus and rationale

Residential mortgages	Size (largest share of assets) Firm has recently experienced significant conduct issues (mis-selling)
Unsecured credit card lending	Size and importance of growth to strategic plan
Real estate lending	Size and importance of growth to strategic plan
Wealth management/private banking	Cross border nature and potential engagement with politically exposed persons
Issues Inclusion of commercial lending to companies is debatable o/a size. Decision not to include here but to keep under review Commodities (=proprietary trading) is a bit of a concern o/a leveraged use of bank’s capital. Decision not to include here but to keep under review In general, areas not chosen as areas of focus are not ignored but periodically revisited

Documentation

The following documentation should be provided on an agreed and consistent basis:

The chosen areas of focus plus rationale
Areas not chosen as areas of focus plus the rationale for this and timescale for periodic monitoring and review

The areas of focus can be entered onto the matrix as follows:

Areas of focus

External risks

Inherent risks

Risk management and governance

Net risk

Direction

Financial resources

Macroeconomic

Macroprudential

Credit

Market

Operational

Financial crime

Conduct

Board

Senior management

Internal audit

Risk management

Residential mortgages

Unsecured credit card lending

Real estate lending

Wealth management and private banking

Overall rating

Identifying External and Inherent Risks

A key tenet of RBS is that the risks firms face from the external environment and from the nature of their business (inherent risks) are assessed separately from the adequacy of management and controls. Once areas of focus have been identified it is necessary to identify these external and inherent risks^[6].

External risks encompass the following:

Developments in the wider economy which may have a bearing on the level of risk in the firm (macroeconomic). A change in interest rates for example may have an impact on non-performing loans a differential impact on the pricing of assets and liabilities, affecting P&L in both banking and insurance (particularly where some rates are fixed).
Intelligence regarding the wider industry or sector (macroprudential). A widespread change in lending practices for example will affect credit risks in banks; a ‘search for yield’ in a low interest rate environment will affect investment preferences or saturation in a market (such as life insurance) will affect firms’ behaviours and strategic choices.

Macroeconomic and macroprudential information will be directly relevant to the supervision of large firms. For smaller ones it may figure less directly but will still form part of the wider context within which risks, perhaps for groups of firms, should be assessed.

Inherent risks are the types of risk being run within the areas of risk focus. They can be defined as the probability of a material loss as a result of exposure to current and potential future events. The most commonly identified inherent risks are credit, market, insurance, operational, money laundering and conduct risk for which there exist standard definitions. Others such as legal, reputational, regulatory compliance and strategic risk also need to be considered, though the definition and treatment of these varies across supervisory bodies. Some for example include legal and reputational risk with operational. Decisions about these need to be made by supervisory bodies individually.

The most prevalent inherent risks differ across sectors. In most banking for example, credit risk will figure prominently while underwriting risk will be a feature of most insurers and investor/market risk will be key for pension funds. All firms are susceptible to financial crime or being used for money laundering and all customer-facing firms run the potential risk of misconduct/mis-selling. Areas of focus may embody other risks such as operational or legal risk though these should only be explicitly rated where there is reason to think that these are particularly significant.
Supervisory bodies need to consider whether some risks – such as liquidity, IT and money laundering/financial crime risk – should be considered at the level of the individual risk area or are pervasive (and centrally managed) such that they should best be considered at a firm- or enterprise-wide level.

It should be emphasized that this stage of the process is solely about determining the types of inherent risk that are being run – independently of the severity/extent of these or the effectiveness of any controls as shown in the table below.

Considered at this stage?
Type of external risk	Type of inherent risk	Severity of risk	How well it is controlled
Yes	Yes	No - later	No - later

Common implementation issues

Problems

Good practice

A disconnect between external sources of intelligence (macroeconomic and macroprudential) and risk assessments
Identification of too many inherent risks
A tendency to include elements of control risk

Supervisory bodies frequently do not undertake macroeconomic and macroprudential assessments themselves. These are often imported from elsewhere and it is important to develop a systematic way of incorporating this information into risk assessments.
If, for example, a lending function is identified as an area of focus, the principal inherent risk will be credit risk. Operational or reputational risk may also be present but these should only be considered explicitly if they are significant and have a real bearing on the overall risk profile
A firm’s management might emphasize the fact that, while they target a relatively risky segment of the market, this activity is well controlled. The quality of controls are not significant in this part of the assessment, which should identify only the inherent risks (credit, underwriting, conduct and so on) that are involved.

C Illustration: identifying external and inherent risks

Macroeconomic

The supervisory body does not undertake independent macroeconomic analysis but takes this from the central bank. Their assessment is that economic activity will remain generally strong and stable. There is unlikely to be any pressure on interest rates in the near future – it is likely that there will be a gradual downward movement in interest rates over the next three years.

Implications for assessment

No particular reasons for concern or to expect that the macroeconomic outlook is likely to increase risks in the financial system

Macroprudential

The supervisory body also takes its macroprudential analysis from the central bank. Their assessment is that financial sector leverage is stable and not excessive. Levels of personal sector borrowing are increasing gradually but not at a rate which causes concern. There are however concerning signs of an emerging bubble in commercial real estate prices which have increased far in excess of the general price level or residential property prices over the past two years.

Implications for assessment

The emergence of a real estate bubble is a matter of concern because of this bank’s exposure and the strategic importance of this type of lending going forward. This raises the question of whether the credit risk inherent in this type of lending should be seen as elevated because of the bubble.

Inherent risks

Residential mortgages – credit (lending product) and conduct (nature of target market)

Unsecured credit card – credit (lending product) and operational (IT intensive activity)

Commercial real estate – credit (lending product)

Private banking – financial crime (nature of business and customer base)

Rating External and Inherent Risks

Considered at this stage?
Type of external risk	Type of inherent risk	Severity of risk	How well it is controlled
Yes	Yes	Yes	No - later

Having identified the types of risk embodied in each area of focus, supervisors now need to assess the severity of the risks and assign ratings to these.

Assigning ratings cannot be a mechanical or precise process. Whilst use should be made of all available and relevant information (such as historic data on crystallized credit or underwriting risk), the process relies ultimately on supervisors’ informed judgement.
Experience suggests that an ideal number of ratings categories is four. More than this adds little in terms of risk information and creates a spurious impression of precision. An even number of categories also prevents indecisive supervisors defaulting to ‘medium’ or ‘average’ ratings.
It makes little difference whether ratings categories are assigned names (high, medium high etc) or numbers (4,3,2,1) provided the use of numbers does not give rise to an over- mechanical or numerical approach.
Some supervisors provide ‘baseline’ figures for credit risk in particular. An analysis of data might show for example that unsecured personal lending has a higher default rate than, say, residential mortgages. This might then be reflected in higher ‘baseline’ scores. This is acceptable provided the baselines are used as starting points only. Supervisors should then actively consider whether, given the specific circumstances of the firm they are assessing (or the environment within which it is operating), the baseline ratings are acceptable or need adjustment.

Supervisors need clear guidance for assigning ratings to inherent risk. An example of such guidance is as follows[7]. The severity of the ratings relates to the likelihood of significant damage to the firm or its customers over a specified time period.

High	In the absence of substantial and urgent remediation, there is a high probability of loss that will impair capital, leading to potential damage to depositors/policy holders within twelve months
Medium high	In the absence of remediation, there is a significant probability of loss that will impair capital, possibly leading to damage to depositors/policy holders in the foreseeable future
Medium low	There is some need for action in a limited number of areas but the likelihood of losses leading to damage to depositors/policy holders is small
Low	No significant remediation is required and losses leading to damage to depositors/policy holders are very unlikely

The management of the supervisory body should have some prior ideas about what the expected distribution of ratings might look like. In general, and in other than exceptional circumstances, it is unlikely that many identified risks (more than, say, 5-10%) will fall into the ‘high’ category. The criterion for ‘medium high’ is less searching but it would be surprising if a majority of ratings came into this category. Such prior ideas, while subject to review in the light of experience, can be a yardstick with which to consider the plausibility of the emerging pattern of ratings, particularly in the early stages of implementation.

Common implementation issues

Problems

Good practice

Conflation of inherent and control risks
Over-use of high ratings
Supervisors may be reluctant to assign low ratings because they are unwilling to associate themselves with the view that there are few or no significant risks
Insistence that ratings can be based only on metrics
Excessive diversity in ratings across firms

The focus at this stage is solely on the severity of the risk embodied in the activity/area of focus. How well these risks are managed is not a consideration
Whilst supervisors should be encouraged to use the full range of ratings, there is a common tendency in the early stages to assign too high a rating to risks. An excessive number of ‘high’ and ‘medium high’ ratings is intuitively implausible and works against the differentiation of risks which is central to RBS
Training and familiarisation are required on the use of ratings together with assurances that supervisors will be supported in making reasonable judgements
Ratings need to be based on evidence-based informed judgement and supervisors need to be encouraged to exercise this and supported in doing so
Even with the most comprehensive guidance, it is inevitable that diversity will emerge in which similar risks are given different ratings by different supervisors. This underlines the need for structures such as panels and peer review, both at the outset and once RBS is established to promote consistency^[8]

D Illustration: rating external and inherent risks

The criteria used are as per the guidance on page 10
Mortgage lending is often rated as ML but this has been raised to MH in this case because of the particular risks associated with the target market
The firm was recently fined for mis-selling of mortgage products. It continues to offer products and to target markets where the scope for mis-selling is quite high
The inherent risks in unsecured credit card lending are relatively high because of the unsecured nature of the product and the significant amount of processing required
In other institutions and previous assessments commercial real estate has sometimes been rated as having ML inherent risk but the macroprudential assessment of a developing bubble has persuaded the supervisors to elevate this to MH
On examination, the risks arising out of private banking are moderate: the number of politically exposed customers is small and these are from mostly low-risk jurisdictions

Implications for assessment

*Area of focus*	*Principal inherent risks*	*Explanation*	*Overall rating*
Residential mortgages	Credit Conduct	Lending product and target market Nature of product and target market is particularly susceptible to mis-selling	MH MH
Unsecured credit card lending	Credit Operational	Lending product Credit card activity is very process/IT intensive and susceptible to IT problems	MH ML
Commercial real estate	Credit	Lending product	MH
Private banking	Financial crime	Cross border nature of activity and nature of customers	ML

The relevant part of the matrix can now be completed. Note that it is neither possible nor necessary to assign a rating to every cell in the matrix. Ratings should be provided only where there is worthwhile information which will have a significant bearing on the risk assessment.

The overall rating for each inherent risk (the bottom cell in the matrix) is based on the ratings assigned to the inherent risks in the individual areas of focus. It is emphasized that this requires judgement and is not a simple adding up exercise. The question being addressed is: ‘Given our assessment of the inherent risk in each of the areas of focus, what rating do we give to credit risk, operational risk and so on for the firm as a whole?

Areas of focus

External risks

Inherent risks

Risk management and governance

Net risk

Direction

Financial resources

Macreconomic

Macroprudential

Credit

Market

Operational

Financial crime

Conduct

Board

Senior management

Internal audit

Risk management

Residential mortgages

Unsecured credit card lending

Real estate lending

Private banking

Overall rating

Documentation

The following documentation should be provided on an agreed and consistent basis:

The rationale for the identified ratings of inherent risk
Including the rationale for any ratings which may be influenced by external or firm-specific factors (in this case the particular focus of mortgage lending in the target market, the strategic impact of unsecured lending and the real estate bubble)
The judgement–based rationale for the overall ratings for the inherent risks

Rating Risk Management and Governance

Having established the most important external and inherent risks, the next stage in the RBS framework is to assess how effectively these are controlled through the firm’s internal controls, senior management and the Board (governance). These are discussed extensively in the earlier TC Notes^[9]. The main functions involved are shown below.

Internal controls

Governance

Local (business unit) controls

Risk management

Compliance

Financial control and reporting

Actuarial

Internal Audit

Financial crime/ML controls

Board (including committees)

CEO

Senior management

In considering the interaction between external/inherent risks and the control and management of these, the following need to be borne in mind:

Ineffective controls may not only fail to mitigate external and inherent risks, but they may actually amplify them. There are multiple examples of firms getting into severe difficulty or even failing as a result of weak controls in areas which were small and/or apparently entailed low inherent risk.
The assessment of the adequacy of controls and management needs to have reference to the underlying inherent risks. The higher the inherent risk, the more demonstrably rigorous and effective the controls need to be.
Supervisors should also have regard to any use that is made of third parties such as external auditors or outsourced compliance or control functions.

The greatest challenge that supervisors face in assessing the adequacy of controls and management is forming a view about their effectiveness. Most organizations will be able to demonstrate that they have control and governance structures in place and that these have remits and terms of reference which appear appropriate. These however provide no guarantee that the structures are effective in delivering the necessary level of control. The assessment of effectiveness inevitably contains a large element of judgement. The following may be helpful in this^[10]:

Supervisors must have full access to everyone in the firm, including the most senior management and Board members. Supervisory bodies should exercise reasonable judgement in whom they ‘field’ to interact with the most senior people – a junior supervisor is unlikely to be able to hold his or her own with an experienced CEO. But no-one, however senior or venerable, is off-limits.
Supervisors should not be excessively deferential towards senior staff or Board members. Supervisors are legitimately seeking information as part of their job. They have a perfect right (an obligation in fact) to ask searching questions and may need – albeit courteously - to remind senior staff or Board members of this.
It is impossible to form a view about the effectiveness of high-level structures or senior staff solely through the use of ‘closed ended’ questions – that is to say questions which have a simple numerical or yes/no answer. This has a number of implications:
Questioning needs to be increasingly open ended along the lines of ‘give me examples of where the Board has made a real difference to risk management’ or even ‘how would you characterize (in your own words) the firm’s attitude to risk’
Interpreting the answers to open-ended questions can be as challenging as framing them. Senior staff are adept at telling a good story (which is often how they have got where they are) and even experienced supervisors can find that they come away from apparently useful meetings having actually discovered very little. It is necessary to have a prior ‘hypothesis’ about what acceptable answers to open ended questions would contain. To emphasize, this concerns the type of answer that is acceptable; it is not to pre-judge the detailed answers themselves.

Question	How often does the Board discuss the attitude to risk? Provide examples of when the Board has visibly influenced the executive’s actions regarding risk.
Hypothesis	Board member should be able to identify of discrete, focused discussions of risk and risk management Able to provide verifiable examples of where the Board’s active engagement provided the executive with clear direction on risk
Not sufficient	We discuss risk continually. It comes up at most meetings Here is a copy of the written risk appetite statement the Board has agreed We have a Risk Committee which receives regular reports from Risk Management All Board members are extremely risk conscious – you have to be in this business
Acceptable	All papers that come to the Board now contain (at our insistence) a section outlining ‘risk implications’ In each of the last two meetings Board members have challenged these sections of papers as follows (this is minuted) The minutes clearly show that the Risk Committee has repeatedly taken a challenging stance towards the executive in its meetings – here are two examples In its last meeting the Board rejected a proposal for a new product on the grounds that the risk implications were unacceptable and outside of its risk appetite (minuted) About six months ago the Board insisted that the management of the Risk Management Committee be strengthened when an experienced senior person retired (minuted). The CEO had not been minded to do this.

In some circumstances, such as where a firm is seen as being particularly high impact or of systemic importance and/or where there are thought to be particular risk issues, a more intrusive approach to the assessment of management and controls may be warranted. This may involve the rigorous validation or checking of processes and documentation, either directly or through the appointment of third parties such as external auditors. The balance between placing judicious reliance on firms’ own processes and undertaking independent validation is itself a risk-based one.^[11]

Given the particular challenges of making assessments in this area, supervisors need clear guidance to assist them. Such guidance should ideally consist of two parts:

An aide memoire covering the key issues to look for when assessing structures and effectiveness. An example of this – as applied for example to risk management- would be as follows:

2. Assessment criteria for determining ratings. In the following example, there are four categories of ratings with descriptive titles (rather than numerical categories):

Common implementation issues

Problems

Good practice

Excessive deference towards senior staff and Board members
Insufficient representation by senior supervisors at meetings with senior staff and Board members
Over reliance on forms or structures rather than effectiveness
Difficulty in establishing an evidence base for effectiveness
Unwillingness to assign meaningful ratings on the basis of judgement and in the absence of empirical evidence

Senior staff may attempt to bully supervisors or place them at a psychological disadvantage. In some countries Board members are venerable former senior politicians or officials. They nevertheless have an obligation to be cooperative with supervisors and to demonstrate their effectiveness
It is not reasonable to expect junior supervisors, however capable, to interact on equal terms with senior executives and Board members. Seniors need to be involved in meetings with board members and senior management and to provide consistent support junior staff
Supervisors need to develop approaches to assessing effectiveness along the lines set out above and to provide thorough training in these
Supervisors need to be trained in techniques of probing and assertive questioning to enable them to establish the evidence base for their conclusions
Assessments need to be based on evidence but recognizing that needs to go beyond narrow empirical or compliance-based approaches and to involve judgement

E Illustration: rating risk management and governance

The supervisory assessment (based on on- and off-site work) revealed the following issues:

Function	Issues identified
	Area specific	Firm-wide
Board	Unsecured credit card lending: some evidence of challenge of management’s assessment of credit risk in this area and pressing for stronger controls Single discussion of mortgage mis-selling issue; no challenge to proposed follow up Very little engagement with AML	Structures and procedures look acceptable on paper But board generally passive and non-challenging Doubts whether it has sufficient depth of expertise
Senior management	Director of retail lending provided evidence of controls over credit risk and strategic grasp But little evidence of assessment of risks embodied in strategic expansion in this area Weak and partial response to mis-selling issue. Remuneration structures still encourage this New head of commercial lending shows real signs of independence and willingness to challenge CEO and has good grip on risk issues	Dominant CEO – acts as ‘gate keeper’ to Board and very dominant in dealings with Board Cost pressures have led to significant cuts in budgets for controls functions (Risk Management and Internal Audit) No fundamental grasp of issues driving mis-selling issue MLRO adopts a formulaic, non-challenging approach
Internal Audit	Commercial lending had an IA review 1 year ago. Not all findings have been followed up No separate review following mis-selling but one is scheduled Retail lending is scheduled to be reviewed in three months as per IA’s schedule IA review of Private banking scheduled for six months’ time	Evidence that Head of IA is diligent but has limited effectiveness: a) because of lack of support from CEO; and b) lack of independent access to Board and Audit committee
Risk Management	Very little detailed engagement with business areas RM receives and processes pro forma information from the business areas No systematic assessment of financial crime risk	Head of RM is former Head of Compliance Demonstrated no grasp or acceptance of need for a pro-active approach to risk management

Implications for the assessment

Firm-wide issues are:

Overall ineffectiveness of Board
Performance of CEO and lack of support for control functions
IA is diligent but effectiveness is limited by lack of support
Weak Risk Management

Area specific issues:

Senior management in Retail appears to have limited effectiveness and unconvincing response to mis-selling issue
Senior management in Commercial has more of a grip
Modest Board engagement with Retail (unsecured credit strategy)
IA engagement with business areas has been good but limited scope for high level follow up
Risk Management is weak across the Board
Adequate but unimpressive AML procedures

The implications of this for the matrix might be as follows:

The ratings categories are Weak, Needs Improvement, Acceptable, Strong
The criteria are as set out on page 16
A useful first step is to consider any evidence of the effectiveness of the functions in each area of focus. The second step is to assess overall effectiveness of functions (bottom row)
As with the rating of inherent risk, it is neither possible nor necessary to assign a rating to each cell on the matrix

Areas of focus

External risks

Inherent risks

Risk management and governance

Net risk

Direction

Financial resources

Macreconomic

Macroprudential

Credit

Market

Operational

Financial crime

Conduct

Board

Senior management

Internal audit

Risk management

Residential mortgages

Unsecured credit card lending

Real estate lending

Private banking

Overall rating

Documentation

The following documentation should be provided on an agreed and consistent basis:

The rationale for any ratings assigned at an area-specific level
The rationale for the overall (firm-wide) assessments
In both cases, these need to be evidence-based bearing in mind: a) that these assessments will contain a larger element of judgement than those for inherent risks; and b) they are more likely to be challenged

Net Risk, Direction of Risk and Overall Net Risk

At this stage, information about the inherent risks and management and control issues is combined. In assessing net risk the question is: ‘what is the overall level of risk in each area of focus given the perceived level of inherent risk combined with the mitigation provided by controls and management?’ This is achieved by combining the ratings for inherent risk and those for the relevant controls. There is inevitably some ‘arithmetic’ linkage involved – ‘weak’ controls combined with ‘medium low’ inherent risk are likely to result in a net risk which is ‘medium high’ or even ‘high’. In this, as in the other ratings, however, it is essential to apply judgement to arrive at a plausible rating.
Having arrived at a rating for net risk for each area of focus, supervisors need to take a view on the direction of net risk for each area of focus. There are often good reasons to suppose that the net risk in, say, twelve months may be different from the level today, with implications for the supervisory programme. It may be for example that inherent credit risks are set to increase as the result of a projected economic downturn whilst there is no evidence of a strengthening of controls. Alternatively, inherent risk may be expected to remain stable while controls or management are about to be strengthened, but as part of a programme that will take several months to complete.
The question for supervisors is therefore whether net risk is likely to increase, decrease or remain stable over a given time period –the next twelve months say. Here too, judgment needs to be applied. Any weakening of management/controls may need to be weighted particularly heavily along the lines of the table below.
Possible outcomes of changing inherent and control risks

The table illustrates two important principles:

Wherever management/controls are becoming less effective, that should prima facie be taken as evidence of an increasing trend for net risk even if some reduction in inherent risk is also in prospect - unless there is compelling evidence to the contrary (the case shown in the top left cell)
Where inherent risk is set to increase, net risk can only be judged to be stable where a strong case can be made that more effective management/controls are keeping pace with this. Otherwise, there is a prima facie case that net risk will increase (bottom right)

The final step in this stage is to take a view on overall net risk. This applies to the institution as a whole and represents the summation of everything that is known about the following:

The inherent risks and controls within each area of focus (net risks and direction)
The adequacy of management and controls at a firm-wide level – which will often be the most meaningful level of aggregation for these (that is, it is more meaningful to assess the overall effectiveness of the Board than its effectiveness in the specific area of, say, retail lending)

As noted in the earlier TC Notes on this subject, some supervisors choose to include within the assessment of overall net risk the firm’s financial resources (principally capital and liquidity). That is a choice for independent supervisory bodies. In this example, it is assumed that financial soundness is assessed at the end of the process and after the assessment of overall net risk.

The question in assessing overall net risk on this basis is “given all of the available information about areas of focus, inherent risks and the adequacy of management and controls, how much risk does this firm as a whole pose to our objectives?” This should then be given an overall rating. A categorization of H, MH, ML or L has been found to work well.

Some supervisors introduce a further formal step here of assessing the ‘importance’ of each of the identified areas of focus, effectively creating the basis for assessment based on a weighted average. It is possible for example that the area which is identified as being of most visible concern may still (by dint of its size or other significance) represent only a modest risk to the enterprise as a whole.

It is a matter of choice for supervisors whether or not they adopt this further formal step in the assessment process. Whilst it imposes a useful discipline on the assessment process it also raises the potential for double counting. Areas of focus have already been chosen because of their potential (if things go wrong) to have a significant adverse impact on the firm and hence the supervisor’s objectives (a proxy for impact). The introduction of a further stage of assessing relative importance recognizes that some have more impact than others. Alternatively, the assessment of overall risk can be left as a matter of judgement.

Once the assessment of overall net risk has been made, the supervisor needs (metaphorically) to ‘stand back’ and consider whether the rating for overall net risk, as well as those for all of the components of the risk matrix, look plausible in the light of everything that is known about the firm and the risk ‘story’ that has emerged as a result of prior knowledge and the on- and off-site supervisory work that has been undertaken. If the rating does not ‘feel’ right there are two possible interpretations:

The structured process of completing the matrix may indeed have provided insights into risk which should be taken into account in a revised risk ‘story’; or
The scores in the matrix need to be revisited

In either case, comparison of the matrix with wider perceptions of risk provides an important reality check. Further reality checks should be provided later in the process through the use of panels and peer reviews.

The rating of overall risk is a particularly important part of the assessment because many supervisors choose, as part of their communication with supervised firms, to share this. It is generally very unwise to share finer details of the assessment (such as individual matrix scores) because firms are likely to cavil over this, creating a distraction from the main objective of identifying and addressing risks. In many cases however it is useful to share the summary overall risk rating together with the risk issues that drive it as a basis for the supervisory discussion and follow up actions that the assessment should trigger.

Problems

Good practice

Failure to recognize (in assessing net risk) the link between the adequacy of controls and the severity of inherent risk
Failure to recognize that weak controls can amplify inherent risks
The use of a purely ‘arithmetic’ approach to the assessment of net risk and/or direction
The use of a purely ‘arithmetic’ approach to the assessment of overall net risk
A failure to ‘stand back’ and compare the outcome of the matrix process with common sense feel for the level of risk

While it is an important principle that inherent and control risks are assessed separately there is nevertheless a relationship between them. If a firm is undertaking business that involves particularly high levels of inherent risk, controls need to be commensurately strong and effective to be judged ‘acceptable’. One size does not fit all in this context
If, for example, inherent risk is rated ML, controls rated as ‘weak’ or ‘needs improvement’ do not simply fail to mitigate the risk (resulting in net risk of ML) but may actually amplify it, potentially resulting in a rating (in this case) of MH
In a scenario in which inherent risk is MH and controls are rated as acceptable, there may be a tendency automatically to rate net risk as ML. While this may be the correct outcome, more thought needs to be given to the interaction of these. It is possible that even with broadly effective management and control the net risk may still be MH. This should be a matter of judgement.
Here too this should not be just an ‘adding up’ exercise but should involve judgement to develop a rating which accords with the supervisor’s understanding of the overall level of risk

While an intuitive feel for risk will not always be reliable (which is the rationale for having the matrix) it nevertheless provides a useful and important reality check.

F Illustration: rating net risk and direction of risk and overall risk

Combining the information for inherent and management/controls shows the following:

Residential mortgages: medium high credit risks; controls that generally Need Improvement (NI)
Residential mortgages: medium high conduct risk; controls that are Weak or Need Improvement (NI)
Unsecured credit card: medium high inherent credit risks with some Board engagement in strategy (A) but little management grasp of strategic implications (NI)
Real estate lending: medium high credit risk with acceptable (A) local controls but weak (W) Risk Management
Internal Audit is well and diligently run but effectiveness is limited by lack of engagement of other senior management and Board
The level of conduct risk in mortgage lending remains relatively high with no real strengthening of controls
The level of risk in unsecured credit card lending may be set to increase because of the firm’s chosen strategy
The level of risk in real estate lending may be set to increase because of an emerging bubble
Anti-money laundering controls are applied in a relatively narrowly compliance-based way. The overall risk in private banking is judged to be ML however

In terms of direction:

The net risk in residential mortgages is relatively high but there is no reason to think that it is increasing (→)
The strategy is for an increase in unsecured credit card debt with no sign of commensurate strengthening of controls (↑)
There is an emerging bubble in commercial real estate lending with no sign of commensurate strengthening of controls (↑)
The risk of financial crime is stable (→)

The implications for the matrix are as follows:

Areas of focus

External risks

Inherent risks

Risk management and governance

Net risk

Direction

Financial resources

Macreconomic

Macroprudential

Credit

Market

Operational

Financial crime

Conduct

Board

Senior management

Internal audit

Risk management

Residential mortgages

→

Unsecured credit card lending

↑

Real estate lending

↑

Private banking

→

Overall rating

Documentation

The following documentation should be provided on an agreed and consistent basis:

The rationale for the net risk ratings
The rationales for the perceived directions of net risk

The assessment of overall risk reflects total level of risk of the firm as a whole taking account of all external and inherent risks and the extent to which these are mitigated by management and controls. In the current example it does not, at this stage, include an assessment of financial soundness. The assessment of overall risk, like that of net risk, is a matter of judgement.

In the example, the net risk assessments for residential mortgages and real estate lending are MH while that for unsecured credit card lending and private banking are ML. On a purely arithmetic or averaging basis the overall net risk would be marginal. The decision in this case is that it should be rated MH. Does that sound plausible on the basis of judgement? The answer in this case is ‘yes’ because:

The four areas of focus are broadly equivalent in terms of their significance to the firm
The inherent risks (credit and conduct) in residential mortgages are still particularly acute because of the target customer base
There is particular uncertainty about the future of commercial real estate values
There remain potentially serious shortcomings in controls over mortgage selling practices
There remain significant shortcomings in the quality of Risk Management and the Board
There is scope for improvement in AML controls even though they are adequate overall

An overall net risk rating of MH therefore appears warranted. The direction of overall net risk would seem to be increasing on the basis that this is the direction of net risk for two of the areas of focus and there are no signs of offsetting mitigation or declining risks elsewhere in the business.

The implications of this assessment for the matrix are as follows:

Areas of focus

External risks

Inherent risks

Risk management and governance

Net risk

Direction

Financial resources

Macreconomic

Macroprudential

Credit

Market

Operational

Financial crime

Conduct

Board

Senior management

Internal audit

Risk management

Residential mortgages

→

Unsecured credit card lending

↑

Real estate lending

↑

Private Banking

→

Overall rating

↑

Documentation

The following documentation should be provided on an agreed and consistent basis:

The rationale underlying the distillation of the detailed ratings into the overall rating
A narrative reconciling the overall rating to a broader perspective of risk in the institution

Financial Resources

This part of the assessment considers the adequacy of the financial resources available to the firm. These are:

Earnings. The sources, stability and reliability of earnings are an indicator of the profitability and financial well-being of the firm. Retained earnings are an important potential source of capital.
Capital. This is the most fundamental aspect of a firm’s financial well-being. If the firm is under-capitalized, this needs to be remedied as a high priority. Where the firm is part of a wider group, the group needs to be a source of capital strength (and not of weakness). In the short term, the higher the level of net risk being run, the more capital (or solvency in the case of insurers) will be required to mitigate this. But the only sustainable response to a high level of net risk is to reduce it. Capital provides an important palliative but cannot provide a long-term offset to excessive net risk.
Liquidity. For banks in particular, adequate liquidity is fundamental to their ability to meet their financial obligations.

The approach suggested here is that each of these three elements is considered at a firm-wide level and in relation to the assessment of overall net risk. The questions for the supervisors is: “We judge overall net risk to be (say) MH. In that context, do we see the firm’s earnings, capital and liquidity as adequate in the sense that they go some way to mitigating that level of net risk?”

This is not, however, the only approach that could be adopted. Each of these elements could be considered at the level of individual areas of focus. Experience suggests that it is most meaningful to look at earnings and capital from a firm-wide perspective. There is however a much stronger case for looking at liquidity on a more disaggregated, area of focus, basis. There is also the additional option of looking at liquidity or asset and liability management (ALM) itself as an area of focus. Supervisory bodies need to decide for themselves which approach works best for them and the decision will be guided in part by the business models and practices of the firms in their jurisdiction.

As with other aspects of the assessment, supervisors should be provided with clear assessment criteria. There is not scope in this Note to set these out in detail but the following provide illustrations based on suggested ratings categories of Strong, Acceptable, Needs Improvement and Weak.

Earnings

Capital

The supervisory assessment of capital needs to draw heavily on the Internal Capital Adequacy Assessment Process (ICAAP) and the Supervisory Review and Evaluation Process (SREP) both of which are key parts of the Basel capital framework and which supervisory bodies should implement independently of any move to RBS^[12]. This has some implications for timing: risk-based reviews should ideally be undertaken simultaneously with – or at least shortly after – the ICAAP process.

The ICAAP process requires firms to assess, on an ongoing basis, the amounts, types and distribution of capital that it considers adequate to cover the level and nature of the risks to which it is, or might be, exposed. In the EU, the Own Risk and Solvency Assessment (ORSA) places similar requirements on insurers as part of the Insurance Capital Standard. Other jurisdictions are introducing similar requirements. Such internal assessments should cover all major sources of risk to firm’s ability to meet its obligations as they fall due and incorporate stress testing and scenario analysis based on plausible but severe scenarios.

A key point about the ICAAP or the ORSA is that the firm must demonstrably own and manage the assessment. The firm’s management body who should oversee and formally approve it and it should be used as integral part of management and decision making. It is not merely as a device to ensure compliance with regulatory requirements.

The SREP is the process by which supervisory bodies assess the adequacy of banks’ ICAAPs - both in terms of the process and its ownership and its results as regards the identification of risk and capital adequacy. It is on the basis of the SREP that the supervisory body will determine firm-specific capital requirements within the Basel capital framework.

Drawing on this framework, assessment criteria for capital might look as follows:

Liquidity

If, as discussed above, the decision is taken to evaluate liquidity as part of the assessment of overall financial strength as discussed above (rather than assessing it or ALM as a separate ‘process’) similar criteria should be developed. The Basel Liquidity Coverage Ratio (LCR) and Net Stable Funding Ratio frameworks along with other jurisdiction-specific requirements, which firms should be implementing independently of any move to RBS should be the starting point. In the EU and elsewhere firms are now required to undertake an Internal Liquidity Adequacy Assessment Process (ILAAP) which is similar to the ICAAP for capital.

Assessment criteria for liquidity should have regard to:

The adequacy of liquidity and sources of liquidity to ensure that the firm is able fully to meet its obligations in full and on time, including in periods of stress
The likely trend in liquidity over the next twelve months, and
The extent to which liquidity management processes conform to accepted industry standards and are demonstrably owned by, and embedded within, the management of the institution

Common implementation issues

Problems

Good practice

A tendency to view financial strength in a static context, focusing on financial indicators as of today rather than how they are likely to evolve
An excessive focus on compliance with regulatory requirements. Insufficient attention on how the firm manages and monitors financial resources
Failure to emphasize that processes for managing capital and liquidity should be fundamental to the firm’s management not merely aimed at meeting supervisory requirements
Insufficient insistence of rigorous stress testing

As with all aspects of the assessment, the assessment of financial strength should be forward looking and include an assessment of the adequacy of processes for its management
Firms need demonstrably to ‘own’ processes for ensuring financial strength. They should form an integral part of management and boards should take an active and continuous interest in them
As above, firms should be able to demonstrate that the forward-looking management of financial strength is fundamental to their management and governance
This must be overseen and owned by senior management and the board who should act on the results. It should not be a narrow exercise undertaken by statisticians or quants but a key source of management information

G Illustration: assessing financial resources

The supervisory findings as per the framework set out on pages 25-27 are as follows:

Earnings

Sound and stable earnings.

No reliance on unusual or one-off sources of earnings and strong outlook

Capital

Strongly capitalized and in excess of regulatory targets

Weakness in Risk Management function raises questions about the ability to identify and address all (current and potential) sources of risk

Scope for more Board engagement with risk and capital planning

Liquidity

Strong liquidity position resulting from conservative ALM practices

Well in excess of LCR targets

This is consistent with an overall finding as follows:

The financial strength of the firm and in particular its current capitalization is adequate for the level of risk it is running
But the following elements need to be included in any supervisory programme:
- Strengthened Risk Management
- Strengthened capital planning
- Greater Board engagement

Documentation

The following documentation should be provided on an agreed and consistent basis:

The ICAAP; SREP; ORSA; ILAAP documentation
The basis for the assessments of earning and liquidity
The basis for the overall assessment of financial strength and any remedial/follow up actions which are required

Recovery Planning

All financial institutions need to prepare and maintain recovery plans which outline how the business would be conducted, and viability restored, in periods of serious stress. The recovery plan should outline a range of credible and feasible recovery options focused particularly on the restoration of capital and liquidity.

Such plans need to be drawn up by senior management and approved by Boards as part of ‘business as usual’ – that is to say in anticipation of potential future stress. Risk Management has a central role to play inasmuch as the plans address critical risks (to the firm’s viability) and the choice of recovery options itself needs to be risk-based. Supervisors need to satisfy themselves that recovery plans are comprehensive and credible.

There is no universal agreement on how recovery planning should be incorporated into risk frameworks. It might be regarded as a firm-wide process and hence warrant a separate ‘row’ in the risk matrix. Alternatively, it might be seen as an explicit factor in assessing the adequacy of senior management or financial resources. It is essential however that supervisory bodies explicitly recognize the importance of recovery planning and are able to assess its effectiveness within their chosen RBS frameworks.

Supervisory Follow Up

Undertaking the risk assessment is not of course an end in itself. Rather it should form the basis for a supervisory programme developed in conjunction with the firm and implemented by management for rectifying perceived areas of weakness or risk. It is not within the scope of this Note to set out how such programmes should be devised. In terms of the illustration, however, any programme is likely to involve the following:

A rigorous analysis (by the firm) of the risk implications of the strategic decision to increase the volume of unsecured credit card lending
An analysis (by the firm) of the risk implications of an emerging real estate bubble
A strengthening of senior management in the commercial lending area
A review (probably by independent experts) of senior management focusing on: a) the role of the CEO; b) the risk management function; c) the independence of internal audit leading to actions within six months
A review (internal or external) of the application of the AML framework
A strengthening of the capital planning framework and visibly greater engagement with this
Any supervisory plan should also incorporate recovery and resolution action

Conclusions

Individual jurisdictions need to develop RBS frameworks which are appropriate to their needs and the specifics of their financial systems. Earlier TC Notes set out the characteristics and principles of RBS and the implications for management of adopting such a framework. This Note set out in more detail how risk-based assessments should be undertaken. It draws on experience and identified good practice but, as with other aspects of RBS, supervisory bodies need to apply to exercise judgement in creating a risk-based framework suitable for their jurisdictions.

Key References

Bank of England. Prudential Regulation Authority. The Prudential Regulation Authority’s Approach to Banking Supervision. October 2018.

https://www.bankofengland.co.uk/-/media/boe/files/prudential-regulation/approach/banking-approach-2018.pdf?la=en&hash=3445FD6B39A2576ACCE8B4F9692B05EE04D0CFE3

Bank of England. Prudential Regulation Authority. The Prudential Regulation Authority’s Approach to Insurance Supervision. October 2018.

https://www.bankofengland.co.uk/-/media/boe/files/prudential-regulation/approach/insurance-approach-2018.pdf?la=en&hash=4055BBB0B728E1F9E536AB09D69107D01236C658

Canada. Office of the Superintendent of Financial Institutions. Supervisory Framework. 2010. http://www.osfi-bsif.gc.ca/Eng/Docs/sframew.pdf

United States. Office of the Comptroller of the Currency. Comptroller’s Handbook: Examination Process. Version 1.0. June 2018.

www.occ.gov/publications/publications-by-type/comptrollers-handbook/bank-supervision-process/pub-ch-bank-supervision-process.pdf

Wright, Paul. Implementing Risk Based Supervision: A Guide for Senior Managers. TC Note. Toronto: Toronto Centre, July 2018.

https://www.torontocentre.org/index.php?option=com_content&view=article&id=84:implementing-risk-based-supervision-a-guide-for-senior-managers&catid=10&Itemid=99

Wright, Paul. Risk-Based Supervision. TC Note. Toronto: Toronto Centre, March 2018. https://www.torontocentre.org/index.php?option=com_content&view=article&id=82:risk-based-supervision&catid=10&Itemid=101

Additional Readings

Bank of England. Prudential Regulation Authority. The Internal Capital Adequacy Assessment Process (ICAAP) and the Supervisory Review and Evaluation Process (SREP). February 2017.

www.bankofengland.co.uk/-/media/boe/files/prudential-regulation/supervisory-statement/2017/ss3115-update

Basel Committee on Banking Supervision. A Framework for Dealing with Domestic Systemically Important Banks. October 2012. www.bis.org/publ/bcbs233.pdf

Briault, Clive. Assessing the Suitability of Key Individuals in Financial Institutions. TC Note. Toronto: Toronto Centre, May 2017. https://www.torontocentre.org/index.php?option=com_content&view=article&id=76:assessing-the-suitability-of-key-individuals-in-financial-institutions&catid=9&Itemid=99

Briault, Clive. Improving Corporate Governance in Regulated Firms. TC Note. Toronto: Toronto Centre, January 2016. https://www.torontocentre.org/index.php?option=com_content&view=article&id=64:improving-corporate-governance-in-regulated-firms&catid=9&Itemid=99

[1] This note was prepared by Paul Wright on behalf of Toronto Centre

[2] Paul Wright, Risk-Based Supervision, TC Note (Toronto: Toronto Centre, March 2018), https://www.torontocentre.org/index.php?option=com_content&view=article&id=82:risk-based-supervision&catid=10&Itemid=101.

[3] Paul Wright, Implementing Risk Based Supervision: A Guide for Senior Managers, TC Note (Toronto: Toronto Centre, July 2018, https://www.torontocentre.org/index.php?option=com_content&view=article&id=84:implementing-risk-based-supervision-a-guide-for-senior-managers&catid=10&Itemid=99.

[4] Wright, Risk-Based Supervision.

[5] See for example, Basel Committee on Banking Supervision, A Framework for Dealing With Domestic Systemically Important Banks, October 2012, www.bis.org/publ/bcbs233.pdf.

[6] Wright, Risk-Based Supervision.

[7] Wright, Risk-Based Supervision.

[8] Wright, Implementing Risk Based Supervision: A Guide for Senior Managers.

[9] Wright, Risk-Based Supervision.

[10] Two other TC Notes also provide valuable background in this area: Clive Briault, Assessing the Suitability of Key Individuals in Financial Institutions, May 2017, and Clive Briault, Improving Corporate Governance in Regulated Firms, January 2016.

[11] See for example, United States, Office of the Comptroller of the Currency, Comptroller’s Handbook: Examination Process, June 2018, www.occ.gov/publications/publications-by-type/comptrollers-handbook/bank-supervision-process/pub-ch-bank-supervision-process.pdf.

[12] See for example, Bank of England, Prudential Regulation Authority, The Internal Capital Adequacy Assessment Process (ICAAP) and the Supervisory Review and Evaluation Process (SREP), February 2017, www.bankofengland.co.uk/-/media/boe/files/prudential-regulation/supervisory-statement/2017/ss3115-update, and International Association of Insurance Supervisors, ComFrame, www.iaisweb.org/page/supervisory-material/common-framework.

TC NOTE