Drivers of External and Inherent Risks in Risk Based Supervision
Tuesday, Nov 29, 2022

This TC Note and accompanying podcast provide useful background on issues to be considered in assessing risk when guidance does not exist.


Identifying and assessing external and inherent risks is a key aspect of risk-based supervision (RBS). This Note supplements earlier Toronto Centre publications on RBS and provides supervisory authorities and front-line supervisors with additional guidance. In particular: 


  • The treatment of external (including macroeconomic and macroprudential) risks in risk assessments.
  • The categorization of inherent risks and whether issues such as climate change and fintech constitute risks in their own right or can be included in other categories. 
  • A discussion of the drivers of inherent risk. This includes what supervisors should look for in assessing inherent risks, and factors that may lower or increase the level of risk associated with particular products or activities.

This Note may be of particular interest to functions (such as Practices Groups) within supervisory authorities that “own” the risk-based framework and provide guidance for front-line supervisors, for example in the form of risk cards.[2] Where no such central guidance exists, the Note provides useful background on issues to be considered in assessing risk. Even where guidance does exist, it may often be relatively general. The Note will help front-line supervisors assess the risk factors specific to individual firms and how the norms set out in guidance may need to be modified in individual assessments.

RBS background and context

A fundamental principle of RBS is that supervisors need to apply analysis and judgment when identifying and assessing external and inherent risks facing supervised firms. Supervisors must also assess these separately from the quality of controls, risk management, governance, and financial resources.  


The key elements of RBS have been set out in a range of Toronto Centre Notes:[3]  


  • Supervisors need a thorough knowledge of a supervised firm’s business – the activities it is engaged in and its performance, business plans, and strategy.
  • This enables supervisors to identify and assess the key external and inherent risks the firm faces.
  • They need to assess how effectively these risks are managed through controls, risk management, and governance. 
  • Putting this information together (in a matrix) helps supervisors view the overall (net) risk faced by the supervised institution and the likely future direction of risk.
  • Supervisors then assess whether the firm’s financial resources are adequate given the identified level of net risk.
  • The purpose of this activity is to identify and require supervised firms to implement corrective measures to address net risks judged unacceptable or unsustainable.

The main steps are summarized in a diagram in the original Note (not reproduced here).

While these principles are well established, day-to-day supervisors sometimes stumble over a number of issues in identifying and assessing external and inherent risks:  


  • Supervisors may have difficulty identifying or interpreting external risks and their implications for firm-wide risk.

The Financial Stability Department of Central Bank A reports that the commercial property market is experiencing bubble conditions, and that an impending economic downturn will likely result in a sharp drop in property prices within 12 months.

What type of risks are being identified (for example, prudential and conduct risks) and how should supervisors incorporate them into their risk assessments?

  • The coverage of some inherent risk categories may prove problematic. For example, some supervisory authorities may include issues within ‘Operational Risk’ that others identify as separate categories of inherent risk.

The supervisory authority in jurisdiction B defines operational risk to include reputational damage to firms as well as more conventional operational risks, such as failures of systems or people. The supervisor in neighbouring jurisdiction C (who collaborates in colleges) has a separate risk category (shown as a column on the risk matrix) for reputational risk.

Is one approach ‘right’ and the other ‘wrong’? Does it matter?

  • Many supervised firms will offer similar products or business lines as part of their significant activities. But:
    • The correct rating of inherent risks embedded in these activities may vary across firms even though the activities/products are apparently the same.
    • The rating of the risk for any given firm may change over time.
    • The rating of inherent risk for similar products may vary across jurisdictions.

Firm D provides savings products to retail customers. As such, it incurs conduct risk – the risk that customers will suffer losses due to the firm providing insufficient information, offering unsuitable products to particular customers, or actively misleading them, for example. The supervisor of Firm D may find that:

  • The level of inherent conduct risk has increased over the past 12 months even though the nature of the product has not changed.
  • The level of inherent conduct risk is higher than in Firm E even though it provides a similar product.
  • The savings products involved are seen as carrying higher levels of conduct risk than in Firm D’s home jurisdiction, a fact discovered in a college discussion with supervisors from a neighbouring jurisdiction.



How can these differences in perceived levels of inherent risk over time, across firms, and across jurisdictions be understood? Note that these changes/differences have nothing to do with controls or risk management, which are assessed separately.



This Note aims to provide guidance on these types of issues.


Important points


  • The principles and approaches set out here are based within the existing RBS methodology, which has been set out in earlier TC Notes.
  • They apply across all sectors.
  • The requirement that external and inherent risks are assessed separately from controls and risk management remains paramount. This Note deals with identifying and classifying external and inherent risks and their ‘drivers.’ Assessing the effectiveness of controls, risk management, governance, and financial resources in light of these risks is an essential further step; however, this is not the subject of this TC Note.[4]



External risks

One feature that distinguishes RBS from other (for example, compliance-based) forms of supervision is its breadth. It requires supervisors to be aware of all relevant risks that firms face – not just today but in the foreseeable future. These risks are not confined to those originating within a supervised firm or its operations. All firms operate within a wider context and face risks from the wider sector or economy.


Macroeconomic risks 

Macroeconomic risks originate from conditions in the wider domestic or global economy. The effects of these on some supervised firms will be direct. For example, a downturn in world trade will directly affect major financial institutions involved in trade finance, providing lending or insurance facilities to global firms, and operating on international financial markets.


Other firms may experience effects that are less direct but no less severe:

  • Smaller lending institutions with purely domestic operations may find the creditworthiness of some borrowers is reduced due to a domestic recession or increased unemployment.
  • Inflation may erode both living standards and the value of savings, with potentially significant effects on creditworthiness, the appetite for saving, and the risk preferences of savers.
  • Policy-driven changes in interest rates may have wide-ranging effects on the affordability of outstanding credit facilities, the valuations of long-term savings products (such as annuities and pensions), and on firms’ own asset and liability management.

Macroeconomic risks are (by definition) external to supervised firms, which are not responsible for these risks and cannot control or influence them directly. However, firms must be aware of such risks and think through their implications and the appropriate response in controls and risk management.  


Macroeconomic risks also pose significant challenges for supervisors. It is not part of the job of front-line supervisors to identify and assess the risk of a global recession, for example. Other authorities such as the Financial Stability Department of the central bank or the International Monetary Fund produce authoritative forecasts of economic trends. The challenge for supervisory authorities is to identify an authoritative source and arrange for forecasts to be ‘translated’ into relevant guidance for supervisory decisions.[5] External risks (macroeconomic and macroprudential risks, discussed further on) therefore need to be interpreted to allow supervisors to consider their implications for individual firms.

The Financial Stability Department of central bank F forecasts that a significant rise in energy prices on world markets will likely result in a sharp contraction in disposable incomes in country F as a growing proportion of incomes are allocated to heating and other energy use over the winter. This in turn will likely result in an increase in corporate failures and unemployment in sectors (such as restaurants and tourism) particularly sensitive to trends in disposable income.


Armed with this information, supervisors (who should adopt this as their ‘house view’) should:

  • Translate these general economic trends into a set of supervisor-usable risk implications for inherent risks. It is highly likely, for example, that these developments will have implications for credit risks and possibly for market and conduct risks as well. These impacts need to be considered in detail.
  • Incorporate these risk trends into their firm-facing work. Firms should be asked about the likely impacts on them and how they are responding. Internal supervisory processes (such as panels and Quality Assurance) should be used to establish that supervisors are appropriately aware of these elevated risks.
  • In undertaking this translation of macroeconomic risks into inherent risk implications, consider worst- as well as central-case scenarios, not least to provide a basis for questioning firms on their own stress and scenario testing. 



Macroprudential risks

A wide range of risks may legitimately be described as macroprudential. What they have in common is that they reach all, or significant parts of, the financial sector and are therefore common to a range of firms and not specific to individual ones. As such, individual firms may contribute to them but are not directly responsible for or able to control them.  


Some examples of macroprudential risks are:


  • Asset price cycles in which the prices of property, commodities, or financial assets are volatile and prone to fall unexpectedly. Financial institutions may assume too much risk when prices are rising and not plan adequately for price drops. Such cycles may or may not correlate with macroeconomic developments.
  • Vulnerabilities inherent in parts of the financial system, such as incentive structures and structural issues like interconnected networks, or volatile or vulnerable funding sources. Supervised firms and supervisors need to ensure that controls are effective in the face of such vulnerabilities and be alert to any marked changes in them.
  • Market conditions such as increased (or reduced) competition, new technologies or product innovations that are not specific to individual firms but may impact them. Also in this category are changes in insurance or reinsurance underwriting conditions, saturation of markets, and the willingness of firms to increase leverage or adopt new or opaque types of risk. 
  • Changes in market conditions may also be prompted by wider social or legal changes in the balance of the state and the private sector in pension or care arrangements, for example, or measures to liberalize financial systems that were previously tightly controlled. Such changes will have implications for the commercial opportunities faced by firms and the attendant risks.



The financial crisis of 2008 drew particular attention to risks that spread through entire sectors or large groups of firms. Such macroprudential factors may often drive changes to what were previously seen as prudent and acceptable industry behaviours. Firms may be willing to allow increases in leverage, aggressive selling practices, weaker loan covenants, looser customer take-on requirements, or lower underwriting standards. All of these can be seen as increasing inherent risks in response to changes in external risks – though some may also weaken controls or risk management.  


Serious macroprudential risks have often been the result of a form of industry- or sector-wide ‘group think’ in which the managements and boards of supervised firms allow, or actively encourage, what proves to be irrational exuberance. The challenge for supervisors is to identify this phenomenon and not succumb to it themselves but be a source of challenge to the management and boards of their firms.[6]


Important points: 


  1. The distinction between macroeconomic and macroprudential risks may not always be precise. 


The boundary between types of external risk can become blurred. For example, low and persistent interest rates may result in savers being encouraged to take higher risks in pursuit of higher returns on savings and investments. This could be classed as a macroeconomic phenomenon (low interest rates) or a macroprudential one (changed behaviour on the part of firms and consumers). In this and other cases, the two types of risk are highly correlated – changed economic conditions often give rise to changes in industry practices.


  2. The boundary between external and inherent risks may not always be precise.


Unsustainable (bubble) conditions may, for example, arise in residential property markets, leading to increased credit risks for this type of lending. This will be exacerbated if the bubble conditions result in a willingness to lend to purchasers who may be less creditworthy than under earlier standards. In this case, there is a clear relationship between the macroprudential risk (the bubble) and inherent (credit) risk.


  3. Because of this lack of precision, the external risk column in the supervisory matrix should be treated as a cue for further thought rather than a distinct and definite risk category.


  • This makes the external risk column different from other risk categories, which have clear, conceptually separate meanings. While credit or operational risks contribute directly to the risk profile of a firm, external risks should be considered as drivers of other categories of inherent risk. Supervisory authorities need to consider such cases carefully in the context of supervisory panels and Practices Groups.[7]
  • The macroprudential risk arising from the housing price bubble in point 2 might (for example) be rated medium high and this might translate to a similar rating for the credit risk on mortgages.  
  • There may not be as much precision in the classification of external risks as is required for other inherent risks. This itself is not of great importance, if:  
    • External risks are identified somewhere.
    • Careful thought is given to how these affect inherent risks.
    • Supervisors are consistent in how they view external risks and their implications across cases and time.



Other external risks

Firms and their supervisors need to be alert to any external factors with implications for the risks that firms face. Not all of these fit neatly under the heading of macroeconomic and macroprudential risks; supervisors must ensure that they are recognized and their implications managed by firms. This is more important than their being precisely categorized. Some other external risks include:


  • Pandemics. COVID-19 had profound implications for supervised firms – both in terms of inherent risks and their ability to control them – many of which are still being worked through.[8]
  • Political instability. Wars, conflicts, and other less destructive forms of political instability may have major implications for supervised firms and the markets in which they operate.
  • Climate change. The pervasive impacts of climate-related risks are already evident, with direct and visible implications for supervised firms. Some lending projects and general insurance propositions are less viable than in the past. Some financial assets, such as the liabilities of what may be seen as climate-unfriendly companies, may become ‘stranded.’

Supervisors have given considerable thought to whether climate change represents a new and distinct risk category, similar to credit risk. It is more helpful to consider climate change as an external factor, which, like macroeconomic and macroprudential risks, can have possibly profound effects on conventional inherent risks. This is discussed further in the next section.


  • Fintech and new technology. Technology-based distribution channels for financial products are everywhere and can create real benefits in access to financial products for groups who may previously have been excluded.[9] They also bring a range of risks, prompting a similar question to that posed by climate change – should supervisors include a separate fintech or technology risk category in their assessments? As with climate change, it is more helpful to consider fintech as a ‘driver’ of more conventional inherent risks rather than as a category on its own. This is discussed later in this Note. 


Important points:


  • Look beyond purely internally generated risks in firms.
  • Few firms are immune to external factors and for many, these are critical drivers of risk.
  • Firms’ management and boards must be alert to external risks and their implications.
  • The most useful approach is to consider external risks explicitly as ‘drivers’ that may intensify (or in some cases diminish) conventional inherent risks.
  • Supervisors need to check that management and boards are alert to external risks and adopt a challenging approach to reassure themselves that this is the case.
  • Meeting this key requirement is much more important than seeking to precisely classify external risks.



Sorting out risks – the ‘hopper’

Multiple external risks can potentially affect the risk profiles of supervised firms. The most efficient way of incorporating these into risk assessments is to carefully consider their effect on conventional inherent risks.


In doing this, supervisors sometimes refer to the existence of a ‘risk hopper.’ A hopper was originally a device used to sort grain or other agricultural produce. It is an apt phrase for a mechanism that all supervisors should employ in some form. The principle can be illustrated using the diagram below.


[Diagram: the risk hopper, shown in the original Note, is not reproduced here.]

As shown in the diagram, the hopper is (figuratively speaking) a device for turning generalized concerns into specific risk factors that supervisors are able to use in their risk assessments. In practice, this is most likely to take place in periodic meetings within the supervisory authority where such issues can be discussed and turned into usable supervisory inputs.

Classification of inherent risks

The risk categories typically used in an RBS matrix are broad. The usual categories are:

  • Credit risk
  • Market risk
  • Insurance risk
  • Conduct risk
  • Financial crime/money laundering risk
  • Operational risk.

Some supervisors extend the list to include categories such as business or strategic risk, or legal and reputation risk. These additional categories are discussed below.


The use of these conventional categories is sometimes challenged on two grounds:


  1. The categories are too broad. Credit risk, for example, can arise from many types of lending as well as underwriting, position taking, and providing guarantees. These (it is argued) are very different activities and carry different types of risks. Similarly, the conduct risks associated with providing a short-term loan through a mobile phone platform may be very different from those arising from the sale of a long-term pension product involving sales staff. Perhaps the broadest category of all is operational risk, which encompasses failures of personnel and systems, legal, reputational, and fraud risk.


  2. There may be too few risk categories. As discussed above, given their obvious importance, it can be argued that there should be separate headings for climate change, fintech, economic or political risk, for example.


The choice of risk categories is one for each individual supervisory authority and will depend mainly on its supervisory objectives. Supervisory authorities without insurance responsibilities clearly do not need to include insurance risk, while those whose responsibilities are purely prudential are unlikely to need to include conduct risk. 


There are a number of principles to be kept in mind when deciding on the risk headings to include in the supervisory matrix:


  • There is a trade-off between the apparent precision resulting from increasing the number of risk categories and the greater complexity this imparts to the risk matrix. The matrix should help structured thought – bringing together relevant information about a supervised firm. As such, there is considerable benefit in keeping it manageable and relatively simple. Using broad risk categories can achieve this and allow rigorous, comprehensive risk assessment if the various drivers of the risks are carefully considered. These drivers are examined below. It is also worth noting that where more than one significant activity has been identified (typically the case for a firm of any size), the same inherent risk (credit, for example) will be rated separately and possibly differently for each significant activity. In this way, the risk matrix is able to capture considerable detail even within the same broad risk category.


  • Although conventional risk headings (credit, conduct, operational, and so on) are broad, they also have the perhaps contradictory advantage of being relatively specific. Credit risk is fundamentally different from conduct risk, which is different from operational risk. While ‘new’ headings often appear to address specific issues, in reality they may not. As noted, climate change and political instability are very real issues with major consequences for supervised firms.[10] However, it is necessary to be clear exactly what is meant if these are to be used as risk categories. Often, these can be further reduced to other conventional risks that are more meaningful and manageable for supervisors. This is where a hopper mechanism may be helpful.




The Advisory Board of supervisory authority G decided at an offsite meeting that climate change is a major risk facing the planet and supervisors should ‘give it priority’ in their supervisory assessments. This was communicated to all staff.  


Scenario 1

While fully agreeing with the sentiments, supervisors were unclear about what exactly this meant for their supervisory work. Without further guidance, they defaulted to asking supervised firms how they were responding to climate change risks. Some responses were meaningful, outlining actual changes and business practices and the risk consequences of these. Other responses lacked substance and were merely an extension of the firms’ own ‘greenwashing’ efforts.


Scenario 2

The Practices Group within the supervisory authority undertook an exercise to identify specific ways in which climate change may affect inherent risks. They identified:

  • Increased credit risk of borrowers who might be impacted by climate change.
  • Increased (general) insurance risk of property insurance in areas at higher risk of flooding.
  • Increased conduct risk from firms inaccurately describing investments as having attractive ‘green’ credentials.

These broad findings were communicated to supervisory teams, who were able to incorporate them into their assessments of inherent credit, insurance, and conduct risks.


Scenario 2 illustrates how a general heading of ‘climate change’ or ‘climate risk’ can effectively be made operational by being distilled into conventional risk headings.

The conventional risk heading with least precision is perhaps operational risk. This is defined by the Basel Committee (2021) as:


The risk of loss resulting from inadequate or failed internal processes, people and systems or from external events.  


Most supervisors will recognize failures of internal processes, people, or systems as operational risk. Insufficient staff numbers or skills, over-reliance on cumbersome, non-IT-based systems, or poorly specified or inadequate IT systems are covered by this. In other respects, there is some room for ambiguity:


  • External events can be important drivers of operational risk. The COVID-19 pandemic created problems that made it difficult for firms to function, while climate change may also have direct effects on firms’ operations.


  • For most firms, there is a potential connection between compliance risk (the risk that a supervised firm will fail to comply with regulatory or supervisory requirements), legal risk (the risk of loss due to legal action), and reputation risk (the risk of loss of business or franchise value due to the firm’s actions and any resulting sanctions). These may occur separately or may be highly correlated. Supervisory authorities need to decide whether to include these risks under operational risk and, if so, at what level of detail.


Some supervisors identify strategic risk as a distinct category with a specific column on the matrix. This raises the question of what is meant by strategic risk and how it might be included.  Some supervisors view strategic risk as resulting from specific, high-profile strategic initiatives that, if misguided or unsuccessful, would lead to significant losses. Others would include the absence of any coherent strategy in a broader definition of strategic risk.  


Again, there is no simple answer to whether supervisors should separate out these risks (as explicit risk headings) or include them within existing headings. The principle remains that supervisory authorities should always think carefully before introducing additional complications to RBS frameworks. They should only do so where there is a clear rationale and where the supervisory assessment will be demonstrably improved as a result.




Supervised firm H’s business model involved the sale of savings products to relatively unsophisticated, low-income women and men. This made it susceptible to conduct risk: it was difficult to meet all conduct requirements to ensure that customers were being adequately informed and treated fairly. The firm had also run into past legal problems due to its loan recovery practices and its reputation was viewed as fragile.  


Supervisors were taking a close interest in the firm, for which the sale of savings products was the main significant activity. Two recommendations were considered by the management of the supervisory authority:


Recommendation A: In view of the issues identified, the RBS matrix should be modified to exclude less relevant categories (such as credit risk) but to include separate headings for conduct, compliance, legal, and reputation risks.


Recommendation B: The matrix should continue to have conventional risk headings (external, credit, conduct and operational risk) but the guidance provided to supervisors about the constituents of conduct risk should be reviewed. This would ensure that it explicitly covered misconduct on the part of the firm; the likelihood of misconduct resulting in compliance failures or legal proceedings; and reputational risk.


It was decided to go with recommendation B for the following reasons:

  • The firm was actually running credit risk; removing this category in the interests of simplicity may result in overlooking risks.
  • The conduct, compliance, legal, and other risks identified were highly correlated. Separating them would create the risk of double counting and complicating the matrix while doing little to improve the quality of the risk assessment.
  • Guidance to supervisors was adequate and would be effective in allowing them to assess all aspects of the misconduct issue and to undertake any necessary supervisory intervention, if needed.

Supervised firm I


Firm I had been operating an unchanged business model for many years in a mature and saturated market. New management decided to introduce a radical change in strategic direction. This involved considerable costs and closing several business lines. The new strategy received extensive publicity and many commentators said this was a ‘make or break’ initiative for the firm.  


Two recommendations were considered by the management of the supervisory authority:


Recommendation A: Introduce an additional category of ‘strategic’ risk along with the existing inherent risks.


Recommendation B: Identify the implications of the new strategy for the existing (unchanged) list of inherent risks (credit, market, conduct and operational risk) – noting that the new strategy would also require extensive changes in personnel and systems.


It was decided to go with recommendation A on the grounds that the future soundness of the firm was tied to the new strategy. It was possible in this case to single out strategic risks that were highly significant and not adequately covered by more conventional risk definitions. Introducing a separate heading for strategic risk would make the risk assessment more comprehensive and focused.

Main conclusions from this section:

  • There should be a general bias against including additional risk categories beyond the conventional ones listed.
  • There needs to be clear guidance to supervisors about the components of the various risk categories and their drivers.

In some exceptional cases, it may make sense to introduce additional risk categories, but only where there is a clear rationale and the supervisory assessment will be demonstrably improved as a result. 


Drivers of inherent risk


Once the relevant external and inherent risks have been identified, a key next step is for supervisors to assess the inherent risks. A typical scale will have four ratings: high (H); medium high (MH); medium low (ML) and low (L).[11] 


Multiple inherent risks

Many significant activities will include more than one inherent risk. There will usually be a principal inherent risk but others may also be present.  




Credit card lending has been identified as a significant activity of bank J.


  • The principal risk associated with credit card lending is credit risk – borrowers may be unable or unwilling to meet their repayment obligations in full and on time.
  • The bank has a large number of credit card customers whose accounts need extensive, real-time processing. This gives rise to operational risk.
  • The bank is also required to spell out in detail the terms and conditions for credit card business. It may fail to fully meet these obligations or be judged to have treated customers unfairly, giving rise to conduct risk.
  • Other risks may also be present, such as financial crime/money laundering and reputation risks.



Supervisors who are new to RBS often face the question of whether it is necessary to give explicit ratings to all the risks associated with an activity. In the example above, it would clearly be appropriate to provide a rating for credit risk – the principal inherent risk. Generally, however, it is not necessary to rate all other ‘subsidiary’ inherent risks. Where a risk is present but unlikely to be a significant contributor to the risk profile, it can be given an appropriately low rating, or in some cases, no rating at all. Providing a rating (and accounting for this in documentation) has the value of providing a rationale and audit trail for decision making and makes it easier to check consistency – for example, by supervisory panels.






Continuing with the case of supervised bank J, supervisors concluded:

  • The principal risk associated with credit card lending is credit risk. It would be inconceivable that this would not be assessed in this case.
  • Bank J is known to have had issues with credit card processing. The introduction of a new IT system has taken longer than expected and some operating issues are still not resolved. In these circumstances, it makes sense to assess operational risk in this significant activity.
  • All firms undertaking credit card business face some level of conduct, financial crime, money laundering, and reputation risk. There is nothing in the particular circumstances of bank J, its product, or its customers that makes it especially susceptible to these risks. It was decided to rate these inherent risks as ‘Low.’  



What factors – or drivers – govern the rating for an inherent risk?

For many supervisors starting out with RBS, rating inherent risks is a daunting task. Providing formal criteria and guidance for ratings is a necessary step to assist front-line supervisors, but it may also be necessary to supply examples of risk drivers, and in some cases, baseline ratings for certain products or activities. These may be contained in risk cards, an example of which is given in the Annex.


Several factors may contribute to the level of inherent risk in a significant activity. For example: 

  • The nature of the product(s) involved in the significant activity.[12]
  • The existence and robustness (or not) of risk mitigants embedded in the product.
  • The design of the product.
  • The nature of the target market.
  • The way in which the product is sold or marketed (distribution channels).

The factors above will vary across products, providers (even of similar products), and jurisdictions, all of which contributes to the complexity of assessing inherent risk.  


It is not possible to provide an exhaustive account of risk drivers. To keep this Note manageable, the following sections provide a range of examples. These illustrate some of the relevant factors to enable supervisors to identify drivers that may be particularly relevant to the risks in their jurisdictions and financial systems.  


It also needs to be noted that operational risk, because of its diverse nature, has a particularly extensive and diverse set of drivers. Product design and distribution channels are highly relevant to the incidence and severity of many operational risks, but it is harder to generalize about the drivers of all forms of operational risk such as fraud or process failures.


Nature of the product

Some products, because of their nature, have intrinsically higher levels of inherent risk than others – even those in the same broad category, such as ‘corporate lending’ or ‘medium term savings.’[13] See four examples of this below. To keep it simple, each case considers just one inherent risk and its drivers. In reality, other inherent risks will often be present and it will be necessary to consider their drivers as well.


Example 1: Retail mortgages

Inherent risk considered here: credit (others will be operational and conduct)

Nature of the product: 

  • Long term loans provided for house purchase
  • Secured with the mortgaged property
  • Fundamental to home ownership – failure to repay may result in the loss of the borrower’s home.

Implications: These product characteristics often result in residential mortgages being seen as relatively low risk.


Example 2: Small business/startup lending

Inherent risk considered here: credit (others will include operational)

Nature of the product

  • Loans to small and new businesses
  • Generally unsecured
  • Small and startup businesses generally have quite high failure rates.

Implications: These product characteristics may result in the product being viewed as relatively high risk.


Example 3: 20-year pension product

Inherent risk considered here: conduct (others will include credit)

Nature of the product

  • Consumers make regular contributions over a long period (20 years)
  • Funds are invested by pension provider
  • Pension is paid after 20 years – the level depends on the performance of the investment portfolio
  • Investment performance and terms and conditions may vary in unforeseeable ways over a long period
  • Pension payment is fundamental to a consumer’s well-being in later life.

Implications: These characteristics may result in the product being viewed as relatively high risk.


Example 4: Investment accounts offered solely online 

Inherent risk considered here: operational (others will include credit and conduct)

Nature of the product

  • Suitability and risk preference checks are highly automated and conducted online
  • Investors provide funds that are invested and managed using IT platforms
  • Funds are switched frequently between assets and bank deposits 
  • Investors are offered real-time, online valuations of their assets.

Implications:  The heavy reliance on IT means the product is susceptible to operational (technology) risk. This may result in its being seen as relatively high risk.


Other examples of how the nature of products may affect risks include:


  • Market risk – will tend to be higher in products that are highly leveraged and traded on volatile markets.
  • Insurance risk – will tend to be elevated in cases where companies provide cover against particularly high risks or for particularly high-risk policy holders.
  • Money laundering risk – will be elevated in products identified (for example in FATF’s typologies) as being particularly susceptible to this risk (because of the difficulty of establishing or checking beneficial ownership of assets, for example).



The nature of the product is the starting point for assessing inherent risk. The kind of analysis/thought process outlined above can, in principle, be applied to any product or significant activity.


Embedded mitigants

Some products or businesses have risk-mitigating features (mitigants) embedded within them. In assessing inherent risk, supervisors may need to determine the availability and reliability of these features. These mitigants – which may vary across similar products offered by different firms – are intrinsic features of the products concerned. They are quite separate from the controls implemented by firms to mitigate risks, which are the subject of separate assessment within RBS. Examples of such mitigants and the kinds of questions supervisors should ask about them follow. To keep it simple, each case considers just one inherent risk. In reality, there will be others whose drivers also need to be considered.

Example 1: Retail mortgages

Risk considered: credit 

Embedded mitigants: Lenders can realize security in the event of non-payment (reducing loss given default).

Possible limitations: Does the legal or regulatory framework allow lenders to exercise their rights fully in these cases? Are there limitations on the amounts recoverable or are the time and costs involved in exercising the rights prohibitive?


Example 2: Medium-term savings products

Risk considered: conduct 

Embedded mitigants: The product is capital certain (depositors will get back the principal they have deposited as long as the provider remains solvent). Depositors can withdraw funds early if they require them or the product does not meet their needs.

Possible limitations: Are the terms of early withdrawal onerous? Possibly more so than was clear at the time the product was sold?


Example 3: Life assurance

Risk considered: conduct 

Embedded mitigants: Policy holders can terminate their contracts at any time.

Possible limitations: Termination may be more difficult and costly than was apparent when the contract was signed. Replacement costs (the cost of entering into a new contract with the existing or a new firm) may also be excessive.


Example 4: Securitized lending

Risk considered: credit (to holders of the securities)

Embedded mitigants: Credit enhancements, seniority of securities created, credit ratings of securities created

Possible limitations: Apparent enhancements may be illusory or based on elements of securitization structures that are unclear, impossible to verify, and ultimately ineffective. 



In addition to the features built into a product by its provider, firms may be required by policy makers or regulators to embed certain risk mitigation features. These are most common in retail financial products and are designed to reduce conduct risk. Examples are cooling-off periods (customers can decide not to proceed with transactions within a specified period at no cost), complaints mechanisms, and settlement/arbitration arrangements. These mechanisms will mitigate conduct risk but only to the extent they are effective. Firms may outwardly comply with the requirements but in practice make it difficult for consumers to make use of them. For example, they may create barriers to exercising cooling-off periods or have complaints or redress procedures which are difficult for consumers to follow. Supervisors need to evaluate the effectiveness of these ‘required’ mitigants as part of their assessment of conduct risk.


Product design

Products may be designed in ways that increase (or sometimes decrease) their inherent risks compared with other products that are nominally the same. Their design may, for example, make them particularly clear or unclear, simple or complex, all of which will affect the level of inherent risk. Product returns or costs may be linked to future (and potentially unpredictable) events, with implications for their affordability.


The following examples show how product design may influence inherent risks. ‘Design’ is interpreted widely to include features of a product that may encourage (or even require) providers to outsource aspects of its operation. To keep it simple and for illustration only, each case discusses just one inherent risk. In reality, there will often be others.


Example 1: Medium-term savings/investment product

Risk considered: conduct

Risk-increasing design features:

  • Complex underlying investment
  • Unclear nature of product
  • Variable returns with unclear basis for adjustment
  • Unclear terms and conditions, including difficult withdrawal provisions

Risk-decreasing design features:

  • Clarity/simplicity of product (for example, bank deposit, unit trust)
  • Clearly communicated basis for adjusting returns
  • Clear terms and conditions, including for withdrawal

Example 2: Mortgage lending by credit cooperative

Risk considered: credit

Risk-increasing features:

  • Limitations or stickiness in resetting mortgage terms
  • Ready availability of refinancing by borrowers

Risk-decreasing features:

  • Variable rates aligned to deposit rates
  • Limitations on refinancing by borrowers

Example 3: Online investment management

Risk considered: operational

Risk-increasing features:

  • Frequent, complex asset switching
  • Use of complex algorithms by IT platforms
  • Extensive and uncoordinated IT outsourcing
  • Ambitious real-time reporting on asset holdings and valuation

Risk-decreasing features:

  • Rigorous controls over asset allocation
  • Backup IT systems and firm resilience
  • Limited, controlled outsourcing
  • Realistic reporting on asset holdings and valuations

Example 4: Pensions

Risk considered: conduct

Risk-increasing features:

  • Unclear basis for changes in charges or projected returns throughout product life
  • Lack of clarity about investment strategy and alignment to holder’s risk preferences
  • Inflexibility of terms and conditions as holder’s circumstances change

Risk-decreasing features:

  • Clarity regarding terms and conditions throughout product life
  • Clear investment strategy aligned with holder’s risk preferences
  • Flexibility of terms and conditions (contributions and withdrawals)

Example 5: General (property) insurance

Risk considered: insurance

Risk-increasing features:

  • Pricing incentives (for example, for rollover of contracts) that do not reflect the underlying insurance risk
  • Low or non-existent provisions for payment of excesses by policy holders
  • Open-ended cover with limited exclusions

Risk-decreasing features:

  • Pricing that adequately reflects new and emerging (as well as existing) risks
  • Reasonable excess conditions limiting claims
  • Specific exclusions clearly spelled out


These examples show that it’s possible for product design to give rise to conflicts between the interests (and potential well-being) of providers and those of consumers. In the mortgage lending example, the ability to easily refinance mortgages as wider economic conditions change may benefit consumers but may complicate asset and liability management for the provider. Similar conflicts are also present in the general insurance example. Such conflicts are inevitable and there is nothing intrinsically wrong with them, if:


  • They do not involve misconduct on the part of the firm (for example, where a firm seeks to increase profitability by not disclosing material aspects of the terms and conditions of the product); and 
  • Firms have carefully considered the implications of such conflicts. For example, providing terms that are advantageous for borrowers or counterparties may affect the firms’ prudential soundness. This is something supervisors should discuss with firms. 

Target markets

The examples shown all relate to the nature and design of financial products. Risk will also depend heavily on the market or market segment to which the product is sold. There is explicit recognition of this in the restrictions many supervisors impose on sales of some products and services (such as execution-only trading in financial products and sales of some derivatives products), which are permitted only to market counterparties or qualified individuals. In such cases, the use of such products and services by unqualified retail consumers would create unacceptable risks.


However, other choices of target market are a legitimate strategic decision for supervised firms. Decisions to offer the same product (such as mortgages or corporate lending), with the same characteristics and design, to different consumer or market segments can have profound implications for risk and its controls. Supervisors need to be alert to control issues where firms offer products to ‘vulnerable’ consumers – those on very low incomes or who have a particular need for clear and accessible information about products.



Example 1: Unsecured personal lending


  1. Bank K operates strict take-on procedures to closely align credit facilities with conservative measures of ability to pay. This results in loans being available only to medium and high net worth individuals.
  2. Bank L operates an explicit policy of offering credit facilities to ‘those who have difficulty getting loans elsewhere,’ meaning borrowers on lower incomes and with generally lower levels of measured creditworthiness.


Risk implications

Credit risk - Bank L has higher inherent credit risk resulting from this significant activity than Bank K. How this translates to net risk depends on how the facilities are priced and the strength of management and controls.  

Conduct risk - Bank L has higher conduct risk than Bank K because there may be an intrinsically higher risk of mis-selling to the lower income group (some of whom may be vulnerable consumers). Again, how this translates into net risk depends on how effectively the risk is controlled.


Example 2: Fund management


  1. Fund manager M offers a number of funds whose underlying investments (vintage wine and teak forests) are exotic, hard to value, and relatively illiquid. It has a strict policy of marketing these only to other fund managers (‘funds of funds’) and others who attest to being experienced, such as long-term investors with a high tolerance for risk.
  2. Fund manager N offers identical funds that it markets (through extensive advertising) to general retail investors.


Risk implications

Conduct risk - Fund manager N has a much higher level of conduct risk because the information needs of the target market and the need for clarity about the risks of the product will be much greater than for experienced investors. In reality, there may be regulatory restrictions on the sales of such products to the general public.


Example 3: General insurance


  1. General insurer O offers motor insurance against theft and damage to vehicles and legal claims against drivers. Policies are sold only to drivers above the age of 35 who can demonstrate good driving records.
  2. General insurer P offers an identical product but to higher-risk customers with the advertising slogan, “Turned down by other insurers? Then come to us.”


Risk implications:

Insurance risk - Insurer P is clearly operating with a much higher level of inherent insurance risk than Insurer O. How this translates into net risk depends on its pricing and reserving policies and the quality of risk management.




There are a number of additional points to be made about target markets and their implications for risk:


  • There is nothing wrong with supervised firms offering products and services to higher-risk target markets. This is a legitimate business decision, but its higher inherent risks must be appropriately managed and resourced.


  • An important element of managing the risks of dealing with higher-risk target markets will often involve meeting consumers’ different (usually greater) information needs. Groups of women and men who, for various reasons, have traditionally had less access to financial products and services will be less experienced and knowledgeable and their information needs are likely to be particularly great. Exactly what level and type of information is needed raises important issues of judgment for supervisors.[14] 


  • Targeting particular market segments may not always be a strategic decision on the part of firms. It may be the result of wider government policies designed to increase financial inclusion or requiring banks to direct lending to particular groups of men and women or businesses in the society or economy. Such measures may result in supervised firms extending products or services to groups or individuals outside those within their preferred business model. However, the implications for required mitigation are the same. Any additional information needs must be met, and firms’ controls and risk management strengthened to match.



Example 1


The government in jurisdiction Q imposed a requirement that long-term savings facilities, including private pensions, be extended to previously excluded (mostly low-income) groups.  A target of 15% was set, to be met over a five-year period.


Risk implications (conduct): To meet the obligations created under the target, an investment firm decided to take on some customers who would not previously have met its criteria. To address the potentially higher conduct risks, the firm revamped its customer take-on process to provide consumers with more extensive information and to align terms and conditions with the needs of the new customer segment.


Example 2


The government in jurisdiction R imposed a requirement that bank lending to small agricultural cooperatives was to be increased by 5% for each of the next four years.  


Risk implications (credit):  Bank S found itself required to lend to borrowers who would not previously have met its lending criteria. To address the potentially increased credit risks, the bank reviewed its charges and strengthened its monitoring of the loans. 


Distribution channels

The way products are sold or delivered may be an important determinant of inherent risk. The most profound change in the way financial products are distributed in recent years has been the increased use of digital platforms. Adopting such platforms, which may involve bypassing or partnering with traditional providers, can be of great value to consumers by providing greater access to insurance, credit and less conventional forms of finance such as crowdfunding.


The use of new technology carries additional risks:[15]  

  • Such channels, by definition, are IT-based. This gives rise to potential operational risks, either directly as a result of the inadequacy of firms’ own IT platforms or indirectly in the extensive use of outsourcing (operational risk).
  • The absence of face-to-face contact may increase the risk that consumers are not supplied with adequate information about products or that providers may actively mis-sell them (conduct risk).
  • There may be an elevated risk of financial crime or money laundering if customer take-on procedures are less rigorous.
  • Consumers’ data may be compromised as a result of poor data management procedures or cyber crime (operational risk).

All of the above are ways in which existing inherent risks may be increased by the widespread adoption of digital methods of delivery (fintech). Whether or not this happens in practice will depend on how well the additional risks are managed and controlled. For this reason, fintech or the use of IT platforms to deliver financial services may be an important driver of a range of existing inherent risks.


A further important driver of risk is remuneration. There have been numerous cases in which inherent risks have increased as a direct result of the type of remuneration offered to staff in supervised institutions. These are typically cases in which remuneration, often in the form of bonuses, is directly linked to revenue generation without regard for the attendant risks. For this reason, remuneration structures should be a key focus for supervisors.





General insurer T sells most of its products through third-party agencies. A previous program in which agents received a combination of a flat payment plus a modest commission was replaced by one that was entirely commission-based, with generous incentives for new sales of insurance products and renewal of policies. This was found to increase inherent risks across the board:


  • Conduct risk increased because agents, in pursuit of commissions, had an incentive to mis-sell policies. This eventually led to reputational damage as the number of disputes around contested payouts increased. 
  • Insurance risk increased because policies were written on increasingly high risks with insufficient attention paid to the usual underwriting criteria.
  • Operational risk increased because the increase in the number of policies sold put the (already stretched) policy documentation and claims management systems under further strain.


In banking, there have been numerous instances of inappropriate arrangements increasing credit risk (resulting from the extension of inappropriate loans); conduct risk (as loans and other products are marketed inappropriately); and market risk (resulting from traders and others taking on higher levels of risk in pursuit of trading gains).


Note that incentive programs that reward firms’ management solely on the basis of ‘bottom line’ profitability may also weaken control and risk management processes that incur costs but do not contribute to revenue.



Concentrations of business

An underlying principle is that inherent risks will be amplified by the existence of concentrations of business. This may be marked in credit and insurance risk, where supervisors need to be alert to the concentration of credit or insurance in single name exposures, particular sectors or geographic locations, and sectors or locations likely to be closely correlated. Similarly, market risks run by insurance and investment firms will be increased where investments are concentrated by type or issuer. An awareness of concentration risk is a fundamental issue in supervision and the topic has been extensively documented elsewhere. It is therefore not a main focus of this Note, although it is important to remember that concentrations will intensify the drivers outlined.


Main conclusions from this section:


  • There will often be more than one inherent risk associated with a given significant activity.  There will usually be a principal one that must be assessed. Subsidiary risks that may have a significant impact on the risk profile should be rated. Those that are not particularly significant can be given low ratings or sometimes omitted altogether (but kept subject to review).
  • Supervisors will often have prior views about the level of risk associated with given significant activities or business lines. Mortgages are often seen as having relatively low credit risk while pensions may be expected to have high levels of conduct risk.  
  • These ‘priors’ are of some value but only as a starting point. Inherent risks need to be evaluated with reference to detailed drivers, such as the nature of the product, its design, the target market, and how it is distributed. These may lead to marked differences in the inherent risks associated with what are apparently the same products offered by different providers and in different jurisdictions.


Risk cards and ‘baselines’

Many supervisory authorities aim to distil these issues into guidance for front-line supervisors, often in the form of risk cards. These may provide a reminder of what is meant by different categories of inherent risk (such as credit risk); how this manifests itself (for example, in different products); the drivers of the relevant risk; and expectations regarding management and controls. See an example of the elements of a risk card in the Annex to this Note.


Such guidance often indicates the levels of inherent risk that may be associated with different types of products or significant activities, based on analysis of the type of drivers along with historical trends.  




Supervisory authority U provides its supervisors with risk cards, which indicate the likely levels of credit risk associated with a range of lending products, among other things.  For example: 


‘Residential mortgages tend to be viewed as having relatively low credit risk.’ The rationale for this is as follows:

  • Mortgages are secured on the underlying residential property.
  • The legal and institutional arrangements for repossessing property in the event of default are quite robust.
  • Historical data show that default rates on mortgages are low[16] and recovery rates on the security on defaulted mortgages are high.


Supervisors should take this as a starting point but consider whether this baseline needs to be revised given the particular circumstances of the firm.


‘Lending to small startup companies tends to be viewed as having relatively high credit risk.’  The rationale for this is as follows:

  • Such lending tends to be unsecured or secured on assets of questionable value (especially in the event of default).
  • Loan covenants on such lending tend to be weak and hard to enforce.
  • Historical data show that losses on this type of lending are relatively high.


Again, supervisors should consider whether this starting point needs to be revised given the particular circumstances of the firm.



To summarize many of the issues raised in this Note, guidance/risk cards can be of considerable value if they are seen as guidance and a starting point only and not a substitute for the use of judgment by front-line supervisors. In making their assessments, supervisors should ask themselves:


“The risk guidance/risk card indicates that the level of inherent risk attached to this significant activity is likely to be [risk level, such as Medium High]. Is there anything in the circumstances of this specific firm – the external risks it faces, the nature of its products, its target market, or its distribution channels – that indicates the inherent risk may be higher or lower?”


Supervisors should also remember that in posing this question, they are considering factors likely to change baseline ratings of inherent risks. These do not include the effectiveness of management or controls.


This Note aims to clarify a number of issues arising out of the identification, classification, and assessment of external and inherent risks. Supervisory authorities need to develop frameworks that are appropriate to the particular characteristics of their jurisdictions and financial systems. RBS allows for considerable flexibility in doing this. The principles set out in this Note support thinking through the fundamental issues supervisors may encounter.




Annex: Elements of a risk card

Many supervisory authorities provide front-line supervisors with risk cards or other guidance to assist them in their risk assessments. These may be extensive, addressing all main inherent risk types and external risks. They may also be quite intensive, providing considerable detail about what supervisors should look for in making their assessments. Similar cards can also cover governance, risk management, and financial resources.

This Annex aims to set out the main elements a sample risk card might contain as a starting point for supervisory authorities wishing to introduce risk cards or revise existing ones to give them more risk-based focus.  


Elements of a risk card covering inherent credit risk


1 Definition


Credit risk is the risk of financial loss resulting from a borrower, issuer, surety, guarantor, or counterparty failing to meet its obligations on agreed terms.

2 How does credit risk arise in different firms/lines of business?


  • Banks and credit unions – mostly loans but also holdings of assets/investments or guarantees.
  • Insurers – payment obligations from others (for example, reinsurers), receivables, and holdings of financial assets.
  • Investment firms – holdings of financial assets, receivables.

3 External risks

  • What external (macroeconomic, macroprudential or other) risks are likely to affect credit quality? [Example: an impending economic downturn will depress personal incomes]
  • How do these external risks translate into inherent risks? [Example: credit risk will tend to increase for retail and corporate borrowers]

4 Principal drivers of credit risks

  • Nature of the product – does the nature of the product have a bearing on the level of credit risk? [Example: the lending is backed by available high-quality security, which tends to limit the attached credit risk]
  • Target market – does the targeting of particular markets or customers have a bearing on the level of credit risk? [Example: the product is targeted at highly rated corporates]
  • Distribution channels – is the product distributed in a way that may have a bearing on the level of credit risk?  [Example: loans are arranged only through face-to-face interviews with salaried advisers]  
  • Concentration – does the institution have particular sector, geographic, single name, or correlated exposures?

5 General guidance on ratings


Medium High (MH) inherent credit risk is usually associated with:

  • Products whose nature and characteristics tend to result in relatively high loss and default rates.
  • Products targeted at less creditworthy borrowers.
  • Products distributed in ways that result in their being taken up by less creditworthy borrowers.

Note that all of the above factors may be worsened by high levels of concentration risk and exacerbated (or mitigated) by external conditions.

6 Baseline assessments of risk


  • On the basis of past experience, lending to small and medium-sized enterprises tends to be rated medium high.
  • The rationale for this is as follows:
    • The lending is usually unsecured or secured on questionable collateral.
    • The failure rate of small and medium-sized enterprises is historically high.
    • Default and loss rates on this type of lending are typically high.

Overall message to front-line supervisors:

The above is to be used as guidance only to support supervisory assessments of credit risk. In making their assessments, supervisors should consider the circumstances of the individual supervised firm and how external circumstances and the characteristics of its products/significant activities combine to determine inherent risk.

Additional risk cards should address the assessment of governance, risk management, and financial resources. A section dealing with the management and governance of credit risk might look as follows:

Control and governance issues


  • How effective are local controls over credit?
  • How effective is senior management in identifying, monitoring, and controlling credit risk?
  • How effective is Risk Management in identifying, overseeing, and monitoring credit (and other) risk?
  • Does Internal Audit undertake regular and effective reviews of lending functions?
  • Do management and the board have a clear strategy for credit risk and a clear statement of their appetite for risk?
  • Does the board receive regular useful information about credit risk? How do they ensure that the risk appetite policy is being met?

Examples of baseline risks (this is purely illustrative as baseline ratings are specific to particular jurisdictions):

Inherent risk rating      Product/significant activity

[rating label missing]    Student loans
                          Start-up companies
                          Venture capital companies

Medium High               Project lending
                          Construction lending
                          Credit equivalents for OTC derivatives
                          Commercial real estate
                          Unsecured lines of credit
                          Retail credit cards
                          Small to medium-sized enterprises

Medium Low                Large corporate lending
                          Corporate credit cards
                          Auto loans

[rating label missing]    Loans to banks
                          Domestic sovereign lending (government or state)
                          Major country sovereign debt
                          Residential mortgages

Basel Committee. Revisions to the Principles for the Sound Management of Operational Risk. March 2021.
Government of Ireland. Misjudging Risk: Causes of the Systemic Banking Crisis in Ireland. March 2011.
Toronto Centre. Risk Based Supervision. March 2018a.
Toronto Centre. Implementing RBS: A Guide for Senior Managers. July 2018b.
Toronto Centre. The Development and Use of Risk-Based Frameworks. January 2019a.
Toronto Centre. Turning Supervisory Assessments into Supervisory Actions. August 2019b.
Toronto Centre. Supervising Fintech to Promote Financial Inclusion. December 2019c.
Toronto Centre. A Guide to Supervision in the COVID-19 World. October 2020.
Toronto Centre. A Climate Risk Toolkit for Financial Supervisors. November 2021.
Toronto Centre. Supervisory Implications of Artificial Intelligence and Machine Learning. July 2022a.
Toronto Centre. Risk-Based Supervision of Retail Conduct. October 2022b.


[2] See the Annex for an example of a risk card.

[3] See Toronto Centre (2018a, 2019a and 2019b).

[4] These matters, along with approaches to supervisory intervention, are discussed in some detail in Toronto Centre (2019a and 2019b).

[5] This may not be completely straightforward – for example, if the forecasting authority produces a range of possible outcomes with probabilities attached. In such cases, the ‘translator’ within the supervisory authority may need to decide the best forecast to use, which may need to be adjusted if the central forecast becomes increasingly uncertain over time. Alternative forecasts may also be used as a basis for stress and scenario testing, at least for larger institutions. In all cases, a mechanism must be put in place to turn forecasts into usable guidance for the supervisory process. The process will be all the more effective if it can be done in collaboration with the authority producing the forecast.

[6] For a discussion of this phenomenon in the context of the Irish banking crisis, see Government of Ireland (2011).

[7] For a discussion of supervisory panels and practices groups, see Toronto Centre (2018b).

[8] Supervisory issues arising out of the COVID-19 pandemic are discussed in Toronto Centre (2020).

[9] Fintech issues are discussed in Toronto Centre (2019c).

[10] See Toronto Centre (2021).

[11] For a detailed discussion of rating inherent risks, see Toronto Centre (2019a). 

[12] Most significant activities will involve a product. Where the significant activity is narrowly defined (such as mortgage lending), it will be wholly identified with a product (mortgages). In other cases, significant activities will be defined more broadly – commercial lending, for example. In this case, it will be necessary to consider drivers in connection with all the products it encompasses. In a few cases, significant activities may not involve products at all. An example might be asset and liability management, which is largely internal to the firm. In this case, identifying product-based generic drivers is of limited value.

[13] For more extensive discussion of the drivers of conduct risk, see Toronto Centre (2022b). 

[14] This is a difficult issue about which it is not possible to generalize. Supervisors have to operate on the basis that there is an acceptable type and standard of communication/disclosure that provides the average consumer the information they need to make a rational and informed judgment. How this requirement varies with different target groups has to be judged on a case-by-case basis.

[15] These risks are discussed in Toronto Centre (2019c and 2022a).  

[16] Technically, the use of past data on defaults is an imperfect indicator because it reflects outcomes that are the net effect of inherent risks and applying controls and risk management. However, it is a useful approximation and can be justified if the data reflect an ‘average’ quality of controls.