Tuesday, Nov 29, 2022
Drivers of External and Inherent Risks in Risk Based Supervision
This TC Note and accompanying podcast provide useful background on issues to be considered in assessing risk when guidance does not exist.
Introduction[1]
Identifying and assessing external and inherent risks is a key aspect of risk-based supervision (RBS). This Note supplements earlier Toronto Centre publications on RBS and provides supervisory authorities and front-line supervisors with additional guidance. In particular:
- The treatment of external (including macroeconomic and macroprudential) risks in risk assessments.
- The categorization of inherent risks and whether issues such as climate change and fintech constitute risks in their own right or can be included in other categories.
- A discussion of the drivers of inherent risk. This includes what supervisors should look for in assessing inherent risks, and factors that may lower or increase the level of risk associated with particular products or activities.
This Note may be of particular interest to functions (such as Practices Groups) within supervisory authorities that “own” the risk-based framework and provide guidance for front-line supervisors, for example in the form of risk cards.[2] Where no such central guidance exists, the Note provides useful background on issues to be considered in assessing risk. Even where guidance does exist, it may often be relatively general. The Note will help front-line supervisors assess the risk factors specific to individual firms and how the norms set out in guidance may need to be modified in individual assessments.
RBS background and context
A fundamental principle of RBS is that supervisors need to apply analysis and judgment when identifying and assessing external and inherent risks facing supervised firms. Supervisors must also assess these separately from the quality of controls, risk management, governance, and financial resources.
The key elements of RBS have been set out in a range of Toronto Centre Notes:[3]
- Supervisors need a thorough knowledge of a supervised firm’s business – the activities it is engaged in and its performance, business plans, and strategy.
- This enables supervisors to identify and assess the key external and inherent risks the firm faces.
- They need to assess how effectively these risks are managed through controls, risk management, and governance.
- Putting this information together (in a matrix) helps supervisors view the overall (net) risk faced by the supervised institution and the likely future direction of risk.
- Supervisors then assess whether the firm’s financial resources are adequate given the identified level of net risk.
- The purpose of this activity is to identify and require supervised firms to implement corrective measures to address net risks judged unacceptable or unsustainable.
The main steps are summarized here:
While these principles are well established, day-to-day supervisors sometimes stumble over a number of issues in identifying and assessing external and inherent risks:
- Supervisors may have difficulty identifying or interpreting external risks and their implications for firm-wide risk.
Example
The Financial Stability Department of Central Bank A reports that the commercial property market is experiencing bubble conditions, but an impending economic downturn will likely result in a sharp drop in property prices within 12 months.
Question: What type of risks are being identified (for example, prudential and conduct risks) and how should supervisors incorporate them into their risk assessments?
- The coverage of some inherent risk categories may prove problematic. For example, some supervisory authorities may include issues within ‘Operational Risk’ that others identify as separate categories of inherent risk.
Example
The supervisory authority in jurisdiction B defines operational risk to include reputational damage to firms as well as more conventional operational risks, such as failures of systems or people. The supervisor in neighbouring jurisdiction C (who collaborates in colleges) has a separate risk category (shown as a column on the risk matrix) for reputational risk.
Question: Is one approach ‘right’ and the other ‘wrong’? Does it matter?
- Many supervised firms will offer similar products or business lines as part of their significant activities. But:
  - The correct rating of inherent risks embedded in these activities may vary across firms even though the activities/products are apparently the same.
  - The rating of the risk for any given firm may change over time.
  - The rating of inherent risk for similar products may vary across jurisdictions.
Example
Firm D provides savings products to retail customers. As such, it incurs conduct risk – the risk that customers will suffer losses due to the firm providing insufficient information, offering unsuitable products to particular customers, or actively misleading them, for example. The supervisor of Firm D may find that:
Question: How can these differences in perceived levels of inherent risk over time, across firms, and across jurisdictions be understood? Note that these changes/differences have nothing to do with controls or risk management, which are assessed separately.
This Note aims to provide guidance on these types of issues.
Important points
External risks
One feature that distinguishes RBS from other (for example, compliance-based) forms of supervision is its breadth. It requires supervisors to be aware of all relevant risks that firms face – not just today but in the foreseeable future. These risks are not confined to those originating within a supervised firm or its operations. All firms operate within a wider context and face risks from the wider sector or economy.
Macroeconomic risks originate from conditions in the wider domestic or global economy. The effects of these on some supervised firms will be direct. For example, a downturn in world trade will directly affect major financial institutions involved in trade finance, providing lending or insurance facilities to global firms, and operating on international financial markets.
Other firms may experience effects that are less direct but no less severe:
- Smaller lending institutions with purely domestic operations may find the creditworthiness of some borrowers is reduced due to a domestic recession or increased unemployment.
- Inflation may erode both living standards and the value of savings, with potentially significant effects on creditworthiness, the appetite for saving, and the risk preferences of savers.
- Policy-driven changes in interest rates may have wide-ranging effects on the affordability of outstanding credit facilities, the valuations of long-term savings products (such as annuities and pensions), and on firms’ own asset and liability management.
Macroeconomic risks are (by definition) external to supervised firms, which are not responsible for these risks and cannot control or influence them directly. However, firms must be aware of such risks and think through their implications and the appropriate response in controls and risk management.
Macroeconomic risks also pose significant challenges for supervisors. It is not part of the job of front-line supervisors to identify and assess the risk of a global recession, for example. Other authorities such as the Financial Stability Department of the central bank or the International Monetary Fund produce authoritative forecasts of economic trends. The challenge for supervisory authorities is to identify an authoritative source and arrange for forecasts to be ‘translated’ into relevant guidance for supervisory decisions.[5] External risks (macroeconomic and macroprudential risks, discussed further on) therefore need to be interpreted to allow supervisors to consider their implications for individual firms.
Example
The Financial Stability Department of central bank F forecasts that a significant rise in energy prices on world markets will likely result in a sharp contraction in disposable incomes in country F as a growing proportion of incomes are allocated to heating and other energy use over the winter. This in turn will likely result in an increase in corporate failures and unemployment in sectors (such as restaurants and tourism) particularly sensitive to trends in disposable income.
Armed with this information, supervisors (who should adopt this as their ‘house view’) should:
Macroprudential risks
A wide range of risks may legitimately be described as macroprudential. What they have in common is that they reach all, or significant parts of, the financial sector and are therefore common to a range of firms and not specific to individual ones. As such, individual firms may contribute to them but are not directly responsible for or able to control them.
Some examples of macroprudential risks are:
The financial crisis of 2008 drew particular attention to risks that spread through entire sectors or large groups of firms. Such macroprudential factors may often drive changes to what were previously seen as prudent and acceptable industry behaviours. Firms may be willing to allow increases in leverage, aggressive selling practices, weaker loan covenants, looser customer take-on requirements, or lower underwriting standards. All of these can be seen as increasing inherent risks in response to changes in external risks – though some may also weaken controls or risk management.
Serious macroprudential risks have often been the result of a form of industry- or sector-wide ‘group think’ in which the managements and boards of supervised firms allow, or actively encourage, what proves to be irrational exuberance. The challenge for supervisors is to identify this phenomenon and not succumb to it themselves but be a source of challenge to the management and boards of their firms.[6]
Important points:
The boundary between types of external risk can become blurred. For example, low and persistent interest rates may result in savers being encouraged to take higher risks in pursuit of higher returns on savings and investments. This could be classed as a macroeconomic phenomenon (low interest rates) or a macroprudential one (changed behaviour on the part of firms and consumers). In this and other cases, the two types of risk are highly correlated – changed economic conditions often give rise to changes in industry practices.
Unsustainable (bubble) conditions may, for example, arise in residential property markets, leading to increased credit risks for this type of lending. This will be exacerbated if the bubble conditions result in a willingness to lend to purchasers who may be less creditworthy than under earlier standards. In this case, there is a clear relationship between the macroprudential risk (the bubble) and inherent (credit) risk.
Other external risks
Firms and their supervisors need to be alert to any external factors with implications for the risks that firms face. Not all of these fit neatly under the heading of macroeconomic and macroprudential risks; supervisors must ensure that they are recognized and their implications managed by firms. This is more important than their being precisely categorized. Some other external risks include:
- Pandemics. COVID-19 had profound implications for supervised firms – both in terms of inherent risks and their ability to control them – many of which are still being worked through.[8]
- Political instability. Wars, conflicts, and other less destructive forms of political instability may have major implications for supervised firms and the markets in which they operate.
- Climate change. The pervasive impacts of climate-related risks are already evident, with direct and visible implications for supervised firms. Some lending projects and general insurance propositions are less viable than in the past. Some financial assets, such as the liabilities of what may be seen as climate-unfriendly companies, may become ‘stranded.’
Supervisors have given considerable thought to whether climate change represents a new and distinct risk category, similar to credit risk. It is more helpful to consider climate change as an external factor, which, like macroeconomic and macroprudential risks, can have possibly profound effects on conventional inherent risks. This is discussed further in the next section.
- Fintech and new technology. Technology-based distribution channels for financial products are everywhere and can create real benefits in access to financial products for groups who may previously have been excluded.[9] They also bring a range of risks, prompting a similar question to that posed by climate change – should supervisors include a separate fintech or technology risk category in their assessments? As with climate change, it is more helpful to consider fintech as a ‘driver’ of more conventional inherent risks rather than as a category on its own. This is discussed later in this Note.
Important points:
Sorting out risks – the ‘hopper’
Multiple external risks can potentially affect the risk profiles of supervised firms. The most efficient way of incorporating these into risk assessments is to carefully consider their effect on conventional inherent risks.
In doing this, supervisors sometimes refer to the existence of a ‘risk hopper.’ A hopper was originally a device used to sort grain or other agricultural produce. It is an apt phrase for a mechanism that all supervisors should employ in some form. The principle can be illustrated using the diagram below.
As shown in the diagram, the hopper is (figuratively speaking) a device for turning generalized concerns into specific risk factors that supervisors are able to use in their risk assessments. In practice, this is most likely to take place in periodic meetings within the supervisory authority where such issues can be discussed and turned into usable supervisory inputs.
Classification of inherent risks
The risk categories typically used in an RBS matrix are broad. The usual categories are:
- Credit risk
- Market risk
- Insurance risk
- Conduct risk
- Financial crime/money laundering risk
- Operational risk.
Some supervisors extend the list to include categories such as business or strategic risk, or legal and reputation risk. These additional categories are discussed below.
The use of these conventional categories is sometimes challenged on two grounds:
- The categories are too broad. Credit risk, for example, can arise from many types of lending as well as underwriting, position taking, and providing guarantees. These (it is argued) are very different activities and carry different types of risks. Similarly, the conduct risks associated with providing a short-term loan through a mobile phone platform may be very different from those arising from the sale of a long-term pension product involving sales staff. Perhaps the broadest category of all is operational risk, which encompasses failures of personnel and systems, legal, reputational, and fraud risk.
- There may be too few risk categories. As discussed above, given their obvious importance, it can be argued that there should be separate headings for climate change, fintech, economic or political risk, for example.
The choice of risk categories is one for each individual supervisory authority and will depend mainly on its supervisory objectives. Supervisory authorities without insurance responsibilities clearly do not need to include insurance risk, while those whose responsibilities are purely prudential are unlikely to need to include conduct risk.
There are a number of principles to be kept in mind when deciding on the risk headings to include in the supervisory matrix:
- There is a trade-off between the apparent precision resulting from increasing the number of risk categories and the greater complexity this imparts to the risk matrix. The matrix should help structured thought – bringing together relevant information about a supervised firm. As such, there is considerable benefit in keeping it manageable and relatively simple. Using broad risk categories can achieve this and allow rigorous, comprehensive risk assessment if the various drivers of the risks are carefully considered. These drivers are examined below. It is also worth noting that where more than one significant activity has been identified (typically the case for a firm of any size), the same inherent risk (credit, for example) will be rated separately and possibly differently for each significant activity. In this way, the risk matrix is able to capture considerable detail even within the same broad risk category.
- Although conventional risk headings (credit, conduct, operational, and so on) are broad, they also have the perhaps contradictory advantage of being relatively specific. Credit risk is fundamentally different from conduct risk, which is different from operational risk. While ‘new’ headings often appear to address specific issues, in reality they may not. As noted, climate change and political instability are very real issues with major consequences for supervised firms.[10] However, it’s necessary to be clear exactly what is meant if these are to be used as risk categories. Often, these can be further reduced to other conventional risks that are more meaningful and manageable for supervisors. This is where a hopper mechanism may be helpful.
Example
The Advisory Board of supervisory authority G decided at an offsite meeting that climate change is a major risk facing the planet and supervisors should ‘give it priority’ in their supervisory assessments. This was communicated to all staff.
Scenario 1: While fully agreeing with the sentiments, supervisors were unclear about what exactly this meant for their supervisory work. Without further guidance, they defaulted to asking supervised firms how they were responding to climate change risks. Some responses were meaningful, outlining actual changes and business practices and the risk consequences of these. Other responses lacked substance and were merely an extension of the firms’ own ‘greenwashing’ efforts.
Scenario 2: The Practices Group within the supervisory authority undertook an exercise to identify specific ways in which climate change may affect inherent risks. They identified:
These broad findings were communicated to supervisory teams, who were able to incorporate them into their assessments of inherent credit, insurance, and conduct risks.
Scenario 2 illustrates how a general heading of ‘climate change’ or ‘climate risk’ can effectively be made operational by being distilled into conventional risk headings.
The conventional risk heading with least precision is perhaps operational risk. This is defined by the Basel Committee (2021) as:
The risk of loss resulting from inadequate or failed internal processes, people and systems or from external events.
Most supervisors will recognize failures of internal processes, people, or systems as operational risk. Insufficient staff numbers or skills, over-reliance on cumbersome, non-IT-based systems, or poorly specified or inadequate IT systems are covered by this. In other respects, there is some room for ambiguity:
- External events can be important drivers of operational risk. The COVID-19 pandemic created problems that made it difficult for firms to function, while climate change may also have direct effects on firms’ operations.
- For most firms, there is a potential connection between compliance risk (the risk that a supervised firm will fail to comply with regulatory or supervisory requirements), legal risk (the risk of loss due to legal action), and reputation risk (the risk of loss of business or franchise value due to its actions and possible sanctions). These may occur separately or may be highly correlated. Supervisory authorities need to decide whether to include these risks under operational risk and if so, at what level of detail.
Some supervisors identify strategic risk as a distinct category with a specific column on the matrix. This raises the question of what is meant by strategic risk and how it might be included. Some supervisors view strategic risk as resulting from specific, high-profile strategic initiatives that, if misguided or unsuccessful, would lead to significant losses. Others would include the absence of any coherent strategy in a broader definition of strategic risk.
Again, there is no simple answer to whether supervisors should separate out these risks (as explicit risk headings) or include them within existing headings. The principle remains that supervisory authorities should always think carefully before introducing additional complications to RBS frameworks. They should only do so where there is a clear rationale and where the supervisory assessment will be demonstrably improved as a result.
Examples
Supervised firm H’s business model involved the sale of savings products to relatively unsophisticated, low-income women and men. This made it susceptible to conduct risk: it was difficult to meet all conduct requirements to ensure that customers were being adequately informed and treated fairly. The firm had also run into past legal problems due to its loan recovery practices and its reputation was viewed as fragile.
Supervisors were taking a close interest in the firm, for which the sale of savings products was the main significant activity. Two recommendations were considered by the management of the supervisory authority:
Recommendation A: In view of the issues identified, the RBS matrix should be modified to exclude less relevant categories (such as credit risk) but to include separate headings for conduct, compliance, legal, and reputation risks.
Recommendation B: The matrix should continue to have conventional risk headings (external, credit, conduct and operational risk) but the guidance provided to supervisors about the constituents of conduct risk should be reviewed. This would ensure that it explicitly covered misconduct on the part of the firm; the likelihood of misconduct resulting in compliance failures or legal proceedings; and reputational risk.
It was decided to go with recommendation B for the following reasons:
Supervised firm I
Firm I had been operating an unchanged business model for many years in a mature and saturated market. New management decided to introduce a radical change in strategic direction. This involved considerable costs and closing several business lines. The new strategy received extensive publicity and many commentators said this was a ‘make or break’ initiative for the firm.
Two recommendations were considered by the management of the supervisory authority:
Recommendation A: Introduce an additional category of ‘strategic’ risk along with the existing inherent risks.
Recommendation B: Identify the implications of the new strategy for the existing (unchanged) list of inherent risks (credit, market, conduct and operational risk) – noting that the new strategy would also require extensive changes in personnel and systems.
It was decided to go with recommendation A on the grounds that the future soundness of the firm was tied to the new strategy. It was possible in this case to single out strategic risks that were highly significant and not adequately covered by more conventional risk definitions. Introducing a separate heading for strategic risk would make the risk assessment more comprehensive and focused.
Main conclusions from this section:
In some exceptional cases, it may make sense to introduce additional risk categories, but only where there is a clear rationale and the supervisory assessment will be demonstrably improved as a result.
Drivers of inherent risk
Once the relevant external and inherent risks have been identified, a key next step is for supervisors to assess the inherent risks. A typical scale will have four ratings: high (H); medium high (MH); medium low (ML) and low (L).[11]
Multiple inherent risks
Many significant activities will include more than one inherent risk. There will usually be a principal inherent risk but others may also be present.
Example
Credit card lending has been identified as a significant activity of bank J.
Supervisors who are new to RBS often face the question of whether it is necessary to give explicit ratings to all the risks associated with an activity. In the example above, it would clearly be appropriate to provide a rating for credit risk – the principal inherent risk. Generally, however, it is not necessary to rate all other ‘subsidiary’ inherent risks. Where a risk is present but unlikely to be a significant contributor to the risk profile, it can be given an appropriately low rating, or in some cases, no rating at all. Providing a rating (and accounting for this in documentation) has the value of providing a rationale and audit trail for decision making and makes it easier to check consistency – for example, by supervisory panels.
Example
Continuing with the case of supervised bank J, supervisors concluded:
What factors – or drivers – govern the rating for an inherent risk?
For many supervisors starting out with RBS, rating inherent risks is a daunting task. Providing formal criteria and guidance for ratings is a necessary step to assist front-line supervisors, but it may also be necessary to supply examples of risk drivers, and in some cases, baseline ratings for certain products or activities. These may be contained in risk cards, an example of which is given in the Annex.
Several factors may contribute to the level of inherent risk in a significant activity. For example:
- The nature of the product(s) involved in the significant activity.[12]
- The existence and robustness (or not) of risk mitigants embedded in the product.
- The design of the product.
- The nature of the target market.
- The way in which the product is sold or marketed (distribution channels).
The factors above will vary across products, providers (even of similar products), and jurisdictions, all of which contribute to the complexity of assessing inherent risk.
It is not possible to provide an exhaustive account of risk drivers. To keep this Note manageable, the following sections provide a range of examples. These illustrate some of the relevant factors to enable supervisors to identify drivers that may be particularly relevant to the risks in their jurisdictions and financial systems.
It also needs to be noted that operational risk, because of its diverse nature, has a particularly extensive and diverse set of drivers. Product design and distribution channels are highly relevant to the incidence and severity of many operational risks, but it is harder to generalize about the drivers of all forms of operational risk such as fraud or process failures.
Nature of the product
Some products, because of their nature, have intrinsically higher levels of inherent risk than others – even those in the same broad category, such as ‘corporate lending’ or ‘medium term savings.’[13] See four examples of this below. To keep it simple, each case considers just one inherent risk and its drivers. In reality, other inherent risks will often be present and it will be necessary to consider their drivers as well.
Example 1: Retail mortgages
Inherent risk considered here: credit (others will be operational and conduct)
Nature of the product:
Implications: These product characteristics often result in residential mortgages being seen as relatively low risk.
Example 2: Small business/startup lending
Inherent risk considered here: credit (others will include operational)
Nature of the product:
Implications: These product characteristics may result in the product being viewed as relatively high risk.
Example 3: 20-year pension product
Inherent risk considered here: conduct (others will include credit)
Nature of the product:
Implications: These characteristics may result in the product being viewed as relatively high risk.
Example 4: Investment accounts offered solely online
Inherent risk considered here: operational (others will include credit and conduct)
Nature of the product:
Implications: The heavy reliance on IT means the product is susceptible to operational (technology) risk. This may result in its being seen as relatively high risk.
Other examples of how the nature of products may affect risks include:
The nature of the product is the starting point for assessing inherent risk. The kind of analysis/thought process outlined above can, in principle, be applied to any product or significant activity.
Embedded mitigants
Some products or businesses have risk-mitigating features (mitigants) embedded within them. In assessing inherent risk, supervisors may need to determine the availability and reliability of these features. These mitigants – which may vary across similar products offered by different firms – are intrinsic features of the products concerned. They are quite separate from the controls implemented by firms to mitigate risks, which are the subject of separate assessment within RBS. Examples of such mitigants and the kinds of questions supervisors should ask about them follow. To keep it simple, each case considers just one inherent risk. In reality, there will be others whose drivers also need to be considered.
Example 1: Retail mortgages
Risk considered: credit
Embedded mitigants: Lenders can realize security in the event of non-payment (reducing loss given default).
Possible limitations: Does the legal or regulatory framework allow lenders to exercise their rights fully in these cases? Are there limitations on the amounts recoverable or are the time and costs involved in exercising the rights prohibitive?
Example 2: Medium-term savings products
Risk considered: conduct
Embedded mitigants: The product is capital certain (depositors will get back the principal they have deposited as long as the provider remains solvent). Depositors can withdraw funds early if they require them or the product does not meet their needs.
Possible limitations: Are the terms of early withdrawal onerous? Possibly more so than was clear at the time the product was sold?
Example 3: Life assurance
Risk considered: conduct
Embedded mitigants: Policy holders can terminate their contracts at any time.
Possible limitations: Termination may be more difficult and costly than was apparent when the contract was signed. Replacement costs (the cost of entering into a new contract with the existing or a new firm) may also be excessive.
Example 4: Securitized lending
Risk considered: credit (to holders of the securities)
Embedded mitigants: Credit enhancements, seniority of securities created, credit ratings of securities created.
Possible limitations: Apparent enhancements may be illusory or based on elements of securitization structures that are unclear, impossible to verify, and ultimately ineffective.
In addition to built-in embedded features, firms may be required by policy makers or regulators to embed some risk mitigation features. These are most common in the case of retail purchases of financial products designed to reduce conduct risk. Examples are cooling-off periods (customers can decide not to proceed with transactions within a specified period at no cost), complaints mechanisms, and settlement/arbitration arrangements. These mechanisms will mitigate conduct risk but only to the extent they are effective. Firms may outwardly comply with the requirements but in practice make it difficult for consumers to make use of them. For example, they may create barriers to exercising cooling-off periods or have complaints or redress procedures which are difficult for consumers to follow. Supervisors need to evaluate the effectiveness of these ‘required’ mitigants as part of their assessment of conduct risk.
Product design
Products may be designed in ways that increase (or sometimes decrease) their intrinsic or inherent risks compared to other products that are nominally the same. Their design may, for example, render them particularly clear or unclear, simple or complex – all of which will affect the level of inherent risk. Product performance returns or costs may be linked to future (and potentially unpredictable) events, with implications for their affordability.
The following examples show how product design may influence inherent risks. ‘Design’ is interpreted widely to include features of a product that may encourage (or even require) providers to outsource aspects of its operation. To keep it simple and for illustration only, each case here discusses just one inherent risk. In reality, there will often be others.
Example 1: Medium-term savings/investment product
Risk considered: conduct
Risk-increasing design features
Risk-decreasing design features
Example 2: Mortgage lending by credit cooperative
Risk considered: credit
Risk-increasing features
Risk-decreasing features
Example 3: Online investment management
Risk considered: operational
Risk-increasing features
Risk-decreasing features
Example 4: Pensions
Risk considered: conduct
Risk-increasing features
Risk-decreasing features
Example 5: General (property) insurance
Risk considered: insurance
Risk-increasing features
Risk-decreasing features
These examples show that it’s possible for product design to give rise to conflicts between the interests (and potential well-being) of providers and those of consumers. In the mortgage lending example, the ability to easily refinance mortgages as wider economic conditions change may benefit consumers but may complicate asset and liability management for the provider. Similar conflicts are also present in the general insurance example. Such conflicts are inevitable and there is nothing intrinsically wrong with them, if:
- They do not involve misconduct on the part of the firm (for example, where a firm seeks to increase profitability by not disclosing material aspects of the terms and conditions of the product); and
- Firms have carefully considered the implications of such conflicts. For example, providing terms that are advantageous for borrowers or counterparties may affect the firms’ prudential soundness. This is something supervisors should discuss with firms.
Target markets
The examples shown all relate to the nature and design of financial products. Risk will also depend heavily on the market or market segment to which the product is sold. There is explicit recognition of this in the restrictions many supervisors impose on sales of some products and services (such as execution-only trading in financial products and sales of some derivatives products), which are permitted only to market counterparties or qualified individuals. In such cases, the use of such products and services by unqualified retail consumers would create unacceptable risks.
However, other choices of target market are a legitimate strategic decision for supervised firms. Decisions to give the same product (such as mortgages or corporate lending) the same characteristics and design in different consumer or market segments can have profound implications for risk and its controls. Supervisors need to be alert to control issues where firms offer products to ‘vulnerable’ consumers – those on very low incomes or who have a particular need for clear and accessible information about products.
Example 1: Unsecured personal lending
Risk implications:
Credit risk - Bank L has higher inherent credit risk resulting from this significant activity than Bank K. How this translates to net risk depends on how the facilities are priced and the strength of management and controls.
Conduct risk - Bank L has higher conduct risk than Bank K because there may be an intrinsically higher risk of mis-selling to the lower income group (some of whom may be vulnerable consumers). Again, how this translates into net risk depends on how effectively the risk is controlled.
Example 2: Fund management
Risk implications: Conduct risk - Fund manager N has a much higher level of conduct risk because the information needs of the target market and the need for clarity about the risks of the product will be much greater than for experienced investors. In reality, there may be regulatory restrictions on the sales of such products to the general public.
Example 3: General insurance
Risk implications: Insurance risk - Insurer P is clearly operating with a much higher level of inherent insurance risk than Insurer O. How this translates into net risk depends on its pricing and reserving policies and the quality of risk management.
There are a number of additional points to be made about target markets and their implications for risk:
- There is nothing wrong with supervised firms offering products and services to higher-risk target markets. This is a legitimate business decision, but its higher inherent risks must be appropriately managed and resourced.
- An important element of managing the risks of dealing with higher-risk target markets will often involve meeting consumers’ different (usually greater) information needs. Groups of women and men who, for various reasons, have traditionally had less access to financial products and services will be less experienced and knowledgeable and their information needs are likely to be particularly great. Exactly what level and type of information is needed raises important issues of judgment for supervisors.[14]
- Targeting particular market segments may not always be a strategic decision on the part of firms. It may be the result of wider government policies designed to increase financial inclusion or requiring banks to direct lending to particular groups of men and women or businesses in the society or economy. Such measures may result in supervised firms extending products or services to groups or individuals outside those within their preferred business model. However, the implications for required mitigation are the same. Any additional information needs must be met, and firms’ controls and risk management strengthened to match.
Example 1:
The government in jurisdiction Q imposed a requirement that long-term savings facilities, including private pensions, be extended to previously excluded (mostly low-income) groups. A target of 15% was set, to be met over a five-year period.
Risk implications (conduct): To meet the obligations created under the target, an investment firm decided to take on some customers who would not previously have met its criteria. To address the potentially higher conduct risks, the firm revamped its customer take-on process to provide consumers with more extensive information and to align terms and conditions with the needs of the new customer segment.
Example 2:
The government in jurisdiction R imposed a requirement that bank lending to small agricultural cooperatives was to be increased by 5% for each of the next four years.
Risk implications (credit): Bank S found itself required to lend to borrowers who would not previously have met its lending criteria. To address the potentially increased credit risks, the bank reviewed its charges and strengthened its monitoring of the loans.
Distribution channels
The way products are sold or delivered may be an important determinant of inherent risk. The most profound change in the way financial products are distributed in recent years has been the increased use of digital platforms. Adopting such platforms, which may involve bypassing or partnering with traditional providers, can be of great value to consumers by providing greater access to insurance, credit and less conventional forms of finance such as crowdfunding.
The use of new technology carries additional risks:[15]
- Such channels, by definition, are IT-based. This gives rise to potential operational risks, either directly as a result of the inadequacy of firms’ own IT platforms or indirectly in the extensive use of outsourcing (operational risk).
- The absence of face-to-face contact may increase the risk that consumers are not supplied with adequate information about products or that providers may actively mis-sell them (conduct risk).
- There may be an elevated risk of financial crime or money laundering if customer take-on procedures are less rigorous.
- Consumers’ data may be compromised as a result of poor data management procedures or cyber crime (operational risk).
All of the above are ways in which existing inherent risks may be increased by the widespread adoption of digital methods of delivery (fintech). Whether or not this happens in practice will depend on how well the additional risks are managed and controlled. For this reason, fintech or the use of IT platforms to deliver financial services may be an important driver of a range of existing inherent risks.
A further important driver of risk is remuneration. There have been numerous cases in which inherent risks have increased as a direct result of the type of remuneration offered to staff in supervised institutions. These are typically cases in which remuneration, often in the form of bonuses, is directly linked to revenue generation without regard for the attendant risks. For this reason, remuneration structures should be a key focus for supervisors.
Example
General insurer T sells most of its products through third-party agencies. A previous program in which agents received a combination of a flat payment plus a modest commission was replaced by one that was entirely commission-based, with generous incentives for new sales of insurance products and renewal of policies. This was found to increase inherent risks across the board:
In banking, there have been numerous instances of inappropriate arrangements increasing credit risk (resulting from the extension of inappropriate loans); conduct risk (as loans and other products are marketed inappropriately); and market risk (resulting from traders and others taking on higher levels of risk in pursuit of trading gains).
Note that incentive programs that reward firms’ management solely on the basis of ‘bottom line’ profitability may also weaken control and risk management processes that incur costs but do not contribute to revenue.
Concentrations of business
An underlying principle is that inherent risks will be amplified by the existence of concentrations of business. This may be marked in credit and insurance risk, where supervisors need to be alert to the concentration of credit or insurance in single name exposures, particular sectors or geographic locations, and sectors or locations likely to be closely correlated. Similarly, market risks run by insurance and investment firms will be increased where investments are concentrated by type or issuer. An awareness of concentration risk is a fundamental issue in supervision and the topic has been extensively documented elsewhere. It is therefore not a main focus of this Note, although it is important to remember that concentrations will intensify the drivers outlined.
Main conclusions from this section:
Risk cards and ‘baselines’
Many supervisory authorities aim to distil the issues in guidance to front-line supervisors or risk cards. These may provide a reminder of what is meant by different categories of inherent risk (such as credit risk); how this manifests itself (for example, in different products); the drivers of the relevant risk; and expectations regarding management and controls. See an example of the elements of a risk card in the Annex to this Note.
Such guidance often indicates the levels of inherent risk that may be associated with different types of products or significant activities, based on analysis of the type of drivers along with historical trends.
Examples
Supervisory authority U provides its supervisors with risk cards, which indicate the likely levels of credit risk associated with a range of lending products, among other things. For example:
‘Residential mortgages tend to be viewed as having relatively low credit risk.’ The rationale for this is as follows:
Supervisors should take this as a starting point but consider whether this baseline needs to be revised given the particular circumstances of the firm.
‘Lending to small startup companies tends to be viewed as having relatively high credit risk.’ The rationale for this is as follows:
Again, supervisors should consider whether this starting point needs to be revised given the particular circumstances of the firm.
To summarize many of the issues raised in this Note, guidance/risk cards can be of considerable value if they are seen as guidance and a starting point only and not a substitute for the use of judgment by front-line supervisors. In making their assessments, supervisors should ask themselves:
“The risk guidance/risk card indicates that the level of inherent risk attached to this significant activity is likely to be [risk level, such as Medium High]. Is there anything in the circumstances of this specific firm – the external risks it faces, the nature of its products, its target market, or its distribution channels – that indicates the inherent risk may be higher or lower?”
Supervisors should also remember that in posing this question, they are considering factors likely to change baseline ratings of inherent risks. These do not include the effectiveness of management or controls.
Conclusion
This Note aims to clarify a number of issues arising out of the identification, classification, and assessment of external and inherent risks. Supervisory authorities need to develop frameworks that are appropriate to the particular characteristics of their jurisdictions and financial systems. RBS allows for considerable flexibility in doing this. The principles set out in this Note support thinking through the fundamental issues supervisors may encounter.
Annex: Elements of a risk card
Many supervisory authorities provide front-line supervisors with risk cards or other guidance to assist them in their risk assessments. These may be extensive, addressing all main inherent risk types and external risks. They may also be quite intensive, providing considerable detail about what supervisors should look for in making their assessments. Similar cards can also cover governance, risk management, and financial resources.
This Annex aims to set out the main elements a sample risk card might contain as a starting point for supervisory authorities wishing to introduce risk cards or revise existing ones to give them more risk-based focus.
Elements of a risk card covering inherent credit risk
1 Definition
Example: Credit risk is the risk of financial loss resulting from a borrower, issuer, surety, guarantor, or counterparty failing to meet its obligations in agreed terms.
2 How does credit risk arise in different firms/lines of business?
Examples:
3 External risks
4 Principal drivers of credit risks
5 General guidance on ratings
Example: Medium High (MH) inherent credit risk is usually associated with:
Note that all of the above factors may be worsened by high levels of concentration risk and exacerbated (or mitigated) by external conditions.
6 Baseline assessments of risk
Example:
Overall message to front-line supervisors: The above is to be used as guidance only to support supervisory assessments of credit risk. In making their assessments, supervisors should consider the circumstances of the individual supervised firm and how external circumstances and the characteristics of its products/significant activities combine to determine inherent risk.
Additional risk cards should address the assessment of governance, risk management, and financial resources. A section dealing with the management and governance of credit risk might look as follows:
Control and governance issues
Examples:
Examples of baseline risks (this is purely illustrative as baseline ratings are specific to particular jurisdictions):
Inherent risk rating | Product/significant activity
High | Student loans; Start-up companies; Venture capital companies
Medium High | Project lending; Construction lending; Credit equivalents for OTC derivatives; Commercial real estate; Unsecured lines of credit; Retail credit cards; Small to medium-sized enterprises
Medium Low | Large corporate lending; Corporate credit cards; Auto loans
Low | Loans to banks; Domestic sovereign lending (government or state); Major country sovereign debt; Residential mortgages
References
Basel Committee. Revisions to the Principles for the Sound Management of Operational Risk. March 2021.
Government of Ireland. Misjudging Risk: Causes of the Systemic Banking Crisis in Ireland. March 2011.
Toronto Centre. Risk Based Supervision. March 2018a.
Toronto Centre. Implementing RBS: A Guide for Senior Managers. July 2018b.
Toronto Centre. The Development and Use of Risk-Based Frameworks. January 2019a.
Toronto Centre. Turning Supervisory Assessments into Supervisory Actions. August 2019b.
Toronto Centre. Supervising Fintech to Promote Financial Inclusion. December 2019c.
Toronto Centre. A Guide to Supervision in the COVID-19 World. October 2020.
Toronto Centre. A Climate Risk Toolkit for Financial Supervisors. November 2021.
Toronto Centre. Supervisory Implications of Artificial Intelligence and Machine Learning. July 2022a.
Toronto Centre. Risk-Based Supervision of Retail Conduct. October 2022b.
[1] This Note was prepared by Paul Wright.
[2] See the Annex for an example of a risk card.
[3] See Toronto Centre (2018a, 2019a and 2019b).
[4] These matters, along with approaches to supervisory intervention, are discussed in some detail in Toronto Centre (2019a and 2019b).
[5] This may not be completely straightforward – for example, if the forecasting authority produces a range of possible outcomes with probabilities attached. In such cases, the ‘translator’ within the supervisory authority may need to decide the best forecast to use, which may need to be adjusted if the central forecast becomes increasingly uncertain over time. Alternative forecasts may also be used as a basis for stress and scenario testing, at least for larger institutions. In all cases, a mechanism must be put in place to turn forecasts into usable guidance for the supervisory process. The process will be all the more effective if it can be done in collaboration with the authority producing the forecast.
[6] For a discussion of this phenomenon in the context of the Irish banking crisis, see Government of Ireland (2011).
[7] For a discussion of supervisory panels and practices groups, see Toronto Centre (2018b).
[8] Supervisory issues arising out of the COVID-19 pandemic are discussed in Toronto Centre (2020).
[9] Fintech issues are discussed in Toronto Centre (2019c).
[10] See Toronto Centre (2021).
[11] For a detailed discussion of rating inherent risks, see Toronto Centre (2019a).
[12] Most significant activities will involve a product. Where the significant activity is narrowly defined (such as mortgage lending), it will be wholly identified with a product (mortgages). In other cases, significant activities will be defined more broadly – commercial lending, for example. In this case, it will be necessary to consider drivers in connection with all the products it encompasses. In a few cases, significant activities may not involve products at all. An example might be asset and liability management, which is largely internal to the firm. In this case, identifying product-based generic drivers is of limited value.
[13] For more extensive discussion of the drivers of conduct risk, see Toronto Centre (2022b).
[14] This is a difficult issue about which it is not possible to generalize. Supervisors have to operate on the basis that there is an acceptable type and standard of communication/disclosure that provides the average consumer the information they need to make a rational and informed judgment. How this requirement varies with different target groups has to be judged on a case-by-case basis.
[15] These risks are discussed in Toronto Centre (2019c and 2022a).
[16] Technically, the use of past data on defaults is an imperfect indicator because it reflects outcomes that are the net effect of inherent risks and applying controls and risk management. However, it is a useful approximation and can be justified if the data reflect an ‘average’ quality of controls.