Risk-Based Supervision: Some Practical Implementation Issues
Thursday, Nov 16, 2023


This TC Note and podcast address issues encountered when introducing risk-based supervision. These range from technical matters to more complex challenges, such as:

  • appropriate calibration of ratings;
  • risk-management controls;
  • managing on- and off-site work;
  • significant enterprise-wide activities;
  • treating ‘unsupervisable’ structures;
  • independent local boards; and
  • upstreaming of profits to parent institutions.


Paul Wright, Program Leader, Toronto Centre


Chuin Hwei Ng, Senior Program Director, Toronto Centre




The appropriate calibration of ratings

Weak controls can increase the rating of net risk above that of inherent risk

The management of on-site and off-site work

Projects as significant activities

The treatment of ‘unsupervisable’ structures

Independence of local boards

Upstreaming of profits to parent institutions


Annex: Suggested criteria for rating inherent risk and quality of risk management



Copyright © Toronto Centre. All rights reserved.

Toronto Centre permits you to download, print, and use the content of this TC Note provided that: (i) such usage is not for any commercial purpose; (ii) you do not modify the content of this material; and (iii) you clearly and directly cite the content as belonging to Toronto Centre.

Except as provided above, the contents of this TC Note may not be transmitted, transcribed, reproduced, stored or translated into any other form without the prior written permission of Toronto Centre.

The information in this TC Note has been summarized and should not be regarded as complete or accurate in every detail.




The Toronto Centre has worked with numerous supervisory authorities in the development and implementation of risk-based supervision (RBS). The purpose of this Note is to set out seven stumbling blocks that are commonly encountered in the implementation of RBS and to suggest ways of overcoming them. Most of these are of general relevance, while two (numbers 6 and 7) arise specifically in the context of cross-border supervision. All apply to the supervision of banking, insurance, and securities, and the first five to pension funds also.

The issues are as follows:

  1. The appropriate calibration of ratings (for inherent risks, controls and governance and financial resources).
  2. The scope for weak controls to increase the rating of net risk beyond that of inherent risk.
  3. The management of on-site and off-site work.
  4. The treatment of enterprise-wide activities (such as projects) as significant activities.
  5. The treatment of ‘unsupervisable’ structures.
  6. Problems of independence of local boards.
  7. The upstreaming of branch or subsidiary profits to parent institutions.

An RBS framework is a mechanism for bringing together informed judgements about supervised firms in a coherent and systematic way. While there are some general principles that need to be followed – for example the assessment of sources of risk beyond the supervised entity, the separate treatment of inherent risks and controls, and the adoption of a forward-looking perspective – supervisory authorities can and should exercise considerable discretion in deciding the exact detail of the framework that works for them. The RBS framework promoted by the Toronto Centre and the advice contained in this Note should not therefore be seen as a set of rigid instructions that must be followed but rather as support to supervisory bodies in developing their own approaches.

The appropriate calibration of ratings

The problem: supervisors who are new to RBS tend to assign too many ‘extreme’ ratings, in particular the rating of inherent risks as ‘high’ and controls and management as ‘weak’. 

Suggested approach: while supervisors should not shrink from using extreme ratings when these are warranted, most inherent risks should be rated as ‘medium low’ or ‘medium high’ (in a system with four ratings categories). Similarly, ratings for controls and governance should mostly cluster around ‘acceptable’ and ‘needs improvement’. Supervisory Panels and Practices Groups should be alert to a tendency to over- (or under-) rate risks.2


Key steps in undertaking a risk-based assessment of a firm are the assignment of ratings to the severity of the inherent risks associated with its significant activities, the effectiveness of controls, management, and governance in controlling these risks (collectively termed QRM – the quality of risk management) and the adequacy of its financial resources.  In its various Notes on risk-based supervision (RBS) the Toronto Centre suggests the following ratings categories:


The following recommendations are also made in respect of ratings:

  • It is best to have four categories of ratings.  Having an odd number (three or five) encourages supervisors – once they have got over their initial tendency to over-rate risk – to concentrate ratings at a single central/average level.  An even number of categories requires supervisors to think more carefully about levels of risk.
  • Risk ratings should be given descriptors (such as ‘high’, ‘medium high’, ‘needs improvement’ and so on) rather than numbers. The use of numbers creates a spurious impression that risk assessment is a precise or scientific activity.  It also encourages arithmetic approaches to the aggregation of risks (for example in assessing net risk) rather than the use of informed judgement.

Examples of criteria for rating both inherent risk and QRM are given in Annex 1. The ratings for inherent risk capture the severity of the risks associated with a given significant activity and the scope for them to create significant risks to the supervised firm (and hence to supervisory objectives) if not adequately controlled.

The ratings for QRM refer to the effectiveness with which identified inherent risks are managed and controlled.

Supervisors new to RBS often rate too many inherent risks as ‘high’ and too many control or management functions as ‘weak’. There are a number of possible reasons for this:

  • Supervisors are naturally risk-averse.  When they identify an elevated level of inherent risk they may often default to a position that this equates to ‘high’ risk – particularly if there are also concerns about the strength of controls (although this is not relevant to the assessment of inherent risk). In reality, while high inherent risks certainly can exist, they are a relatively unusual occurrence.  A high rating means that, in the absence of strong controls, it is very likely that risks will crystallize within a fairly short time period (say twelve months) which can cause significant damage to the firm and/or to supervisory objectives. A ‘weak’ rating for controls means that these are almost wholly ineffective in controlling inherent risks – and, as noted below, this may actually amplify the overall level of net risk in the firm.
  • There is sometimes a tendency to confuse the scale of an inherent activity with the amount of risk embedded in it.  An example of this might be a supervisor rating the credit risk in retail lending which has been identified as a significant activity in a bank. The supervisor might apply the following thought process: a) there is significant credit risk embedded in the retail lending; b) this activity accounts for a large proportion (say 70%) of the bank’s assets; c) therefore the risk must be high. This line of reasoning is incorrect – the rating for inherent risk should reflect only the risk characteristics of the activity concerned, not its scale.
  • Some supervisors adopt a ‘worst case’ approach to ratings such that they interpret the rating as reflecting the worst possible outcome for the risk concerned.  On this basis inherent risks tend to be rated high because (for example) a bank’s loan book could suffer serious deterioration, or an insurer could experience an extreme level of unexpected losses.  This however is not the approach adopted under RBS where the rating should reflect the most likely plausible outcome, not an extreme worst case one.


In a properly functioning RBS system, ratings for the inherent risks in each significant activity are likely to show something of a central tendency around ‘MH’ and ‘ML’. For a substantial sample of firms, the distribution of inherent risk and overall risk ratings would look something like that in the diagram below. A similar distribution would be seen for QRM and financial resources ratings, with a tendency to center on ‘A’ and ‘NI’. The diagram is purely for illustration – it is not possible to attach percentages to the relative ratings as this will depend on both the levels of risk in the jurisdiction concerned and the supervisory authority’s attitude to this (its risk tolerance). The relative occurrence of ratings should not therefore be taken as prescriptive.


As noted, supervisors should use ‘H’ or ‘L’ ratings for inherent risks, or ‘W’ or ‘S’ ratings for controls, management, and financial resources, where these are warranted.   But this should be subject to scrutiny and challenge.

  • The supervisor concerned needs to ask themselves ‘is the inherent risk really high?’ If so this would imply: a) that (if it is not adequately controlled) there is a real risk of serious detriment either to the firm or supervisory objectives in the short term; and b) that there is ‘nowhere else to go’ in that the inherent risk is as serious as it could be and there is no scope for it to increase in severity (and hence for the rating to be higher). Similarly, a rating of ‘W’ for a control function means that the function is almost wholly ineffective in managing inherent risks and that there is an urgent and critical need for improvement.
  • Supervisory Panels (which should scrutinize all assessments of supervised firms beyond a certain level of impact) and Practices Groups (which have oversight and ownership of the supervisory framework) need to be alert to excessive numbers of extreme ratings – certainly ‘H’ for inherent risks and ‘W’ for controls. An RBS system cannot function properly if too many risks are rated as high (or low) because it becomes impossible to prioritize effectively.  Moderation by Panels and other structures may be necessary, drawing on their broader perspective of actual and assigned risks.3

Weak controls can increase the rating of net risk above that of inherent risk

The problem: some supervisory authorities, while accepting that weak management or controls may fail to mitigate risk, find it hard to accept that such weaknesses may result in net risk being rated higher than inherent risk.

Suggested approach: supervisors need to be especially alert to weak management and controls and to recognize that: a) such weakness can result in net risk being rated higher than inherent risk; and b) they are a particular priority for remediation.


Toronto Centre materials on RBS often contain charts such as that below showing, in broad terms, the inter-relation between levels of inherent risk and the adequacy/strength of controls, and how these might combine to give net risk as shown in each of the boxes.4

The diagram is simplified and intended for illustration only.5 As always with diagrams of this kind, the interpretation of the extremes is straightforward: firms with high inherent risks and weak controls will be a source of considerable concern (net risk in this case represented as high), while those with low inherent risks and strong controls will not (net risk shown as low). The challenge comes from the more ambiguous permutations shown in the yellow boxes.

There are many instances of firms deliberately choosing business models embodying quite high levels of risk. The question in such cases is whether controls and management are as effective as they need to be in mitigating the attendant risks (bearing in mind that supervisors need to take into account the nature and level of inherent risks in their assessment of QRM).  Where the controls and management are found to be highly effective and attuned to the high level of inherent risk, supervisors may conclude that net risk is medium high or medium low. 

Conversely there are many examples of firms undertaking activities ostensibly embodying low levels of inherent risk but where controls have been ineffective, creating scope for breakdowns in disciplines such as credit or underwriting limits and in some cases higher risk business being taken on (and inadequately controlled).6 In such cases net risk is rightly assessed as being higher than inherent risk.

Some supervisors take the view that the worst outcome that can arise from weak controls is simply that they fail to mitigate inherent risk. The implication of this is that net risk can never be assessed as higher than inherent risk. In fact, weak controls should be seen as an independent significant source of risk which is additional to inherent risk. Weakness of controls can therefore result in net risk being assessed as higher than inherent risk (reflected in the diagram in the darker shading of the top right combination than the lower left one).  


Two firms, A and B, have the following ratings for the same significant activity:

Firm A

  • Inherent risk: ML
  • Controls: Acceptable

Firm B

  • Inherent risk: ML
  • Controls: Weak

If the maximum impact of controls and management is that they simply fail to mitigate inherent risks, then the rating for net risk in both cases will remain ML. This defies the common-sense interpretation that the level of net risk in Firm B is higher – perhaps considerably so. This is because the weakness of controls and management is itself an independent risk factor contributing to a higher rating for net risk. A sound, judgement-based assessment might be that net risk in Firm B is MH.

Supervisors need to recognize that weak controls are a significant independent source of risk. In terms of the risk matrix the implication of this is that net risk may be assessed as higher than inherent risk.  In practical supervisory terms this means that weaknesses in controls, management and governance should be seen as a separate high-risk factor when undertaking supervisory assessments and are likely to require remediation as a high priority.

The management of on-site and off-site work

The problem: many supervisory bodies operate with separate on- and off-site supervisory teams, sometimes located in different departments. Coordination between these teams may be ineffective, to the detriment of supervision overall.7

Suggested approach: it is not inevitable that supervision needs to be divided between on- and off-site teams and this is arguably not ideal. Where such a division is seen as necessary there needs to be complete clarity about the functions and objectives of the teams, which need to collaborate in working towards shared supervisory goals.


In many authorities, supervisory tasks are divided between on- and off-site teams. In some cases these have unclear or overlapping mandates, differing approaches to supervision (for example in the extent to which they embrace RBS) and few mechanisms for effective coordination. It is not uncommon to find a lack of clarity regarding final accountability for decisions about ratings or supervisory interventions. In such circumstances the relationship between teams may be competitive or even adversarial. At the very least this may mean that supervision is not as effective as it should be in identifying and mitigating risk and in some cases organizing supervision in this way may actually militate against effective supervision.

While exact arrangements differ between supervisory authorities, the tasks of on- and off-site teams might broadly be characterized as follows:

  • Off-site teams are likely to receive and process data and written information from the supervised firm.  This will include supervisory and other returns and information about the business, its structure and governance. The analysis of this material can provide important information about financial soundness and trends – for example changes in earnings, profitability, capital, or liquidity. Off-site work is particularly suited to the collection and examination of factual information such as financial indicators and what in other contexts the Toronto Centre has described as the ‘characteristics’ of controls and management.8 This can be of great value in informing issues that need to be pursued further through on-site work.
  • It is generally recognized that, at least for firms above a certain level of impact, it is necessary to undertake risk-focused on-site work. Supervisors need to spend time on site at firms to understand fully their business and how controls, management and governance actually work. This needs to extend far beyond the use of formulaic ‘checklist’-based questions and involves the focused and penetrating questioning of relevant personnel up to and including board level. To undertake this work effectively, supervisors need the skills to develop the right (usually open-ended) questions, to frame the discussion and, crucially, the capacity to understand and evaluate the responses given.9 Lower impact firms may not warrant extensive on-site work of this kind but supervisors may still need to visit these and conduct substantive risk-based discussions as part of thematic or horizontal reviews.10


The rationale for the division of supervision between separate on- and off-site teams is often not very clear. It is frequently a legacy of earlier, non-risk based, supervisory approaches. Where there is such a division of functions, the managements of the authorities concerned should think carefully about whether this continues to be warranted and to consider merging the functions into single supervisory teams. 

Where, for whatever reason, it is decided that supervision should continue to be divided between on- and off-site teams the paramount requirement is that these work collaboratively in pursuit of a common supervisory goal, namely a full understanding of risks and the use of supervisory interventions to mitigate these effectively. In practice this means:

  • On- and off-site supervisors need to be fully trained in risk-based supervision (RBS). In some cases RBS is seen, incorrectly, as relevant only to one team and not the other.  Training needs to establish a common understanding of the objectives of supervision and what each activity contributes to effective assessment and remediation in pursuit of these objectives. 
  • Wherever possible, opportunities should be found for joint working involving, for example, members of the off-site team taking part in on-site visits. This will help to cement common understanding and approaches.
  • The completion of the risk-assessment matrix and the identification of subsequent supervisory interventions should be a collaborative exercise. If one (for example the on-site) team initially takes the lead in doing this, this should be spelled out formally and the input of the off-site and any specialist teams should be sought and incorporated.
  • Supervisory infrastructure such as the Practices Group, through the guidance provided to supervisory teams, and supervisory panels, in their scrutiny of supervisory assessments and interventions, have an important role to play in helping to ensure that effective collaboration leading to risk-based outcomes is taking place.
  • If on- and off-site functions have different reporting lines (which is far from ideal) there needs to be clarity about responsibilities and objectives and an explicit expectation of collaboration. As a last resort there may need to be some kind of formal understanding such as an internal MoU setting out responsibilities and expectations.
  • The effectiveness of collaboration will depend ultimately on the appropriate messaging and incentives from senior management. If the overall head of the supervisory function communicates clearly the expectation of effective collaboration and demonstrably provides the appropriate incentives for this it is likely to succeed. Otherwise it will not.

Projects as significant activities

The problem: supervisors often judge it appropriate to treat projects as significant activities but are unclear whether this is ‘acceptable’ (in terms of RBS methodology) and what this might entail.

Suggested approach: it may be appropriate to treat projects in this way but the bar for doing so (in terms of the project’s importance and the risks embodied in it) needs to be set quite high.  Careful thought needs to be given to the nature and severity of the risks involved.


An essential early step in undertaking a risk-based assessment of a supervised firm is the identification of significant activities. These are defined as areas or activities which because of their nature and importance are capable, if inadequately managed, of posing significant risks to supervisory objectives.11 Significant activities are usually business lines or significant components of these such as retail lending, general insurance, or securities trading. 

The point is often made that many firms undertake projects which are sufficiently wide-ranging in their scope and impact that it would make sense to treat these as significant activities also.

This may be particularly true of IT related projects aimed at improving operational efficiency and controls at an enterprise-wide level. Such an approach would involve including the project as a separate ‘row’ on the risk assessment matrix as shown below.12 (The table also contains a column called ‘project specific management’ which is not a ‘conventional’ management/control heading but, as explained at d) below, it may be appropriate to include this where a project is being treated as a significant activity).

In deciding whether to go down this route supervisors need to consider the following issues:

a.) Is the project itself a significant source of risk? As always in RBS it is important to recall that ‘risk’ in this context is the risk of an outcome which has the potential to prevent the achievement of supervisory objectives.

b.) Projects such as IT upgrades are typically introduced with the aim of improving something such as the effectiveness of business processes or controls. There is always the possibility that the project will not be successful in the sense that it fails to achieve its goals and/or involves significant cost and timing over-runs. While such outcomes would be important for the entity concerned, they may not always represent significant risks in an RBS context.

 The table below gives some examples of where this may, or may not, be the case.

c.) Is it meaningful to assign conventional inherent risks to the project? Projects do not normally involve inherent risks such as credit, market, or insurance risks.  However, they may well embody strategic, operational, reputational, and legal risks.  Considerable clarity of thought is needed here to ensure that the risks identified and assessed are those attaching to the project itself and do not become mixed up with existing inherent risks.


  • Insurer X is introducing a wide-ranging IT project designed to improve data capture, processing (including claims management), record keeping and aspects of risk management. 
  • Claims management is currently seen as a significant area of weakness in the firm.  This is reflected in a score of MH for operational risk in the ‘general insurance’ significant activity.
  • The supervisory team has identified that the wide scope, limited staffing, and imprecisely defined objectives of the project mean that it carries significant operational risks – these are currently rated as MH.
  • The team has also identified a number of deficiencies in the management and oversight of the project, leading them to rate ‘local controls’ and ‘senior management’ as ‘needs improvement’ in respect of the project. 

If the project is successful, one consequence will be that the level of operational risk associated with claims management in general insurance will be reduced – possibly to ML. 

For the duration of the project however, it is important to distinguish between these two sources of operational risk.

  • The rating for operational risk in the general insurance significant activity should continue to reflect the current problems with claims management. 
  • The rating for operational risk in the project significant activity should reflect the operational challenges of the project itself. 

These two sources of risk are separate and should not be conflated – otherwise there will be double counting of the risks.14 On completion of the project the implications for the general insurance function should be evaluated.

d.) Is it meaningful to assess management, control, and governance specifically in connection with the project? Yes - local and senior management and the board have responsibility for oversight of all significant projects. Where projects are treated as significant activities there may be a case for including a column for ‘specific project management’ as shown in the matrix above.

e.) Does the separate inclusion of the project add value in terms of making a material difference to the accuracy of the risk assessment of the firm? This should be a criterion for the choice of any significant activity.  For example, whether to separate mortgage lending from credit cards as separate significant activities rather than having a blanket ‘retail lending’ activity should depend on whether the additional granularity adds anything in terms of the accuracy or richness of the risk assessment. This may be the case if the risk profiles of the activities are markedly different. But in many cases additional granularity adds little value in practice. Similar considerations apply in the case of projects. The table below outlines some possible considerations.



There is no reason in principle why projects cannot be treated as significant activities and it will sometimes make sense to do this. The bar for doing so however should be set quite high and as the above discussion makes clear:

  • Projects need to be genuinely ‘significant’ in the sense that their failure would pose serious risks to the firm concerned and to supervisory objectives.
  • In assessing the inherent risks and the effectiveness of controls, management and governance associated with a project, care needs to be taken to ensure that these focus on the risks of the project itself and that supervisors do not double count existing identified risks (even if the eventual outcome of the project may have an impact on these).
  • In common with the choice of all significant activities, supervisors need to ask themselves the question “will the level of granularity implied by treating the project as a separate significant activity materially alter the accuracy or richness of my supervisory assessment?”

The treatment of ‘unsupervisable’ structures

The problem: supervisors sometimes find that aspects of a supervised firm’s organization, structure, location, or range of activities make it difficult or impossible for it to be supervised effectively.

Suggested approach: in such cases it is necessary to go back to basics. Supervisors need to ask the question ‘what does effective supervision actually entail?’ They then need to consider whether this could be achieved through more effective supervision (involving better coordination with other relevant supervisory bodies for example) or whether the firm should be required to restructure itself. Ultimately, unsupervisable structures should not continue to be authorized.


Supervisors sometimes find that, notwithstanding their best efforts, it is not possible to supervise an entity in terms of identifying the full range of risks that it poses to supervisory objectives and overseeing effective remediation. This is a serious issue which needs to be addressed; there are multiple examples from history of unsupervisable structures failing because supervisors were unable to get a grip on the risks they were posing or how (or where) these risks were being managed.15

i.) Back to basics: ‘supervisability’

The supervisability of an individual entity is taken to mean that supervisors:

  • Are able to develop a comprehensive knowledge of the business – a clear oversight of an entity’s activities and an understanding of the inherent risks these pose.
  • Have a clear understanding of the effectiveness of controls, management, and governance.
  • Are able to form a clear view about net risks (that is, the extent to which identified inherent risks are being effectively managed) and of the adequacy of the entity’s financial resources in the context of these.
  • Can require effective remediation involving a meaningful dialogue with the management of the entity about the need for remediation, the form this should take and how progress will be monitored.

The above list is deliberately focused on what is needed for practical supervision rather than on formal requirements. Supervisors sometimes (incorrectly) confuse compliance – such as the timely submission of pro forma reporting – with effective supervision. 

ii.) Complexity

Structures may be unsupervisable because they are opaque and complex so that supervisors cannot penetrate or understand them and the above conditions are not met. There may be a variety of reasons for this:

  • Complex structures may have developed organically as the firm has evolved through mergers and acquisitions.
  • There may be a degree of deliberate or engineered complexity designed for example to optimize or minimize tax liabilities.16
  • In some cases there may be no clear rationale for complexity other than as a response to regulation itself.
    • Firms may be engaging in regulatory arbitrage – for example by deliberately locating businesses in parts of the group where they are subject to less onerous regulation or no regulation at all.
    • In a minority of cases firms or groups may operate opaque structures with the sole purpose of preventing supervisors from having a clear oversight of their activities.

iii.) Authorization/licensing

A necessary but not sufficient solution to this issue is to say that supervisors should not authorize unsupervisable structures in the first place. Authorization and licensing are themselves risk-based activities and supervisory bodies need to make a decision about their risk tolerance in this area. The bar for licensing may be set relatively high, implying that, once authorized, firms will pose few supervisory challenges, at least initially. Or the requirements may be interpreted more loosely, implying that more active supervision may be required post authorization. Whatever their risk tolerance, supervisory authorities should never authorize entities which, for whatever reason, cannot be effectively supervised. However, the problem of unsupervisability often arises not at the authorization stage but later, as the evolution of business models, mergers, acquisitions or changes in ownership or control create serious obstacles to supervision.

iv.) Group issues

Meeting the requirements for supervisability set out above will be more challenging when entities are parts of wider groups.  This may take a variety of forms:

  • Groups operating within the supervisor’s jurisdiction but involving activities in multiple sectors which are subject to different supervisory regimes. This may be the case even where the supervisory body is nominally unified if, for example, there are separate teams for banking, insurance and securities supervision working to different regulations.
  • Groups operating across national borders with a parent established in one jurisdiction operating branches, subsidiaries, or joint ventures in others.17

In such cases it is inevitably more difficult for any single supervisor to develop a full oversight of a group’s activities or the potential sources of risk to the part of the group for which they have supervisory responsibility.  The following issues are commonly encountered in the supervision of groups:

  • Regulatory requirements across the jurisdictions in which group entities operate may differ so that activities in some entities are subject to lighter regulation, or no regulation at all. Parts of the group operating where regulation is deficient or non-existent may constitute what are called ‘dark corners’.
  • It may be difficult to identify where significant management and strategic decisions are taken in practice. Such decisions may not, as would be expected, be taken at group management level but by individuals or groups who have a dominant influence despite not being formally designated as the most senior level of management.  In such cases it is difficult for supervisors to identify or engage with the de facto ‘mind and management’ of the group.

The requirements for effective group supervision are the same as for an individual entity. Supervisors working collectively must be able to develop a comprehensive overview of the group’s activities leading to a clear understanding of the risks facing the group and how effectively these are being managed.


When faced with an apparently unsupervisable structure supervisors need to ask themselves whether: a) this reflects a shortcoming of supervision; or b) is a feature of the organization of the firm/group which its management should be required to rectify.

a.) Is it possible to establish the necessary level of understanding and oversight either by intensifying supervision or (in the case of a group) through improved collaboration with other supervisors? Colleges of supervisors are intended to achieve precisely such improved oversight and to provide an opportunity to discuss the risk implications of structures, including those driven by regulatory arbitrage.

b.) If, after such self-examination, the conclusion is that the structure remains unsupervisable then change will be required. This message needs to be conveyed to the board and the most senior management.  If the unsupervisable structure is a group (or part of a group) a concerted message conveyed by all relevant domestic and cross border supervisors (for example through the supervisory college) will carry considerable force. Firms are likely to resist necessary restructuring particularly where opacity is deliberately intended to minimize tax or frustrate supervision.  The following principles should be followed in such cases:

  • Restructuring needs to be implemented by the firm/group as part of a remedial program agreed between it and the relevant supervisors (with the lead or home supervisor taking a leading role). There may be some scope for discussion about the exact form this should take and the extent to which other objectives such as tax efficiency can be achieved. 
  • While supervisors may be open minded (to a degree) about the detail, the key principle – that restructuring must result in a structure that is supervisable (in the sense set out above) – is paramount. This cannot be subordinated to issues such as tax or operational efficiency and this principle should be regarded as non-negotiable.
  • Supervisors should be aiming for a productive dialogue in which supervisory concerns and requirements are spelled out clearly and the firm’s/group’s management accept and embrace the need for change – albeit not always with enthusiasm. Recalcitrant firms may need to be reminded of the basic principle that supervisability is a requirement for continued authorization. Enforcement – even to the point of restricting business or closure – is regarded as a last resort by many supervisors but needs to be available as a tool if the firm is persistently unable or unwilling to deliver a supervisable structure through persuasion.

The final two topics covered in this Note relate specifically to issues frequently encountered in the supervision of entities that are parts of cross-border groups.

Independence of local boards

The problem: locally incorporated subsidiaries of entities with overseas parents may have boards which are seen as insufficiently independent of the parent institution. Host supervisors may be concerned that the local board cannot be relied upon to provide the independent oversight and control required in the host jurisdiction.

Suggested approach: while there is no simple solution to this (common) problem it needs to form part of a more general approach to corporate governance.  In the case of cross border groups it may be necessary to introduce formal requirements (for example in respect of local/independent non-executives) at the host level and to monitor actively the governance of the firm in collaboration with the home supervisor.


Supervisors often have responsibility for subsidiaries of entities whose parent is domiciled in other jurisdictions. Such subsidiaries (unlike branches) are locally incorporated and, as such, have distinct legal personalities requiring them to have their own balance sheets and governance arrangements, including local boards. Frequently these boards comprise individuals (either board members or senior management) of the parent institution who are ‘parachuted’ in to fulfil this governance requirement in the host jurisdiction.  Such individuals, as representatives of the shareholder (the parent), are expected to ensure that the subsidiary acts in a way which is consistent with the strategy and values of the parent.  But they should also exercise a reasonable degree of independence in directing and overseeing the activities and controls of the subsidiary itself. 

Ideally there should be no conflict between these functions. Board members should aim to oversee the implementation of strategy and controls in the subsidiary consistent with the direction set by the parent. In practice, however, this may be a difficult balancing act. Host supervisors often judge that board members are not sufficiently independent: that they perceive their primary responsibility as being to the parent institution rather than the subsidiary, and that they fail to provide the necessary level of challenge and control within the supervised entity.

This is a common issue to which there are no simple solutions. Supervisors faced with it may wish to consider two aspects of a possible solution, the first of which is based in regulation while the second goes to supervisory practice in respect of governance.

As a matter of regulation, many supervisors have specific requirements concerning the appointment of independent local non-executive directors (iNEDs). There may be a requirement, for example, that such boards have a minimum of two local iNEDs who are independent in the sense that: a) they are locally domiciled; and b) they are not employees of, and do not have any other direct association with, the parent firm. The expectation is that such iNEDs will be able to provide the necessary challenge and independence of view. One potential limitation of such a regulation is that in some jurisdictions there may be a limited pool of individuals qualified to undertake such a role. This makes them hard to find or opens the possibility of creating a cadre of such individuals who are ‘professional iNEDs’, sometimes with a large number of such appointments, who see their role as pro forma rather than substantive.18

While such requirements may go some way to dealing with the problem, regulation alone cannot provide the solution. As set out in Toronto Centre (2016 and 2022), supervisors need to engage actively with board members to remind them of their responsibilities and to satisfy themselves that these are being carried out effectively. Specifically this means:

  • Providing guidance setting out supervisors’ expectations and requirements of local NEDs and how these will be assessed.
  • Local board chairs should be required to explain to supervisors how local NEDs are recruited, what they are told about their prospective roles and how their performance is assessed, including with respect to independence.
  • Supervisors may also vet prospective local NEDs themselves to satisfy themselves that they understand their responsibilities, including the need to demonstrate their independence.
  • Supervisors should regularly challenge all board members of subsidiaries (not just local NEDs) on how they view their role and how their decisions demonstrate independence and a concern for the soundness of the subsidiary (whilst balancing this with their responsibilities to the parent).


What is proposed above is a combination of regulation regarding the composition of local boards and an inquisitive/challenging supervisory stance – an approach which is applicable to the supervision of corporate governance in general. It is recognized that such a challenging stance would be a departure for many supervisors, many of whom have no tradition of interacting with board members in this way. These issues were discussed in Toronto Centre (2022). Such steps cannot be a panacea for the difficult issues supervisors face in this area but they can provide a significant way forward in this, and in wider aspects of supervising corporate governance.

Upstreaming of profits to parent institutions

This problem arises most frequently in cross border financial groups.

The problem: funds are remitted from subsidiaries to the parent institution on a scale that the host authority views as excessive.

Suggested approach: this is a legitimate subject for discussion with both the home supervisor and the management of the subsidiary and the parent institution. The key question for the host supervisor is whether the remittance of funds is on a scale which is a source of prudential (or other) risk.


This is a significant source of concern to many host supervisors. The remittance of funds may take a variety of forms but there are two common scenarios.

a.) The parent institution provides a service to a subsidiary such as IT or some aspect of control such as internal audit for which it imposes a charge. Host supervisors are often concerned that such charges are excessive leading to an unwarranted flow of funds to the parent.

b.) In other cases the parent institution upstreams profits from the subsidiary in the form of dividends on a scale that the host supervisor sees as excessive. There is nothing objectionable in principle in parents being paid dividends on capital they have injected into subsidiaries but host supervisors often express concern about the size of these.

Where the sums upstreamed are seen as excessive, this is often a particular concern to host supervisors. In keeping with the principles of RBS, however, the key question for supervisors is whether this is a source of risk to the subsidiary.

Such upstreaming could be a source of risk where it is:

i.) On a scale which could undermine the financial strength of the subsidiary. Upstreaming which erodes the capital position of a subsidiary (or the potential for building capital through earnings) is a legitimate source of concern.  Host supervisors need to be satisfied that, where funds are upstreamed, the subsidiary will be left with adequate capital (the regulatory minimum plus any Pillar 2 add-on and the subsidiary’s own required capital as calculated as part of the ICAAP or ORSA and a prudent buffer).

ii.) A reflection of weak governance or controls in the subsidiary. Where payments are significant, supervisors might reasonably challenge the board and management of the subsidiary to establish that they have satisfied themselves about the purpose, legitimacy, and scale of the payments. The issue here may be not so much the scale of the payments itself as what this indicates about broader issues of management and governance.

iii.) An indicator of potentially unsustainable group financing. An example of this would be where a holding company issues debt which, in turn, is downstreamed as equity in the subsidiaries. Upstreamed payments or dividends may then be necessary on a scale that allows a potentially over-leveraged parent or holding company to service the debt. Here too the issue may not be the scale of the payments so much as what it reveals about group-wide financing issues – something that should be pursued with the home supervisor, possibly within a supervisory college.19

Other concerns may arise with upstreaming but these may not be of direct concern to supervisors provided that none of the issues discussed in i) to iii) above are present.

  • The upstreaming may be part of a strategy to avoid/minimize tax in the host jurisdiction. The issues discussed earlier in this Note are also relevant in this context. As noted there, tax optimization may not in itself be a source of supervisory concern provided it does not involve misfeasance on the part of the subsidiary. Whether this is an issue for discussion with the tax authorities will depend on the circumstances set out in footnote 16 above. Similar considerations will apply if the upstreaming is designed to circumvent exchange controls in the host country.
  • Where the payment is for a service being provided by the parent, this should be viewed in the same way as any outsourcing arrangement. It is incumbent on the management of the subsidiary to satisfy itself that the service is effective, particularly in addressing risk. Whether the size of the payment is reasonable is not generally something that supervisors should seek to second guess. Doing so may be neither an appropriate use of supervisors’ time nor straightforward, since (unlike a dividend payment) there is no direct link with the profitability of the subsidiary concerned.


While payment of ‘excessive’ dividends or charges from subsidiaries to parents is often a source of concern to host authorities, in keeping with the principles of risk-based supervision it is necessary to think clearly about what risks it actually poses. The most serious of these potentially is to the financial soundness or stability of the subsidiary itself.  Unless such risks can be clearly identified it is questionable whether this is something on which supervisors should spend much time. They should certainly be wary of seeking to second guess whether the level of payments for services from the parent is appropriate – though this may be a subject for discussion with local managements and boards.


This Note has set out a number of issues that are frequently encountered in the implementation of RBS both for purely domestic institutions and cross sector/cross border ones. 

It is inevitable that in implementing a new and sophisticated approach to supervision such as RBS a range of problems and stumbling blocks will arise, many stemming from the specific features of the financial system in the jurisdiction concerned. Toronto Centre Notes like this are intended to provide guidance in dealing with such implementation issues. 

By applying the principles and general approach embodied in RBS and thinking clearly about the risks posed by emerging problems and how potential solutions will mitigate these, supervisory authorities should become increasingly confident in finding risk-based solutions themselves as further issues arise.

Annex: Suggested criteria for rating inherent risk and quality of risk management

The following tables are intended to give a broad indication of how inherent risk and the quality of risk management (controls, management, and governance) might be rated for a bank, insurer, securities firm, or pension fund. These are intended to provide guidance only. Supervisory authorities need to develop their own assessment criteria based on their attitude to risk and the specifics of their financial systems.20

Inherent risk


Quality of risk management


Toronto Centre (January 2016). Improving Corporate Governance in Regulated Firms.

Toronto Centre (March 2018). Risk Based Supervision.

Toronto Centre (January 2019). The Development and Use of Risk Based Assessment Frameworks.

Toronto Centre (February 2020). Risk Based Supervision for Securities Supervisors (and other supervisors of small firms).

Toronto Centre (December 2021). The Risk Based Supervision of Cross Border Groups.

Toronto Centre (January 2022). Supervising Corporate Governance: Pushing the Boundaries.


1 This Toronto Centre Note was prepared by Paul Wright.

2 Supervisory panels comprise senior individuals from the supervisory authority as well as representatives from other supervisory teams and should scrutinize supervisory assessments and programs for all firms above a certain impact or size. The Practices Group is the ‘owner’ of the risk framework. These structures are discussed in Toronto Centre (2018).

3 Panels should, for example, aim to compare ratings assigned in broadly comparable entities and activities. If for example insurance risk is rated as H for a significant activity in one general insurer and MH in another with a broadly similar business model and target market, panels should probe the reasons for the difference. Panels should also be ready to investigate the reasons for ratings of ‘L’ for inherent risks and ‘S’ for QRM.

4 Net risk is inherent risk as mitigated (or not) by controls and management.

5 In its full form such a matrix would have four rows and four columns (equating to the four ratings categories) and the assessed net risk resulting from each permutation would reflect the supervisory authority’s attitude to risk.

6 The taking on of higher risk business is, technically, a case of actual inherent risk being higher than perceived inherent risk but this may still be the result of weak controls or oversight.

7 There is a distinction between: a) teams which undertake analysis of returns and other information on a largely desk-based basis; b) teams which regularly visit firms on-site; and c) specialist teams and functions which may assess specific areas such as credit management, actuarial functions, or AML through a combination of desk-based and on-site work. For the purposes of this Note, ‘off-site’ means the type of activity at a). Specialist functions may provide support to on-site or off-site supervisors, or to both.

8 ‘Characteristics’ typically refers to the existence and composition of controls, management, and governance. It is possible to identify through off-site work whether the supervised firm has a risk management function or board committees, their terms of reference and levels of staffing. However, in order fully to understand the effectiveness of such structures it is also necessary to assess their performance through on-site work – how they work in practice and how effective they are in managing and mitigating risk. These issues are discussed in Toronto Centre (2019) and (2022).

9 See Toronto Centre (2016) and (2022).

10 See Toronto Centre (2018) and (2020) for a discussion of horizontal and thematic work.

11 Toronto Centre (2019) has a detailed discussion of Significant Activities.

12 A separate question that is sometimes raised is whether aspects of enterprise-wide financial management (such as asset and liability management) should be treated as significant activities. This raises other, potentially complex, issues. Toronto Centre (2019) describes a ‘conventional’ approach to the assessment of liquidity as part of an entity’s financial resources. The implications of the alternative possible approach discussed here will be examined in a forthcoming Toronto Centre Note.

13 Of course, if the failure of such a project had very serious commercial implications it may be a source of strategic or reputational risk. In general, anything that goes wrong in a supervised firm could be interpreted in this way as a possible risk. The advice when applying RBS is to consider only fairly direct linkages to supervisory objectives.

14 The prospect of a reduction in the rating for operational risk in the wider business may be taken into account in the assessment of the future direction of risk although care needs to be taken if this is reliant on the success of the project.

15 The Toronto Centre has referred to a number of these in its programs:

  • BCCI (closed 1991) was characterised by an opaque structure and uncertainty about the location of ‘mind and management’, leading to a non-alignment of de facto control with the legal structure and serious communications issues.
  • Barings (closed 1995) failed because of losses incurred in a poorly controlled overseas subsidiary financed by a parent with weak corporate governance on a basis which was opaque to supervisors.

16 The supervisory response to this can be quite complex. Supervisors are not tax inspectors and their primary concern may not be the tax avoidance itself but the implications of the structures for whether effective supervision is possible. Provided it is legal and does not frustrate effective supervision, supervisors may have limited interest in tax efficiency or even avoidance. Whether they wish, or are able, to engage with the tax authorities on this will depend on the legislation and conventions of the jurisdiction concerned – whether, for example, the necessary gateways exist. Where tax avoidance spills over into illegal tax evasion, however, the issues are altogether more serious, raising issues of the fitness and propriety of management and of legal and reputational risks which are of direct relevance to supervisors.

17 These issues are discussed further in Toronto Centre (2021).

18 For this reason some jurisdictions place limits on the number of NED roles individuals are able to take on. Even where there is no formal limit supervisors may, as part of their discussion with such prospective NEDs, ask how feasible it will be for them to find the time to make a meaningful contribution in an additional NED position.

19 The issue of whether sufficient equity is available to the group on a consolidated basis should be a regular agenda item for all supervisory college or other coordination meetings.

20 The tables are based on those set out in Toronto Centre (2019) but with alterations intended to make them more cross sectoral in application. It should be emphasized again that these are intended to provide an illustrative framework only and will need to be adapted to supervisory authorities’ specific needs.