Risk-based Supervision

What is Risk-Based Supervision?

Risk-Based Supervision (RBS) is gradually becoming the dominant approach to regulatory supervision of financial institutions around the world. It is a comprehensive, formally structured system that assesses risks within the financial system, giving priority to the resolution of those risks.

RBS is often contrasted with rules-based regulation. The latter, also known as principles or compliance-based supervision, is a method of regulation which involves checking for and enforcing compliance with rules – legislation, regulations or policies – that apply to an entity.

What is the purpose of RBS and why is it important?

RBS has a regulatory emphasis of “focusing on what matters” – assessing the degree of risk in the company's business operations and determining how to reduce the risk as required.

With RBS, entities are always being monitored, both for compliance with the rules and for how they approach risk management. Failure to comply or to manage well is noted, and action is taken according to the appropriate legislation, to deal with any concerns. In a RBS regulatory system the following are considered:

  • finding contraventions of the law, regardless of materiality
  • reconciliation of data, counting the securities, other detailed checking
  • business strategy
    • financial analysis
    • on-site Inspections
    • market intelligence
  • management style, attitude to risk, control environment
    • Within agency
    • With regulated

 RBS versus a Compliance Approach

 

RBS

Compliance

Formal education

Extensive

Low to Moderate

Industry knowledge

Extensive

Low to Moderate

Company knowledge

Extensive

Low to Moderate

Ability to apply judgment

Extensive

Low

Interaction and communication across supervisory teams

Extensive

Low

Communications skills:

Extensive

Extensive

Low

Low

Management oversight

Extensive

Low

QA Processes

Extensive

Some

Practices (i.e. documented procedures)

Robust framework & supporting guidance required

Check list and some guidance

RBS - A journey not a destination

Four considerations of RBS:

A prerequisite for good RBS is knowledge of the institution, its industry and operating environment. These can all be observed by creating a risk profile of an institution:

  • institution’s activities
  • risks in those activities
  • quality of risk management (day-to day management and Oversight)
  • capital required to support operations
  • identifying the key risks within an institution that may affect its risk profile
  • that its supervisory activity and resources applied are commensurate with the level of risk
  • Off-site monitoring – Review the financial data filed by the institution, using ratios and other methods of analysis

Based on the financial institutions’ risk profile the regulator can determine the allocation of supervisory resources. Rather than rules-based, the regulator may focus on:

 

How Does FSC Assess Risk?

  • On site monitoring – Review information obtained by FSC’s Examinations Division during on-site examinations at various regulated entities

The RBS Process and Main Types of Risk

In the risk rating process, there are two areas that should be evaluated – inherent risk and quality of risk management (risk mitigation). Institutions may have the same level of inherent risk (the types of businesses are almost identical) but one institution may have much better risk management processes than the other. This approach of first assessing inherent risk and then assessing the quality of risk management is now being generally accepted around the world. 

All institutions are exposed, to a greater or lesser extent, to certain broad types of risk such as credit risk, market risk, operational risk, etc. These categories fall under “inherent risks” because they are inherent to being in business. For each of these categories there are ways to consistently and objectively assess the level of risk:

  • Operational Risk – everyday risks of operating and managing a business. This includes the quality and reliability of an institution’s IT system, as well as the competence of management.
  • Market Risk – relates to the possible change in value of market prices, e.g., an institution’s portfolio of common stocks is subject to market risk because the market value may change very quickly.
  • Credit Risk – the risk of not being paid by entities owing money to the institution, e.g., the institution may have loaned money to investors by buying their debentures and is yet to be repaid.  
  • Related Party Risk – when transactions occur between related parties, the normal discipline of market negotiation is not present; therefore, transactions between related parties such as shareholders and supervised institutions are subject to the risk that the interests of the institution will be subjugated to those of the shareholders.
  • Liquidity Risk – the risk that the institution will require liquid funds but not be able to access such when required to meet an obligation that is due and payable, e.g., a short-term insurance company has invested most of its funds in real estate; it requires liquid funds to pay claims and would therefore have high liquidity risk.
  • Underwriting Risk, Provisioning Risk – these are risks that are specifically applicable to insurance companies. Other types of institutions may have other unique risk categories.