The move to risk‑based supervision

Rapid regulatory change has led to a steep increase in data volumes and policies, and a new environment has opened up for discussions on effective regulatory supervision and a transition to risk-based supervision.

In the past decade, financial firms have faced tremendous change and so have the regulators overseeing them. Traditionally, supervisors have performed their prudential supervisory role by way of compliance-based supervision, but the tougher rules enforced to ensure banks can remain safe and sound following the global financial crisis have led to new challenges for regulators.

While supervised entities are expected to comply with prudential rules, and regulators continue to ensure that the regulated entities comply with them, the way the latter is undertaken is changing. Previously commonplace methods have been deemed outdated, following the pressure regulators have been under to introduce stricter policies to improve oversight, and the new rule-heavy environment has led to regulators signalling a need to avoid a one-size-fits-all approach to supervision and risk assessments.

As regulators have continued to face a data overload following the financial crisis and the introduction of new reporting requirements, the multidimensional approach to supervising regulated entities has become more difficult to maintain without regulators significantly increasing head count. In other words, the traditional way of dividing resources equally between regulated entities is losing momentum because it is no longer necessarily an optimal way to safeguard the financial system.

Justin McCarthy, chairman of the global board at the Professional Risk Managers’ International Association (PRMIA), explains that, in the past, “regulators may have spread their resources, including staff, evenly across many regulated entities”, but “we have realised that allocating them in a risk‑driven manner is a more effective way to do this”. While the old way of splitting resources between regulated entities may still work for some, in most jurisdictions it is no longer seen as the most effective way to supervise the financial market because the size and reach of different entities will modify the risk they pose to the financial markets.

Following increased regulatory focus on mitigating systemic risk, regulators have needed to rethink their approach, and the result has been a transition to risk-based supervision. For regulators, the significant benefit of a move to a risk-based solution is improved efficiency, as they can better allocate resources, and more economies are realising that taking a risk‑based approach is the best way to protect the market. “It has been well adopted in developed economies,” says McCarthy, who was involved in the adoption of risk-based supervision by the Irish Financial Regulator at the Central Bank of Ireland following recommendations from the European Central Bank.

 

Tackling systemic risk

Risk-based supervision requires regulators to assess the risk of individual entities and, by collating the resulting view of these entities, they can judge the systemic risk to the wider economy. McCarthy explains that, instead of giving every single bank a fair lookover, regulators are now asking: “Where are the risks in our economies?” To protect investors and mitigate systemic risk in the market, regulators taking a risk-based approach can spend more time supervising entities that pose increased risk. By adopting this approach, regulators can allocate their limited resources to the entities with the greatest risk and focus on the areas within these entities deemed to be high risk.

An important concept within risk-based supervision is the difference between the probability of an adverse event at a supervised entity and the impact that this event may have on the wider economy. Despite the probability of a large firm failing being minimal, the focus for the regulator may need to be on allocating resources to supervising that entity if the collapse of that firm could have a severe impact on the wider economy. 

This approach also means there needs to be an acceptance that some smaller entities may have fewer resources allocated to their supervision because their collapse would have a limited impact on the wider economy. It may even be that some of these firms fail from time to time, but that too needs to be accepted when the impact of their failure on the wider economy is minimal. McCarthy explains that if, for example, a regulator only has a small team looking at a thousand foreign exchange shops, one of the thousand may fail and someone may lose a small amount of money, but this outcome could be overseen by the ombudsman.

 

Taking the leap

For many regulators, the move to a risk-based approach will represent a significant change, with staff being asked to supervise in a new way and the regulator having to implement new risk assessment software. Initially, a regulator would need to rely on the data and tools to assess risk, rather than judgement, and a combination of expertise, data and technology will create a recipe for success. “When they’re bringing in a risk-based approach, they have to appreciate it will take time to build the resources and skills needed,” says Joanne Horgan, chief innovation officer, Vizor Software. 

The first step will be to encourage staff engagement, and PRMIA’s McCarthy says informing staff about the new way of supervising, and explaining that their organisation will be doing things differently going forward, will be key. Supervisory staff will need to be educated in where risk lies and how to report those risks to their managers. 

In addition, regulators will need the appropriate tools to succeed with risk-based supervision, including the software and data required to assess risks of individual entities. With modern technology, regulators can collate and consolidate data, set key risk indicators (KRIs) and identify inherent risks. 

A prerequisite for generating the most value from risk systems will be getting the data right, and regulators moving to risk-based supervision may also have to address data challenges to improve its consistency, reliability and integrity. Traditionally, regulators may have used paper reviews and stored data in disparate systems, creating potential for duplication and errors. Manual and paper-intensive processes can compromise data quality, and to improve efficiencies and succeed with a risk-based approach it is essential for firms to combine data in a single system and enhance automation. Horgan emphasises the importance of ensuring supervisors are making decisions based on data that is up to date and centralised to provide a holistic view of risk. 

Bringing data sources together in a single system also means firms benefit from enhanced access to data, which can be used to produce early-warning reports. With Vizor Risk-Based Supervision, for example, regulators have online access to up-to-date KRIs that might inform early supervisory interventions. “Timeliness is really important. You’re not going to do a full risk assessment every week,” says Horgan, who explains that timely access to information offers regulators the opportunity to react quickly to a market event and re-evaluate a group of firms on a particular focus area – cyber security, for example. 

In fact, the aim of risk-based supervision is to deliver a control system that enables regulators to identify risks early enough to notify regulated entities before it is too late to act. For regulators to succeed with this, the system in place must offer flexibility and opportunities to make any necessary changes. Although data can be collated and analysed within a system, there is also a need for human decision-making at some stage in the process, and the system needs to handle both a data-based approach and a judgement-based approach. “You have to have a system that allows you to react,” says Horgan, who stresses the importance of a risk-based approach allowing regulators to be proactive: “There could be something happening outside an established data approach that a supervisor needs to override.”

 

Setting KRIs

When making technology decisions, another important factor will be KRIs, and a system’s ability to both automatically calculate KRIs and combine them with other insights. KRIs are one of the tools that will help regulators assess the risk each supervised entity poses to the wider economy. Thus, establishing and setting up appropriate KRIs can help turn data into a powerful tool. 

As part of a risk-based approach, regulators need to come up with key ratios or use out-of-the-box KRIs. Vizor Risk-Based Supervision, for example, offers out-of-the-box KRIs per sector that are auto-calculated quarterly or annually. The KRIs are populated with data that a supervisor partly acquires during regular prudential returns, such as quarterly results. “The key to successful implementation of risk-based supervision is agreeing or acquiring a useful set of KRIs that can be easily assembled using data from sources such as prudential returns,” says McCarthy, who explains that it is a source of great frustration for compliance teams when regulators make ad hoc data requests instead of reusing data from prudential returns, where possible: “If a jurisdiction is perceived to have a more expensive cost of compliance, then this may give a financial entity some concerns about being regulated in that jurisdiction.”

In addition to making better use of the financial data collected, there has also been a shift to looking at other elements of the supervised entities, and supervision has expanded into considering business plans and overall viability of a supervised entity. Vizor’s Horgan says there is now other data that regulators need to collect and, in addition to the business plan, this could be information on cyber security or the performance of the board of directors. Individual risks such as credit, market and operational risk may be well managed and mitigated in an entity, but the additional information could assess whether the overall business model is sustainable. “An entity may be able to show they are complying with the prudential rules set by the supervisor, but the supervisor would now also look at whether the way they are doing business is putting consumers at risk,” explains McCarthy.

To perform an overall risk assessment, regulators also need to take on-site and off-site assessments into account. Data from these assessments needs to be integrated with other data sources, and regulators approach assessments very differently. Some may choose to use a questionnaire as part of an on-site assessment, and the value of the entries could then be entered into the system and contribute to the risk score. In other cases, assessments will be judgement-based, but the observations will still be valuable for the overall risk score, and regulators need systems to be flexible enough to allow for a mix of judgement and data in risk assessment. 

With advances in data management and technology, regulators can also analyse the risk scores by comparing entities to peers and looking at specific sectors of the financial markets to manage emerging systemic risk across the wider economy. Making comparisons means regulators can take a consistent approach to supervision across a sector and reduce the possibility of criticism once risks are identified and being mitigated.

The next steps on the journey to risk-based supervision will now be continuing to leverage new technology to boost efficiency. “A machine can come up with the same response as humans, and we need to get better at delegating to computers,” says McCarthy. Technology such as machine learning can play an important role in enhancing supervision of smaller regulated entities, which may be allocated fewer resources under a risk-based approach.

Although machine-learning algorithms are not new, there are now clear opportunities for regulators to leverage machine learning to obtain an overview of risks associated with the regulated entities whose collapse would not have a severe impact on the wider economy. The data on these entities is still collected, and leveraging technology to analyse the data means regulators can gain a market-wide view of risk. According to Horgan, regulators can also use historical data and algorithms to allow a machine to assess where certain behaviours have led to a problem in the past and thus anticipate risks in a certain sector. “We definitely see opportunities with machine learning based on published results from trials by the UK Financial Conduct Authority and the Bank of England, among others,” she says. 

As the evolution to risk-based supervision continues, demand will grow for flexible systems that can be tailored to cater for the different needs of regulators, using a mix of data-driven and judgement-based approaches. The wave of regulatory change in recent years has strengthened the case for regulators to leverage technology that can allow for increased flexibility and reduced time to action. In the current market, innovative technology, training of supervisors and complete and timely data are all stepping stones on the road to promoting stability in the financial system.

 

_{This article forms part of the Central Banking Risk-based supervision focus report, published in association with Vizor}

Sponsored content