Risk Appetite

Framework & Approaches

Contents
Introduction ............................................................................................................................................ 3
What is Risk Appetite ............................................................................................................................. 4
The Risk Universe ................................................................................................................................... 4
Risk Appetite Framework ....................................................................................................................... 5
Designing a Successful Risk Appetite Framework ................................................................................. 6
Purpose of a Risk Appetite Statement ................................................................................................... 7
Features of an effective Risk Appetite Statement ................................................................................. 7
Roles & Responsibilities ......................................................................................................................... 8
Top-Down and Bottom-Up Approaches to Risk Appetite ..................................................................... 9
Cascading Risk Tolerances and Risk Limits ............................................................................................ 9
Overview............................................................................................................................................. 9
Enterprise Approach......................................................................................................................... 10
Allocating Risk Limits........................................................................................................................ 11
Case Studies .......................................................................................................................................... 13
HSBC .................................................................................................................................................. 13
EBRD ................................................................................................................................................. 15
Common Challenges and Good Practices ............................................................................................ 16
Final Thoughts ...................................................................................................................................... 17

2
Introduction
For banks or financial institutions, risk appetite is a particularly important component of an end-to end
risk management framework. It needs to be supported by other risk management components, such
as a comprehensive risk taxonomy, robust risk identification and assessment processes, data and
analytics capabilities, and a risk aggregation and prioritization logic based on risk materiality. Risk
appetite needs to be integrated into risk governance and oversight, reporting, and risk decision making
and mitigation actions.

While there is general industry agreement regarding the usefulness of risk appetite frameworks, there
is no industry consensus on what it actually means to establish and embed a proper risk appetite
framework. Setting enterprise-wide risk appetite is a necessary step that enables a board to identify a
firm’s key risks – and to set limits for those threats. However, to be effective, risk appetite statements
must be developed in ways that are directly actionable for business and risk teams. This is likely why
the risk appetite statement is generally considered the hardest part of any Enterprise Risk
Management implementation. Further still, translating risk appetite statements into action is another
obstacle. Limits or Key risk indicators (KRIs) establish risk guideposts throughout the year, but those
metrics can at times be disconnected from the risk appetite statement.

Another important challenge to note is that, at banks or financial institutions, setting risk appetite for
financial risks is an extensive, regulatory-driven practice to manage risks to the balance sheet, profit-
and-loss statement, and cash flows. The objective is to limit the credit, market, and liquidity risk
capacity of financial assets and liabilities in relation to capital and funding. At the same time, executives
need to trade off allocation of scarce capital and funding with risks to optimize returns, which are
measured by the return on equity and risk-adjusted capital. For non-financial or operational risks,
setting risk appetite is a much more elusive and theoretical concept than for financial risks. This is
because operational risk is pervasive, managed across the organisation and is often just a consequence
of operating the business. In addition, operational risk has been more difficult to quantify than market
and credit risk, and besides (imperfect) capital measures there is no ‘common currency’ for operational
risk. As a result, senior management teams are frequently challenged by the mandate to define and
express operational risk appetite in a way that is understood and accepted across the organisation and
can be used to guide business decisions.

Given the challenges in the foundational elements of risk appetite, it is immediately evident that
prescribing or allocating limits in a group wide structure will be no easier feat. The purpose of this
paper is therefore the following:

• To revisit the concept of risk appetite

• Establish clear terminology and understanding of important definitions
• Describe a risk appetite framework
• Explain the purpose of Risk Appetite Statement
• Outline the principles and content of a consistent framework
• Consider different approaches to aggregation
• Provide suggestions to cascade risk tolerances and limits
• Present case studies of examples used by leading financial institutions

Furthermore, without clearly defined, measurable tolerances or limits the whole risk cycle and any risk
framework is arguably at a halt

3
Risk appetite statements have become the norm in banking – but there remains considerable variation
in the implementation of these statements across the financial services industry.

What is Risk Appetite

The Financial Stability Board (FSB) defined risk appetite succinctly as an articulation of “the aggregate
level and types of risk that a financial institution is willing to accept, or to avoid, in order to achieve its
business objectives…It should also address more difficult to quantify risks such as reputation and
conduct risks as well as money laundering and unethical practices”1

A clear risk appetite statement is crucial for effective enterprise risk management (ERM) as it provides
guidance and parameters for decision-making and risk-taking within an organisation. Furthermore, it
is a key component in a proactive and adaptable corporate strategy. Organisations can navigate
uncertainty more effectively by using risk appetite as a guiding set of principles as they make strategic
decisions that position them for success in today’s unpredictable world.

Clearly defining risk appetite enables an organisation’s leaders to identify and prioritise potential risks,
establish limits and thresholds, and allocate resources effectively.

The Risk Universe

Risk appetite is closely related to other concepts and components within an organisation’s risk
universe:

• Risk profile — Snapshot of an organisation’s risk portfolio at a specific point in time. It is crucial
for the risk profile to align with the business model and strategy of the organisation.

• Risk capacity — Quantifies the maximum amount of risk an organisation can prudently handle,
given its resources and financial capabilities. The organisation will not be able to sustain losses
beyond its capacity, as it will become insolvent. It is the absolute maximum loss a company is
able (not just willing) to take on.

• Risk tolerance — The quantitative expression of risk appetite but expressing the same level of
risk taking applied to specific risk categories, business units or products. Certain risk tolerances
are policy limits that should not be breached (hard limits) while other risk tolerances are
trigger points for risk reviews and mitigation (soft limits). Whereas risk appetite is a strategic
determination based on long-term objectives, risk tolerance can be seen as a tactical approach
to manage risk within established parameters. Risk tolerance is defined within the context of
the related objective using the metrics in place to measure performance against that objective.
Term is used interchangeably with risk limits.

When taken together, these elements align strategic aspirations with risk-taking capabilities to create
a comprehensive framework that guides an organisation’s approach to risk management.

1
r_131118.pdf (fsb.org)

4
Risk Appetite Framework
The Risk Appetite Framework (RAF) is the overall approach, including policies, controls and systems,
through which risk appetite is established, communicated and monitored.

A RAF should generally be composed of four main parts:

• Risk Spectrum: A consistent expression of the scale of risks. Defining and interpreting appetite
both in terms of approach (averse, neutral, tolerant etc.) and aligning appetite with impact.

• Risk Appetite Statement: The Risk Appetite Statement is the Output. It describes the
organisation and/or business unit’s risk appetite for each principal risk type separately. (N.B. a
Risk Appetite Statement is only needed for important/critical risks. It is not a laundry list.) This
is a combined qualitative and quantitative statement where possible. Note that it is important
to assess regulatory requirements and expectations which would typically serve as minimum
criteria. Furthermore, risk appetite statements are typically communicated at the Level 1
Category2.

• System for risk limits and triggers: The risk quantification & limit system is the methodical
core of risk management that defines the way in which all risk types can be assessed in a
consistent and aggregated manner, which perspectives (in which dimensions) must be
considered, and which KPIs are used to translate risk appetite into operational limits and/or
triggers. Common tools are KRIs (qualitative and quantitative), Limits (qualitative and
quantitative), and Losses (quantitative – post risk materialisation). KRIs and control
requirements can be set at a Level 2 Category as these are more specific and more adapted to
quantitative limits and restrictions.

• Governance system: A governance system assigns clear responsibilities for adjusting risk
appetite and limits, as well as for monitoring, reporting and escalation. As a result, the
organisation is able to respond proactively to potential changes and adjust its own risk
appetite accordingly.

The development and establishment of an effective RAF is an iterative and evolutionary process that
requires ongoing dialogue throughout the financial institution to attain buy-in across the organisation.

The Senior Supervisors Group (SSG)3 outlined key principles and success factors for the RAF, which
include:

• Risk appetite should be aligned to strategy and considered a forward-looking view of an

organisation’s desired risk profile in a variety of scenarios

• Board and senior management should be actively involved, and strong accountability
structures and clear incentives and constraints should be in place

• Risk appetite statements should be operationalised through use of the right level and type of
information, fostering strong internal relationships, and establishing risk limits with actionable
input for risk/business managers

2
See Basel or ORX definitions for Level 1 and Level 2 categories
3
Senior Supervisors Group Report titled “Risk Management Lessons from The Banking Crisis of 2008,” October
21, 2009

5
 • The need for a strong risk culture and “tone at the top"; linkage among the strategy, business
plans, and risk appetite; collaboration between risk management, finance, strategy, and
business units; and the regular assessment of the organisation’s risk profile against risk
appetite.

Designing a Successful Risk Appetite Framework

There is no one universally defined template that will work for all. Below are typical features of risk
appetite frameworks (see Figure 1) from best practices across different sectors and from organisations
of different scales to illustrate possible formats:

• A set of key risk categories that encompass an organisation’s entire risk universe — what it is
facing today and what may occur in the short to medium term.

• A clear link to business objectives.

• Scales used are the same as the organisation’s risk matrix and are clear on the impact
categories (e.g., financial, reputational, or regulatory).

• Quantification of risk appetite per key risk category, when possible.

• A description of the risk appetite, per key principal risk category, which explains the
quantification and the broader organisational context.

• Identification of key risk indicators, threshold warnings, and action limits to support proactive
monitoring.

• Stakeholders who understand how the key risk category fits into the organisational context;
the number of stakeholders impacted by risk determines the amount of focus required.

Figure 1:

6
Purpose of a Risk Appetite Statement
As mentioned above, Risk Appetite Statements are the Output. However, creating an appetite is not
about merely writing a set of statements. While the main purpose is to establish limitations on risk, it
also provides the following important benefits which must be understood and communicated:

• Aligning business strategy with risk management. It involves providing a decision-making tool
to enable prioritisation and the deployment of resources, and to drive considered, risk-based
decisions.

• Developing a common understanding and language for discussing risk at the board,
management, and business levels.

• Promoting risk awareness and enforcing the desired risk culture throughout the organisation.

• Integrating risk appetite with other ERM tools, including RCSAs, KPIs, KRIs, Economic Capital
and Stress Testing.

• Meeting the needs of external stakeholders (e.g. regulators, investors, rating agencies) for risk
transparency, soundness and sustainability.

N.B. The right risk appetite is one that maximises risk vs reward and not the one that only limits
downside risk. Therefore, opportunity and seeking risk within risk profile to maximise that opportunity
is the ultimate objective. This important distinction must be made clear from the outset and is the
primary driver of the “purpose”.

Features of an effective Risk Appetite Statement

The FSB recommends that an effective risk appetite statement4 should:

• Include key background information and assumptions that informed the financial institution’s
strategic and business plans at the time they were approved;

• be linked to the institution’s short- and long-term strategic, capital and financial plans, as well
as compensation programs;

• establish the amount of risk the financial institution is prepared to accept in pursuit of its
strategic objectives and business plan, taking into account the interests of its customers (e.g.
depositors, policyholders) and the fiduciary duty to shareholders, as well as capital and other
regulatory requirements;

• determine for each material risk and overall the maximum level of risk that the financial
institution is willing to operate within, based on its overall risk appetite, risk capacity, and risk
profile;

• include quantitative measures that can be translated into risk limits applicable to business lines
and legal entities as relevant, and at group level, which in turn can be aggregated and
disaggregated to enable measurement of the risk profile against risk appetite and risk capacity;

4
r_131118.pdf (fsb.org)

7
 • include qualitative statements that articulate clearly the motivations for taking on or avoiding
certain types of risk, including for reputational and other conduct risks across retail and
wholesale markets, and establish some form of boundaries or indicators (e.g. non-quantitative
measures) to enable monitoring of these risks;

• ensure that the strategy and risk limits of each business line and legal entity, as relevant, align
with the institution-wide risk appetite statement as appropriate; and

• be forward looking and, where applicable, subject to scenario and stress testing to ensure that
the financial institution understands what events might push the financial institution outside
its risk appetite and/or risk capacity.

Although developed in 2013, these principles still serve as guiding measures for many institutions. On
a simpler note, the following is also advised to more simply benchmark the effectiveness of a risk
appetite statement.

• Easy to understand; this is crucial for subsequent embedding of risk appetite in the
organisation.

• Provide a definition of the risk sub-type; important to avoid second-guessing of what is

included.

• Contain a link to strategic objectives; this sounds like an obvious point it is still quite common
for statements with no direct reference to strategy, objectives or business plans.

• Outline accountability, which will include a risk owner, subject matter expert or relevant
committee.

• Reference to KRIs and key controls; thereby validating the statement to set clear expectations.

• Contain a response framework, stating the consequences of breaching the appetite.

Roles & Responsibilities

Governance is a necessary condition for effective risk appetite structures, and policies and procedures
must define what to do and who is accountable for various actions.

The process of developing, implementing, and renewing a comprehensive Risk Appetite Statement
(RAS) framework should involve key stakeholders from every level of the organisation. Essentially, this
would happen through a collaborative process between top management, the Board, and the CRO
team acting as facilitators and overseers. Figure 2 provides a summary of the main roles and
responsibilities for the business units, executive management, and the board. The Risk Appetite
Statement itself should document specific roles and responsibilities for carrying out the risk policy,
including reporting and exception-management processes as previously mentioned.

8
Figure 2

Top-Down and Bottom-Up Approaches to Risk Appetite

Risk management theory states that risk appetite must be defined top-down, beginning with the
board, with risk exposure allocated to the different businesses and translated into the corresponding
risk management measures at different levels of the organisation. This is also the approach recognised
by regulators and risk institutes.

However, it is worth noting that there is an alternative view, namely bottom-up. It is based on the
premise that risk appetite is the sum of what you are doing. Defining risk appetite bottom-up will
create risk appetite statements that reflect the accepted level of risk taking in a firm, which can then
be observed in business practices and policies. But this method is useful in well-controlled and risk
mature environments. It is often recommended in mid-size organisations (size complicates bottom-up
exercises) that have generally well documented and controlled business operations but find it difficult
to describe their risk appetite.

The purpose of this section is to make transparent the alternative approaches available. Though for a
standard in a more complicated setting, top-down is considered the preferrable approach.

Cascading Risk Tolerances and Risk Limits

Overview
One of the main challenges in formulating risk appetite is translating it into meaningful practice, which
essentially means identifying levels of tolerance and prescribing limits across an organisation. There is
no universally accepted method to risk allocation. The process varies by organisation and is heavily
dependent on bank size and familiarity with risk appetite program and capital allocation concepts.
Regardless of the approach selected, the method applied should be meaningful to the bank and meet
management and key constituent objectives.

For small to medium-sized organisations where the same senior executives sit at the table taking most
of the relevant business and operational decisions, a single top-of-the-house appetite is sufficient. For
larger firms with multiple lines of hierarchy or international presence, the appetite needs to be

9
disseminated and translated at lower levels of the organisation, typically either based on business
entity or business line.

• Business lines, usually at a global level, require a risk appetite statement which is cascaded
from the corporate/parent statement.

o Quantitative limits are then allocated to the business based on various parameters
including their revenue share. For example, the threshold for the overall expected loss
amount can be split into lower sub-component limits attributed to various businesses.

o Qualitative indicators may apply in exactly the same way (for example, conduct,
people, or fraud-related indicators); with business units being given identical or more
restrictive thresholds. Some measures may be relevant to a specific area only; for
instance, rogue trading metrics will be monitored by the markets business only and
will not apply to other business lines.

• Material group entities, in particular, subsidiaries or legal entities that operate with their own
board of directors, will also need to develop their own appetite, for approval by their board.
The entity’s appetite statement will represent a hybrid cross-over between the business lines
operating out of that entity alongside a cascade of the corporate/parent statement.

• Industry research has shown that it is more common to allocate risk limits to principal risks
firstly and/or business units secondly. It is less common to allocate to legal entities,
furthermore these are only to material legal entities.

• Statements need to operate consistently at a consolidated level and at a sub-strata level.

• When allocating it is important to consider the level of risk category as previously mentioned.

• A response framework needs to be in place within both the business lines and the entities.

As previously mentioned, the ultimate responsibility for approving the appetite lies with the board of
directors of the organisation. The second line risk function plays a crucial role in developing the
approach; articulating the firm’s position; working with subject matter experts and risk owners to make
sense of the framework; and proposing statements and thresholds.

Enterprise Approach
An effective Risk Appetite Statement (RAS) should provide a “cascading” structure of risk exposures
and limits at the board, executive-management, and business-unit levels. This structure allows for
drilling down to underlying exposures (e.g., “What business activities make up our strategic risk
exposure to Turkey?”). Similarly, this structure permits aggregation of business-level or legal entity
exposures upward to the enterprise level (e.g., “What is our total net credit exposure to UBS across
the entire enterprise?”). The level of detail visible for each metric depends on the needs of the specific
audience (i.e., board, corporate management, or business unit). The RAS would be at its most dynamic
at the business level, where managers may choose to make changes based on risk/return opportunities
while respecting board- and management-level risk tolerances.

There are many ways to determine risk tolerances. It is up to each organisation to determine which
ones work best. The list below offers some approaches that an organisation may take to determine
risk tolerance levels. Sometimes, a blended approach is best. For example, one may initially set a risk
tolerance level using statistical analysis (95% confidence level observation) and then adjust it up or
down according to management judgment.

10
 1. Board and management judgment

2. Percentage of earnings or equity capital

3. Regulatory requirements or industry benchmarks (e.g. capital requirements, Basel III)

4. Impact on the achievement of business objectives

5. Stakeholder requirements or expectations

6. Statistics-based (e.g., 95% confidence level based on historical data)

7. Model-driven (e.g., economic capital, scenario analysis, stress-testing)

Certain types of risk metrics can readily be aggregated across the organisation, while others are unique
to specific business and operational units. Since the board and executive management RAS reports are
focused on strategic and enterprise-wide risks, the risk metrics that can be aggregated should be well
represented in these reports. Furthermore, the focus as previously noted is solely on principal risks
that are material. Examples of metrics include:

• Earnings-based, including earnings-at-risk and unexpected earnings volatility.

• Value-based, including shareholder value-added and market/book ratios.

• Loss-based, such as actual losses, operational loss-to-revenue ratios, stress-testing, or

scenario-based losses.

• Cash-flow-based, such as cash-flow-at-risk and liquidity-coverage ratios.

• Financial risk metrics, including market risk and credit/counterparty risk exposures.

• Number of incidents, such as policy exceptions, cyberattacks with business impact, and legal
and regulatory issues.

• Key stakeholder metrics, such as retention of high-performance employees or levels of

customer satisfaction.

Finally, the RAS should provide a “common language” for the ERM program. This would consist of a
glossary of relevant business or technical terms and acronyms as well as a data dictionary that
describes each risk metric, how it is calculated, where the underlying data is generated, and why it is
included.

Allocating Risk Limits

After setting enterprise-level risk limits, the next step is to allocate these limits to the various business
units and/or material legal entities within the banking group. Remember the lower-level limits should
be derived from those above to enable aggregation unless there is something specific or unique to a
business unit or legal entity that must be captured solely within that level but expressed at an
enterprise level. This allocation is typically done based on a blend of the following factors:

• Risk Capacity: The ability of each business unit/material legal entity to absorb losses without
jeopardizing the bank's financial stability.

• Strategic Importance and Revenue Based Allocation: The role of each business unit/material
legal entity in achieving the bank's strategic objectives as well as proportion of revenue or
assets managed.

11
 • Economic Capital: Similar to the above point, economic capital is often a method to determine
allocation though this is largely for quantitative metrics such as Credit Risk and Market Risk.

• Risk Profile: The inherent risk associated with the activities of each business unit/material
legal entity.

• Historical Performance: Past risk events and loss experiences in each business unit/material
legal entity.

• Regulatory Requirements: Specific regulations that may apply to different business

units/material legal entity, such as capital adequacy requirements for trading desks.

• Scenario Analysis & Stress Testing: Examines potential future events, such as economic
downturns, changes in interest rates, or geopolitical risks, and assesses their impact on each
business unit or legal entity. This helps determine which units need tighter risk limits. Similarly,
stress testing involves creating extreme but plausible scenarios to test the resilience of each
business unit. Units that are more resilient under stress might be allocated higher risk limits.

• Expert Judgement: Expert judgment from senior management, risk committees, and other
stakeholders plays a critical role in the final allocation process. While quantitative measures
may form the backbone of risk limit allocation, expert judgement is a crucial element that
cannot be discounted particularly for qualitative assessments.

Examples:

Market Risk

Let's assume the bank has set an enterprise-level VaR limit of 1.5% of total capital for market risk. This
limit must now be distributed among the business units that engage in market risk activities, such as
investment banking, treasury, and asset management.

• Investment Banking: Given its high exposure to trading and market-making activities, it might
be allocated a higher proportion of the market risk limit, say 0.8% of the total capital.

• Treasury: Responsible for managing the bank’s liquidity and investments, the treasury unit
might be allocated 0.5% of the total capital for market risk.

• Asset Management: Typically involved in managing client portfolios with a more conservative
risk approach, it might be allocated 0.2% of the total capital for market risk.

These allocations should be regularly reviewed and adjusted based on changes in market conditions,
business strategy, and the performance of each unit.

Operational Risk

• Quantitative Measures

Enterprise Level: The bank sets a KRI that operational system downtime should not exceed 0.1%
annually.

Allocation to Legal Entities: If a subsidiary has critical operations accounting for 50% of total bank
transactions, the downtime tolerance for that subsidiary might be 0.05% annually.

• Qualitative Measures (Money Laundering example)

Enterprise Level:

12
 • Compliance Culture: The bank mandates a strong anti-money laundering (AML) culture where
all employees are aware of the importance of compliance with AML regulations.

• Training and Awareness: All staff, especially those in high-risk areas, must undergo regular AML
training.

• Customer Due Diligence (CDD): Entities must implement rigorous CDD and Know Your
Customer (KYC) processes, with additional scrutiny for high-risk customers.

• Governance and Oversight: The bank’s risk appetite includes robust oversight mechanisms,
such as the establishment of a dedicated AML compliance team in each legal entity.

Allocation Across Legal Entities:

• High-Risk Entities: In regions with higher AML risks (e.g., jurisdictions with weaker regulatory
environments), the qualitative measures might include mandatory enhanced due diligence
(EDD) for all new clients, more frequent audits, and closer oversight by the central AML
compliance team.

• Lower-Risk Entities: In well-regulated jurisdictions, the focus might be on maintaining the

standard AML procedures but with periodic reviews to ensure no complacency.

Case Studies
HSBC
The extract below is the enterprise-wide Risk Appetite Statement from HSBC Risk Review published in
20235.

Our risk appetite encapsulates the consideration of financial and non financial risks. We define
financial risk as the risk of a financial loss as a result of business activities. We actively take these types
of risks to maximise shareholder value and profits. Non-financial risk is the risk to achieving our
strategy or objectives as the result of failed internal processes, people and systems, or from external
events. Our risk appetite is expressed in both quantitative and qualitative terms and applied at the
global business and regional levels, and to material operating entities. Every three years, the Group
Risk and Compliance function commissions an external independent firm to review the Group’s
approach to risk appetite and to help ensure that it remains in line with market best practice and
regulatory expectations. This review was last carried out in 2021 and confirmed the Group’s risk
appetite statement (‘RAS’) remains aligned to best practices, regulatory expectations and strategic
goals. Our risk appetite continues to evolve and expand its scope as part of our regular review process.
The Board reviews and approves the Group’s risk appetite regularly to make sure it remains fit for
purpose. The Group’s risk appetite is considered, developed and enhanced through:

• an alignment with our strategy, purpose, values and customer needs

• trends highlighted in other Group risk reports;
• communication with risk stewards on the developing risk landscape;
• strength of our capital, liquidity and balance sheet;
• compliance with applicable laws and regulations;

5
240221-risk-review-2023-ara.pdf

13
• effectiveness of the applicable control environment to mitigate risk, informed by risk ratings from
risk control assessments;
• functionality, capacity and resilience of available systems to manage risk;
• and– the level of available staff with the required competencies to manage risks.

We formally articulate our risk appetite through our RAS. Setting out our risk appetite helps ensure
that we agree a suitable level of risk for our strategy. In this way, risk appetite informs our financial
planning process and helps senior management to allocate capital to business activities, services and
products.

The RAS is applied to the development of business line strategies, strategic and business planning, and
remuneration. At a Group level, performance against the RAS is reported to the Group Risk
Management Meeting alongside key risk indicators to support targeted insight and discussion on
breaches of risk appetite and any associated mitigating actions. This reporting allows risks to be
promptly identified and mitigated and informs risk-adjusted remuneration to drive a strong risk
culture.

Each global business, region and material operating entity is required to have its own RAS, which is
monitored to help ensure it remains aligned with the Group’s RAS. Each RAS and business activity is
guided and underpinned by qualitative principles and/or quantitative metrics.

We recognise the importance of a strong culture, which refers to our shared attitudes, beliefs, values
and standards that shape behaviours including those related to risk awareness, risk taking and risk
management. All our people are responsible for the management of risk, with ultimate supervisory
oversight residing with the Board. Our risk appetite defines the level and types of risk that we are
willing to take, while informing the financial planning process and guiding strategic decision making.

The following principles guide the Group’s overarching appetite for risk and determine how our
businesses and risks are managed.

Financial position

– We aim to maintain a strong capital position, defined by regulatory and internal capital ratios.

– We carry out liquidity and funding management for each operating entity on a stand-alone basis.

Operating model

– We seek to generate returns in line with our risk appetite and strong risk management capability.

– We aim to deliver sustainable and diversified earnings and consistent returns for shareholders.

Business practice

– We have no appetite for deliberately or knowingly causing detriment to consumers, or incurring a

breach of the letter or spirit of regulatory requirements.

– We have no appetite for inappropriate market conduct by any member of staff or by any Group
business.

– We are committed to managing the climate risks that have an impact on our financial position and
delivering on our net zero ambition.

– We consider and, where appropriate, mitigate reputational risk that may arise from our business
activities and decisions.

14
– We monitor non-financial risk exposure against risk appetite, including exposure related to
inadequate or failed internal processes, people and systems, or events that impact our customers or
can lead to sub-optimal returns to shareholders, censure, or reputational damage.

Enterprise-wide application

Our risk appetite encapsulates the consideration of financial and non financial risks. We define
financial risk as the risk of a financial loss as a result of business activities. We actively take these types
of risks to maximise shareholder value and profits. Non-financial risk is the risk to achieving our
strategy or objectives as the result of failed internal processes, people and systems, or from external
events.

Our risk appetite is expressed in both quantitative and qualitative terms and applied at the global
business and regional levels, and to material operating entities. Every three years, the Group Risk and
Compliance function commissions an external independent firm to review the Group’s approach to
risk appetite and to help ensure that it remains in line with market best practice and regulatory
expectations. This review was last carried out in 2021 and confirmed the Group’s risk appetite
statement (‘RAS’) remains aligned to best practices, regulatory expectations and strategic goals. Our
risk appetite continues to evolve and expand its scope as part of our regular review process.

The Board reviews and approves the Group’s risk appetite regularly to make sure it remains fit for
purpose. The Group’s risk appetite is considered, developed and enhanced through:

– an alignment with our strategy, purpose, values and customer needs

– trends highlighted in other Group risk reports;
– communication with risk stewards on the developing risk landscape;
– strength of our capital, liquidity and balance sheet;
– compliance with applicable laws and regulations;
– effectiveness of the applicable control environment to mitigate risk, informed by risk ratings from
risk control assessments;
– functionality, capacity and resilience of available systems to manage risk; and
– the level of available staff with the required competencies to manage risks.

EBRD
The extract below is a snapshot of EBRD’s Operational and Reputational Risk Appetite Statement6.
Furter details and a breakdown of other risks and metrics can be found in the report.

6
1723794933548 (licdn.com)

15
Common Challenges and Good Practices
• Losses Only: Previously, risk appetite was defined via a limit on aggregate losses. While this is a
good start, quantitative measures alone are insufficient as they are typically backward-looking and
do not provide guidance on behaviours. They need to be supplemented with descriptive
statements and qualitative key risk indicators.

• Zero Tolerance: A declaration of zero tolerance frequently features in the narrative. However, this
does not apply to reality. If the firm has zero tolerance for fraud, it may as well consider exiting the
business because some instances of fraud will inevitably occur. A better approach to the language
would be to state the firm/bank has a risk-averse approach to financial crime, and aims to mitigate
the risk by maintaining a robust control environment, while also recognising that occasional
instances of fraud may occur.

• Use of distributions and percentiles: Bringing statistics into this domain is not always helpful.
Probability of loss at % confidence level statements will not easily be understood or actionable.

• Stakeholders not engaged: Engagement at multiple levels of the organisation is critical to success.
All relevant parties have responsibilities, and more importantly, bring a different perspective or
expertise. This exercise is a collaborative effort.

• Benchmark with industry peers: Risk Appetite Statements are, to an extent, publicly available. It
is very useful and recommended to compare against those published.

• Language easy to understand: Statements do not have to be over-complicated. On the contrary, if

they can be explained simply enough for every employee to understand then the employees can
read, understand and make concerted efforts to comply with them.

16
Final Thoughts
The Risk Appetite Statement establishes a board-approved policy that aligns the organisation’s risk
tolerances with strategic objectives, risk profile, and risk management capabilities. It is a foundational
component of an effective ERM program. For the board, executive management, and business and
operational staff, the RAS addresses a central question: “How much risk are we willing to accept to
pursue our business objectives?”

Improving a risk appetite and tolerance framework is an ongoing and dynamic process that requires
feedback, learning, and adaptation. You should solicit and incorporate feedback from your board,
senior management, and other stakeholders on the effectiveness and relevance of your framework.

Disclaimer:

This document is intended for informational and educational purposes only. The views and opinions
expressed here are those of the authors and do not necessarily reflect the official policy or position of
any financial institution, regulatory body, or professional organisation.

This document does not constitute legal, financial, or investment advice. Readers should not rely solely
on the information provided herein for making financial or business decisions. The content is not
intended to replace professional consultation or advice tailored to your specific circumstances.

While every effort has been made to ensure the accuracy of the information provided, the authors and
publishers make no representations or warranties, either express or implied, regarding the
completeness, accuracy, reliability, or suitability of the information contained in these articles.

The authors and publishers disclaim any liability for any direct, indirect, or consequential loss or
damage arising from reliance on the information contained within these articles. Always seek the
advice of a qualified professional with any questions you may have regarding risk management or other
financial topics.

17