RMA GUIDANCE NOTE #2
OPERATIONAL
RISK APPETITE
July 2014
Operational Risk Appetite  |  RMA Guidance Note #2  |  2
CONTENTS
1. Introduction (page 4)
2. Key definitions (page 5)
3. Operational Risk Appetite: Objectives, Benefits and Critical Success Factors (page 6)
4. Components of Operational Risk Appetite Statements (ORAS) (page 8)
5. Operational Risk Appetite formulation, implementation and governance (page 11)
– Operational Risk Appetite formulation principles (page 11)
– Operational Risk Appetite formulation process (page 12)
– Operational Risk Appetite implementation (page 18)
– Operational Risk Appetite Governance (page 22)
Appendices
A. Example of Operational Risk Appetite Statements (page 24)
B. Roles & Responsibilities (page 27)
C. Acknowledgements (page 28)
Version 1.0, issued 4 July 2014: Final and approved version.
© 2014 Risk Management Association Inc (Vic), ABN 95 057 024 197
PO Box 20468, World Square, NSW 2002  Phone: 0403 170 792  Email secretariat@rmaaustralia.org
www.rmaaustralia.org
Disclaimer
The Guidance Note does not intend to prescribe a way of formulating Operational Risk Appetite; the information contained in this document is intended only to
provide some suggestions based on industry experience, and considerations that should be given in implementing this management tool. It is not intended
to be comprehensive. It does not constitute, nor should it be treated as, legal advice or opinions. Users are encouraged to obtain professional advice about the
application of any legislation or standard relevant to their particular circumstances and to exercise their own skill and care in relation to any material contained in
this guide.
The RMA Australia accepts no liability for any loss suffered as a result of reliance on this publication. This document has been published without prejudice.
The information contained herein is current as at the date of this document.
You may download, display, print and reproduce this material in unaltered form only (retaining this notice) for your personal, non-commercial use or use within
your organisation.
FOREWORD
Following the successful release of the Risk and Control
Self Assessment Guidance Note in March 2013, the RMA
Interbank Operational Risk Forum agreed to prepare the
next industry Guidance Note on Operational Risk Appetite
(ORA). This subject matter was selected for a number of
reasons, the main factor being that a majority of Australian
Financial Institutions are facing the challenge of maturing
their existing Operational Risk Appetite Statements. To
this end the Interbank Operational Risk Forum agreed
to establish a working group to document a combined
industry approach on defining, developing, setting and
implementing operational risk appetite. We hope that the
accompanying document can serve in supporting member
organisations in developing and rolling out their own
tailored approach.
The Guidance Note is not intended to be prescriptive in the
manner in which an organisation should develop its risk
appetite. Rather, it provides some guidance and practical
examples to assist organisations in the development
and implementation of ORA, given their size and level
of maturity.
This guidance note has been the culmination of
collaboration between 24 dedicated operational risk
professionals across 12 member banks. The sharing of
their collective knowledge and their contribution to the
principles and processes of this guidance note has been
an extremely rewarding journey for all involved. In addition,
this exercise has continued to grow and strengthen the
network of operational risk professionals across the
Australian banking fraternity, and I have personally enjoyed
the interactions, learning and friendships that developed
during this project.
In closing, I would like to personally thank RMA Australia for
their continued support and commitment to our Interbank
Operational Risk Forum and PwC for their professional
advice and significant work in facilitating and guiding the
discussion and debate along the way. I would also like
to thank the Editorial Committee for their unbridled work
in collating and consolidating the work of the syndicate
groups, and finally to each of the member banks and their
representatives for their contribution and commitment to
developing this Guidance Note.
Regards
Ian Falls
Chair, RMA Interbank Operational Risk Forum
1 INTRODUCTION
The Interbank Operational Risk Forum, under the
sponsorship of Risk Management Association (RMA)
of Australia, established an Industry Working Group
to develop this Guidance Note on Operational Risk
Appetite (ORA).
For many Banks, ORA is a fundamental component of their
Operational Risk Management Framework (ORMF), and
provides guidance on the amount of risk the organisation
is willing to accept and the boundaries within which its
employees must operate. However, the challenge has been
to bring this concept to life and to make ORA meaningful
for the business.
ORA is often thought of through the sporting analogy of
‘staying within the field of play’, that is, operating within
clear and predefined boundaries. This analogy is also
relevant for businesses, which need to be able to deliver on
their strategic objectives without taking undue risk.
The objective of this Guidance Note is to produce industry
relevant guidance for financial services organisations on
the defining, setting and use of risk appetite as a key
component of their management of operational risk.
The ORA Guidance Note outlines the:
•	 Objectives for and benefits of having an ORA.
•	 Critical success factors.
•	 Method for developing ORA.
•	 Building blocks for formulating ORA.
•	 Implementation and Use of ORA.
•	 Purpose and application of Governance.
This Guidance Note is not prescriptive, nor will it
provide standardised templates. Rather it will outline
the foundations needed to enable financial services
organisations to develop and tailor ORA for their
organisation, at their level of maturity.
2 KEY DEFINITIONS
Definitions of typical Risk Appetite terms will often differ between institutions and as a result the same term may have a different meaning. For the purposes of this Guidance Note, the following definitions apply.
Operational Risk: The risk of direct or indirect loss resulting from inadequate or failed internal processes, people and systems or from external events.
Risk Appetite: The amount and type of risk that an organisation is prepared to seek, accept or tolerate in the pursuit of its long term objectives.
Risk Appetite Statement: A collection of individual statements within a single document; the term can also refer to the overall document.
Risk Capacity: The maximum resources (financial and non-financial) the organisation has available to pursue its objectives.
Risk Culture: Describes the values, beliefs, knowledge and understanding of risk commonly shared by individuals within an organisation that then informs and governs their actions and behaviours.
Risk Measure: Metric used to express the organisation’s tolerance for a risk. It may be expressed in a quantitative or qualitative form.
Risk Profile: Point in time assessment of the financial institution’s gross and, as appropriate, net risk exposures (after taking into account mitigants) aggregated within and across each relevant risk category based on forward looking assumptions.
Division: Used as a general reference to denote divisions, business units, business lines etc.
3 ORA: OBJECTIVES, BENEFITS AND CRITICAL SUCCESS FACTORS
Risk Appetite is about more than just writing a series of risk appetite statements. The real value is demonstrated when risk appetite sets clear boundaries that assist Management to prioritise and deploy resources in the pursuit of their strategic objectives, while not exceeding the organisation’s prescribed level of risk.
OBJECTIVES
The objectives for the formulation, implementation and use of risk appetite are three-fold:
•	 Set clear expectations on how much risk is appropriate to take in the pursuit of the organisation’s strategic objectives.
•	 Provide Management with a tool for effective decision making through the articulation of minimum standards, ‘acceptable’ activities and corresponding metrics and limits.
•	 Establish a benchmark against which to measure, monitor and report on operational aspects of business performance.
Organisations that define and use ORA should expect to realise some of the following benefits as ORA is implemented and its use and application matures over time.
BENEFITS
Support, reinforce and meet strategic targets
ORA supports on-going decision making in due diligence activity, new product approval processes and key business objectives. This use of ORA provides a means of assessing the level of risk being introduced and whether that level of risk is appropriate for the organisation.
EXAMPLE: Where a change requires geographic expansion, does the ORA support such a move?
EXAMPLE: Where outsourcing/offshoring forms part of an organisation’s strategy, the ORA can outline the activities for which outsourcing/offshoring can be used to provide support.
Generate efficiencies and improved cost management
ORA provides Management with a benchmark against which to measure, monitor and report on operational aspects of business performance. Such monitoring and reporting provide Management with greater insight into business capability, capacity and vulnerabilities on the current and forecasted risk and control environment, and highlight where action is required to ‘dial up’ or ‘dial down’ risk and controls.
These insights aid Management to determine an appropriate course of action and act to seek efficiencies and optimise investment in the control environment to generate cost savings. Considerations that drive the scale, depth and sustainability of the response include the urgency posed by the risk and the degree to which acceptable limits have been breached.
When faced with these decisions, ORA provides management with a tool for effective and efficient decision making without the need for unnecessary escalation.
Prioritisation of investment spend
Articulation of ORA assists in prioritisation of business
initiatives and the corresponding investment spend. When
aligned with a risk acceptance process, risks considered
outside of risk appetite are escalated for management
attention. Where insufficient funding is available to address
key remedial initiatives, management is prompted to review
their program of funding and determine if and where re-prioritisation/re-allocation of funding is required.
Extract more value from existing risk and other
supporting frameworks
The formulation and use of ORA creates a direct link
between management activity, Risk Control Self-
Assessment (RCSA) and capital. The existence of this
link provides the foundation to set operational policy
and to develop associated procedures and guidance.
Through these mechanisms adverse behaviours and poor
performance can be identified, and the ‘right’ behaviour
incentivised to drive good risk culture.
Strong risk culture
ORA strengthens an organisation’s risk culture by setting
clear expectations for the management of operational
risk. Cultural maturity is a function of how well the
Board, relevant risk committees, Divisional leaders and
staff understand and embrace the organisation’s risk
management processes and systems and apply these in
day to day business activities and decision making.
CRITICAL SUCCESS FACTORS
Several factors contribute to the successful formulation and
implementation of ORA. These include:
Support of the Board
Tone from the top underpins the successful implementation
of ORA. The Board needs to be engaged early and play
a significant role in the formulation of the organisation’s
ORA. If the Board is indifferent about the organisation’s
ORA, then this attitude will most likely permeate throughout
the organisation.
Knowledge of the organisation’s strategy and internal
and external factors
A thorough knowledge of the organisation’s strategy,
internal and external operational risk drivers, the business
environment and risk profile are minimum requirements to
define ORA. This is critical because the implementation
of ORA is most effective when it is integrated with
existing strategic planning /budgeting and capital
management processes.
Established ORMF
The organisation must have in place a functional ORMF
in order to:
•	 Provide a clear definition of operational risk, its
inclusions and exclusions (i.e. inclusion of compliance
within the definition of operational risk, or not) that is
uniformly understood by all stakeholders.
•	 Ensure that material risks and the associated control
environments are identified, measured, managed and
monitored. An understanding of the organisation’s
material risks is a minimum requirement to set ORA.
•	 Integrate ORA into the organisation’s policies and
procedures, code of conduct, and any other relevant
guidance governing the behaviour of its people and the
performance of business activities.
Governance Structure
Governance structures established under the organisation’s
ORMF must be well defined to enable effective oversight
and governance of ORA. The effective operation of these
governance structures is dependent on risk management
systems and tools to support the monitoring of ORA.
Ideally these should be in place prior to the formulation
of the ORA.
Defined accountability for Operational
Risk Management
The use and application of ORA depends on a clear
understanding across the organisation of accountabilities
and role and responsibilities as they relate to ORM. For
example, accountability for the consideration of ORA in
strategic and capital management planning needs to be
defined. The effective execution of these accountabilities
should be subject to oversight and challenge in
accordance with the requirements of the organisation’s
governance framework.
4 COMPONENTS OF OPERATIONAL RISK APPETITE STATEMENTS (ORAS)
The form and composition of the ORAS will be influenced by the organisation’s risk management philosophy and the nature of the operational risks it faces. While there are many different formats and styles for ORAS, the content needs to support the organisation’s understanding of its material operational risks and clearly define the parameters within which it expects these risks to be managed.
The key areas of operational risk, for which the organisation or Division wishes to articulate an appetite, should be clearly defined in the ORA. The ORA risk types are reflective of the business’s primary operational risk exposures and its strategic focus, i.e. market segments, customer base, technological capability etc. Specific risks can be grouped into risk categories to support organisational monitoring and reporting.
The following section sets out a list of components (non-exhaustive) that may be incorporated into an ORAS. Appendix A sets out alternative examples for expression of an ORAS.
The content of an ORAS is primarily focused on articulating, for the material operational risks faced, the level of appetite the organisation has for those risks and how they are measured. Key components typically observed in an ORAS include:
•	 Scale: The scale provides a means of qualitatively expressing the organisation’s ORA and establishing the level of appetite for a given risk.
•	 Risk Measures: Are typically used to translate high level qualitative statements into more granular Divisional or risk specific metrics. This enables thresholds or triggers to be established to support early warning and regular reporting on the organisation’s level of risk exposure relative to its risk appetite.
EXAMPLE
ORAS can be documented in many formats and styles and it is up to each organisation to determine the most appropriate approach.
Consideration should be given to the level at which operational risk appetite is expressed. It can be expressed at various levels of the organisation. For example:
1.	At the highest level of the organisation, i.e. as an organisation we have an appetite for operational risk losses not exceeding X% of income.
2.	Expressed in a more granular manner for the organisation’s material risks that are specific to the activities and/or strategic intentions of the business concerned (operational risk, outsourcing, compliance, etc).
3.	Expressed using Basel categories (Internal fraud; External fraud; Employment practices and workplace safety; Clients, products and business practices; Damage to physical assets; Business disruption; Execution, delivery and process management).
4.	Expressed in relation to key areas an organisation considers important to the execution of its strategy. An example would be a Level 1 risk category of ‘Business disruption’ which may articulate a Low risk appetite for continuous disruption to key processes, premises or systems, and then a Level 2 risk type within that category for the Retail Banking operation of ‘key systems availability’ which may require key systems to be available for 99.5% of the time.
Regardless of the level at which appetite is expressed, the following components of Scale and Risk Measures can be used.
SCALE
Using a scale to articulate appetite in the first instance assists in communicating it to a wide audience at all levels of the organisation and provides a point of reference for discussions and decisions around risk choices. In the absence of explicit risk measures a scale provides guidance as to how much risk the organisation is willing to accept.
Key considerations in establishing an effective scale include:
1.	The number of points on the scale. Typically there is a minimum of 4 points and no more than 6 or 8 points on the scale. It is recommended that the scale use an even number (rather than an odd number) of points to prevent a ‘middle’ option, and consequently promote robust discussion and definitive positioning on the scale.
2.	The basis of articulating the points on the scale. Options include numeric (e.g. 1-5) or descriptive (e.g. Very Low, Low, Medium, High) or posture statements (e.g. Expansionary, Conservative) which indicate the level of appetite tolerable in the pursuit of the organisation’s strategic objectives. The basis of expression could be in absolute terms or relative to some benchmark (current state, peers, market levels etc.).
3.	Use of a ‘zero appetite’ level. Typically, this concept is only applied if the risk can be avoided or completely eliminated. If that is not possible due to the nature of the business giving rise to such risks, it is recommended that ‘zero or no appetite’ not be applied.
Examples of alternative scales that may be applied and possible descriptions are detailed below:
Scale Type | Scale | Description
Numeric | 1 | Avoidance of risk as much as possible.
Numeric | 2 | Acceptance of a low return due to an unwillingness to accept risk beyond a limited exposure.
Numeric | 3 | Desire for a balanced approach between risk and reward.
Numeric | 4 | Willing to accept exposure to risk to maximise return.
Descriptive (Absolute) | 1 | Avoid exposure to the risk.
Descriptive (Absolute) | 2 | Minimise/reduce the risk as much as possible.
Descriptive (Absolute) | 3 | Take a balanced approach to risk and controls.
Descriptive (Absolute) | 4 | Willing to pursue (seek/take) risk.
Descriptive (Absolute) Alternative | Very low | Not willing to accept risk or reward.
Descriptive (Absolute) Alternative | Low | Unwilling to accept even a low amount of risk unless it is significantly outweighed by the reward.
Descriptive (Absolute) Alternative | Moderate | Willing to accept some risk if the circumstances include reward.
Descriptive (Absolute) Alternative | Modest | Willing to accept risks commensurate with the potential reward.
Descriptive (Absolute) Alternative | High | Willing to accept a high level of risk in circumstances where there are significant or important rewards.
Descriptive (Relative) | Very low | Willing to accept losses only if they are significantly below industry norms.
Descriptive (Relative) | Low | Willing to accept losses only if they are below industry norms.
Descriptive (Relative) | Medium | Willing to accept losses only if they are within industry norms.
Descriptive (Relative) | High | Willing to accept losses only if returns are above industry norms.
Postures (Relative) | Conservative | Will accept below market returns in order to minimise the risk.
Postures (Relative) | Neutral | Will adopt a risk position that achieves returns in line with market expectations.
Postures (Relative) | Expansionary | Will accept higher levels of risk in pursuit of superior risk-adjusted returns.
RISK MEASURES
Each operational risk type requires a measure to enable the
organisation to determine the level of exposure to that risk
type. Measures may be qualitative or quantitative.
Measures specific to operational risk appetite can include
the level of operational risk capital, the value of operational
risk loss amounts for a given period, scenario analysis
estimates of operational risk exposures, and tolerances or
thresholds on key risk indicators.
The number and type of measures used should be
appropriate to the audience. At the Board level, there tends
to be more focus on qualitative statements of appetite, with
only a small number of key measures used (e.g. operational
risk capital or losses). As the risk appetite is cascaded
down to lower levels of the organisation, the measures
are translated into a larger number of more detailed and
operational metrics, with trigger points aligned to appetite
within the relevant business.
There are potentially hundreds of metrics that can be
identified, and it is important to evaluate which ones
add value and provide a meaningful indicator of the
risk. Consideration should be given as to whether the
measure and underlying data is readily available and can
be produced at a level of frequency that will support the
required degree of monitoring. Furthermore, consideration
should be given as to whether a measure provides a
backward looking view of expected outcomes, or whether
it can provide a more leading indication of potential
unexpected outcomes. There should be a mixture of both
leading and lagging indicators.
The relevance of a measure may also change over time,
and the measures used should be those that are most
relevant to the current business strategy and operational
risk profile.
In some cases it may not be possible to quantify a
measure, for example indicators relating to people, culture
and behaviour will often require a qualitative assessment
based on subjective judgment. These will need to be
monitored using a more qualitative approach. In all cases,
an organisation should be mindful of potential unintended
consequences arising from measuring operational risk
against set tolerances, and should aim to ensure that the
measures it selects drive appropriate behaviours across
the organisation.
The risk measures may change over time as better data
becomes available or more relevant measures emerge.
In turn, this may impact operational risk management and
monitoring practices for the risk concerned and hence alter
the organisation’s appetite for that risk.
5 OPERATIONAL RISK APPETITE FORMULATION, IMPLEMENTATION AND GOVERNANCE
The remainder of the Guidance Note focuses on the principles and processes for formulating, implementing and governing ORA.
OPERATIONAL RISK APPETITE FORMULATION PRINCIPLES
ORA should set the ‘tone from the top’ in terms of the behaviours and expectations of the organisation’s Senior Leaders with respect to its risk culture, norms and attitudes. It should reference and/or be consistent with the organisation’s vision, values, and behavioural norms.
Developing ORA requires a clear understanding of the organisation’s strategy and objectives, including key priorities for the business. This is because the risk appetite defines the risks the organisation is prepared to take and the parameters within which it must operate in pursuing its strategic objectives.
ORA and the measures that are put in place to monitor it should align with the timelines of the strategic business plan and organisational objectives. This ensures that the setting of risk appetite aligns with the timeframes within which the objectives are being undertaken. Differing timeframes could result in excessive or insufficient risk taking and undermine the achievement of strategic objectives.
While it would be repetitive to include them (either in part or by listing them), ORA should make clear that the organisation’s policies and procedures are themselves an articulation of the organisation’s risk appetite. This point is also important in developing policies and procedures: they should be set with reference to the overall ORA of the organisation.
ORA will need to be supported by well-developed measures to give practical guidance as to what is expected within the organisation. For efficiency these should, where possible, leverage organisational Key Performance Indicators (KPIs) and other existing metrics. In turn, the setting of these KPIs and metrics should also take into account ORA.
Some of the measures used will not be ‘additive’ in the sense that they cannot be added up across the individual organisational units to arrive at a whole of organisation view. Staff turnover is one such example. Individual Divisions may have a higher staff turnover metric and still be consistent with the overall organisation wide staff turnover metric. As such it is important to ensure that there is a common understanding as to how these measures are set such that the overall objective is achieved. If done in isolation, the outcome could easily be inconsistent with the intent of the organisation-wide level ORA.
SUMMARY OF KEY PRINCIPLES FOR ORA FORMULATION:
•	 Set ‘tone from the top’ and guide decision making within the organisation.
•	 Align with the organisation’s strategic objectives and its definition of operational risk.
•	 Align with and form part of the strategic planning cycle of the organisation.
•	 Be supported by specific measures which should ensure consistency of risk taking across all levels of the organisation.
OPERATIONAL RISK APPETITE FORMULATION PROCESS
ORA by its nature must be a ‘top down’ statement that establishes a frame of reference for the rest of the organisation. The structure and form of an ORAS can vary significantly from one organisation to the next. It is influenced by who formulates the ORAS and how it is formulated. There is no single way to develop an ORAS, but the following section provides some key steps and a few fundamental approaches in formulating ORA.
Figure 1: ORA formulation process (1 Planning, 2 Conduct, 3 Drafting, 4 Review & Validate, 5 Approve).
1 PLANNING
1.1 Identify supporting information to be considered in drafting the ORAS
Examples of information and supporting data collated in the planning stage include strategy/business plans, existing operational risk profiles, external and internal loss data, emerging risks and the ORMF and policies.
The extent to which these factors influence the ORAS will depend on the level of the organisation at which the ORA is being formulated.
1.2 Stakeholder Engagement: Key to planning the ORA formulation is engagement of key stakeholders
This includes strong engagement with: the Board who will establish the ‘tone from the top’; the Senior Leadership required to apply the ORA in practice; and key business partners who support its application, for example, technology providers, human resources functions and control owners. An example of likely stakeholders to be engaged is set out on page 17.
1.3 Format and use: The form and purpose of the ORA needs to be determined up front
This is influenced by the level in the organisation for which the ORA is being formulated. A Board level statement is set for the whole organisation and should guide the Group in its decision making and risk taking activities. A Division specific or risk specific statement guides decision making in relation to relevant operational activities. In the planning stage, operational risk and ORA should be clearly defined, the linkage to overarching organisational strategy established and the connection with other risk appetite statements made.
1.4 Ownership
Allocation of ownership of the ORA involves determination of: accountability for its maintenance to ensure it is business relevant; and custodianship for administering changes and updates. Typically the Risk Management function is the custodian and the business or Board has accountability for the ongoing application of the ORA, depending on the level at which it is articulated.
CHALLENGES AND CONSIDERATIONS
•	 The availability and quality of data and information required as inputs to ORA formulation.
•	 Timeframes to complete formulation, in particular the time required to engage with key stakeholders. Alignment of the ORA engagement strategy with the existing governance calendars can streamline the process.
2.1 Initial engagement
Engaging with stakeholders is critical to build awareness
and commitment, determine material operational risk
categories and establish initial appetite preferences,
in order to enable risk measures and tolerances to
be established.
2.2 Facilitation
The process for identifying and confirming material
operational risks and risk appetite preferences is typically
facilitated by the Risk Management function (i.e. Group
for Board level ORA and Division Risk Management for
Divisional level ORA). The Risk Management function
is responsible for conducting this phase in accordance
with the project plan, timelines and costs. In large
organisations the Head of Operational Risk would typically
lead discussions/sessions with identified stakeholders
and the Chief Risk Officer (CRO) would have the right of
veto in reviewing the proposed content and structure – for
example, a divergent view of the organisations risk appetite
for external fraud will be settled by the CRO.
In smaller organisations the roles of facilitation of
discussions and challenging business views on risk
appetite might be played by the Head of Risk.
The process for ORA formulation may involve a range of
engagement techniques such as surveys, interviews and
workshops in order to determine and agree the following:
•	 Definition and purpose of ORAS.
•	 Categories of operational risk and risk types that are
material to the organisation or business concerned.
•	 Means of articulating risk appetite, i.e. the scale and risk
measures to be used.
•	 Structure of the statement in terms of articulating both
narrative and associated metrics, or a statement which
is supported by a separate Operational Risk Dashboard
setting out performance against agreed quantitative
metrics and limits that are aligned to each risk category.
•	 Views on the appetite for the operational risks selected.
An example of survey questions that can be used to
facilitate the articulation of risk appetite preferences is
provided on the following page.
2.3 Consolidation and review
The facilitation process leads to: a defined ORA structure
and scope; proposed content; and a determination of the
appropriate level of detail and initial risk appetite positions.
In large organisations a draft ORAS document would
typically be presented to the CRO for discussion and
approval before proceeding to the next phase.
CHALLENGES AND CONSIDERATIONS
•	 Providing education and building awareness of the
value of the ORA in order to generate stakeholder
buy in.
•	 Determining if the defined ORA is representative
of current state or is aspirational. Where a
stakeholder is outlining what appears to be an
unrealistic aspirational view, be prepared to
discuss how this might be attained, resources
that would be required and the likely timeframes
to be within appetite. A key consideration is how
achievable the measures in the ORA are: now, in
1 year, or in 3 years?
•	 Tackling ‘zero’ tolerance: This is often a popular
response when the level of operational risk
appetite is discussed. In most cases this is
unrealistic. Guide stakeholders away from its
use by suggesting other means of framing
risk appetite.
•	 Using the right language: The ORA needs to
be relevant to the business and expressed in
language that the business uses. If the Basel
event types do not resonate with the business,
do not use them.
EXAMPLE ORA SURVEY QUESTION
Examples of the types of questions that might be included in a survey for the development of an
operational risk appetite statement are outlined below:

Governance: Inadequate oversight/governance of critical decisions

1a. Do you consider the inadequate oversight of critical (material) decisions to be a material risk for your
organisation?
Options: Yes / No
Note: The risk is one for which the exposure and management approach should be visible to the Board.

1b. Which of the following represents your view of your organisation’s desired appetite for this risk?
Options: Low Appetite / Medium Appetite / High Appetite
Note: Low – the risk should be minimised, regardless of the cost or capacity constraints associated with the
risk management approach required; OR Medium – the risk can be managed within defined parameters; OR
High – the risk can be increased, if it gives rise to potentially higher returns.

1c. Given the risk appetite option selected, what would be the appropriate risk metric to manage this risk within
your organisation’s risk appetite? Example measures may include the following, or please specify other
measures in the free text box provided.
Options:
•	 Peer reviews on all decisions above a defined threshold
•	 Board approval required for decisions above a defined threshold
•	 Scenario analysis conducted for all material decisions, including downturn or worst case scenario
•	 A set of business actions specified to respond to a defined set of scenarios relating to the decisions
•	 Other performance measure, please define
Note (example responses by appetite level): Low – Board approval required for decisions above a defined
threshold and peer reviews on all decisions above a defined threshold; Medium – Peer reviews on all decisions
above a defined threshold; High – Scenario analysis conducted for all material decisions, including downturn or
worst case scenario.
PHASE 3: DRAFTING
3.1 Objective
Formally articulate risk appetite for operational risk,
determining content, measures and narrative (qualitative
and quantitative), taking into consideration information
gathered during the planning and conduct phase.
3.2 Articulation
Typically, in large organisations the CRO or in small
organisations the Head of Risk is accountable for drafting
the Group RAS. This involves incorporating stakeholder
feedback, validating that the measures are appropriate
(available and measurable) and guiding the document
through the socialisation process.
The CRO/Head of Risk may be the party that reviews the
document and ensures alignment with the key elements
and information captured throughout the planning and
conduct phase. There is also a requirement for the Risk
Management function to identify impacted policies to be
updated to reflect and cross reference the ORA.
Given that decisions with operational risk impacts are not
made in isolation and will depend, among other factors,
on the organisation’s goals and financial situation, the ORA
articulated by an organisation may need to incorporate
consideration of specific risk-return trade-offs. Where
operational risk occurs, the organisation may have a
preferred hierarchy for impact types, for example significant
customer/reputational impacts may be considered less
acceptable than financial impacts. Systemic regulatory
impacts may be the least acceptable.
Once the organisation’s decision-making attributes
are understood, management are better able to make
consistent trade-off decisions. A hierarchy of these decision
preferences can be included as part of the ORA to enable
greater consistency and efficiency in decision making.
Specific trade-off decisions may also be expressly included
in the ORA to allow for transparency and a clear link
between the ORA and strategy. Tolerances may also be set
and monitored to ensure that these trade-off decisions are
made within the parameters expected.
CHALLENGES AND CONSIDERATIONS
•	 Ensuring Division level ORAs do not replicate the
Board level ORA, while also not conflicting with or
exceeding Board level risk appetite statements and
associated measurements.
•	 Ensuring that stakeholder expectations have
been met. Approval will be difficult to gain where
expectations do not align.
•	 Successful application and use of ORA in the
Business relies on the language used to express
appetite being aligned and consistent with the
behavioural outcomes the organisation is looking
to drive.
PHASE 4: REVIEW & VALIDATE
4.1 Reconcile
Reconcile the draft ORA against further feedback provided
by the business and other relevant stakeholders following
formal drafting.
4.2 Validate
A validation exercise should be completed to ensure that
the final draft of the RAS reconciles to:
•	 Strategic objectives.
•	 Policies and procedures.
•	 Culture and organisational values.
•	 Regulatory standards.
Determining how measures will be sourced, from where
and how frequently is critical to making ORA operational.
Where data is not available, alternative measures need
to be selected and approved, and potentially timeframes
established for upgrading the measures as data
becomes available.
Where ORA is defined at Divisional level, a process of
review needs to be in place to ensure these statements
reconcile to those set by the Board.
The validation process is also essential to determine
completeness of the ORA and to align the statements
to current organisational policies and procedures.
PHASE 5: APPROVE
5.1 Approve
Obtain explicit approval of the ORA by the appropriate
approving body e.g. Board and/or key stakeholders, to
ensure on-going ownership and practical application.
5.2 Communicate
Visibility of the ORA will be determined by the
approving body and then the document will be made
available accordingly.
CHALLENGES AND CONSIDERATIONS (REVIEW & VALIDATE)
•	 Determining the most appropriate party to conduct
the validation is important. They need to be objective
and able to assess if the ORA is ‘fit for purpose’
before it is implemented.
•	 Some organisations test the ORA for a period of time
in management discussions and planning processes
before finalising.
•	 The most significant challenge is data availability for
the proposed measures. Selecting measures that
can be obtained and have integrity will be critical to
the success of the ORA.
CHALLENGES AND CONSIDERATIONS (APPROVE)
•	 Providing access to the ORA can be contentious if
there is commercially sensitive information contained
in the ORA.
NUMBER AND LEVEL OF ORAS
Depending on the nature and scale of the organisation,
lower level ORAS can be developed. This helps to cascade
the overall statement within the organisation. It also allows
for the development of measures more suited to the
specific strategy and objectives of each subsidiary, division
or business unit.
Lower level ORA should be aligned to the way in which
the organisation is managed and be consistent with how
strategic objectives are cascaded. For some organisations
this will mean that the ORAS are developed along divisional
or business unit lines. For other organisations this will mean
that ORA will be developed according to legal entities.
It is not expected, nor is it likely to be practical, for ORA to
be developed below that of the key strategic or divisional
units of an organisation. However, smaller units can set
individual measures to help implement the ORA. These
must be aligned to the overall divisional (and organisational)
ORA and help translate ORA into measures that are
meaningful to the day-to-day business needs. Beyond
this, appetite is operationalised and evidenced via the
businesses’ Operational Risk Profiles.
ROLES & ENGAGEMENT OF KEY STAKEHOLDERS
The roles, engagement and input of key stakeholders are a critical aspect of the Planning phase of defining the ORA of the
organisation. These key stakeholders (and their primary Role/Responsibilities) should include the following:
Key Stakeholder: Primary Role/Responsibility

Board: Exercise oversight by defining the Operational Risk it considers acceptable.
Note: Operational Risk Appetite is more often defined in qualitative terms at the Board level and largely
addresses the attitudes and behaviours of the organisation as a whole.

Senior Leadership: Interpret and translate the stated position of the Board (in meaningful metrics) by defining
a set of tolerances that ensures alignment to the Board’s overall appetite.
Note: Operational Risk Appetite at a Division level is usually expressed in quantitative terms by a set of metrics.

Risk/Business Owners: Track and monitor their performance against defined tolerances established by Senior
Leadership and escalate any breaches of defined thresholds.

Risk Management function (Line 2): Facilitate the process of gauging the intent of the Board and Senior
Leadership, in addition to overseeing the process undertaken in formulating ORA.

Risk Management Specialists (Line 1): Assist the Division in identifying tracking tolerances (through a process
of trial and error); this can be done in collaboration with the Risk Management function.
Note: Under a more mature three lines of defence model, the role of the 2LOD should be to objectively
challenge the ORA.

Regulators: Regulators that supervise the management of specific risks within the articulated ORA should be
considered in the formulation process. For example, APRA and AUSTRAC have minimum requirements in
relation to the management of particular operational risks such as outsourcing and AML/CTF. These
requirements may shape the types of measures selected and the trigger levels established.
OPERATIONAL RISK APPETITE IMPLEMENTATION
Once the formulation of the ORA is complete,
organisations need to integrate and embed the outputs
into the operating rhythm of their business activities. This
means organisations should be able to demonstrate
the use and application of ORA (including targets
and measures) in business decision-making. Use and
application of ORA should include consideration of
the overall business risk profile, capital management
(including scenarios and relevant measures) and
organisational strategy.
The development of specific measures ensures that
appetite statements are meaningful to the business by
providing a means to track business performance against
those measures.
Practical examples of how ORA can be implemented within
this framework and the challenges to its effective use and
application are discussed below.
COMMUNICATION
To assist the business to implement and embed risk
appetite, when approved, ORAS should be formally
communicated to the business. The effectiveness of
any communication is increased when it is issued by
Senior Leadership (reinforcing the ‘tone from the top’)
and considered in the context of business strategy.
For example, informing the business that the ORAS
has been updated as part of regular Senior Leadership
communication newsletters or e-mails.
Organisations should also consider the most effective
means of building awareness of the ORA as a key
component of the ORMF. Typically the Risk Management
function (either at a Group or Division level) would facilitate
the communication of the ORA. Examples of how this
could be performed include:
•	 Including discussions on ORA (and any changes/
updates) as part of regular meetings /discussions
between risk management and the business.
•	 Including the ORAS in ORMF document repositories
on the intranet (or equivalent) in order to allow staff to
access the document.
•	 Integrating ORA considerations into training on
the ORMF.
SUMMARY OF KEY PRINCIPLES FOR
ORA IMPLEMENTATION
•	 ORA is effectively communicated and understood
across the organisation.
•	 ORA integrates with existing frameworks and
supporting mechanisms across the organisation.
•	 Effective measures to cascade both the general
understanding of the ORA as well as specific
appetite requirements must be established.
PRACTICAL IMPLEMENTATION OF ORA
STRATEGY DEVELOPMENT
The first area in which ORA can influence decisions and drive operational risk management awareness is through the strategy development process. How ORA is used in the development of strategy throughout the organisation will directly impact the way in which operational risk is measured and monitored.
Typically ORA is considered in the strategy development process through the business leadership and Risk Management teams coming together to determine the operational risk parameters within which the business strategy will be executed. The strategy development process is usually formalised with annual or semi-annual business plans developed for the organisation and its Divisions. Within these business plans the tolerances and thresholds established within the ORA can be applied in expressing strategic parameters such as avoidance of risk exposure and service level arrangements, where operational risk measures such as processing times or error rates are relevant.
Consideration of the ORA in this process helps ensure that the risk capacity of the organisation is considered in formulating business objectives, and that operational risk constraints and their implications for the achievement of objectives are understood. This may influence factors such as the time horizons associated with achieving strategic outcomes or the level of investment required in systems and processes to support operational performance.
The ORA should be challenged by the stakeholders developing strategy to ensure it is fit for purpose and is consistently reflected across the organisation. ORA is also an instrument to support the resolution of conflicts between business objectives and risk appetite preferences or regulatory or compliance requirements.
The foremost benefit of incorporating ORA into the strategy development process is the discussion it drives, moving the organisation from a mindset of ‘loss minimising’ to one of optimising the organisation’s risk-return profile.
COMMON CHALLENGES
•	 Common definition and understanding of the statements within the ORAS to enable consistent application across the organisation. Consider the wording of statements and associated measures to reduce the scope for interpretation.
•	 Leadership support is required in order to ensure Risk Management has a voice in the strategy development process.
•	 Measurement of the success of strategic outcomes should include risk-adjusted measures to ensure the incorporation of the ORAS is valid.
•	 Driving a culture that understands the need to align business objectives with operational risk appetite.
OPERATIONAL EXECUTION
Embedding the ORA into existing business practices across the end to end value chain requires determining where operational risk guidance needs to be clearly defined to support business performance. Key areas in which the ORA should be applied include:
•	 The development of new or revised products.
•	 Significant organisational changes such as supply chain model variations, operating model changes or organisational restructures.
•	 Major business projects where processes or systems will be transformed and operational risk exposures changed.
•	 Investment initiatives such as acquisitions and divestments.
Using and applying ORA in the processes described above requires consideration of how these processes are executed in practice and how operational risk appetite preferences are relevant. For example, in the development of new products consideration should be given as to whether the product and/or its implementation introduce risks that are outside of appetite. A practical approach to ensuring that ORA is embedded in this process is to establish a new product development lifecycle that requires operational risk analysis and risk profile impact assessments to be performed prior to approval. In addition, post implementation reviews should be performed to confirm risk profile movements/outcomes.
COMMON CHALLENGES
•	 Embedding ORA into the organisation’s operating
rhythm requires Senior Leadership support to ensure
it is not considered a standalone component of the
ORMF. This requires review of policy and procedure
so that appetite is appropriately referenced and
any conflicts resolved. For example, the alignment
between ORA and business policies and procedures
(i.e. do limits stated in policies align to the overall
appetite of the organisation or do procedures/
system controls allow staff to inadvertently exceed
desired appetite).
•	 Developing a consistent understanding and
application of ORA across the organisation so it can
be effectively applied to business processes and
initiatives. As ORA typically covers a diverse range
of business activity and processes, statements in
the document are not usually specific (for example,
referring to general system availability/up time rather
than referring to specific systems by name).
MANAGEMENT & MONITORING
The ability of ORA to influence business decisions and
activities is driven significantly by the way organisations
measure and monitor operational risk exposures.
Translating the appetite statements into operational
targets against which risk exposures and limits can be
actively monitored is key to providing guidance to the
business in the pursuit of its strategic and operational
objectives. Measures are typically identified by business
areas which then relate to specific appetite statements.
Where measures are consistent across various business
operations, the Risk Management function can help to
ensure consistency of definition to enable the measures to
be compared across the organisation. While consistency
of measures is required to enable comparison, target levels
may vary by Division.
Reporting against ORA should be, to the extent possible,
integrated into existing business reporting frameworks
and promote discussion on the trade-off between risk and
reward.
Key features of monitoring and reporting activities that
support the embedding of ORA include:
•	 A timely escalation process for measures which exceed
appetite. The frequency of reporting and materiality of
measures may influence the escalation process; however,
where possible this should be integrated into existing
business as usual processes. Typically this would involve
initially escalating to line management prior to its inclusion
in Risk Committee/forum reporting. Emphasis should be
placed on treatment plans or acceptance being sought by
the Risk Committee/forum.
•	 Monitoring of strategic decisions approved outside ORA.
If the Risk Committee (or equivalent body) provides the
appropriate approval, the business may operate outside
of appetite. The reasons for this could be, for example,
to enable the organisation to pilot a new approach, or
allow time to implement more robust controls/mitigation
strategies. These decisions should be reviewed and
reported to the approving body to ensure the exposure
is monitored. The frequency of the monitoring should be
commensurate with the risk exposure and duration of the
exemption to appetite.
•	 Action plan development to meet aspirational or a future
state ORA. ORA may contain appetite statements that the
organisation may currently not fully adhere to. This may
reflect management or the Board’s aspiration to change
the organisation’s level of appetite. This change may not
be possible to initiate quickly and therefore action plans
should be put in place to outline the approach and timeline
for meeting the aspirational future state. Progress against
these plans should be monitored and reported to the Risk
Committee (or equivalent body).
In addition, monitoring informs the recurring practice of
revisiting and refreshing ORA targets to ensure relevance,
currency and optimisation. The triggers used to monitor
ORA should enable timely validation of settings and appetite
levels. The output of this reporting (in conjunction with the
other components of the ORMF) can be used to assess
whether the business is taking too much or too little risk and
therefore targets can be adjusted accordingly. Changes to the
statements, measures, and targets should be subject to the
appropriate governance approval process.
COMMON CHALLENGES
•	 The definition of data, the type of data, its source,
accuracy, integrity and completeness is paramount
to developing reporting for monitoring of ORA. For
example, key questions to be answered in relation
to these elements include:
–– Data definition: Determining what measures
should be monitored (e.g. should a measure
on staff turnover be limited to voluntary leavers?
Should it include contract staff as well as full-
time staff? Should it be a point in time or a rolling
historic measure?)
–– Data completeness: What is the coverage of the
dataset being used? (e.g. are all required areas of
the business included in the dataset?)
•	 ORA may contain a mix of current and aspirational
appetite statements. It is important to ensure that
the document considers the current risk environment
and organisational capability in order to ensure the
statements are achievable within desired timeframes.
•	 Aspirational targets could also be ‘signposted’ in the
document to provide clarity during implementation
(e.g. ‘it is our desire to reduce the current external
fraud exposures. In this financial year we will be
investing further resources to improve fraud controls
and support bringing external fraud exposures within
the organisation’s low risk appetite’).
•	 Recognition that the monitoring process will need to
evolve and be improved as the process develops.
PERFORMANCE MEASUREMENT
COMMON CHALLENGES
•	 The level at which the ORA is applied within the
organisation needs to be determined.
•	 Once determined the challenge then is to establish
KPIs or translate ORA measures into appropriate
KPIs that are meaningful for the assessment of
performance to the levels to which accountability for
ORA is assigned.
•	 Current level of risk management maturity: The
maturity of an organisation’s ORMF and supporting
culture can influence the understanding of the
concept of risk appetite, the ownership and
accountability in relation to ORA and the degree to
which it is embedded in the organisation. The current
level of maturity needs to be considered to determine
the strategies needed to support the implementation
of ORA.
•	 Consistent understanding of ORA: Mechanisms
to communicate and reinforce a consistent
understanding of ORA include training, reporting and
monitoring, and a risk culture which encourages the
right behaviours.
The measurement of business and individual performance
provides a means for expressing and embedding operational
risk appetite. A core component of a performance
measurement framework is KPIs used to evaluate
performance. KPIs tend to serve their most practical
purpose in conjunction with a system of thresholds; when a
KPI breaches its associated threshold, it triggers a review,
escalation or management action.
Desired operational risk management behaviours are
supported by alignment of KPIs with the ORAS. Senior
Leadership rewards should include performance against ORA.
Linking incentives to ORA provides an effective mechanism
to measure broader adherence to ORA and to ensure that
Senior Leadership are held accountable for it in their
businesses. Embedding such KPIs in Senior Leadership
incentives allows top-down adoption of ORA. Linking
performance KPIs to ORA will encourage embedding ORA at
all levels of decision making, from strategic to operational. Use
of the ORAS should be part of the BAU process and not be
seen as an additional task.
Effective use of performance measurement helps drive
towards a culture of risk-based decision making at all levels of
the organisation. In addition, empowering individuals across
all levels to buy into ORA and use and apply it in decision-
making provides an effective risk management tool.
AN EXAMPLE OF THE APPLICATION AND IMPLEMENTATION OF OPERATIONAL RISK
SITUATION
Bank X was considering a capital investment decision to improve and upgrade their perimeter network to provide greater protection from unauthorised access and external fraud (hacking). The Bank had been provided reports from its Technology department indicating that the legacy system design had limitations in containing evolving external threats.
The Bank had also noticed recent external events where a number of US based banks were victims of attacks by external hacking and capture of credit card information, which was being used to support fraudulent transactions on customers’ accounts.
CHALLENGE
Bank X had also seen attacks increasing on its own systems and had a rising cost of external fraud losses which was starting to approach the upper tolerance of operational risk appetite for the number and frequency of attacks on the bank’s systems and total losses due to external fraud. The system hacking was also increasing the number and severity of system outages, which in turn was impacting the bank’s risk appetite on business availability for critical systems.
ORA IMPLEMENTATION OUTCOME
With the provision of this risk information on the impact of recent events to the Program Steering Committee, Senior Leadership approved a decision to provide the necessary investment to improve the system. This involved a multi-year program of work, including major infrastructure redesign and application redevelopment. The capital investment business case was approved based on the existing identified risks and the expected future impact of breaching operational risk appetite thresholds for external fraud and business system availability.
OPERATIONAL RISK APPETITE GOVERNANCE
Once the ORA has been formulated at the organisational
level, it is up to the Board to approve the appetite. Where
appetite is translated down into Divisions, the governing
body should be the appropriate Board-delegated oversight
body at the highest level at which ORA is set. In either
instance, it is the role of the Risk Management function and
the appropriate Risk Committees to oversee and challenge
the ORA positions taken.
The purpose of ORA governance is to ensure that the
organisation has a defined risk appetite and that it is
appropriate given its strategic objectives and desired
level of risk. This requires a process that supports both
formulation of appetite and its ongoing application across
the organisation.
Key steps in the governance process should include:
•	 Board engagement in the formulation and
implementation processes.
•	 Board and Senior Leadership challenge of the outcome
of formulation.
•	 Board approval of appetite levels.
•	 Regular evaluation of appetite and making strategic
or tactical changes as appropriate.
Figure 2: ORA governance process
REVIEW CYCLE AND TRIGGERS
The ORA should be formally reviewed during the strategic
planning cycle (typically annually), allowing the Board and
Senior Leadership to challenge objectives and targets
by asking the right questions on the amount and type of
risk the organisation is prepared to tolerate in pursuit of
its strategy.
There may be times, however, where the ORA does not provide
adequate guidance, which necessitates revisiting the ORA
contents or the risk position taken. The ability to accept
changes to appetite and the flexibility this provides needs
to be balanced with the goal of influencing changes in
behaviour and business practices. This is enabled through
a robust governance framework and process that oversees
changes to the ORA.
Examples of triggers for revisiting the ORA may include (but
are not limited to):
•	 Major changes to strategy.
•	 External Events.
•	 Regulatory or Legislative Changes.
•	 New or material changes to products or services.
•	 Organisational Change (Restructure).
•	 Entry into new markets.
•	 Significant internal events.
•	 Major breaches of appetite or trends towards
exceeding appetite.
•	 Significant changes to the economic environment
(e.g. volatility, downturn, upturn).
The materiality of any change to ORA should be considered
to determine approval requirements. This assessment
would be done by the Group Risk Management function
as part of its responsibilities to challenge and provide
advice on ORA. Approval arrangements might be defined
as follows:
•	 Minor changes (i.e. not a change to actual appetite, just
clarification) for noting.
•	 Material changes (i.e. change to appetite) for approval.
The role of the Board also includes monitoring performance
against the ORA and overseeing the use and application
within the organisation. Trigger events must be monitored
by the business and Risk Management, and overseen by
the Board to ensure ORA outcomes remain current.
ORA reporting should be relevant, timely and useable for
the business, taking into consideration the purpose and
intended audience. ORA reporting should cover areas of
key risks for consideration, in order to provide the business
with insight and to drive informed decision-making. ORA
reporting should be written in the context of the business,
avoiding risk jargon and acronyms where possible.
Figure 2 cycle stages (as extracted): Engage, Evaluate, Challenge, Approve, Formulate, Implement.
SUMMARY OF KEY PRINCIPLES
FOR ORA GOVERNANCE
•	 The ORA should be set by the organisation’s Board.
•	 The Board should periodically review ORA.
•	 Oversight of organisational performance within ORA
parameters is a key responsibility of the Board.
ROLES AND RESPONSIBILITIES
ROLE OF THE BOARD
1.	Challenge formulated risk appetite and proposed changes with consideration to:
–– Is appetite consistent with the firm’s short- and long-term strategy, business and capital plans, risk capacity as
well as compensation programs?
–– Are there any current activities, risks or control frameworks inconsistent with the appetite being approved?
–– Have unintended consequences been considered?
2.	Approve Organisation’s Appetite.
3.	Other activities performed may include:
–– Hold the CEO and other Senior Leadership accountable for the integrity of ORA, including the timely identification,
management and escalation of breaches in risk limits and of material risk exposures.
–– Satisfy itself that there are mechanisms in place to ensure Senior Leadership can act in a timely manner to
effectively manage, and where necessary mitigate, material adverse risk exposures, in particular those that are
close to or exceed the approved ORAS.
ROLE OF THE EXECUTIVE (SUPPORTED BY RISK COMMITTEE)
1.	Challenge formulated risk appetite and proposed changes with consideration to:
–– The same considerations as for the Board, plus:
–– Does the Division’s appetite align to the organisation’s ORA?
–– Where multiple Divisional ORAs are present, can the Executive provide a view of the aggregation of appetite
against the organisation’s ORA? (If not, approval may have to be escalated to a higher governance body.)
2.	Approve Division Appetite (where relevant).
3.	Other activities performed may include:
–– Ensure that annual business plans are in line with the approved ORA and that incentives/disincentives are included in
the compensation programmes to facilitate adherence to ORA.
–– Include an assessment of risk appetite in strategic discussions, including decisions regarding mergers,
acquisitions, and growth in business lines or products.
–– Regularly review and monitor actual versus approved risk limits (e.g. by business line, legal entity, product, risk
category), including qualitative measures of conduct risk.
–– Discuss and determine actions to be taken, if any, regarding ‘breaches’ in risk limits.
–– Ensure adequate resources and expertise are dedicated to operational risk management to support the
application of the ORAS across the organisation.
–– Ensure risk management is supported by adequate and robust IT and MIS to enable identification, measurement,
assessment, analysis and reporting of operational risk in a timely and accurate manner against ORA.
–– Ensure the Risk Profile reflects changes made in line with ORA.
APPENDIX A:
EXAMPLE OF OPERATIONAL RISK APPETITE STATEMENTS
Example of Operational Risk Appetite Statement(s) showing different levels of granularity.
HIGH LEVEL OPERATIONAL RISK APPETITE STATEMENT
Bank X has a risk appetite of ‘Expansionary’ – Will accept higher levels of risk in pursuit of superior
risk–adjusted returns.
Bank X has a growth revenue strategy over the next 12 months and therefore is prepared to accept increased
operational risk exposure related to taking on new products and services to ensure targets and benefits are achieved.
Enablement functions must continue to consider a balanced approach to their risks and controls.
Overall, the bank has an appetite for operational risk losses not exceeding X% of enterprise revenue.
DETAILED OPERATIONAL RISK APPETITE STATEMENT
Appetite level definitions:
Very Low: Avoid exposure to the risk.
Low: Minimise/reduce the risk as much as possible.
Medium: Take a balanced approach to risk and controls.
High: Willing to pursue (seek/take) risk.
Each metric below is shown with its three bands: Risk Target | Above Target | Tolerance.

Risk Category: Internal Fraud
Risk Appetite: Very Low
Statement: The Bank has a very low tolerance for internal fraud, even though it may be unlikely to occur, and considers that fraud by its employees is unacceptable behaviour. Any employees found to have committed fraud will be dismissed.
Metrics (Risk Target | Above Target | Tolerance):
– Loss Value/p.a. (cumulative): ≥$x | $y - $x | <$y
– Percentage of critical systems overdue for user recertification: 0% | 1% – 9% | 10%
– Number of significant unauthorised activities or instances of internal fraud: 0 | 1

Risk Category: External Fraud
Risk Appetite: Medium
Statement: The Bank accepts that as a financial institution it is exposed to a significant inherent level of external fraud. Within the limits determined, the Bank is willing to tolerate financial losses resulting from external fraud.
Metrics (Risk Target | Above Target | Tolerance):
– Loss Value/p.a. (cumulative): ≥$x | $y - $x | <$y
– Average system security compliance status (%): ≥80% | 70% – 79% | <70%
– # IT infrastructure vulnerabilities detected/qtr: <2 | 2-5 | >5

Risk Category: Employment Practices & Workplace Safety
Risk Appetite: Very Low
Statement: The Bank is committed to providing and maintaining a safe and healthy workplace that will contribute to the wellbeing of all employees, contractors, clients and visitors, and has a low tolerance for employment practices and workplace safety events, however infrequently they may occur.
Metrics (Risk Target | Above Target | Tolerance):
– Loss Value/p.a. (cumulative): ≥$x | $y - $x | <$y
– Lost time occurrence incidence rate (percentage of lost time/FTE/qtr): ≤1.0% | 1.0% - 1.2% | >1.2%

Risk Category: Clients, Products & Business Practices
Risk Appetite: Low
Statement: The Bank has a low tolerance for activities or negligent failure to meet its obligations to its customers, and for systemic non-compliance with regulatory obligations.
Metrics (Risk Target | Above Target | Tolerance):
– Loss Value/p.a. (cumulative): ≥$x | $y - $x | <$y
– Number of high risk findings >6 months outstanding/qtr: 1 | 2
– Workforce compliance training penetration (% of employees receiving training per year, cumulative): ≥95% | 90% - 95% | <90%
Each metric below is shown with its three bands: Risk Target | Above Target | Tolerance.

Risk Category: Business Disruption and System Failures
Risk Appetite: Medium
Statement: Bank has a moderate tolerance for infrequent (i.e. once in ten year events) major business disruption and system failure related events and accepts that there will be instances that necessitate significant management action to remediate.
Metrics (Risk Target | Above Target | Tolerance):
– Loss Value/p.a. (cumulative): ≥$x | $y - $x | <$y
– % critical systems tested/tested successfully in last 12 months: ≥85% | ≥85% | <80%

Risk Category: Damage to Physical Assets
Risk Appetite: Medium
Statement: Bank has a moderate tolerance for infrequent (i.e. once in ten year events) physical asset damage events and accepts that there will be instances that necessitate significant management action to remediate.
Metrics (Risk Target | Above Target | Tolerance):
– Loss Value/p.a. (cumulative): ≥$x | ≥$x | <$y
– Number of instances of major damage to physical assets/qtr: 2 | 2-5 | 5

Risk Category: Execution, Delivery & Process Management
Risk Appetite: Medium
Statement: Bank accepts that a number of manual processes exist and that as a result expects that a minor level of execution, delivery & process management related risks is almost certain. Bank will accept a moderate level of outsourcing risk to achieve commensurate savings.
Metrics (Risk Target | Above Target | Tolerance):
– Loss Value/p.a. (cumulative): ≥$x | $y - $x | <$y
– Average annualised voluntary staff turnover: <10 | 10-12 | >12
– Workforce training penetration (% of employees receiving training per year, cumulative): ≥90% | 85% - 90% | <85%
– # of incidents related to processing failures/qtr: <20 | 20-30 | >30
APPENDIX B:
ROLES AND RESPONSIBILITIES
The role of the three lines of defence in developing Operational Risk Appetite:
1ST LINE OF DEFENCE: BUSINESS
•	 Develop the division ORA in alignment with the Board and/or Group operational risk appetite.
•	 Monitor adherence to ORA.
•	 Report and escalate where indicators suggest business is operating outside of appetite.
•	 Take action to remediate when the business is outside of ORA.
•	 Communicate expectations for use of the ORA into decision-making processes, so they are reflected in business
activities (processes and procedures).
•	 Align policies and procedures to ORA tolerances and limits where appropriate.
•	 Ensure alignment between Board and Divisional ORA and identify and escalate inconsistencies for resolution.
2ND LINE OF DEFENCE: INDEPENDENT RISK MANAGEMENT FUNCTION
•	 Ensure the Group-wide ORA is in alignment with the Board and/or Group operational risk appetite.
•	 Own the ORA framework (Note: this may be part of the Operational Risk Management Framework and/or the broader Risk
Appetite Framework).
•	 Support the development of Divisional ORA (alignment, metrics, measures etc.).
•	 Provide constructive review and challenge of the key elements of Divisional ORAS (e.g. capacity, targets
and measures).
•	 Provide linkages and consistency to existing elements of the Operational Risk Management Framework.
•	 Collect, analyse and independently report on and challenge the business lines’ information (measures and metrics).
•	 Monitor adherence to ORA.
•	 Independently review and challenge the alignment between Board and Divisional ORA.
3RD LINE OF DEFENCE: INTERNAL AUDIT
•	 Independently review the effectiveness of the governance and framework.
APPENDIX C:
ACKNOWLEDGEMENTS
Acknowledgements for the development of the Operational Risk Appetite Guidance Note are outlined below.
Risk Management Association for establishing and sponsoring the ORA Working Group.
ANZ and NAB for coordinating development of the ORA Guidance Note.
PwC’s Rachael Phelan and Shari Emin for facilitation and coordination of the ORA workshops and Guidance Note.
The RMA would like to acknowledge the contributions of representatives of the following member banks to the development of this Guidance Note:
Graeme Alexander – Rabobank
Kirsten Allen – Westpac Banking Group
Jodi Altona – Rabobank Australia & NZ
Maria Apostolopoulos – ME Bank
Michael Barr – NAB Group
Anthony Barreiro – Westpac Banking Group
Jacqui Boddy – Bank of Queensland
John Evans – CBA
Ian Falls – ANZ Banking Group
Allison Gray – Bendigo and Adelaide Bank
Greg Gokavi-Whaley – ANZ Banking Group
Rebekah Heavan – Westpac Banking Group
Viet Huynh – Bendigo and Adelaide Bank
Dominique Layt – Suncorp Group
Susan Mackenzie – Bank of Queensland
Richard Michael – HSBC
Tamara Monaghan – NAB Group
Peter Papasarantopoulos – ANZ Banking Group
Tony Petkovski – CBA
Larren Sher – Investec
Stephen Smith – Suncorp Group
Nicole Spratt – ME Bank
Tony Tronolone – CBA
Emily Watchorn – Macquarie Group Limited

Mais conteúdo relacionado

Mais procurados

Risk and Control Self Assessment - IRM India Affiliate
Risk and Control Self  Assessment - IRM India AffiliateRisk and Control Self  Assessment - IRM India Affiliate
Risk and Control Self Assessment - IRM India AffiliateIRM India Affiliate
 
Riskpro - Operational Risk Management
Riskpro - Operational Risk ManagementRiskpro - Operational Risk Management
Riskpro - Operational Risk ManagementManoj Jain
 
Operational Risk Management under BASEL era
Operational Risk Management under BASEL eraOperational Risk Management under BASEL era
Operational Risk Management under BASEL eraTreat Risk
 
Strategic Risk Management as a CFO: Getting Risk Management Right
Strategic Risk Management as a CFO: Getting Risk Management RightStrategic Risk Management as a CFO: Getting Risk Management Right
Strategic Risk Management as a CFO: Getting Risk Management RightProformative, Inc.
 
Strategic Risk Management in the Face of Uncertainty and Unexpected Risks
Strategic Risk Management in the Face of Uncertainty and Unexpected RisksStrategic Risk Management in the Face of Uncertainty and Unexpected Risks
Strategic Risk Management in the Face of Uncertainty and Unexpected RisksInternational Federation of Accountants
 
Operational Risk Management
Operational Risk ManagementOperational Risk Management
Operational Risk Managementarsqureshi
 
Certified Risk and Compliance Management Professional (CRCMP) Prep Course Pa...
Certified Risk and Compliance Management Professional (CRCMP) Prep Course Pa...Certified Risk and Compliance Management Professional (CRCMP) Prep Course Pa...
Certified Risk and Compliance Management Professional (CRCMP) Prep Course Pa...Compliance LLC
 
Shaping Your Culture via Risk Appetite
Shaping Your Culture via Risk Appetite Shaping Your Culture via Risk Appetite
Shaping Your Culture via Risk Appetite Andrew Smart
 
Introduction to Risk Management ISO31000:2009
Introduction to Risk Management ISO31000:2009Introduction to Risk Management ISO31000:2009
Introduction to Risk Management ISO31000:2009Ahmad Azwang Aisram Omar
 
Risk Management Essentials for Bankers
Risk Management Essentials for BankersRisk Management Essentials for Bankers
Risk Management Essentials for BankersDavid Vu
 
Manigent Aligning Risk Appetite And Exposure
Manigent Aligning Risk Appetite And ExposureManigent Aligning Risk Appetite And Exposure
Manigent Aligning Risk Appetite And ExposureAndrew Smart
 
Sharing Practice on Enterprise Risk Management (ERM)
Sharing Practice on Enterprise Risk Management (ERM)Sharing Practice on Enterprise Risk Management (ERM)
Sharing Practice on Enterprise Risk Management (ERM)Diane Christina
 
Enterprise Risk Management as a Core Management Process
Enterprise Risk Management as a Core Management ProcessEnterprise Risk Management as a Core Management Process
Enterprise Risk Management as a Core Management Processregio12
 
Integrating Risk into your Balanced Scorecard
Integrating Risk into your Balanced Scorecard Integrating Risk into your Balanced Scorecard
Integrating Risk into your Balanced Scorecard Andrew Smart
 
Practical approach to Risk Based Internal Audit
Practical approach to Risk Based Internal AuditPractical approach to Risk Based Internal Audit
Practical approach to Risk Based Internal AuditManoj Agarwal
 

Mais procurados (20)

Risk and Control Self Assessment - IRM India Affiliate
Risk and Control Self  Assessment - IRM India AffiliateRisk and Control Self  Assessment - IRM India Affiliate
Risk and Control Self Assessment - IRM India Affiliate
 
Riskpro - Operational Risk Management
Riskpro - Operational Risk ManagementRiskpro - Operational Risk Management
Riskpro - Operational Risk Management
 
Operational Risk Management under BASEL era
Operational Risk Management under BASEL eraOperational Risk Management under BASEL era
Operational Risk Management under BASEL era
 
Strategic Risk Management as a CFO: Getting Risk Management Right
Strategic Risk Management as a CFO: Getting Risk Management RightStrategic Risk Management as a CFO: Getting Risk Management Right
Strategic Risk Management as a CFO: Getting Risk Management Right
 
Strategic Risk Management in the Face of Uncertainty and Unexpected Risks
Strategic Risk Management in the Face of Uncertainty and Unexpected RisksStrategic Risk Management in the Face of Uncertainty and Unexpected Risks
Strategic Risk Management in the Face of Uncertainty and Unexpected Risks
 
Operational Risk Management
Operational Risk ManagementOperational Risk Management
Operational Risk Management
 
Certified Risk and Compliance Management Professional (CRCMP) Prep Course Pa...
Certified Risk and Compliance Management Professional (CRCMP) Prep Course Pa...Certified Risk and Compliance Management Professional (CRCMP) Prep Course Pa...
Certified Risk and Compliance Management Professional (CRCMP) Prep Course Pa...
 
Shaping Your Culture via Risk Appetite
Shaping Your Culture via Risk Appetite Shaping Your Culture via Risk Appetite
Shaping Your Culture via Risk Appetite
 
Introduction to Risk Management ISO31000:2009
Introduction to Risk Management ISO31000:2009Introduction to Risk Management ISO31000:2009
Introduction to Risk Management ISO31000:2009
 
Risk Management Essentials for Bankers
Risk Management Essentials for BankersRisk Management Essentials for Bankers
Risk Management Essentials for Bankers
 
KRI (Key Risk Indicators) & IT
KRI (Key Risk Indicators) & ITKRI (Key Risk Indicators) & IT
KRI (Key Risk Indicators) & IT
 
ERM-Enterprise Risk Management
ERM-Enterprise Risk ManagementERM-Enterprise Risk Management
ERM-Enterprise Risk Management
 
Manigent Aligning Risk Appetite And Exposure
Manigent Aligning Risk Appetite And ExposureManigent Aligning Risk Appetite And Exposure
Manigent Aligning Risk Appetite And Exposure
 
Sharing Practice on Enterprise Risk Management (ERM)
Sharing Practice on Enterprise Risk Management (ERM)Sharing Practice on Enterprise Risk Management (ERM)
Sharing Practice on Enterprise Risk Management (ERM)
 
Enterprise Risk Management as a Core Management Process
Enterprise Risk Management as a Core Management ProcessEnterprise Risk Management as a Core Management Process
Enterprise Risk Management as a Core Management Process
 
Integrating Risk into your Balanced Scorecard
Integrating Risk into your Balanced Scorecard Integrating Risk into your Balanced Scorecard
Integrating Risk into your Balanced Scorecard
 
Practical approach to Risk Based Internal Audit
Practical approach to Risk Based Internal AuditPractical approach to Risk Based Internal Audit
Practical approach to Risk Based Internal Audit
 
Risk appetite
Risk appetite Risk appetite
Risk appetite
 
Risk Management Framework
Risk Management FrameworkRisk Management Framework
Risk Management Framework
 
Key risk indicators shareslide
Key risk indicators shareslideKey risk indicators shareslide
Key risk indicators shareslide
 

Semelhante a 127017438_RMA_OperationalRiskAppetite_v1.0

The Role of Risk Appetite in embedding the ORSA and linking with Business Str...
The Role of Risk Appetite in embedding the ORSA and linking with Business Str...The Role of Risk Appetite in embedding the ORSA and linking with Business Str...
The Role of Risk Appetite in embedding the ORSA and linking with Business Str...Susan Young
 
Five Lines of Assurance A New ERM and IA Paradigm
Five Lines of Assurance  A New ERM and IA ParadigmFive Lines of Assurance  A New ERM and IA Paradigm
Five Lines of Assurance A New ERM and IA ParadigmTim Leech
 
Risk Appetite: new challenges to manage an insurance company
Risk Appetite: new challenges to manage an insurance companyRisk Appetite: new challenges to manage an insurance company
Risk Appetite: new challenges to manage an insurance companyPhilippe Foulquier
 
ROS TL Response To COSO Sept 7 2016
ROS TL Response To COSO Sept 7 2016ROS TL Response To COSO Sept 7 2016
ROS TL Response To COSO Sept 7 2016Tim Leech
 
Sun-Pharma-Risk-Management-Policy-Synopsis-May-2022.pdf
Sun-Pharma-Risk-Management-Policy-Synopsis-May-2022.pdfSun-Pharma-Risk-Management-Policy-Synopsis-May-2022.pdf
Sun-Pharma-Risk-Management-Policy-Synopsis-May-2022.pdfabdo badr
 
Enterprise Risk Management Integrating with Strategy and Per
Enterprise Risk Management Integrating with Strategy and PerEnterprise Risk Management Integrating with Strategy and Per
Enterprise Risk Management Integrating with Strategy and PerTanaMaeskm
 
The importance of risk analysis and management, and corporate governance
The importance of risk analysis and management, and corporate governanceThe importance of risk analysis and management, and corporate governance
The importance of risk analysis and management, and corporate governanceAtul
 
ERM-A_Status_Check_on_Global_Best_Practices[1]
ERM-A_Status_Check_on_Global_Best_Practices[1]ERM-A_Status_Check_on_Global_Best_Practices[1]
ERM-A_Status_Check_on_Global_Best_Practices[1]Sai Sireesh Pachava
 
The IRM India- A Risk Management Standard
The IRM India- A Risk Management StandardThe IRM India- A Risk Management Standard
The IRM India- A Risk Management StandardThe IRM India
 
ERM Implementation            ERM is essential for organizations.docx
ERM Implementation            ERM is essential for organizations.docxERM Implementation            ERM is essential for organizations.docx
ERM Implementation            ERM is essential for organizations.docxelbanglis
 
Tome Salgueiro - 3448 - Corporate Governance Take-home Exam - Risk Area in a ...
Tome Salgueiro - 3448 - Corporate Governance Take-home Exam - Risk Area in a ...Tome Salgueiro - 3448 - Corporate Governance Take-home Exam - Risk Area in a ...
Tome Salgueiro - 3448 - Corporate Governance Take-home Exam - Risk Area in a ...Tomé Salgueiro
 
Syllabus-Financial Risk Management.docx
Syllabus-Financial Risk Management.docxSyllabus-Financial Risk Management.docx
Syllabus-Financial Risk Management.docxYoyo Sudaryo
 
Enterprise risk management
Enterprise risk managementEnterprise risk management
Enterprise risk managementAnu Damodaran
 
2017 coso-erm-integrating-with-strategy-and-performance-executive-summary
2017 coso-erm-integrating-with-strategy-and-performance-executive-summary2017 coso-erm-integrating-with-strategy-and-performance-executive-summary
2017 coso-erm-integrating-with-strategy-and-performance-executive-summaryVALUES & SENSE
 
RSM India publication - Internal audit and risk management in BFSI Sector
RSM India publication - Internal audit and risk management in BFSI Sector RSM India publication - Internal audit and risk management in BFSI Sector
RSM India publication - Internal audit and risk management in BFSI Sector RSM India
 

Semelhante a 127017438_RMA_OperationalRiskAppetite_v1.0 (20)

The Role of Risk Appetite in embedding the ORSA and linking with Business Str...
The Role of Risk Appetite in embedding the ORSA and linking with Business Str...The Role of Risk Appetite in embedding the ORSA and linking with Business Str...
The Role of Risk Appetite in embedding the ORSA and linking with Business Str...
 
Five lines of assurance a new paradigm in internal audit &amp; erm
Five lines of assurance a new paradigm in internal audit &amp; ermFive lines of assurance a new paradigm in internal audit &amp; erm
Five lines of assurance a new paradigm in internal audit &amp; erm
 
Five Lines of Assurance A New ERM and IA Paradigm
Five Lines of Assurance  A New ERM and IA ParadigmFive Lines of Assurance  A New ERM and IA Paradigm
Five Lines of Assurance A New ERM and IA Paradigm
 
Risk Appetite: new challenges to manage an insurance company
Risk Appetite: new challenges to manage an insurance companyRisk Appetite: new challenges to manage an insurance company
Risk Appetite: new challenges to manage an insurance company
 
PM-Guide-Module_07.pdf
PM-Guide-Module_07.pdfPM-Guide-Module_07.pdf
PM-Guide-Module_07.pdf
 
ROS TL Response To COSO Sept 7 2016
ROS TL Response To COSO Sept 7 2016ROS TL Response To COSO Sept 7 2016
ROS TL Response To COSO Sept 7 2016
 
Sun-Pharma-Risk-Management-Policy-Synopsis-May-2022.pdf
Sun-Pharma-Risk-Management-Policy-Synopsis-May-2022.pdfSun-Pharma-Risk-Management-Policy-Synopsis-May-2022.pdf
Sun-Pharma-Risk-Management-Policy-Synopsis-May-2022.pdf
 
Enterprise Risk Management Integrating with Strategy and Per
Enterprise Risk Management Integrating with Strategy and PerEnterprise Risk Management Integrating with Strategy and Per
Enterprise Risk Management Integrating with Strategy and Per
 
The importance of risk analysis and management, and corporate governance
The importance of risk analysis and management, and corporate governanceThe importance of risk analysis and management, and corporate governance
The importance of risk analysis and management, and corporate governance
 
ERM-A_Status_Check_on_Global_Best_Practices[1]
ERM-A_Status_Check_on_Global_Best_Practices[1]ERM-A_Status_Check_on_Global_Best_Practices[1]
ERM-A_Status_Check_on_Global_Best_Practices[1]
 
Creating Value Through Enterprise Risk Management
Creating Value Through Enterprise Risk Management Creating Value Through Enterprise Risk Management
Creating Value Through Enterprise Risk Management
 
The IRM India- A Risk Management Standard
The IRM India- A Risk Management StandardThe IRM India- A Risk Management Standard
The IRM India- A Risk Management Standard
 
SSRS Guidance final 19 Nov 2015
SSRS Guidance final 19 Nov 2015SSRS Guidance final 19 Nov 2015
SSRS Guidance final 19 Nov 2015
 
ERM Implementation            ERM is essential for organizations.docx
ERM Implementation            ERM is essential for organizations.docxERM Implementation            ERM is essential for organizations.docx
ERM Implementation            ERM is essential for organizations.docx
 
Erm whitepaper (2)
Erm whitepaper (2)Erm whitepaper (2)
Erm whitepaper (2)
 
Tome Salgueiro - 3448 - Corporate Governance Take-home Exam - Risk Area in a ...
Tome Salgueiro - 3448 - Corporate Governance Take-home Exam - Risk Area in a ...Tome Salgueiro - 3448 - Corporate Governance Take-home Exam - Risk Area in a ...
Tome Salgueiro - 3448 - Corporate Governance Take-home Exam - Risk Area in a ...
 
Syllabus-Financial Risk Management.docx
Syllabus-Financial Risk Management.docxSyllabus-Financial Risk Management.docx
Syllabus-Financial Risk Management.docx
 
Enterprise risk management
Enterprise risk managementEnterprise risk management
Enterprise risk management
 
2017 coso-erm-integrating-with-strategy-and-performance-executive-summary
2017 coso-erm-integrating-with-strategy-and-performance-executive-summary2017 coso-erm-integrating-with-strategy-and-performance-executive-summary
2017 coso-erm-integrating-with-strategy-and-performance-executive-summary
 
RSM India publication - Internal audit and risk management in BFSI Sector
RSM India publication - Internal audit and risk management in BFSI Sector RSM India publication - Internal audit and risk management in BFSI Sector
RSM India publication - Internal audit and risk management in BFSI Sector
 

127017438_RMA_OperationalRiskAppetite_v1.0

  • 1. RMA GUIDANCE NOTE #2 OPERATIONAL RISK APPETITE July 2014
  • 2. Operational Risk Appetite  |  RMA Guidance Note #2  |  2 CONTENTS 1. Introduction................................................................................................................................................................................................................4 2. Key definitions..........................................................................................................................................................................................................5 3. Operational Risk Appetite: Objectives, Benefits and Critical Success Factors..........................................................................6 4. Components of Operational Risk Appetite Statements (ORAS)........................................................................................................8 5. Operational Risk Appetite formulation, implementation and governance.................................................................................11 –– Operational Risk Appetite formulation principles..........................................................................................................................11 –– Operational Risk Appetite formulation process.............................................................................................................................12 –– Operational Risk Appetite implementation......................................................................................................................................18 –– Operational Risk Appetite Governance...............................................................................................................................................22 Appendices A. Example of Operational Risk Appetite Statements............................................................................................................................. 24 B. 
Roles & Responsibilities...................................................................................................................................................................................27 C. Acknowledgements.............................................................................................................................................................................................28 Version Number Date Issued Summary of Changes 1.0 4 July 2014 Final and approved version © 2014 Risk Management Association Inc (Vic), ABN 95 057 024 197 PO Box 20468, World Square, NSW 2002  Phone: 0403 170 792  Email secretariat@rmaaustralia.org www.rmaaustralia.org Disclaimer The Guidance Note does not intend to prescribe a way of formulating Operational Risk Appetite, the information contained in this document is intended only to provide some suggestions based on industry experience, and considerations that should be given in implementation of this management tool. It is not intended to be comprehensive. It does not constitute, nor should it be treated as, legal advice or opinions. Users are encouraged to obtain professional advice about the application of any legislation or standard relevant to their particular circumstances and to exercise their own skill and care in relation to any material contained in this guide. The RMA Australia accepts no liability for any loss suffered as a result of reliance on this publication. This document has been published without prejudice. The information contained herein is current as at the date of this document. You may download, display, print and reproduce this material in unaltered form only (retaining this notice) for your personal, non-commercial use or use within your organisation.
  • 3. Operational Risk Appetite  |  RMA Guidance Note #2  |  3 FOREWORD Following the successful release of the Risk and Control Self Assessment Guidance Note in March 2013, the RMA Interbank Operational Risk Forum agreed to prepare the next industry Guidance note on Operational Risk Appetite (ORA). This subject matter was selected for a number of reasons, the main factor being that a majority of Australian Financial Institutions are all facing the challenge of maturing their existing Operational Risk Appetite Statements. To this end the Interbank Operational Risk Forum agreed to establish a working group to document a combined industry approach on defining, developing, setting and implementing operational risk appetite. We hope that the accompanying document can serve in supporting member organisations in developing and rolling out their own tailored approach. The Guidance Note is not intended to be prescriptive in the manner in which an organisation should develop its risk appetite. Rather, it provides some guidance and practical examples to assist organisations in the development and implementation of ORA, given their size and level of maturity. This guidance note has been the culmination of collaboration between 24 dedicated operational risk professionals across 12 member banks. The sharing of their collective knowledge and their contribution to the principles and processes of this guidance note has been an extremely rewarding journey for all involved. In addition, this exercise has continued to grow and strengthen the network of operational risk professionals across the Australian banking fraternity, and I have personally enjoyed the interactions, learning and friendships that developed during this project. 
In closing, I would like to personally thank RMA Australia for their continued support and commitment to our Interbank Operational Risk Forum and PwC for their professional advice and significant work in facilitating and guiding the discussion and debate along the way. I would also like to thank the Editorial Committee for their unbridled work in collating and consolidating the work of the syndicate groups, and finally to each of the member banks and their representatives for their contribution and commitment to developing this Guidance Note. Regards Ian Falls Chair, RMA Interbank Operational Risk Forum
  • 4. Operational Risk Appetite  |  RMA Guidance Note #2  |  4 1 INTRODUCTION The Interbank Operational Risk Forum, under the sponsorship of Risk Management Association (RMA) of Australia, established an Industry Working Group to develop this Guidance Note on Operational Risk Appetite (ORA). For many Banks, ORA is a fundamental component of their Operational Risk Management Framework (ORMF), and provides guidance on the amount of risk the organisation is willing to accept and the boundaries within which its employees must operate. However, the challenge has been to bring this concept to life and to make ORA meaningful for the business. ORA is often thought of through the sporting analogy of ‘staying within the field of play’, that is, operating within clear and predefined boundaries. This analogy is also relevant for businesses, which need to be able to deliver on their strategic objectives without taking undue risk. The objective of this Guidance Note is to produce industry relevant guidance for financial services organisations on the defining, setting and use of risk appetite as a key component of their management of operational risk. The ORA Guidance Note outlines the: • Objectives for and benefits of having an ORA. • Critical success factors. • Method for developing ORA. • Building blocks for formulating ORA. • Implementation and Use of ORA. • Purpose and application of Governance. This Guidance Note is not prescriptive, nor will it provide standardised templates. Rather it will outline the foundations needed to enable financial services organisations to develop and tailor ORA for their organisation, at their level of maturity.
2 KEY DEFINITIONS

Definitions of typical Risk Appetite terms often differ between institutions, so the same term may carry a different meaning in different organisations. For the purposes of this Guidance Note, the following definitions apply.

Operational Risk: The risk of direct or indirect loss resulting from inadequate or failed internal processes, people and systems or from external events.

Risk Appetite: The amount and type of risk that an organisation is prepared to seek, accept or tolerate in the pursuit of its long-term objectives.

Risk Appetite Statement: A collection of individual statements within a single document; the term may also refer to the overall document.

Risk Capacity: The maximum resources (financial and non-financial) the organisation has available to pursue its objectives.

Risk Culture: The values, beliefs, knowledge and understanding of risk commonly shared by individuals within an organisation, which inform and govern their actions and behaviours.

Risk Measure: A metric used to express the organisation’s tolerance for a risk. It may be expressed in quantitative or qualitative form.

Risk Profile: A point-in-time assessment of the financial institution’s gross and, as appropriate, net risk exposures (after taking into account mitigants), aggregated within and across each relevant risk category based on forward-looking assumptions.

Division: Used as a general reference to denote divisions, business units, business lines etc.
3 ORA: OBJECTIVES, BENEFITS AND CRITICAL SUCCESS FACTORS

Risk Appetite is about more than just writing a series of risk appetite statements. The real value is demonstrated when risk appetite sets clear boundaries that assist Management to prioritise and deploy resources in the pursuit of their strategic objectives, while not exceeding the organisation’s prescribed level of risk.

OBJECTIVES

The objectives for the formulation, implementation and use of risk appetite are three-fold:
• Set clear expectations on how much risk is appropriate to take in the pursuit of the organisation’s strategic objectives.
• Provide Management with a tool for effective decision making through the articulation of minimum standards, ‘acceptable’ activities and corresponding metrics and limits.
• Establish a benchmark against which to measure, monitor and report on operational aspects of business performance.

Organisations that define and use ORA should expect to realise some of the following benefits as ORA is implemented and its use and application matures over time.

BENEFITS

Support, reinforce and meet strategic targets
ORA supports on-going decision making in due diligence activity, new product approval processes and key business objectives. This use of ORA provides a means of assessing the level of risk being introduced and whether that level of risk is appropriate for the organisation.

EXAMPLE: Where a change requires geographic expansion, does the ORA support such a move?

EXAMPLE: Where outsourcing/offshoring forms part of an organisation’s strategy, the ORA can outline the activities for which outsourcing/offshoring can be used to provide support.

Generate efficiencies and improved cost management
Provides Management with a benchmark against which to measure, monitor and report on operational aspects of business performance. Such monitoring and reporting provide Management with greater insight into business capability, capacity and vulnerabilities in the current and forecast risk and control environment, and highlight where action is required to ‘dial up’ or ‘dial down’ risk and controls. These insights aid Management to determine an appropriate course of action, and to seek efficiencies and optimise investment in the control environment to generate cost savings. Considerations that drive the scale, depth and sustainability of the response include the urgency posed by the risk and the degree to which acceptable limits have been breached. When faced with these decisions, ORA provides Management with a tool for effective and efficient decision making without the need for unnecessary escalation.
Prioritisation of investment spend
Articulation of ORA assists in the prioritisation of business initiatives and the corresponding investment spend. When aligned with a risk acceptance process, risks considered outside of risk appetite are escalated for management attention. Where insufficient funding is available to address key remedial initiatives, management is prompted to review their program of funding and determine if and where re-prioritisation/re-allocation of funding is required.

Extract more value from existing risk and other supporting frameworks
The formulation and use of ORA creates a direct link between management activity, Risk Control Self-Assessment (RCSA) and capital. The existence of this link provides the foundation to set operational policy and to develop associated procedures and guidance. Through these mechanisms adverse behaviours and poor performance can be identified, and the ‘right’ behaviour incentivised to drive good risk culture.

Strong risk culture
ORA strengthens an organisation’s risk culture by setting clear expectations for the management of operational risk. Cultural maturity is a function of how well the Board, relevant risk committees, Divisional leaders and staff understand and embrace the organisation’s risk management processes and systems and apply these in day-to-day business activities and decision making.

CRITICAL SUCCESS FACTORS

Several factors contribute to the successful formulation and implementation of ORA. These include:

Support of the Board
Tone from the top underpins the successful implementation of ORA. The Board needs to be engaged early and play a significant role in the formulation of the organisation’s ORA. If the Board is indifferent about the organisation’s ORA, then this attitude will most likely permeate throughout the organisation.

Knowledge of the organisation’s strategy and internal and external factors
A thorough knowledge of the organisation’s strategy, internal and external operational risk drivers, the business environment and risk profile is a minimum requirement to define ORA. This is critical because the implementation of ORA is most effective when it is integrated with existing strategic planning/budgeting and capital management processes.

Established ORMF
The organisation must have in place a functional ORMF in order to:
• Provide a clear definition of operational risk, its inclusions and exclusions (e.g. whether or not compliance is included within the definition of operational risk) that is uniformly understood by all stakeholders.
• Ensure that material risks and the associated control environments are identified, measured, managed and monitored. An understanding of the organisation’s material risks is a minimum requirement to set ORA.
• Integrate ORA into the organisation’s policies and procedures, code of conduct, and any other relevant guidance governing the behaviour of its people and the performance of business activities.

Governance Structure
Governance structures established under the organisation’s ORMF must be well defined to enable effective oversight and governance of ORA. The effective operation of these governance structures is dependent on risk management systems and tools to support the monitoring of ORA. Ideally these should be in place prior to the formulation of the ORA.

Defined accountability for Operational Risk Management
The use and application of ORA depends on a clear understanding across the organisation of accountabilities, roles and responsibilities as they relate to ORM. For example, accountability for the consideration of ORA in strategic and capital management planning needs to be defined. The effective execution of these accountabilities should be subject to oversight and challenge in accordance with the requirements of the organisation’s governance framework.
4 COMPONENTS OF OPERATIONAL RISK APPETITE STATEMENTS (ORAS)

The form and composition of the ORAS will be influenced by the organisation’s risk management philosophy and the nature of the operational risks it faces. While there are many different formats and styles for ORAS, the content needs to support the organisation’s understanding of its material operational risks and clearly define the parameters within which it expects these risks to be managed.

The key areas of operational risk for which the organisation or Division wishes to articulate an appetite should be clearly defined in the ORA. The ORA risk types reflect the business’s primary operational risk exposures and its strategic focus, i.e. market segments, customer base, technological capability etc. Specific risks can be grouped into risk categories to support organisational monitoring and reporting.

The following section sets out a non-exhaustive list of components that may be incorporated into an ORAS. Appendix A sets out alternative examples for the expression of an ORAS.

The content of an ORAS is primarily focused on articulating, for the material operational risks faced, the level of appetite the organisation has for those risks and how they are measured. Key components typically observed in an ORAS include:
• Scale: The scale provides a means of qualitatively expressing the organisation’s ORA and establishing the level of appetite for a given risk.
• Risk Measures: Typically used to translate high-level qualitative statements into more granular Divisional or risk-specific metrics. This enables thresholds or triggers to be established to support early warning and regular reporting on the organisation’s level of risk exposure relative to its risk appetite.

EXAMPLE: ORAS can be documented in many formats and styles and it is up to each organisation to determine the most appropriate approach.

Consideration should be given to the level at which operational risk appetite is expressed. It can be expressed at various levels of the organisation. For example:
1. At the highest level of the organisation, e.g. ‘As an organisation we have an appetite for operational risk losses not exceeding X% of income.’
2. Expressed in a more granular manner for the organisation’s material risks that are specific to the activities and/or strategic intentions of the business concerned (operational risk, outsourcing, compliance, etc).
3. Expressed using Basel categories (Internal fraud; External fraud; Employment practices and workplace safety; Clients, products and business practices; Damage to physical assets; Business disruption; Execution, delivery and process management).
4. Expressed in relation to key areas an organisation considers important to the execution of its strategy. An example would be a Level 1 risk category of ‘Business disruption’, which may articulate a Low risk appetite for continuous disruption to key processes, premises or systems, and then a Level 2 risk type within that category for the Retail Banking operation of ‘key systems availability’, which may require key systems to be available 99.5% of the time.

Regardless of the level at which appetite is expressed, the following components of Scale and Risk Measures can be used.
SCALE

Using a scale to articulate appetite in the first instance assists in communicating it to a wide audience at all levels of the organisation and provides a point of reference for discussions and decisions around risk choices. In the absence of explicit risk measures, a scale provides guidance as to how much risk the organisation is willing to accept. Key considerations in establishing an effective scale include:
1. The number of points on the scale. Typically there is a minimum of 4 points and no more than 6 or 8 points on the scale. It is recommended that the scale use an even number (rather than an odd number) of points to prevent a ‘middle’ option, and consequently promote robust discussion and definitive positioning on the scale.
2. The basis for articulating the points on the scale. Options include numeric (e.g. 1-5), descriptive (e.g. Very Low, Low, Medium, High) or posture statements (e.g. Expansionary, Conservative) which indicate the level of appetite tolerable in the pursuit of the organisation’s strategic objectives. The basis of expression could be in absolute terms or relative to some benchmark (current state, peers, market levels etc.).
3. Use of a ‘zero appetite’ level. Typically, this concept is only applied if the risk can be avoided or completely eliminated. If that is not possible due to the nature of the business giving rise to such risks, it is recommended that ‘zero or no appetite’ not be applied.

Examples of alternative scales that may be applied and possible descriptions are detailed below:

Scale Type: Numeric
  1: Avoidance of risk as much as possible.
  2: Acceptance of a low return due to an unwillingness to accept risk beyond a limited exposure.
  3: Desire for a balanced approach between risk and reward.
  4: Willing to accept exposure to risk to maximise return.

Scale Type: Descriptive (Absolute)
  1: Avoid exposure to the risk.
  2: Minimise/reduce risk as much as possible.
  3: Take a balanced approach to risk and controls.
  4: Willing to pursue (seek/take) risk.

Scale Type: Descriptive (Absolute), alternative
  Very low: Not willing to accept risk or reward.
  Low: Unwilling to accept even a low amount of risk unless it is significantly outweighed by the reward.
  Moderate: Willing to accept some risk if the circumstances include reward.
  Modest: Willing to accept risks commensurate with the potential reward.
  High: Willing to accept a high level of risk in circumstances where there is a significant or important reward.

Scale Type: Descriptive (Relative)
  Very low: Willing to accept losses only if they are significantly below industry norms.
  Low: Willing to accept losses only if they are below industry norms.
  Medium: Willing to accept losses only if they are within industry norms.
  High: Willing to accept losses only if returns are above industry norms.

Scale Type: Postures (Relative)
  Conservative: Will accept below-market returns in order to minimise risk.
  Neutral: Will adopt a risk position that achieves returns in line with market expectations.
  Expansionary: Will accept higher levels of risk in pursuit of superior risk-adjusted returns.
RISK MEASURES

Each operational risk type requires a measure to enable the organisation to determine the level of exposure to that risk type. Measures may be qualitative or quantitative. Measures specific to operational risk appetite can include the level of operational risk capital, the value of operational risk loss amounts for a given period, scenario analysis estimates of operational risk exposures, and tolerances or thresholds on key risk indicators.

The number and type of measures used should be appropriate to the audience. At the Board level, there tends to be more focus on qualitative statements of appetite, with only a small number of key measures used (e.g. operational risk capital or losses). As the risk appetite is cascaded down to lower levels of the organisation, the measures are translated into a larger number of more detailed and operational metrics, with trigger points aligned to appetite within the relevant business.

There are potentially hundreds of metrics that can be identified, and it is important to evaluate which ones add value and provide a meaningful indicator of the risk. Consideration should be given as to whether the measure and underlying data are readily available and can be produced at a frequency that will support the required degree of monitoring. Furthermore, consideration should be given as to whether a measure provides a backward-looking view of expected outcomes, or whether it can provide a more leading indication of potential unexpected outcomes. There should be a mixture of both leading and lagging indicators. The relevance of a measure may also change over time, and the measures used should be those that are most relevant to the current business strategy and operational risk profile.

In some cases it may not be possible to quantify a measure; for example, indicators relating to people, culture and behaviour will often require a qualitative assessment based on subjective judgment. These will need to be monitored using a more qualitative approach.

In all cases, an organisation should be mindful of potential unintended consequences arising from measuring operational risk against set tolerances, and should aim to ensure that the measures it selects drive appropriate behaviours across the organisation.

The risk measures may change over time as better data becomes available or more relevant measures emerge. In turn, this may impact operational risk management and monitoring practices for the risk concerned and hence alter the organisation’s appetite for that risk.
5 OPERATIONAL RISK APPETITE FORMULATION, IMPLEMENTATION AND GOVERNANCE

The remainder of the Guidance Note focuses on the principles and processes for formulating, implementing and governing ORA.

OPERATIONAL RISK APPETITE FORMULATION PRINCIPLES

ORA should set the ‘tone from the top’ in terms of the behaviours and expectations of the organisation’s Senior Leaders with respect to its risk culture, norms and attitudes. It should reference and/or be consistent with the organisation’s vision, values and behavioural norms.

Developing ORA requires a clear understanding of the organisation’s strategy and objectives, including key priorities for the business. This is because the risk appetite defines the risks the organisation is prepared to take and the parameters within which it must operate in pursuing its strategic objectives.

ORA and the measures that are put in place to monitor it should align with the timelines of the strategic business plan and organisational objectives. This ensures that the setting of risk appetite aligns with the timeframes within which the objectives are being undertaken. Differing timeframes could result in excessive or insufficient risk taking and undermine the achievement of strategic objectives.

While it would be repetitive to include them (either in part or by listing them), ORA should make clear that the organisation’s policies and procedures are themselves an articulation of the organisation’s risk appetite. This point is also important in developing policies and procedures: they should be set with reference to the overall ORA of the organisation.

ORA will need to be supported by well-developed measures to give practical guidance as to what is expected within the organisation. For efficiency these should, where possible, leverage organisational Key Performance Indicators (KPIs) and other existing metrics. In turn, the setting of these KPIs and metrics should also take into account ORA.

Some of the measures used will not be ‘additive’, in the sense that they cannot be added up across the individual organisational units to arrive at a whole-of-organisation view. One example is staff turnover: individual Divisions may have a higher staff turnover metric and still be consistent with the overall organisation-wide staff turnover metric. As such it is important to ensure that there is a common understanding as to how these measures are set such that the overall objective is achieved. If done in isolation, the outcome could easily be inconsistent with the intent of the organisation-wide ORA.

SUMMARY OF KEY PRINCIPLES FOR ORA FORMULATION:
• Set ‘tone from the top’ and guide decision making within the organisation.
• Align with the organisation’s strategic objectives and its definition of operational risk.
• Align with and form part of the strategic planning cycle of the organisation.
• Be supported by specific measures which should ensure consistency of risk taking across all levels of the organisation.
OPERATIONAL RISK APPETITE FORMULATION PROCESS

ORA by its nature must be a ‘top down’ statement that establishes a frame of reference for the rest of the organisation. The structure and form of an ORAS can vary significantly from one organisation to the next; it is influenced by who formulates the ORAS and how. There is no single way to develop an ORAS, but the following section provides some key steps and a few fundamental approaches in formulating ORA.

Figure 1: ORA formulation process. The phases are: 1 Planning; 2 Conduct; 3 Drafting; 4 Review & Validate; 5 Approve.

1 PLANNING

1.1 Identify supporting information to be considered in drafting the ORAS
Examples of information and supporting data collated in the planning stage include strategy/business plans, existing operational risk profiles, external and internal loss data, emerging risks and the ORMF and policies. The extent to which these factors influence the ORAS will depend on the level of the organisation at which the ORA is being formulated.

1.2 Stakeholder Engagement: Key to planning the ORA formulation is engagement of key stakeholders
This includes strong engagement with: the Board, who will establish the ‘tone from the top’; the Senior Leadership required to apply the ORA in practice; and key business partners who support its application, for example technology providers, human resources functions and control owners. An example of likely stakeholders to be engaged is set out on page 17.

1.3 Format and use: The form and purpose of the ORA needs to be determined up front
This is influenced by the level in the organisation for which the ORA is being formulated. A Board level statement is set for the whole organisation and should guide the Group in its decision making and risk taking activities. A Division-specific or risk-specific statement guides decision making in relation to relevant operational activities. In the planning stage, operational risk and ORA should be clearly defined, the linkage to overarching organisational strategy established and the connection with other risk appetite statements made.

1.4 Ownership
Allocation of ownership of the ORA involves determination of: accountability for its maintenance to ensure it is business relevant; and custodianship for administering changes and updates. Typically the Risk Management function is the custodian and the business or Board has accountability for the ongoing application of the ORA, depending on the level at which it is articulated.

CHALLENGES AND CONSIDERATIONS
• The availability and quality of data and information required as inputs to ORA formulation.
• Timeframes to complete formulation, in particular the time required to engage with key stakeholders. Alignment of the ORA engagement strategy with existing governance calendars can streamline the process.
2 CONDUCT

2.1 Initial engagement
Engaging with stakeholders is critical to build awareness and commitment, determine material operational risk categories and establish initial appetite preferences, in order to enable risk measures and tolerances to be established.

2.2 Facilitation
The process for identifying and confirming material operational risks and risk appetite preferences is typically facilitated by the Risk Management function (i.e. Group Risk Management for Board level ORA and Division Risk Management for Divisional level ORA). The Risk Management function is responsible for conducting this phase in accordance with the project plan, timelines and costs. In large organisations the Head of Operational Risk would typically lead discussions/sessions with identified stakeholders and the Chief Risk Officer (CRO) would have the right of veto in reviewing the proposed content and structure; for example, a divergent view of the organisation’s risk appetite for external fraud will be settled by the CRO. In smaller organisations the roles of facilitating discussions and challenging business views on risk appetite might be played by the Head of Risk.

The process for ORA formulation may involve a range of engagement techniques such as surveys, interviews and workshops in order to determine and agree the following:
• Definition and purpose of the ORAS.
• Categories of operational risk and risk types that are material to the organisation or business concerned.
• Means of articulating risk appetite, i.e. the Scale and Risk Measures to be used.
• Structure of the statement, in terms of articulating both narrative and associated metrics, or a statement which is supported by a separate Operational Risk Dashboard setting out performance against agreed quantitative metrics and limits that are aligned to each risk category.
• Views on the appetite for the operational risks selected.

An example of survey questions that can be used to facilitate the articulation of risk appetite preferences is provided on the following page.

2.3 Consolidation and review
The facilitation process leads to: a defined ORA structure and scope; proposed content; and a determination of the appropriate level of detail and initial risk appetite positions. In large organisations a draft ORAS document would typically be presented to the CRO for discussion and approval before proceeding to the next phase.

CHALLENGES AND CONSIDERATIONS
• Providing education and building awareness of the value of the ORA in order to generate stakeholder buy-in.
• Determining if the defined ORA is representative of the current state or is aspirational. Where a stakeholder is outlining what appears to be an unrealistic aspirational view, be prepared to discuss how this might be attained, the resources that would be required and the likely timeframes to be within appetite. A key consideration is how achievable the measures in the ORA are: now, in 1 year or in 3 years?
• Tackling ‘zero’ tolerance: This is often a popular response when the level of operational risk appetite is discussed. In most cases this is unrealistic. Guide stakeholders away from its use by suggesting other means of framing risk appetite.
• Using the right language: The ORA needs to be relevant to the business and expressed in language that the business uses. If the Basel event types do not resonate with the business, do not use them.
EXAMPLE ORA SURVEY QUESTION

An example of the types of questions that might be included in a survey for the development of an operational risk appetite statement is outlined below.

Risk category: Governance. Risk: Inadequate oversight/governance of critical decisions.

1a. Do you consider the inadequate oversight of critical (material) decisions to be a material risk for your organisation?
  Options: Yes / No
  Guidance: a material risk is one for which the exposure and management approach should be visible to the Board.

1b. Which of the following represents your view of your organisation’s desired appetite for this risk?
  Low Appetite: The risk should be minimised, regardless of the cost or capacity constraints associated with the risk management approach required; OR
  Medium Appetite: The risk can be managed within defined parameters; OR
  High Appetite: The risk can be increased, if it gives rise to potentially higher returns.

1c. Given the risk appetite option selected, what would be the appropriate risk metric to manage this risk within your organisation’s risk appetite? Example measures may include the following, or please specify other measures in the free text box provided.
  • Peer reviews on all decisions above a defined threshold
  • Board approval required for decisions above a defined threshold
  • Scenario analysis conducted for all material decisions, including downturn or worst case scenario
  • A set of business actions specified to respond to a defined set of scenarios relating to the decisions
  • Other performance measure, please define

  Example of measures aligned to each appetite level:
  Low: Board approval required for decisions above a defined threshold, and peer reviews on all decisions above a defined threshold.
  Medium: Peer reviews on all decisions above a defined threshold.
  High: Scenario analysis conducted for all material decisions, including downturn or worst case scenario.
3 DRAFTING

3.1 Objective
Formally articulate risk appetite for operational risk, determining content, measures and narrative (qualitative and quantitative), taking into consideration information gathered during the planning and conduct phases.

3.2 Articulation
Typically, in large organisations the CRO, or in small organisations the Head of Risk, is accountable for drafting the Group RAS. This involves incorporating stakeholder feedback, validating that the measures are appropriate (available and measurable) and guiding the document through the socialisation process. The CRO/Head of Risk may be the party that reviews the document and ensures alignment with the key elements and information captured throughout the planning and conduct phases. There is also a requirement for the Risk Management function to identify impacted policies to be updated to reflect and cross-reference the ORA.

Given that decisions with operational risk impacts are not made in isolation and will depend, among other factors, on the organisation’s goals and financial situation, the ORA articulated by an organisation may need to incorporate consideration of specific risk-return trade-offs. Where operational risk occurs, the organisation may have a preferred hierarchy for impact types; for example, significant customer/reputational impacts may be considered less acceptable than financial impacts. Systemic regulatory impacts may be the least acceptable. Once the organisation’s decision-making attributes are understood, management are better able to make consistent trade-off decisions. A hierarchy of these decision preferences can be included as part of the ORA to enable greater consistency and efficiency in decision making. Specific trade-off decisions may also be expressly included in the ORA to allow for transparency and a clear link between the ORA and strategy. Tolerances may also be set and monitored to ensure that these trade-off decisions are made within the parameters expected.

CHALLENGES AND CONSIDERATIONS
• Ensuring Division level ORAs do not simply replicate the Board level ORA, yet do not conflict with or exceed Board level risk appetite statements and associated measurements.
• Ensuring that stakeholder expectations have been met. Approval will be difficult to gain where expectations do not align.
• Successful application and use of ORA in the Business relies on the language used to express appetite being aligned and consistent with the behavioural outcomes the organisation is looking to drive.
4 REVIEW & VALIDATE

4.1 Reconcile
Reconcile the draft ORA against further feedback provided by the business and other relevant stakeholders following formal drafting.

4.2 Validate
A validation exercise should be completed to ensure that the final draft of the RAS reconciles to:
• Strategic objectives.
• Policies and procedures.
• Culture and organisational values.
• Regulatory standards.

Determining how measures will be sourced, from where and how frequently is critical to making ORA operational. Where data is not available, alternative measures need to be selected and approved, and potentially timeframes established for upgrading the measures as data becomes available.

Where ORA is defined at Divisional level, a process of review needs to be in place to ensure these statements reconcile to those set by the Board. The validation process is also essential to determine the completeness of the ORA and to align the statements to current organisational policies and procedures.

CHALLENGES AND CONSIDERATIONS
• Determining the most appropriate party to conduct the validation is important. They need to be objective and able to assess whether the ORA is ‘fit for purpose’ before it is implemented.
• Some organisations test the ORA for a period of time in management discussions and planning processes before finalising.
• The most significant challenge is data availability for the proposed measures. Selecting measures that can be obtained and have integrity will be critical to the success of the ORA.

5 APPROVE

5.1 Approve
Obtain explicit approval of the ORA by the appropriate approving body, e.g. the Board and/or key stakeholders, to ensure on-going ownership and practical application.

5.2 Communicate
Visibility of the ORA will be determined by the approving body, and the document will then be made available accordingly.

CHALLENGES AND CONSIDERATIONS
• Providing access to the ORA can be contentious if there is commercially sensitive information contained in the ORA.
NUMBER AND LEVEL OF ORAS
Depending on the nature and scale of the organisation, lower level ORAS can be developed. This helps to cascade the overall statement within the organisation. It also allows for the development of measures more suited to the specific strategy and objectives of each subsidiary, division or business unit.

Lower level ORA should be aligned to the way in which the organisation is managed and be consistent with how strategic objectives are cascaded. For some organisations this will mean that the ORAS are developed along divisional or business unit lines. For other organisations this will mean that ORA will be developed according to legal entities.

It is not expected, nor is it likely to be practical, for ORA to be developed below the level of the key strategic or divisional units of an organisation. However, smaller units can set individual measures to help implement the ORA. These must be aligned to the overall divisional (and organisational) ORA and help translate ORA into measures that are meaningful to the day-to-day business needs. Beyond this, appetite is operationalised and evidenced via the business’s Operational Risk Profiles.

ROLES & ENGAGEMENT OF KEY STAKEHOLDERS
The roles, engagement and input of key stakeholders are a critical aspect of the Planning phase of defining the ORA of the organisation. These key stakeholders (and their primary roles/responsibilities) should include the following:

Key Stakeholder | Primary Role/Responsibility
Board | Exercise oversight by defining the Operational Risk it considers acceptable. Note: Operational Risk Appetite is more often defined in qualitative terms at the Board level and largely addresses the attitudes and behaviours of the organisation as a whole.
Senior Leadership | Interpret and translate the stated position of the Board (into meaningful metrics) by defining a set of tolerances that ensures alignment to the Board’s overall appetite. Note: Operational Risk Appetite at a Division level is usually expressed in quantitative terms by a set of metrics.
Risk/Business Owners | Track and monitor their performance against the defined tolerances established by Senior Leadership and escalate any breaches of defined thresholds.
Risk Management function (Line 2) | Facilitate the process of gauging the intent of the Board and Senior Leadership, in addition to overseeing the process undertaken in formulating ORA.
Risk Management Specialists (Line 1) | Assist the Division in identifying tracking tolerances (through a process of trial and error); this can be done in collaboration with the Risk Management function. Note: Under a more mature three lines of defence model, the role of the 2LOD should be to objectively challenge the ORA.
Regulators | Regulators that supervise the management of specific risks within the articulated ORA should be considered in the formulation process. For example, APRA and AUSTRAC have minimum requirements in relation to the management of particular operational risks such as outsourcing and AML/CTF. These requirements may shape the types of measures selected and the trigger levels established.
OPERATIONAL RISK APPETITE IMPLEMENTATION
Once the formulation of the ORA is complete, organisations need to integrate and embed the outputs into the operating rhythm of their business activities. This means organisations should be able to demonstrate the use and application of ORA (including targets and measures) in business decision-making. Use and application of ORA should include consideration of the overall business risk profile, capital management (including scenarios and relevant measures) and organisational strategy.

The development of specific measures ensures that appetite statements are meaningful to the business by providing a means to track business performance against those measures. Practical examples of how ORA can be implemented within this framework, and the challenges to its effective use and application, are discussed below.

COMMUNICATION
To assist the business to implement and embed risk appetite, the ORAS should be formally communicated to the business once approved. The effectiveness of any communication is increased when it is issued by Senior Leadership (reinforcing the ‘tone from the top’) and considered in the context of business strategy. For example, the business can be informed that the ORAS has been updated as part of regular Senior Leadership communication newsletters or e-mails.

Organisations should also consider the most effective means of building awareness of the ORA as a key component of the ORMF. Typically the Risk Management function (either at a Group or Division level) would facilitate the communication of the ORA. Examples of how this could be performed include:
• Including discussions on ORA (and any changes/updates) as part of regular meetings/discussions between risk management and the business.
• Including the ORAS in ORMF document repositories on the intranet (or equivalent) in order to allow staff to access the document.
• Integrating ORA considerations into training on the ORMF.

SUMMARY OF KEY PRINCIPLES FOR ORA IMPLEMENTATION
• ORA is effectively communicated and understood across the organisation.
• ORA integrates with existing frameworks and supporting mechanisms across the organisation.
• Effective measures to cascade both the general understanding of the ORA and specific appetite requirements must be established.
PRACTICAL IMPLEMENTATION OF ORA

STRATEGY DEVELOPMENT
The first area in which ORA can influence decisions and drive operational risk management awareness is the strategy development process. How ORA is used in the development of strategy throughout the organisation will directly impact the way in which operational risk is measured and monitored. Typically ORA is considered in the strategy development process through the business leadership and Risk Management teams coming together to determine the operational risk parameters within which the business strategy will be executed.

The strategy development process is usually formalised with annual or semi-annual business plans developed for the organisation and its Divisions. Within these business plans the tolerances and thresholds established within the ORA can be applied in expressing strategic parameters such as avoidance of risk exposure and service level arrangements, where operational risk measures such as processing times or error rates are relevant.

Consideration of the ORA in this process helps ensure that the risk capacity of the organisation is considered in formulating business objectives, and that operational risk constraints and their implications for the achievement of objectives are understood. This may influence factors such as the time horizons associated with achieving strategic outcomes or the level of investment required in systems and processes to support operational performance. The ORA should be challenged by the stakeholders developing strategy to ensure it is fit for purpose and is consistently reflected across the organisation. ORA is also an instrument to support the resolution of conflicts between business objectives and risk appetite preferences or regulatory or compliance requirements.

The foremost benefit of incorporating ORA into the strategy development process is the discussion it drives, moving the organisation from a mindset of ‘loss minimising’ to one of optimising the organisation’s risk-return profile.

COMMON CHALLENGES
• Common definition and understanding of the statements within the ORAS to enable consistent application across the organisation. Consider the wording of statements and associated measures to reduce the scope for interpretation.
• Leadership support is required in order to ensure Risk Management has a voice in the strategy development process.
• Measurement of the success of strategic outcomes should include risk-adjusted measures to ensure the incorporation of the ORAS is valid.
• Driving a culture that understands the need to align business objectives with operational risk appetite.

OPERATIONAL EXECUTION
Embedding the ORA into existing business practices across the end-to-end value chain requires determining where operational risk guidance needs to be clearly defined to support business performance. Key areas in which the ORA should be applied include:
• The development of new or revised products.
• Significant organisational changes such as supply chain model variations, operating model changes or organisational restructures.
• Major business projects where processes or systems will be transformed and operational risk exposures changed.
• Investment initiatives such as acquisitions and divestments.

Using and applying ORA in the processes described above requires consideration of how these processes are executed in practice and how operational risk appetite preferences are relevant. For example, in the development of new products consideration should be given as to whether the product and/or its implementation introduce risks that are outside of appetite. A practical approach to ensuring that ORA is embedded in this process is to establish a new product development lifecycle that requires operational risk analysis and risk profile impact assessments to be performed prior to approval. In addition, post-implementation reviews should be performed to confirm risk profile movements/outcomes.

COMMON CHALLENGES
• Embedding ORA into the organisation’s operating rhythm requires Senior Leadership support to ensure it is not considered a standalone component of the ORMF. This requires review of policy and procedure so that appetite is appropriately referenced and any conflicts resolved. For example, the alignment between ORA and business policies and procedures should be checked (i.e. do limits stated in policies align to the overall appetite of the organisation, or do procedures/system controls allow staff to inadvertently exceed desired appetite?).
• Developing a consistent understanding and application of ORA across the organisation so it can be effectively applied to business processes and initiatives. As ORA typically covers a diverse range of business activity and processes, statements in the document are not usually specific (for example, referring to general system availability/up time rather than referring to specific systems by name).
MANAGEMENT & MONITORING
The ability of ORA to influence business decisions and activities is driven significantly by the way organisations measure and monitor operational risk exposures. Translating the appetite statements into operational targets against which risk exposures and limits can be actively monitored is key to providing guidance to the business in the pursuit of its strategic and operational objectives.

Measures are typically identified by business areas and then related to specific appetite statements. Where measures are consistent across various business operations, the Risk Management function can help to ensure consistency of definition to enable the measures to be compared across the organisation. While consistency of measures is required to enable comparison, target levels may vary by Division.

Reporting against ORA should be, to the extent possible, integrated into existing business reporting frameworks and promote discussion on the trade-off between risk and reward. Key features of monitoring and reporting activities that support the embedding of ORA include:
• A timely escalation process for measures which exceed appetite. The frequency of reporting and materiality of measures may influence the escalation process; however, where possible this should be integrated into existing business as usual processes. Typically this would involve initially escalating to line management prior to inclusion in Risk Committee/forum reporting. Emphasis should be placed on treatment plans or acceptance being sought from the Risk Committee/forum.
• Monitoring of strategic decisions approved outside ORA. If the Risk Committee (or equivalent body) provides the appropriate approval, the business may operate outside of appetite. The reasons for this could be, for example, to enable the organisation to pilot a new approach, or to allow time to implement more robust controls/mitigation strategies. These decisions should be reviewed and reported to the approving body to ensure the exposure is monitored. The frequency of the monitoring should be commensurate with the risk exposure and the duration of the exemption to appetite.
• Action plan development to meet an aspirational or future-state ORA. ORA may contain appetite statements that the organisation may not currently fully adhere to. This may reflect management’s or the Board’s aspiration to change the organisation’s level of appetite. This change may not be possible to initiate quickly and therefore action plans should be put in place to outline the approach and timeline for meeting the aspirational future state. Progress against these plans should be monitored and reported to the Risk Committee (or equivalent body).

In addition, monitoring informs the recurring practice of revisiting and refreshing ORA targets to ensure relevance, currency and optimisation. The triggers used to monitor ORA should enable timely validation of settings and appetite levels. The output of this reporting (in conjunction with the other components of the ORMF) can be used to assess whether the business is taking too much or too little risk, and targets can then be adjusted accordingly. Changes to the statements, measures and targets should be subject to the appropriate governance approval process.

COMMON CHALLENGES
• The definition of data, the type of data, its source, accuracy, integrity and completeness is paramount to developing reporting for monitoring of ORA. Key questions to be answered in relation to these elements include:
–– Data definition: Determining what measures should be monitored (e.g. should a measure on staff turnover be limited to voluntary leavers? Should it include contract staff as well as full-time staff? Should it be a point in time or a rolling historic measure?)
–– Data completeness: What is the coverage of the dataset being used? (e.g. are all required areas of the business included in the dataset?)
• ORA may contain a mix of current and aspirational appetite statements. It is important to ensure that the document considers the current risk environment and organisational capability in order to ensure the statements are achievable within desired timeframes.
• Aspirational targets could also be ‘signposted’ in the document to provide clarity during implementation (e.g. ‘it is our desire to reduce the current external fraud exposures. In this financial year we will be investing further resources to improve fraud controls and support bringing external fraud exposures within the organisation’s low risk appetite’).
• Recognition that the monitoring process will need to evolve and be improved as the process develops.
PERFORMANCE MEASUREMENT
The measurement of business and individual performance provides a means for expressing and embedding operational risk appetite. A core component of a performance measurement framework is the set of KPIs used to evaluate performance. KPIs tend to serve their most practical purpose in conjunction with a system of thresholds; when a KPI breaches its associated threshold, it triggers a review, escalation or management action. Desired operational risk management behaviours are supported by alignment of KPIs with the ORAS.

Senior Leadership rewards should include performance against ORA. Linking incentives to ORA provides an effective mechanism to measure broader adherence to ORA and to ensure that Senior Leadership is held accountable for ORA in their businesses. Embedding such KPIs in Senior Leadership incentives allows top-down adoption of ORA. Linking performance KPIs to ORA will encourage embedding ORA at all levels of decision making, from strategic to operational.

Use of the ORAS should be part of the BAU process and not be seen as an additional task. Effective use of performance measurement helps drive towards a culture of risk-based decision making at all levels of the organisation. In addition, empowering individuals across all levels to buy into ORA and use and apply it in decision-making provides an effective risk management tool.

COMMON CHALLENGES
• The level at which the ORA is applied within the organisation needs to be determined.
• Once determined, the challenge is then to establish KPIs, or translate ORA measures into appropriate KPIs, that are meaningful for the assessment of performance at the levels to which accountability for ORA is assigned.
• Current level of risk management maturity: The maturity of an organisation’s ORMF and supporting culture can influence the understanding of the concept of risk appetite, the ownership and accountability in relation to ORA and the degree to which it is embedded in the organisation. The current level of maturity needs to be considered to determine the strategies needed to support the implementation of ORA.
• Consistent understanding of ORA: Mechanisms to communicate and reinforce a consistent understanding of ORA include training, reporting and monitoring, and a risk culture which encourages the right behaviours.

AN EXAMPLE OF THE APPLICATION AND IMPLEMENTATION OF OPERATIONAL RISK

SITUATION
Bank X was considering a capital investment decision to improve and upgrade its perimeter network to provide greater protection from unauthorised access and external fraud (hacking). The Bank had been provided with reports from its Technology department indicating that the legacy system design had limitations in containing evolving external threats. The Bank had also noticed recent external events where a number of US based banks were victims of attacks by external hackers and the capture of credit card information, which was being used to support fraudulent transactions on customers’ accounts.

CHALLENGE
Bank X had also seen attacks increasing on its own systems and had a rising cost of external fraud losses, which was starting to approach the upper tolerance of operational risk appetite for the number and frequency of attacks on the bank’s systems and total losses due to external fraud. The system hacking was also increasing the number and severity of system outages, which in turn was impacting the bank’s risk appetite on business availability for critical systems.

ORA IMPLEMENTATION OUTCOME
With the provision of this risk information on the impact of recent events to the Program Steering Committee, Senior Leadership approved a decision to provide the necessary investment to improve the system. This involved a multi-year program of work, including major infrastructure redesign and application redevelopment. The capital investment business case was approved based on the existing identified risks and the expected future impact of breaching operational risk appetite thresholds for external fraud and business system availability.
OPERATIONAL RISK APPETITE GOVERNANCE
Once the ORA has been formulated at the organisational level, it is up to the Board to approve the appetite. Where appetite is translated down into Divisions, the governing body should be the appropriate Board-delegated oversight body at the highest level at which ORA is set. In either instance, it is the role of the Risk Management function and the appropriate Risk Committees to oversee and challenge the ORA positions taken.

The purpose of ORA governance is to ensure that the organisation has a defined risk appetite and that it is appropriate given its strategic objectives and desired level of risk. This requires a process that supports both formulation of appetite and its ongoing application across the organisation. Key steps in the governance process should include:
• Board engagement in the formulation and implementation processes.
• Board and Senior Leadership challenge of the outcome of formulation.
• Board approval of appetite levels.
• Regular evaluation of appetite and making strategic or tactical changes as appropriate.

Figure 2: ORA governance process (stages shown: Engage, Formulate, Challenge, Approve, Implement, Evaluate)

REVIEW CYCLE AND TRIGGERS
The ORA should be formally reviewed during the strategic planning cycle (typically annually) to allow the Board and Senior Leadership to challenge objectives and targets by asking the right questions on the amount and type of risk the organisation is prepared to tolerate in pursuit of its strategy. There may be times, however, where the ORA does not provide adequate guidance, which necessitates revisiting its contents or the risk position taken. The ability to accept changes to appetite and the flexibility this provides needs to be balanced with the goal of influencing changes in behaviour and business practices. This is enabled through a robust governance framework and process that oversees changes to the ORA. Examples of triggers for such a review may include (but are not limited to):
• Major changes to strategy.
• External events.
• Regulatory or legislative changes.
• New or material changes to products or services.
• Organisational change (restructure).
• Entry into new markets.
• Significant internal events.
• Major breaches of appetite or trends towards exceeding appetite.
• Significant changes to the economic environment (e.g. volatility, downturn, upturn).

The materiality of any change to ORA should be considered to determine approval requirements. This assessment would be done by the Group Risk Management function as part of its responsibilities to challenge and provide advice on ORA. Approval arrangements might be defined as follows:
• Minor changes (i.e. not a change to actual appetite, just clarification) for noting.
• Material changes (i.e. change to appetite) for approval.

The role of the Board also includes monitoring performance against the ORA and overseeing its use and application within the organisation. Trigger events must be monitored by the business and Risk Management, and overseen by the Board, to ensure ORA outcomes remain current.

ORA reporting should be relevant, timely and useable for the business, taking into consideration the purpose and intended audience. ORA reporting should cover areas of key risks for consideration, in order to provide the business with insight and to drive informed decision-making. ORA reporting should be written in the context of the business, avoiding risk jargon and acronyms where possible.

SUMMARY OF KEY PRINCIPLES FOR ORA GOVERNANCE
• The ORA should be set by the organisation’s Board.
• The Board should periodically review ORA.
• Oversight of organisational performance within ORA parameters is a key responsibility of the Board.
ROLES AND RESPONSIBILITIES

ROLE OF THE BOARD
1. Challenge formulated risk appetite and proposed changes with consideration to:
–– Is appetite consistent with the firm’s short- and long-term strategy, business and capital plans, risk capacity as well as compensation programs?
–– Are there any current activities, risks or control frameworks inconsistent with the appetite being approved?
–– Have unintended consequences been considered?
2. Approve the Organisation’s Appetite.
3. Other activities performed may include:
–– Hold the CEO and other Senior Leadership accountable for the integrity of ORA, including the timely identification, management and escalation of breaches in risk limits and of material risk exposures.
–– Satisfy itself that there are mechanisms in place to ensure Senior Leadership can act in a timely manner to effectively manage, and where necessary mitigate, material adverse risk exposures, in particular those that are close to or exceed the approved ORAS.

ROLE OF THE EXECUTIVE (SUPPORTED BY RISK COMMITTEE)
1. Challenge formulated risk appetite and proposed changes with consideration to:
–– The same considerations as for the Role of the Board, plus:
–– Does the Division’s appetite align to the organisation’s ORA?
–– Where multiple Divisional ORAs are present, can the Executive provide a view of the aggregation of appetite against the organisation’s ORA? (If not, approval may have to be sent to a higher governance body.)
2. Approve Division Appetite (where relevant).
3. Other activities performed may include:
–– Ensure that annual business plans are in line with the approved ORA and that incentives/disincentives are included in the compensation programmes to facilitate adherence to ORA.
–– Include an assessment of risk appetite in their strategic discussions, including decisions regarding mergers, acquisitions, and growth in business lines or products.
–– Regularly review and monitor actual versus approved risk limits (e.g. by business line, legal entity, product, risk category), including qualitative measures of conduct risk.
–– Discuss and determine actions to be taken, if any, regarding ‘breaches’ in risk limits.
–– Ensure adequate resources and expertise are dedicated to operational risk management to support the application of the ORAS across the organisation.
–– Ensure risk management is supported by adequate and robust IT and MIS to enable identification, measurement, assessment, analysis and reporting of operational risk in a timely and accurate manner against ORA.
–– Ensure the Risk Profile reflects changes made in line with ORA.
APPENDIX A: EXAMPLE OF OPERATIONAL RISK APPETITE STATEMENTS
Example of Operational Risk Appetite Statement(s) showing different levels of granularity.

HIGH LEVEL OPERATIONAL RISK APPETITE STATEMENT
Bank X has a risk appetite of ‘Expansionary’ – it will accept higher levels of risk in pursuit of superior risk-adjusted returns. Bank X has a revenue growth strategy over the next 12 months and therefore is prepared to accept increased operational risk exposure related to taking on new products and services to ensure targets and benefits are achieved. Enablement functions must continue to consider a balanced approach to their risks and controls. Overall the bank has an appetite for operational risk losses not exceeding X% of enterprise revenue.
DETAILED OPERATIONAL RISK APPETITE STATEMENT

Appetite | Definition
Very Low | Avoid exposure to the risk
Low | Minimise/reduce the risk as much as possible
Medium | Take a balanced approach to risk and controls
High | Willing to pursue (seek/take risk)

Risk Category: Internal Fraud
Risk Appetite: Very Low
Statement: Very low tolerance for internal fraud, even though it may be unlikely to occur, and considers that fraud by its employees is unacceptable behaviour. Any employees found to have committed fraud will be dismissed.
Metric | Risk Target | Above Target | Tolerance
Loss Value/p.a. (cumulative) | ≥$x | $y–$x | <$y
Percentage of critical systems overdue for user recertification | 0% | 1%–9% | 10%
Number of significant unauthorised activities or instances of internal fraud | 0 | 1 |

Risk Category: External Fraud
Risk Appetite: Medium
Statement: Bank accepts that as a financial institution it is exposed to a significant inherent level of external fraud. Within the limits determined, the Bank is willing to tolerate financial losses resulting from external fraud.
Metric | Risk Target | Above Target | Tolerance
Loss Value/p.a. (cumulative) | ≥$x | $y–$x | <$y
Average system security compliance status (%) | ≥80% | 70%–79% | <70%
# IT Infrastructure vulnerabilities detected/qtr | <2 | 2–5 | >5

Risk Category: Employment Practices & Workplace Safety
Risk Appetite: Very Low
Statement: Bank is committed to providing and maintaining a safe and healthy workplace that will contribute to the wellbeing of all employees, contractors, clients and visitors, and has a low tolerance for employment practices and workplace safety events, however infrequently they may occur.
Metric | Risk Target | Above Target | Tolerance
Loss Value/p.a. (cumulative) | ≥$x | $y–$x | <$y
Lost time occurrence incidence rate (percentage of lost time/FTE/qtr) | ≤1.0% | 1.0%–1.2% | >1.2%

Risk Category: Clients, Products & Business Practices
Risk Appetite: Low
Statement: Bank has a low tolerance of activities or negligent failure to meet its obligations to its customers, and for systemic non-compliance with regulatory obligations.
Metric | Risk Target | Above Target | Tolerance
Loss Value/p.a. (cumulative) | ≥$x | $y–$x | <$y
Number of high risk findings >6 months outstanding/qtr | 1 | 2 |
Workforce compliance training penetration: % Employees receive training per year (cumulative) | ≥95% | 90%–95% | <90%

Risk Category: Business disruption and system failures
Risk Appetite: Medium
Statement: Bank has a moderate tolerance for infrequent (i.e. once in ten year events) major business disruption and system failure related events, and accepts that there will be instances that necessitate significant management action to remediate.
Metric | Risk Target | Above Target | Tolerance
Loss Value/p.a. (cumulative) | ≥$x | $y–$x | <$y
% critical systems tested/tested successfully in last 12 months | ≥85% | ≥85% | <80%

Risk Category: Damage to physical assets
Risk Appetite: Medium
Statement: Bank has a moderate tolerance for infrequent (i.e. once in ten year events) physical asset damage events, and accepts that there will be instances that necessitate significant management action to remediate.
Metric | Risk Target | Above Target | Tolerance
Loss Value/p.a. (cumulative) | ≥$x | ≥$x | <$y
Number of instances of major damage to physical assets/qtr | 2 | 2–5 | 5

Risk Category: Execution, Delivery & Process Management
Risk Appetite: Medium
Statement: Bank accepts that a number of manual processes exist and, as a result, expects that a minor level of execution, delivery & process management related risk is almost certain. Bank will accept a moderate level of outsourcing risk to achieve commensurate savings.
Metric | Risk Target | Above Target | Tolerance
Loss Value/p.a. (cumulative) | ≥$x | $y–$x | <$y
Average Annualised Voluntary Staff Turnover | <10 | 10–12 | >12
Workforce training penetration: % Employees receive training per year (cumulative) | ≥90% | 85%–90% | <85%
# of incidents related to processing failures/qtr | <20 | 20–30 | >30
APPENDIX B: ROLES AND RESPONSIBILITIES
The role of the three lines of defence in developing Operational Risk Appetite:

1ST LINE OF DEFENCE: BUSINESS
• Develop the division ORA in alignment with the Board and/or Group operational risk appetite.
• Monitor adherence to ORA.
• Report and escalate where indicators suggest the business is operating outside of appetite.
• Take action to remediate when the business is outside of ORA.
• Communicate expectations for use of the ORA in decision-making processes, so they are reflected in business activities (processes and procedures).
• Align policies and procedures to ORA tolerances and limits where appropriate.
• Ensure alignment between Board and Divisional ORA and identify and escalate inconsistencies for resolution.

2ND LINE OF DEFENCE: INDEPENDENT RISK MANAGEMENT FUNCTION
• Ensure the Group-wide ORA is in alignment with the Board and/or Group operational risk appetite.
• Own the ORA framework (Note: this may be part of the Operational Risk Management Framework and/or broader Risk Appetite Framework).
• Support the development of Divisional ORA (alignment, metrics, measures etc.).
• Provide constructive review and challenge of the key elements of Divisional ORAS (e.g. capacity, targets and measures).
• Provide linkages and consistency to existing elements of the Operational Risk Management Framework.
• Collect, analyse and independently report on and challenge the business lines’ information (measures and metrics).
• Monitor adherence to ORA.
• Independently review and challenge the alignment between Board and Divisional ORA.

3RD LINE OF DEFENCE: INTERNAL AUDIT
• Independently review the effectiveness of the governance and framework.
APPENDIX C: ACKNOWLEDGEMENTS
Acknowledgements for the development of the Operational Risk Appetite Guidance Note are outlined below.
• Risk Management Association for establishing and sponsoring the ORA Working Group.
• ANZ and NAB for coordinating development of the ORA Guidance Note.
• PwC’s Rachael Phelan and Shari Emin for facilitation and coordination of the ORA workshops and Guidance Note.

The RMA would like to acknowledge the contributions of representatives of the following member banks to the development of this Guidance Note:
Graeme Alexander – Rabobank
Kirsten Allen – Westpac Banking Group
Jodi Altona – Rabobank Australia & NZ
Maria Apostolopoulos – ME Bank
Michael Barr – NAB Group
Anthony Barreiro – Westpac Banking Group
Jacqui Boddy – Bank of Queensland
John Evans – CBA
Ian Falls – ANZ Banking Group
Allison Gray – Bendigo and Adelaide Bank
Greg Gokavi-Whaley – ANZ Banking Group
Rebekah Heavan – Westpac Banking Group
Viet Huynh – Bendigo and Adelaide Bank
Dominique Layt – Suncorp Group
Susan Mackenzie – Bank of Queensland
Richard Michael – HSBC
Tamara Monaghan – NAB Group
Peter Papasarantopoulos – ANZ Banking Group
Tony Petkovski – CBA
Larren Sher – Investec
Stephen Smith – Suncorp Group
Nicole Spratt – ME Bank
Tony Tronolone – CBA
Emily Watchorn – Macquarie Group Limited