[OR] [AmB] [E2] [P1] [S4] [C6] Confirming Risk Appetite

Confirming Risk Appetite in the Plan Phase of Operational Resilience Planning for AmBank Malaysia

(Part of the “Plan” Phase in Operational Resilience for Metrobank)

Introduction

In the financial sector, defining and confirming risk appetite is a crucial step in ensuring an effective operational resilience strategy.

For AmBank Malaysia, confirming risk appetite within the “Plan” phase of its Operational Resilience Planning Methodology establishes clear boundaries for risk-taking while aligning resilience efforts with the bank’s business objectives and regulatory expectations.

The “Confirm Risk Appetite” stage helps AmBank Malaysia determine the level of operational disruption it can withstand, ensuring that critical business services remain available even under adverse conditions.

This article outlines the key implementation steps for confirming risk appetite, supplemented with examples relevant to the bank’s operational environment.

Implementation Steps for Confirming Risk Appetite

Step 1: Define the Scope of Risk Appetite for Operational Resilience

Objective:

To set the boundaries for risk-taking across critical business services, functions, and supporting infrastructure.

Actions:

• Identify critical business services that require resilience planning, such as retail banking operations, digital banking platforms, treasury operations, and payments processing.
• Define key operational risks, including cybersecurity threats, third-party service failures, IT disruptions, and regulatory non-compliance.
• Establish acceptable thresholds for operational disruption, such as maximum allowable downtime (MAD) and recovery time objectives (RTO) for core services.

Example:

AmBank Malaysia determines that its real-time gross settlement (RTGS) system must recover within one hour in the event of a cyberattack, ensuring uninterrupted high-value transactions.

Step 2: Align Risk Appetite with Regulatory and Strategic Objectives

Objective:

To ensure the bank’s operational resilience, the risk appetite is consistent with Bank Negara Malaysia (BNM) regulatory guidelines and AmBank’s overall risk management framework.

Actions:

• Review BNM’s Operational Risk and Resilience Guidelines to align risk appetite with compliance requirements.
• Ensure risk appetite aligns with AmBank’s corporate strategy, such as the expansion of its digital banking services and financial inclusion initiatives.
• Consult key stakeholders, including the Board of Directors, Risk Management Committee, and business unit leaders, to validate alignment.

Example:

AmBank Malaysia aligns its risk appetite for digital banking downtime with BNM’s expectations by setting a maximum allowable disruption time of 30 minutes for its online banking services, ensuring compliance with digital banking resilience standards.

Step 3: Establish Risk Metrics and Tolerance Levels

Objective:

To define quantifiable risk appetite statements and set specific risk tolerance thresholds.

Actions:

• Develop risk appetite statements that outline acceptable risk levels for different types of disruptions.
• Identify key risk indicators (KRIs) that measure adherence to risk appetite, such as:
• System uptime percentage (e.g., 99.9% availability for digital banking).
• Transaction failure rate (e.g., less than 0.5% of digital transactions fail).
• Third-party service recovery time (e.g., critical vendors must restore services within two hours).
• Define action triggers when risk metrics approach tolerance limits.

Example:

AmBank Malaysia implements a real-time monitoring system for its ATM network. If the transaction failure rate exceeds 1%, an automatic escalation process is triggered for immediate investigation and remediation.

Step 4: Conduct Stress Testing and Scenario Analysis

Objective:

To test the practicality of risk appetite thresholds under various operational disruption scenarios.

Actions:

• Develop resilience scenarios, such as cyberattacks, IT system failures, third-party disruptions, and natural disasters.
• Simulate worst-case operational disruptions and evaluate whether AmBank’s risk appetite tolerances are realistic.
• Adjust risk appetite statements based on test results, ensuring that business services can recover within the defined limits.

Example:

AmBank Malaysia runs a cyber resilience stress test where its digital banking platform is subjected to a simulated ransomware attack. The test reveals that customer login failures exceed the bank’s acceptable threshold of 0.5%, prompting adjustments in cybersecurity investment and incident response protocols.

Step 5: Formalise and Communicate Risk Appetite Statements

Objective:

To ensure all stakeholders understand and adhere to the bank’s operational resilience risk appetite.

Actions:

• Document and approve the Operational Resilience Risk Appetite Statement as part of the bank’s enterprise risk management (ERM) framework.
• Communicate risk appetite levels to all relevant teams, including risk management, IT, operations, and third-party service providers.
• Integrate risk appetite statements into business continuity and incident response plans for seamless execution during disruptions.

Example:

AmBank Malaysia formally includes its risk appetite for digital payment processing in its ERM policy, ensuring that the IT and payments operations teams proactively monitor and mitigate risks that could exceed defined tolerance levels.

Confirming risk appetite is a critical component of AmBank Malaysia’s operational resilience planning. By defining clear risk tolerance thresholds, aligning with regulatory requirements, implementing quantifiable risk metrics, conducting stress testing, and ensuring organization-wide communication, AmBank strengthens its ability to withstand operational disruptions.

A well-defined risk appetite enables the bank to balance risk-taking with resilience, ensuring uninterrupted financial services for its customers while meeting regulatory and strategic objectives.

Gain Competency: For organisations looking to accelerate their journey, BCM Institute’s training and certification programs, including the OR-5000 Operational Resilience Expert Implementer course, provide in-depth insights and practical toolkits for effectively embedding this model.