Confirming Risk Appetite
(Part of the “Plan” Phase in Operational Resilience for Metrobank)
Introduction
Confirming the organisation’s risk appetite is a foundational step in the plan phase of operational resilience. For Metrobank, this means setting the boundaries of acceptable risk and disruption for its critical operations, aligning these with strategic objectives, regulatory expectations, and the bank’s inherent risk profile.
At this stage, Metrobank must translate its high-level risk appetite into operational resilience-specific parameters: how much disruption it can tolerate, what kinds of threats are acceptable, and which scenarios demand response.
This chapter elaborates on how Metrobank should implement the “Confirm Risk Appetite” step, describes the key implementation steps in a structured way, and provides examples aligned with the regulatory requirements under the Bangko Sentral ng Pilipinas (BSP) Guidelines on Operational Resilience.
Implementation Steps
Below are the implementation steps Metrobank should follow to confirm its operational resilience risk appetite, with elaboration and examples.
Align risk appetite with strategic objectives and business model
Description:
Metrobank must ensure that its risk appetite framework for operational resilience is rooted in its broader risk appetite statement, strategic goals (growth, customer service, digital expansion), and its business model in the Philippines.
The board and senior management must consider how much operational disruption the bank will accept in pursuit of its objectives.
Key activities:
- Review Metrobank’s enterprise-wide risk appetite statement, strategy, and major initiatives (e.g., digital banking growth, overseas branches).
- Identify the bank’s strategic priorities (e.g., expanding Philippine retail banking, enhancing digital channels, and cross-border operations).
- Map how operational resilience supports continuity of those strategic priorities — for example: continuous access to payments and deposits, uninterrupted digital banking service, and branch operations during natural disasters.
- Define high-level risk appetite indicators specific to operational resilience (for example: maximum acceptable downtime for digital channels, maximum number of customers unable to transact, maximum losses or reputational damage from service disruption).
Example for Metrobank
- Given its strategic emphasis on digital banking and customer service excellence, Metrobank may set a risk appetite for operational resilience such that:
  - Digital banking services must be restored within two hours following a significant outage; otherwise, reputational damage exceeds tolerance.
  - In-branch critical services (cash withdrawals, deposits) may tolerate up to four hours of disruption during natural disasters, provided alternative channels operate.
  - The bank will accept up to a 1 % drop in daily transaction volumes for no more than one day in a severe disruption scenario; otherwise, this is deemed outside the bank's appetite.
This aligns with Metrobank’s high service-level expectations and its role as a systemically relevant Philippine bank.
Define operational-resilience-specific risk appetite parameters: tolerance for disruption and thresholds
Description:
Operational resilience demands that Metrobank define its “tolerance for disruption” — the maximum level of disruption for critical operations that it is willing to accept — and set thresholds and metrics that make that appetite measurable. Under the BSP guidelines, this is mandatory.
Key activities:
- Identify critical operations (in a later stage) and then for each, define quantitative and qualitative metrics: e.g., maximum acceptable downtime (hours), maximum number of customers impacted, maximum financial loss, maximum number of channels unavailable.
- Set a time-based metric (e.g., hours of disruption) and other relevant metrics (volume of transactions impacted, value of business unaffected, number of customers served).
- Define thresholds: for example, Green (within appetite), Amber (approaching threshold), Red (breach of appetite).
- Ensure board approval of these operational-resilience-specific risk appetite parameters. According to the BSP guidelines, “tolerance for disruption shall be set … and a mechanism should be in place for review, challenge and board approval”.
Example for Metrobank
- Metrobank’s board approves that the bank’s tolerance for disruption for its mobile banking channel is a maximum of one hour of unplanned outage during business hours; any outage longer triggers escalation.
- For the internal clearing and settlement platform supporting deposit withdrawals, Metrobank defines that no more than 0.5 % of transactions may be delayed beyond the standard SLA for more than two hours.
- For the contingency plan regarding a natural disaster at a central branch cluster in Metro Manila, Metrobank sets a threshold of no more than one day of branch closure (with alternative channels available) before the business interruption falls outside its risk appetite.
- The board and senior management maintain an appetite statement: “Metrobank accepts operational risk events that result in disruption of critical operations only so long as they remain within the defined tolerance metrics; any scenario where disruption exceeds the defined tolerance is a matter for escalation to the board and may trigger strategic review.”
Embed risk appetite into governance, roles & responsibilities
Description:
The risk appetite for operational resilience must be formally approved, communicated, and embedded into the governance structure of Metrobank. Under the BSP guidelines, governance is a core element: the board must oversee, senior management must implement, and the three lines of defence must be specified.
Key activities:
- The Board of Directors approves the operational resilience risk appetite statement, tolerance metrics, and thresholds.
- Senior management (e.g., Chief Risk Officer, Chief Operational Resilience Officer) is assigned responsibility for implementing and monitoring the risk appetite in respect of operational resilience.
- Define ownership: first line (business units and operations) implement within appetite; second line (risk management, compliance) monitor exposures vs. tolerance; third line (internal audit) provides independent assurance. This aligns with BSP’s three lines of defence requirement.
- Ensure that the appetite and tolerance metrics are incorporated into relevant risk reports, dashboards, and escalation processes.
- Communication and training: ensure business units understand what the appetite means in practice (e.g., what constitutes a breach of appetite, how to escalate).
Example for Metrobank:
- Metrobank’s Board Risk Committee receives the operational resilience risk appetite statement and approves it, specifically noting: “Board acknowledges the tolerance for disruption of up to two hours for online channels and up to one day of branch closure for high-priority branch clusters.”
- Senior Management assigns the Head of Operational Resilience (reporting to the CRO) to monitor resilience metrics monthly, escalate instances nearing tolerance thresholds to the Risk Committee, and ensure escalation of breaches to the full Board.
- Heads of each business unit (e.g., Retail Banking, Digital Channels, Operations) receive training on the risk appetite for resilience and how their operations must be aligned. For example, Digital Channels management monitors downtime and transaction delay metrics and reports on “amber” status when nearing thresholds.
- Internal Audit includes within its annual audit plan a review of adherence to the operational resilience risk appetite and whether processes remain within tolerance.
Link risk appetite to scenario analysis and the severity of plausible disruptions
Description:
Confirming risk appetite must include considering the bank’s exposure to severe but plausible disruption scenarios and determining how the established appetite holds up under those scenarios.
The BSP guidance emphasises that institutions must determine severe but plausible scenarios in setting tolerance for disruption.
Key activities:
- Develop a set of disruption scenarios (natural disasters, cyber-attack, third-party failure, major system outage) that reflect Metrobank’s operating environment in the Philippines (typhoons, earthquakes, digital channel cyber risk, business continuity of service providers).
- For each scenario, assess the impact on critical operations and compare the expected resultant disruption with the tolerance metrics.
- Determine whether the current risk appetite and resilience capabilities enable maintaining the delivery of critical operations within tolerance in each scenario. If not, appetite or the resilience capability has to be adjusted (either narrowing appetite or strengthening resilience).
- Document the scenario-based stress to the risk appetite. Use this to validate that the risk appetite is realistic and achievable.
Example for Metrobank:
- Scenario A: A magnitude 7.2 earthquake along the West Valley Fault hits Metro Manila, disabling main data-centre operations and a major branch cluster for 24 hours. Metrobank assesses: the mobile banking channel may be disrupted for two hours, the branch network for 12 hours, and transaction delays increase by 3 %. The tolerance for the mobile channel (2 hours) is just met, the branch closure threshold (1 day) is just met, but the transaction delay (3 % > 0.5 %) breaches the tolerance. Metrobank, therefore, concludes that either it must strengthen its resilience for transaction processing (e.g., alternate processing site, fail-over) or revise its appetite.
- Scenario B: A simultaneous ransomware attack hits Metrobank’s payment settlement system, and a key third-party service provider fails. Metrobank models this as three three-hour outages for settlement, increased manual work, potential financial loss of PHP 50 million, and customer delays. This is compared to its tolerance of, e.g., up to one hour outage for settlement and maximum PHP 20 million loss. The scenario shows the appetite is likely exceeded, so Metrobank deliberates whether to accept this risk (and revise appetite) or invest to reduce exposure.
- Scenario C: A typhoon hits a regional centre, causing branch closures for 36 hours; transaction volumes drop by 2 %. Tolerance for branch closure (one day) is exceeded (36 h = 1.5 days). The bank must decide whether to accept the breach, activate the contingency plan (alternative channels) to bring disruption within tolerance, or revise appetite downward.
These scenario exercises help confirm whether Metrobank’s risk appetite is consistent with its exposure to plausible disruptions.
Document and communicate the risk appetite and tolerance framework
Description:
Having defined the risk appetite and tolerance metrics for operational resilience, Metrobank must document the framework, formalise approval, communicate across the organisation, and integrate into policies, procedures, and risk reporting.
Key activities:
- Prepare a formal Operational Resilience Risk Appetite Statement, approved by the board, which includes definitions of critical operations, tolerance metrics, thresholds (Green/Amber/Red) and links to resilience capabilities.
- Update relevant policies (operational risk, ICT risk, business continuity, third-party risk) to reflect the appetite and tolerance framework.
- Communicate across the bank: business units, operations, ICT, risk management, internal audit, and crisis management teams. Conduct training or awareness sessions emphasising what the appetite means in practice and what triggers escalation.
- Integrate key metrics into dashboards and monthly/quarterly reports to senior management and the board. Establish reporting frequency, trigger thresholds, and escalation paths.
- Ensure the framework is reviewed periodically (see later step) and updated as the business model, threat landscape, or regulatory environment changes.
Example for Metrobank
- Metrobank issues a Board-approved document titled “Metrobank Operational Resilience Risk Appetite Statement – 2025” which states: “Metrobank’s appetite for disruption of mobile banking service is up to 1 hour of unplanned outage; branch network may close up to 24 hours; transaction delays must not exceed 0.5 % volume beyond SLA; any breach will be escalated to the Board Risk Committee within 24 hours.”
- The bank updates its Business Continuity Policy, Third-Party Risk Policy, and ICT Risk Policy to refer to the operational resilience tolerance metrics and escalation protocol.
- A training session for business units emphasises: “If you anticipate that downtime will exceed 30 minutes (50 % of tolerance) you must initiate the escalation and remediation plan.”
- Senior Management receives a monthly resilience dashboard showing ‘Time to restore service’ for each critical operation, number of service-provider failures, volume/transaction delays, and a ‘colour’ status (Green/Amber/Red) relative to thresholds.
- The bank also schedules an annual review of the operational resilience risk appetite framework (or sooner if business model changes) to ensure alignment.
Monitor, review, and adjust the risk appetite
Description:
Risk appetite is not static. Metrobank must monitor adherence, capture breaches or near-breaches, feed in lessons from tests, incidents, and a changing business environment, and adjust the risk appetite or tolerance if needed.
This ties into the later “Review” phase of the resilience methodology, but it is relevant to the confirmation of appetite. The BSP guidelines require periodic review and update of the operational resilience framework in line with appetite, business model, complexity, and threats.
Key activities:
- Monitor operational resilience metrics and produce periodic reports on adherence to tolerance thresholds.
- Capture incidents or disruptions: record actual vs. tolerated downtime, customer impact, losses, third-party failures. Escalate when thresholds are breached.
- Post-incident and post-exercise lessons-learned: assess whether the tolerance metrics remain appropriate in light of actual experience or changing threats (e.g., shift toward cloud services, increased cyber-threats, frequency of natural disasters).
- Review business model changes (e.g., new digital offering, M&A, geographic expansion) and assess whether risk appetite remains valid or needs tightening/relaxing.
- Facilitate formal board review (e.g., annually) of the operational resilience appetite and tolerance, and update as necessary.
Example for Metrobank
- After a large tropical storm caused a two-day regional branch closure, Metrobank reviewed its branch closure tolerance (previously one day). At the board’s review meeting, the tolerance was adjusted to 36 hours for that region (with alternative channel activation), given enhancements made in digital channel capacity, but the tolerance for major national-scale outage was tightened to 24 hours.
- A ransomware incident caused six hours of downtime on the payments platform; the bank exceeded its one-hour tolerance. A root-cause review found deficiencies in third-party service provider oversight and a lack of an alternative processing site. The board decided to maintain the one-hour tolerance but invest in an alternate processing centre, and set a policy that any such incident must trigger immediate remediation steps and board escalation.
- The monthly dashboard showed that the mobile banking channel had experienced several near-breach events (45 minutes of downtime) in the past 12 months due to maintenance. Metrobank decided to adjust its tolerance for downtime for mobile services from one hour to 45 minutes to align with the strategic priority of digital reliability, and committed to reducing maintenance-related outages via improved release management.
Regulatory & Compliance Context for Metrobank in the Philippines
For Metrobank’s operational resilience planning, understanding and aligning with the regulatory requirements under the BSP’s “Guidelines on Operational Resilience” is essential. Below are key compliance points relevant to this “Confirm Risk Appetite” step:
- The guidelines apply to all BSP-supervised financial institutions (BSFIs), including banks operating in the Philippines, such as Metrobank, on both a solo and group-wide basis.
- The guidelines require that a BSFI define its “tolerance for disruption” for its critical operations, and such aspects of risk appetite must be approved by its board of directors.
- The guidelines require that the BSFI utilise its existing governance structure to implement the operational resilience approach, specifying the roles of the board, senior management, and the three lines of defence.
- The BSFI must determine severe but plausible scenarios and link them to the tolerance for disruption.
- The BSFI must disclose in its annual report its overarching approach to operational resilience (which includes risk appetite/tolerance) and must notify the BSP within 24 hours of activating the incident response plan for critical operations.
- The BSP supervisory framework will assess whether a BSFI’s operational resilience framework (including risk appetite) is robust, credible, and feasible in enabling the institution to deliver critical operations through disruptions.
For Metrobank, therefore, the confirmation of risk appetite must satisfy these regulatory expectations.
The bank’s documentation of tolerance, metrics, board approval, and alignment with severe-but-plausible scenarios will be subject to supervisory scrutiny and may form part of the BSP’s self-assessment questionnaire and supervisory review.
In summary, the “Confirm Risk Appetite” stage is critical for Metrobank’s operational resilience planning because it establishes the boundary between acceptable disruption and unacceptable risk.
By aligning the bank’s strategic objectives with its operational resilience needs, defining concrete tolerance metrics, embedding these within governance, testing them via scenario analysis, documenting and communicating them, and maintaining an ongoing review process, Metrobank sets a sound foundation for its resilience programme.
Importantly, these actions also ensure compliance with the BSP’s Guidelines on Operational Resilience, which require a clear tolerance for disruption, board-approved appetite, scenario analysis and integration into the bank’s governance and risk management structures.
Once Metrobank has completed confirming its risk appetite, it can proceed to the next steps of identifying critical operations, mapping interdependencies, and building out its resilience capabilities with the confidence that its appetite and tolerance have been established and approved.
Building Resilient Banking Operations: The Metrobank Operational Resilience Implementation Guide
"Plan" Phase of the Operational Resilience Planning Methodology