BANK 7.2.4 Principle 4: risk appetite and tolerance

(1) A banking business firm must approve and review its risk appetite and tolerance for operational risk.
(2) The firm must consider:
(a) all relevant risks;
(b) the firm’s level of risk aversion;
(c) its current financial condition; and
(d) its strategic direction.
(3) The firm must set out the various operational risk appetites within the firm and must ensure that they are consistent. The firm must approve appropriate thresholds or limits for specific operational risks, and an overall operational risk appetite and tolerance.
(4) The firm must regularly review the appropriateness of limits and the overall operational risk appetite and tolerance. Such a review must consider changes in the external environment, significant increases in business or activity volumes, the quality of the control environment, the effectiveness of risk management or mitigation strategies, loss experience, and the frequency, volume and nature of breaches of limits.
(5) The firm must monitor management’s adherence to the statement and must provide for timely detection and remediation of breaches.
Derived from QFCRA RM/2020-2 (as from 1st January 2021)