Integrating Resilience into a Risk Appetite Framework
- traceychinman2
- May 8
Part of our "Resilience and Readiness" Blog Series
Why It’s Time to Rethink the Risk Appetite Framework
Resilience has become a core business capability, not a buzzword. In today’s volatile environment - marked by economic uncertainty, geopolitical instability, and systemic digital threats - financial institutions must evolve their risk appetite frameworks (RAFs) to explicitly reflect their capacity to withstand, adapt, and recover from disruption.
For Canada’s federally regulated financial institutions, this is not only a strategic imperative but also a regulatory expectation. OSFI’s Guideline E-21: Operational Risk and Resilience calls on institutions to proactively embed resilience into governance, planning, and operations. A well-structured RAF offers a crucial mechanism for doing just that.
From Reactive to Resilient: Expanding the Scope of Risk Appetite
Historically, RAFs have centered on risk-taking in financial terms—market volatility, credit exposure, capital adequacy. More recently, institutions have started to include non-financial risk elements in their RAFs; however, most measures tend to be backward-looking. A modern RAF must account for a broader question: How much disruption can we tolerate and still serve our customers, protect our brand, and meet our obligations?
Resilience-informed RAFs shift the lens from risk avoidance to operational endurance, and shift measurements from lagging indicators to forward-looking measurements.
Key Elements of a Resilience-Integrated RAF
1. Clear Resilience Objectives
Risk appetite statements should reflect strategic resilience goals—such as maintaining access to payment systems, safeguarding customer data during outages, or withstanding economic stress. These qualitative goals frame the organization’s tolerance for service disruption and reputational impact.
2. Operational Tolerances
Quantitative thresholds—such as maximum allowable downtime for critical systems, recovery time objectives (RTOs), or acceptable backlogs in collections—could be incorporated in early drafts of risk appetite statements. These serve as measurable limits that help define when resilience is at risk. However, these measures are backward-looking, or lagging, indicators. Consideration should be given to establishing more forward-looking indicators, or early warning indicators (EWIs). Examples could include Indicators of Compromise for cybersecurity, late remediation of issues and internal audit findings, and metrics arising from scenario analysis.
3. Integration of Stress Testing
Scenario-based stress testing provides insight into the organization’s ability to absorb shocks. This includes simulations of prolonged interest rate hikes, cyber breaches, prolonged disruption to the business such as power outages, or macroeconomic contractions. These insights inform both strategic planning and risk tolerance calibration.
4. Use of Early Warning Indicators
As seen in recession readiness frameworks, economic indicators—like changes in delinquency rates, consumer spending, or cyber threat levels—can serve as triggers for escalation. These can be integrated into the RAF to prompt timely reassessments or action.
Governance and Accountability
Resilience doesn’t reside in a single function—it requires enterprise-wide alignment. However, risk and audit functions play key roles in validating the appropriateness of risk appetite statements, monitoring breaches, and ensuring governance processes escalate issues effectively.
Executive risk committees and boards must also be actively engaged. They should review resilience-linked breaches with the same diligence applied to capital or liquidity issues, reinforcing the importance of resilience at the highest levels.
Conclusion: Making Resilience a Strategic Lever
Integrating resilience into the RAF represents a shift toward a more mature and adaptive risk culture. It ensures that business decisions—from outsourcing agreements to credit policy adjustments—are grounded in a transparent view of operational risk capacity.
For Canadian financial institutions navigating today’s uncertainty, resilience-informed risk appetite isn’t just a regulatory checkbox. It’s a strategic lever that can differentiate leaders from laggards in the next crisis.


