Contents
- ICT Risk Appetite Statement
- Regulatory Requirement
- Core Elements of the ICT Risk Appetite Statement
- Alignment with Overall Business Strategy and Risk Appetite
- Definition of ICT Risk Categories and Scope
- Quantitative and Qualitative Risk Tolerance Levels
- Impact Tolerance for ICT Disruptions
- Governance, Roles and Responsibilities
- Embedding into the ICT Risk Management Framework
- Residual ICT Risk Acceptance
- Continuous Monitoring and Adjustment
- Purpose and Supervisory Significance
ICT Risk Appetite Statement
Regulatory Requirement
Financial entities shall, as part of their digital operational resilience strategy, define and formalise the ICT risk appetite, including risk tolerance levels and impact tolerance thresholds for ICT disruptions. This statement must articulate the level of ICT risk the institution is willing to accept in achieving its business objectives and serve as a mandatory anchor for all ICT risk management, ICT governance, ICT controls, incident management, continuity planning, and digital operational resilience testing.
Core Elements of the ICT Risk Appetite Statement
Alignment with Overall Business Strategy and Risk Appetite
The ICT risk appetite must:
- Be directly derived from, and explicitly aligned with, the enterprise-wide risk appetite of the financial entity.
- Demonstrate how ICT risk acceptance supports the business model, strategic objectives, and the operational dependencies on digital and outsourced ICT services.
- Ensure that ICT risk tolerance is not defined in isolation but integrated into the institution’s overarching risk governance.
Definition of ICT Risk Categories and Scope
The statement must specify the ICT risk categories to which risk appetite applies, including at minimum:
- ICT system availability and continuity risks,
- ICT security, confidentiality, integrity and authenticity risks,
- Cybersecurity and cyber-threat risks,
- ICT third-party and supply-chain risks,
- Data loss, data corruption and data quality risks,
- Change and deployment risks,
- ICT obsolescence and technical-debt risks,
- Logging, monitoring and detection capability risks.
Each category must include a precise articulation of which risks are accepted and which are not tolerated.
Quantitative and Qualitative Risk Tolerance Levels
The ICT risk appetite must define measurable tolerances including, as appropriate:
- Maximum tolerable downtime (aligned with impact tolerances and BIA),
- Maximum tolerable data loss (e.g., RPO thresholds),
- Maximum acceptable number and severity of ICT-related incidents,
- Cyber-attack resilience thresholds,
- Acceptable control failures vs zero-tolerance areas (e.g., segregation-of-duties breaches, privileged-access misuse, non-encrypted transfers of classified data),
- Service-level tolerances for ICT third-party providers supporting critical or important functions.
Quantitative metrics must be complemented by qualitative risk statements governing unacceptable behaviours, systemic weaknesses, governance failures, and cultural expectations.
Impact Tolerance for ICT Disruptions
In accordance with DORA, the ICT risk appetite must explicitly incorporate impact tolerance, including:
- The maximum level of disruption the entity can withstand while continuing to deliver critical or important functions,
- Scenarios describing severe but plausible ICT shocks,
- Thresholds that trigger activation of ICT response, recovery and crisis communication plans,
- Alignment of impact tolerances with the BIA results (Article 11(5) DORA).
These thresholds guide the design of continuity architectures, redundancy, failover mechanisms, and crisis management structures.
Governance, Roles and Responsibilities
The ICT risk appetite statement must specify:
- Approval by the management body, which retains full accountability,
- Oversight by the ICT risk management function,
- Integration with control functions (risk management, compliance, internal audit),
- Mandatory periodic review (at least annually or after major ICT incidents).
Embedding into the ICT Risk Management Framework
The risk appetite must govern:
- ICT risk identification, classification, and assessment,
- Prioritisation of ICT risk treatment measures,
- Residual risk acceptance processes,
- ICT change management and deployment decisions,
- Digital operational resilience testing priorities,
- ICT third-party onboarding and continuous monitoring,
- Budget allocation for resilience capabilities (Article 5(2)(g) DORA).
All controls, policies, processes and testing regimes must be consistent with the defined risk tolerance.
Residual ICT Risk Acceptance
The ICT risk appetite must set:
- Criteria for accepting residual ICT risks exceeding tolerance levels,
- Documentation requirements for such exceptions,
- Escalation to senior management,
- Annual review of all accepted residual risks (in line with Article 3(d) RTS RMF).
Continuous Monitoring and Adjustment
The statement must require:
- Monitoring of changes in the ICT and cyber-threat landscape,
- Ongoing evaluation of whether risk tolerances remain appropriate,
- Adjustment following incidents, audits, resilience testing, or supervisory instructions.
Purpose and Supervisory Significance
The ICT Risk Appetite Statement is the anchor document that operationalises the digital operational resilience strategy. Supervisors will evaluate:
- Whether the risk appetite is specific, measurable, and proportionate,
- Whether it is embedded into ICT governance and control processes,
- Whether ICT risk treatment, residual risk acceptance and continuity measures demonstrably follow the defined tolerance levels,
- Whether the entity’s impact tolerances are realistic, tested, and aligned with BIA outputs.
A vague, unmeasurable or unimplemented ICT risk appetite will be considered ineffective under DORA.