Re-engineering Enterprise Risk Appetite for Integrated Capacity Consumption

December 12, 2025 | 5 minutes reading time | By Astrid Yee-Sobraques

Risk appetite statements must evolve from siloed risk-type thresholds to horizontal frameworks that measure capacity consumption across interconnected exposures.

In May 2023, the Clop ransomware group exploited a zero-day vulnerability in Progress Software's MOVEit Transfer application. The breach ultimately affected more than 2,500 organizations worldwide, with estimated losses reaching $9.93 billion by October 2023. Among those impacted: Deutsche Bank, ING, Postbank, and Comdirect – all major European banks that used the same third-party vendor, Majorel, for account switching services.

The incident exposed a fundamental flaw in how organizations approach risk appetite. The Majorel compromise triggered cyber, operational, and reputational risk simultaneously. Traditional siloed appetite statements prove meaningless when confronted with cascading, interconnected exposures.

This is the integration challenge that Basel II inadvertently created. The 2004 regulatory framework established three pillars that explicitly separated credit risk, market risk, and operational risk as distinct categories requiring separate capital calculations.

Organizations built risk appetite frameworks that mirrored this structure because regulatory requirements and organizational charts made silos the path of least resistance. Yet, Basel’s own Pillar 2 – the forward-looking, supervisory review – explicitly demands the integrated horizontal analysis that the Pillar 1-based, siloed appetite statements simply cannot deliver.

The result: Risk appetite statements that look operationally precise but prove strategically unhelpful. “Zero tolerance for cyber incidents” or “moderate appetite for operational disruptions” or “low appetite for reputational risk” fail to guide strategic decisions when interconnected risks trigger simultaneously. Separate appetite statements for each risk type ignore the correlations that define how risks materialize.

The Case for Horizontal Risk Appetite

Enterprise risk appetite must reflect a fundamental reality: Risks do not occur in isolation. Attempting to govern interconnected exposures through separate statements for each risk type misses how modern enterprises face loss events – through cascading scenarios that cross organizational and regulatory boundaries.

The alternative is horizontal risk appetite: identifying the organization’s top enterprise risk scenarios, quantifying the integrated exposure across all risk types within each scenario, and setting appetite thresholds that govern the complete cascade – not its standalone components.

Consider what an integrated risk appetite framework would have revealed for the European banks affected by MOVEit. A “shared critical vendor compromise” scenario would have quantified:

  • Direct incident response costs: Forensic investigation, legal counsel, crisis management, technology remediation – these direct costs could represent several million dollars depending on breach scope and the duration of the response effort.
  • Regulatory notification and penalties: Under the General Data Protection Regulation (GDPR), notification requirements trigger immediately. While the European banks in the MOVEit incident faced no disclosed penalties, GDPR fines can reach 4% of annual global turnover or €20 million, whichever is greater. A prudent scenario would estimate potential regulatory exposure in the range of millions of dollars.
  • Customer remediation obligations: Credit monitoring services, identity theft protection, customer communication campaigns. For breaches affecting thousands of customers with compromised account information, remediation costs would represent a material expense.
  • Operational disruption: The MOVEit compromise forced affected banks to suspend or manually process account switching services for weeks. For retail banking operations, this translates to delayed onboarding, customer service costs, and potential revenue loss from customers unable to complete account transfers. The operational impact would be measured in the millions depending on the bank’s scale and the duration of service degradation.
  • Reputational impact and customer attrition: The most difficult component to quantify, yet potentially the largest. According to PKWARE research, 38% of customers indicate they would change financial institutions after a breach. For a major European bank with millions of retail customers, even a fraction of that attrition rate could represent tens of millions of dollars in lost lifetime customer value.

This represents the type of integrated analysis that scenario planning should reveal. Rigorous scenario quantification requires granular inputs: specific data types at risk, affected customer populations, operational recovery timelines, and attack vector characteristics. The four European banks knew they used Majorel to process sensitive customer data.

From Risk Appetite to Capacity Consumption

A hypothetical enterprise risk appetite statement for a MOVEit-like scenario would read: “We accept up to $50 million in integrated losses – including cyber response, regulatory penalties, operational disruption, and estimated customer attrition impacts – from any single critical vendor compromise, provided critical operations are restored within 10 business days.”

This statement does three things traditional siloed statements cannot:

First, it establishes an integrated threshold that accounts for cascading impacts across risk types. The $50 million limit governs the combined cyber, operational, regulatory, and reputational exposure – not separate limits that create false precision.

Second, it includes operational recovery and strategic impact constraints that force scenario testing. A vendor breach that costs $45 million but takes six months to resolve exceeds appetite, even though it’s under the financial threshold. The statement creates testable parameters.

Third, it enables capacity consumption analysis – the mechanism that makes risk appetite operational rather than aspirational.

Capacity consumption operates as both an individual scenario metric and a portfolio view. While each scenario is tested against its specific appetite threshold, the organization must also monitor cumulative capacity consumption across all material scenarios within a rolling 12-month period to ensure aggregate resilience.

Each scenario consumes a percentage of total capacity based on its estimated exposure:

  • Shared critical vendor compromise scenario: $50-80 million exposure = 100-160% capacity consumption (using a $50M capacity threshold).
  • Ransomware with operational disruption scenario: $42 million exposure = 84% capacity consumption.
  • Cloud provider outage scenario: $55 million exposure = 110% capacity consumption.

Any scenario exceeding 100% capacity consumption, as the shared critical vendor and cloud outage scenarios clearly do, immediately signals that the organization’s current risk posture exceeds board-approved tolerances and requires a strategic decision: reduce the exposure through mitigation or formally accept residual risk outside appetite.
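As an added illustration (not from the article), a small Python evaluator that applies the two-part appetite test from the hypothetical statement above (the $50 million integrated threshold and the 10-business-day recovery constraint) and the capacity consumption arithmetic from the list. The dollar figures are the article's; the recovery-day figure for each scenario is an assumption.

```python
# Added example, not the article's own material: evaluates enterprise risk
# scenarios against a horizontal appetite statement. Dollar figures follow the
# article; per-scenario recovery days are assumed for illustration.
from dataclasses import dataclass


@dataclass
class Appetite:
    capacity_usd: float       # integrated loss threshold per scenario
    max_recovery_days: int    # business days allowed to restore critical operations


@dataclass
class Scenario:
    name: str
    exposure_low: float       # low end of the integrated exposure estimate
    exposure_high: float      # high end (same as low for a point estimate)
    recovery_days: int        # assumed business days to restore critical operations


def consumption_pct(exposure: float, appetite: Appetite) -> float:
    """Capacity consumption: exposure as a percentage of the capacity threshold."""
    return round(exposure / appetite.capacity_usd * 100, 1)


def evaluate(s: Scenario, a: Appetite) -> dict:
    """A scenario is outside appetite if EITHER the loss threshold OR the
    recovery constraint is breached (the $45M / six-month case in the text)."""
    low, high = consumption_pct(s.exposure_low, a), consumption_pct(s.exposure_high, a)
    reasons = []
    if high > 100:
        reasons.append("exposure exceeds capacity threshold")
    if s.recovery_days > a.max_recovery_days:
        reasons.append("recovery exceeds %d business days" % a.max_recovery_days)
    return {"scenario": s.name, "consumption_pct": (low, high),
            "within_appetite": not reasons, "reasons": reasons}


def portfolio_consumption(scenarios, a: Appetite) -> float:
    """Cumulative consumption across all material scenarios (the portfolio view),
    using each scenario's high-end exposure."""
    return round(sum(s.exposure_high for s in scenarios) / a.capacity_usd * 100, 1)


M = 1_000_000
APPETITE = Appetite(capacity_usd=50 * M, max_recovery_days=10)
SCENARIOS = [  # recovery_days values are assumed, not from the article
    Scenario("Shared critical vendor compromise", 50 * M, 80 * M, 15),
    Scenario("Ransomware with operational disruption", 42 * M, 42 * M, 8),
    Scenario("Cloud provider outage", 55 * M, 55 * M, 3),
]

if __name__ == "__main__":
    for sc in SCENARIOS:
        print(evaluate(sc, APPETITE))
    print("portfolio consumption: %.1f%%" % portfolio_consumption(SCENARIOS, APPETITE))
```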

Making Risk Appetite Actionable

The board’s role is to ensure the organization operates within explicitly approved risk tolerances while pursuing strategic objectives. Enterprise risk appetite statements create the framework for that governance, but only if they force real decisions.

Board conversations should center on managing risk within risk appetite given strategic priorities. This requires three elements:

  • Horizontal appetite thresholds that reflect integrated exposures. The suite of top enterprise scenarios should cover all material risk types, with each scenario classified by its primary trigger but quantified across all cascading impacts.
  • Capacity consumption metrics that show how current exposures test against approved thresholds. When a new critical dependency emerges, the question becomes, “How much of our risk capacity does this consume, and what trade-offs does that require?”
  • Recalibration triggers that define when appetite statements must be revisited. New systemic dependencies, material changes in threat landscape, strategic pivots, or external events (like MOVEit demonstrating previously unquantified vendor concentration risk) should automatically trigger appetite reviews.

For banks operating under Basel III capital constraints, horizontal risk appetite operates above the regulatory capital solvency floor. Risk appetite statements govern strategic tolerance for integrated loss events within the capital buffer above regulatory minimums, exactly the type of forward-looking, judgment-based assessment that Pillar 2 supervisory review demands.

Parting Thoughts

Enterprise risk management has long promised integration but often delivered compilation – collecting siloed risk assessments and presenting them together without addressing how they interact. Risk appetite statements inherited this fragmentation, creating the illusion of governance without the substance.

The shift to horizontal, capacity-tested risk appetite is the governance mechanism that makes measurement frameworks operational. Without appetite statements that reflect how risks cascade, organizations govern in theory but not in practice.

Astrid Yee-Sobraques, FRM, CISSP, is a senior risk executive in Enterprise Risk Management, Operational Resilience and Cybersecurity. Over 25 years at GE Capital, AIG, Citibank, and PwC, she specializes in “risk connectivity” – integrating people, processes, and data to strengthen how organizations anticipate, manage, and respond to cascading financial, operational, and compliance risks. Astrid serves on GARP’s New York Chapter Advisory Committee. She can be reached at Astrid@therisksherpa.com.

Topics: Enterprise, Resilience