XYZ Bank Risk Appetite Statement

1. Purpose

This Risk Appetite Statement (“RAS”) sets out the nature and level of risk that XYZ Bank (“the Bank”) is willing to accept in pursuit of its strategic objectives.

The purpose of this Statement is to:
- support sound decision-making across the Bank;
- align risk-taking with the Bank’s strategy, values and business model;
- support the protection of customers, depositors and shareholders;
- maintain the safety and soundness of the Bank;
- support compliance with legal and regulatory obligations; and
- provide a framework for governance, escalation and oversight of material risks.

This Statement forms a key component of the Bank’s overall Risk Management Framework.

2. Risk Appetite Philosophy

The Bank maintains a conservative to moderate risk appetite consistent with its business model as a UK retail bank focused on sustainable growth and long-term customer relationships.

The Bank seeks to:
- generate sustainable and resilient earnings;
- maintain strong capital and liquidity positions;
- protect customer trust and confidence;
- avoid undue complexity;
- maintain prudent underwriting standards; and
- operate within a controlled and well-governed risk environment.

The Bank has:
- low appetite for conduct failures and customer harm;
- low appetite for material operational disruption;
- low appetite for regulatory breaches;
- low appetite for financial crime exposure; and
- limited appetite for activities outside its core retail banking expertise.

The Bank recognises that prudent risk-taking is necessary to support commercial objectives and customer service; however, risks should be appropriately understood, governed and managed.

3. Strategic Alignment

The Bank’s strategy is focused on:
- providing retail banking products and services to UK customers;
- maintaining a simple and understandable business model;
- delivering sustainable profitability;
- investing in digital capability and customer service; and
- maintaining strong customer trust and regulatory credibility.

The Bank has no strategic intention to engage in:
- proprietary trading activities;
- speculative investment activity;
- highly complex structured products;
- high-risk international expansion; or
- business activities outside its core competencies without enhanced governance and Board approval.

4. Governance and Oversight

The Board is responsible for approving the Risk Appetite Statement and overseeing adherence to the Bank’s risk appetite.

The Board Risk Committee is responsible for:
- overseeing risk appetite monitoring;
- reviewing material breaches or emerging concerns;
- challenging management actions where appropriate; and
- recommending amendments to the RAS.

Executive Management is responsible for:
- operating within approved risk appetite;
- implementing appropriate controls and monitoring;
- escalating material breaches or emerging risks; and
- embedding risk considerations within decision-making.

Risk appetite metrics and indicators will be monitored regularly and reported through the Bank’s governance framework.

5. Risk Capacity and Risk Appetite

The Bank distinguishes between:
- risk capacity, being the maximum level of risk the Bank could absorb before breaching regulatory or viability constraints; and
- risk appetite, being the level of risk the Bank is willing to accept in pursuit of its objectives.

The Bank seeks to operate materially within its risk capacity and maintain prudent management buffers where appropriate.

6. Risk Appetite by Risk Category

6.1 Credit Risk

The Bank has a moderate appetite for retail credit risk within clearly defined underwriting standards and portfolio limits.

The Bank seeks to:
- maintain prudent affordability and credit assessment standards;
- focus primarily on prime and near-prime retail customers;
- maintain diversified retail lending portfolios; and
- avoid excessive concentration risk.

The Bank has:
- low appetite for speculative lending;
- low appetite for highly leveraged lending;
- low appetite for material concentrations in higher-risk customer segments; and
- limited appetite for complex or non-standard credit products.

Credit risk appetite will be monitored through metrics including:
- arrears levels;
- impairment trends;
- portfolio concentrations;
- loan-to-value ratios; and
- stress testing outcomes.

6.2 Capital Risk

The Bank has a low appetite for operating close to minimum regulatory capital requirements.

The Bank seeks to maintain:
- capital levels sufficient to support its strategy;
- prudent management buffers above regulatory minima; and
- resilience under stressed conditions.

Capital planning should consider:
- business growth;
- stress testing outcomes;
- regulatory developments; and
- emerging risks.

6.3 Liquidity and Funding Risk

The Bank has a low appetite for liquidity or funding stress that could threaten customer confidence or operational stability.

The Bank seeks to:
- maintain strong liquidity coverage;
- maintain diversified funding sources;
- rely primarily on stable retail funding; and
- limit dependence on short-term wholesale funding.

The Bank has low appetite for:
- material funding concentration;
- excessive refinancing risk; or
- liquidity positions that could materially impair resilience during stressed conditions.

6.4 Market Risk

The Bank has a low appetite for market risk. The Bank does not undertake proprietary trading activity and limits market risk exposure primarily to activities arising from normal banking operations.

The Bank seeks to manage: interest rate risk; treasury activities; and balance sheet exposures within approved limits and tolerances.

6.5 Conduct Risk

The Bank has a low appetite for conduct failures and customer harm.

The Bank seeks to:
- deliver good customer outcomes;
- comply with Consumer Duty requirements;
- maintain fair treatment of customers; and
- identify and mitigate foreseeable harm.

The Bank has very low appetite for:
- deliberate misconduct;
- systemic customer detriment;
- misleading communications;
- unfair pricing practices; or
- material failures affecting vulnerable customers.

Conduct risk indicators may include:
- complaints trends;
- remediation events;
- customer outcome monitoring;
- Financial Ombudsman Service outcomes; and
- customer vulnerability metrics.

6.6 Operational Risk

The Bank has a low appetite for operational disruption affecting customers, regulatory compliance or critical business services.

The Bank seeks to:
- maintain resilient operational processes;
- strengthen operational controls;
- manage outsourcing risk appropriately; and
- minimise operational losses and customer disruption.

The Bank has low appetite for:
- unmanaged operational dependencies;
- material processing failures;
- significant operational resilience failures; or
- inadequate change management.

Operational risk monitoring may include:
- operational incidents;
- service disruption;
- control failures;
- operational resilience metrics; and
- outsourcing performance.

6.7 Technology and Cyber Risk

The Bank recognises the importance of technology and digital capability to its business model and customer proposition.

The Bank has a moderate appetite for technology investment and controlled innovation, subject to appropriate governance and oversight.

The Bank has low appetite for:
- unmanaged cyber vulnerabilities;
- technology change implemented without appropriate testing or governance;
- uncontrolled deployment of emerging technologies; or
- material technology failures affecting customers or operations.

The Bank will apply enhanced governance to material technology transformation and emerging technology initiatives.

6.8 Financial Crime Risk

The Bank has a very low appetite for breaches relating to:
- anti-money laundering;
- sanctions compliance;
- bribery and corruption;
- fraud prevention obligations; or
- terrorist financing.

The Bank seeks to maintain robust financial crime controls and governance arrangements.

The Bank may decline business relationships or activities where financial crime risks cannot be adequately mitigated.

6.9 Regulatory and Compliance Risk

The Bank has a low appetite for material regulatory breaches or failures to meet regulatory expectations.

The Bank seeks to:
- maintain open and constructive relationships with regulators;
- identify regulatory developments proactively;
- remediate issues promptly; and
- maintain effective compliance arrangements.

The Bank recognises that regulatory breaches may result in:
- customer harm;
- reputational damage;
- financial penalties; and
- increased regulatory scrutiny.

6.10 Reputational Risk

The Bank has a low appetite for activities likely to materially damage customer trust, market confidence or regulatory credibility.

The Bank seeks to maintain a reputation for:
- prudent banking;
- fair treatment of customers;
- operational reliability; and
- responsible business conduct.

Reputational considerations should form part of material business and product decisions.

6.11 Third-Party and Outsourcing Risk

The Bank has a moderate appetite for outsourcing arrangements where these support operational effectiveness and customer service.

The Bank has low appetite for:
- excessive dependency on individual suppliers;
- outsourcing arrangements lacking appropriate oversight;
- inadequate contractual protections; or
- third-party arrangements that could materially impair operational resilience or customer outcomes.

Critical outsourcing arrangements should be subject to enhanced oversight and contingency planning.

6.12 People and Culture Risk

The Bank recognises that culture, leadership and employee behaviour are critical to prudent risk management and customer outcomes.

The Bank seeks to:
- promote responsible and customer-focused behaviours;
- maintain appropriate accountability;
- support effective challenge and escalation; and
- ensure employees understand relevant conduct and risk expectations.

The Bank has low appetite for:
- inappropriate incentive structures;
- behaviours inconsistent with the Bank’s values;
- suppression of challenge or escalation; or
- material capability gaps in key control functions.

7. New Business Activities and Strategic Change

The Bank has a cautious and controlled approach to:
- new product development;
- material acquisitions;
- emerging technologies;
- significant outsourcing changes; and
- expansion into new business areas.

Material strategic initiatives should:
- align with the Bank’s strategy and risk appetite;
- be supported by appropriate governance and challenge;
- undergo appropriate risk assessment; and
- demonstrate operational readiness prior to implementation.

Activities outside existing business capabilities or risk appetite require Executive Committee and Board approval.

8. Risk Appetite Monitoring and Escalation

Risk appetite will be monitored through:
- risk indicators;
- management information;
- stress testing;
- scenario analysis;
- control assessments; and
- governance reporting.

Material breaches or emerging concerns must be escalated promptly through the Bank’s governance framework.

Management is responsible for:
- investigating breaches;
- implementing remediation actions;
- assessing root causes; and
- reporting material issues to the Board Risk Committee where appropriate.

9. Review and Approval

This Risk Appetite Statement is owned by the Chief Risk Officer and approved by the Board.

The Statement will be reviewed at least annually, or earlier where required due to:
- strategic changes;
- material regulatory developments;
- significant risk events;
- changes to the Bank’s operating model; or
- material changes to the external environment.