Writing a risk-appetite statement the board will actually use.
Quant + qual templates, with worked examples for cyber, technology, third-party and operational risk.

Use this checklist as a working artefact. Every item is something MAST Consulting Group has watched pass or fail under audit on a GRC Advisory programme — not theoretical good practice. The order matters: the early items are gating, the later items are refinements that only pay off once the basics are in place.
Definition
A Risk Appetite Statement (RAS) formally expresses the type and quantum of risk an organisation will accept in pursuit of its strategic objectives, covering categories such as cyber, technology, third-party, and operational risk. It combines quantitative tolerances (e.g., maximum acceptable annual loss exposure in AED) with qualitative stances (e.g., zero tolerance for regulatory sanction) and must be approved by the board and cascaded into operational KRIs and control thresholds.
Why it matters
The pressure on GRC Advisory programmes is shifting in specific, observable ways:
- SAMA CSF 3.1.1 and NCA ECC-1 2-1-3 require a board-approved RAS linked to specific risk categories; in 2023, SAMA examination findings that cited its absence attracted corrective action letters.
- Without quantified cyber risk appetite (e.g., maximum tolerable downtime of 4 hours, maximum data loss of 1,000 records), CISO budget requests lack an evidence base and are routinely cut by CFOs.
- UAE CBUAE Operational Risk Circular 2023 Art. 5 requires RAS to be reviewed at least annually and after any material incident — a living document, not a one-time exercise.
- Enterprise clients in financial services increasingly embed supplier RAS alignment checks in third-party risk questionnaires (SIG Lite Section G); inability to share a board-approved RAS is a disqualifier.
Evidence sources to capture
What an auditor or reviewer will sample for — wire each source into your evidence repository before the next review cycle:
- Board minutes approving RAS — resolution number, date, attending directors, version of RAS appended.
- Risk register extract — each risk entry linked to the RAS threshold it breaches, current residual score, owner.
- KRI dashboard (Power BI / ServiceNow) — metric ID, current value, RAS threshold, RAG status, reporting date.
- Cyber insurance policy schedule — coverage limits (AED) benchmarked against quantitative RAS loss tolerances.
- Annual RAS review memo — changes from prior version, rationale, CRO sign-off, board approval date.
Recommended next actions
A 90-day plan, sequenced so each step produces evidence the next step depends on:
- Day 0–30: CRO workshops with CISO, CTO, and CFO to agree risk categories and draft qualitative stances; reference FAIR methodology for cyber quantification and CBUAE Circular thresholds for operational risk.
- Day 31–60: Risk Analyst builds quantitative tolerances — minimum 3 scenarios per category modelled in AED using historical loss data and insurance benchmarks; CFO reviews capital adequacy alignment.
- Day 61–90: Draft RAS circulated to board risk committee for challenge; ISMS Manager maps each tolerance to specific UCF control thresholds and KRI targets in ServiceNow GRC.
- Day 90+: Board formally approves RAS at next scheduled meeting; CRO presents cascaded KRI dashboard at subsequent quarterly meeting demonstrating appetite vs. actual.
- Ongoing: Risk Manager reviews RAS triggers (material incident, strategic change, regulatory update) within 30 days; annual full review completed before board strategy session each December.
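To make the Day 31–60 quantification step concrete, the following is an added worked example, not MAST Consulting Group's own model nor a reference implementation of the FAIR standard. It runs a FAIR-style Monte Carlo for a single cyber scenario: the number of loss events in a year is drawn from a Poisson distribution around a loss event frequency, each event's loss from a lognormal calibrated so that the stated low/high estimates sit at roughly the 5th and 95th percentiles, and the resulting annual-loss distribution is compared with the RAS tolerance at a chosen confidence level. The scenario parameters, the AED 5M tolerance and the 95% confidence level are constructed assumptions for illustration; a real programme would use at least three such scenarios per category, calibrated on historical loss data and insurance benchmarks as the plan above describes.

```python
"""
FAIR-style Monte Carlo of annual loss exposure for one cyber scenario,
compared against a quantitative risk-appetite tolerance.

Added illustration only. Scenario parameters (frequency, per-event loss
range, tolerance, confidence level) are constructed assumptions.
"""
import math
import random
import statistics


def poisson(rng, lam):
    """Number of loss events in one year, mean lam (Knuth's algorithm)."""
    threshold = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= threshold:
            return k
        k += 1


def lognormal_from_range(rng, low, high):
    """Sample one event's loss from a lognormal whose 5th and 95th
    percentiles are approximately `low` and `high` (calibrated-estimate
    convention: ln(low) and ln(high) are mu -/+ 1.645 sigma)."""
    mu = (math.log(low) + math.log(high)) / 2
    sigma = (math.log(high) - math.log(low)) / (2 * 1.645)
    return rng.lognormvariate(mu, sigma)


def simulate_annual_loss(lef, loss_low, loss_high, trials=20000, seed=1):
    """Return simulated annual losses (AED) for one scenario.
    lef: loss event frequency, i.e. expected loss events per year."""
    rng = random.Random(seed)
    losses = []
    for _ in range(trials):
        n = poisson(rng, lef)
        losses.append(sum(lognormal_from_range(rng, loss_low, loss_high)
                          for _ in range(n)))
    return losses


def percentile(values, q):
    """Nearest-rank percentile of `values`, q in [0, 100]."""
    s = sorted(values)
    idx = max(0, min(len(s) - 1, math.ceil(q / 100 * len(s)) - 1))
    return s[idx]


def assess(losses, tolerance_aed, confidence=95):
    """Compare the annual loss at the chosen confidence level with the RAS
    tolerance. The board question is not 'what do we expect to lose' but
    'how often could we exceed the tolerance', hence the percentile."""
    p = percentile(losses, confidence)
    return {
        "expected_annual_loss": statistics.mean(losses),
        f"p{confidence}_loss": p,
        "tolerance": tolerance_aed,
        "headroom": tolerance_aed - p,
        "within_appetite": p <= tolerance_aed,
    }


if __name__ == "__main__":
    # Constructed scenario: ransomware on a customer-facing payments platform,
    # 0.4 events/year expected, per-event loss AED 500k to AED 8M (5th-95th pct).
    losses = simulate_annual_loss(lef=0.4, loss_low=500_000, loss_high=8_000_000)
    result = assess(losses, tolerance_aed=5_000_000)
    for key, val in result.items():
        if isinstance(val, (int, float)) and not isinstance(val, bool):
            print(f"{key:>22}: {val:,.0f}")
        else:
            print(f"{key:>22}: {val}")
```

The expected annual loss is useful for budgeting, but the appetite test is done on a tail percentile: a scenario whose mean loss is comfortably inside tolerance can still breach it one year in twenty, and that is the number the board resolution should reference.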
Example metrics
Instrument these and report them monthly to the executive sponsor; sustained adverse trends become board-level conversations:
- Number of KRIs breaching RAS threshold in a given quarter — target ≤2 amber breaches, 0 red breaches.
- Time from material incident to RAS review initiation — target ≤10 business days.
- Percentage of risk register entries linked to a named RAS threshold — target 100%.
- RAS quantitative cyber loss tolerance (maximum acceptable annual cyber-related financial loss) — typical range AED 2M–15M depending on revenue band.
- Board approval cycle for RAS updates — target ≤45 days from CRO submission to formal resolution.
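The first three metrics above are only as good as the logic that turns a KRI value into a RAG status and a breach count. As an added example (not the page's dashboard, and not any vendor's implementation), the following evaluates a constructed set of KRIs against their RAS thresholds, counts amber and red breaches against the targets stated above, and checks what percentage of a constructed risk register is linked to a named RAS threshold. The KRI identifiers, thresholds, owners and register entries are all invented for the example. It also handles the direction edge case a dashboard builder gets wrong: for a coverage metric such as patch SLA compliance, a lower value is worse, so the thresholds must be read the other way round.

```python
"""
KRI evaluation against RAS thresholds, with the board-level breach targets
and the RAS-linkage coverage check.

Added illustration only. All KRI records, thresholds, owners and risk
register entries below are constructed sample data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class KRI:
    metric_id: str
    ras_threshold_id: str    # named RAS tolerance this KRI operationalises
    owner: str               # accountable for the response, not just the number
    value: float
    amber: float
    red: float
    higher_is_worse: bool = True


def rag_status(k: KRI) -> str:
    """Return 'GREEN', 'AMBER' or 'RED' for the KRI's current value.
    Direction matters: for higher_is_worse=False (e.g. patch SLA compliance %)
    the red threshold is below the amber one."""
    if k.higher_is_worse:
        if k.value >= k.red:
            return "RED"
        if k.value >= k.amber:
            return "AMBER"
        return "GREEN"
    if k.value <= k.red:
        return "RED"
    if k.value <= k.amber:
        return "AMBER"
    return "GREEN"


def breach_summary(kris, max_amber=2, max_red=0):
    """Count RAG statuses and test them against the quarterly targets
    (default: at most 2 amber, 0 red). Breaches carry owner and RAS link so
    the report names who responds and which tolerance is at risk."""
    counts = {"GREEN": 0, "AMBER": 0, "RED": 0}
    breaches = []
    for k in kris:
        status = rag_status(k)
        counts[status] += 1
        if status != "GREEN":
            breaches.append((k.metric_id, status, k.owner, k.ras_threshold_id))
    return {
        "counts": counts,
        "breaches": breaches,
        "within_target": counts["AMBER"] <= max_amber and counts["RED"] <= max_red,
    }


def ras_linkage_coverage(risk_register, ras_threshold_ids):
    """Percentage of risk register entries linked to a named RAS threshold.
    An entry pointing at a threshold that does not exist counts as unlinked."""
    if not risk_register:
        return 0.0
    linked = sum(1 for r in risk_register
                 if r.get("ras_threshold_id") in ras_threshold_ids)
    return 100.0 * linked / len(risk_register)


# Constructed sample data (hypothetical identifiers and values).
RAS_THRESHOLD_IDS = {"RAS-CYB-LOSS", "RAS-CYB-DOWNTIME", "RAS-TPR-ASSURANCE",
                     "RAS-TECH-PATCH", "RAS-OPS-RECORDS"}

SAMPLE_KRIS = [
    KRI("KRI-CYB-01", "RAS-CYB-LOSS", "CISO", 14, amber=10, red=25),        # critical vulns open >30d
    KRI("KRI-CYB-02", "RAS-CYB-DOWNTIME", "CTO", 2.5, amber=3, red=4),      # worst outage, hours
    KRI("KRI-TPR-01", "RAS-TPR-ASSURANCE", "CPO", 3, amber=2, red=5),       # critical suppliers unassured
    KRI("KRI-TECH-01", "RAS-TECH-PATCH", "CTO", 91, amber=95, red=85,
        higher_is_worse=False),                                             # patch SLA compliance %
    KRI("KRI-OPS-01", "RAS-OPS-RECORDS", "COO", 0, amber=500, red=1000),    # records exposed
]

SAMPLE_RISK_REGISTER = [
    {"risk_id": "R-001", "ras_threshold_id": "RAS-CYB-LOSS"},
    {"risk_id": "R-002", "ras_threshold_id": "RAS-TPR-ASSURANCE"},
    {"risk_id": "R-003", "ras_threshold_id": ""},               # unlinked: fails the 100% target
    {"risk_id": "R-004", "ras_threshold_id": "RAS-OPS-RECORDS"},
]


if __name__ == "__main__":
    summary = breach_summary(SAMPLE_KRIS)
    print(summary["counts"], "within target:", summary["within_target"])
    for b in summary["breaches"]:
        print("  breach:", b)
    print("RAS linkage coverage: %.1f%%" % ras_linkage_coverage(SAMPLE_RISK_REGISTER, RAS_THRESHOLD_IDS))
```

On the constructed data the quarter has three amber KRIs and no red, so it fails the target of at most two amber breaches, and the register is 75% linked rather than the required 100%; both are exactly the figures the monthly report to the executive sponsor should surface rather than bury in a dashboard.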
The working checklist
Use this list during your next GRC Advisory review cycle. The phrasing is intentionally observable — every item is something a reviewer can sample for, not an aspiration.
- Verify: a single issue tracker shared by audit, risk and compliance, not parallel trackers maintained by each function.
- Verify: risk appetite statement, board-approved and versioned, with quantitative tolerances and qualitative stances for each risk category.
- Verify: policy hierarchy, showing how the RAS cascades into policies, standards and control thresholds.
- Verify: control catalogue, with one master mapping across ISO/SOC/PCI rather than duplicate controls per framework.
- Verify: control testing programme, with evidence captured inside the workflow each control governs.
- Verify: KRI dashboard, with every metric carrying an ID, owner, RAS threshold, current value and RAG status.
Pitfalls we keep seeing
Across MAST Consulting Group's GRC Advisory portfolio, the same recurring failure modes show up cycle after cycle. None are exotic; all are expensive when they reach the audit report.
- Pattern: KRIs that move but no one is accountable for the response. What good looks like: every KRI has a named owner, a linked RAS threshold and a defined response when it goes amber or red, reviewed in the monthly report to the executive sponsor.
- Pattern: issue tracker maintained in parallel by audit, risk and compliance. What good looks like: one shared tracker, with the same control evidenced inside the workflow it governs, not separately for the audit.
- Pattern: risk appetite statement that the second line cannot operationalise. What good looks like: each quantitative tolerance and qualitative stance mapped to specific control thresholds and KRI targets, so the second line has something concrete to test against.
- Pattern: duplicate controls across ISO/SOC/PCI catalogues with no master mapping. What good looks like: a unified control framework in which each master control is tested once and mapped to every framework requirement it satisfies.
Tooling we actually reach for
MAST Consulting Group is deliberately tool-agnostic, but in practice the same shortlist keeps appearing on GRC Advisory engagements because the integrations are cheap and the evidence is defensible:
- BI tools (Power BI, Tableau) for board dashboards, because the appetite-vs-actual view the board sees can be traced straight back to the KRI values and thresholds it was built from, which is an audit trail the reviewer accepts on the first ask.
- GRC platforms (Archer, ServiceNow IRM, OneTrust) for the risk register, KRI and control mappings, because the links from RAS tolerance to KRI to control threshold live in one system instead of being reconstructed for each audit.
- A deliberately spreadsheet-and-Confluence stack for early-stage programmes, because a versioned, reviewable record of the same links is more defensible than a platform that has not yet been configured to hold them.
How MAST Consulting Group can help
MAST Consulting Group runs GRC Advisory programmes for banks, insurers, healthcare networks, payments providers, telcos and government entities across the UAE, KSA, India and the wider GCC. We bring Lead Practitioners, sector specialists, and a working library of policies, risk methodologies and evidence templates that have passed audit at firms recognisable to your board.
If anything in this checklist is relevant to a programme you are scoping or rescuing, the fastest next step is a 30-minute working session with the practice lead. We will look at your specific situation, share what we have seen work for GRC Advisory programmes at similar scale, and tell you honestly if the work is something you should bring to us or run in-house.
Build a GRC operating model your board will trust.
Unified control frameworks, three-lines design, risk appetite statements and tooling decisions — sequenced to the next two audit cycles.
- Operating-model and three-lines diagnostic
- Unified Control Framework harmonisation
- Board-ready KRI/KPI design
Prefer email? info@mastcgroup.com
Book a GRC advisory call
Reply within one business day from a senior consultant.