“There is a certain uselessness in saying an organization does not want to accept high risk.”
My latest @ISACA article was published and as I was re-reading this line it resonated with me even more. You have to have more fidelity in how you define risk appetite for it to be useful. More tips on how to do that in the full article here.
The Risk Dr ® 
I’m always a little confused with risk appetite, I feel it rarely is of value when looking at single incidents but these are always the example I see. When you say ““We do not accept losses associated with IT risk scenarios in excess of US $1 million per incident.”
In reality, the company has a certain budget set aside for that year for information security and maybe another “contingency budget” The risk appetite changes as these budgets are consumed, for example, you deal with risks 200K, 300K, 150K now the 1Milion risk appetite has probably to be reset to something lower.
So how do we practically deal with risk appetite when looking at aggregated risk rather than individual loss events?
Hi Osama! You’ve definitely hit on something. My approach has been to use different values to represent those loss thresholds (capacity, appetite, and limit). Capacity for loss serves as an early warning indicator, appetite as a managing threshold, and capacity for the total amount that can be handled if you had to. I’ve heard other terms used. We don’t usually get past appetite with most organizations, but there are other ways to handle those concepts if you do 😁