Risk Models
I had included a list of risk modelling techniques as part of the Acceptable Risk posting. I extracted the list because the content wasn’t core to that article. Here’s the list if you’re interested.
I’ve seen several techniques to find an approximation of a risk appetite, some of these terms are my terms of art:
- Quantitative Modelling - Express your risk exposure in financial terms (dollars, euros, etc…) then it’s a straight shot to ask what amount over a given period is the organization willing to lose. This is probably doable with methodologies like OpenFAIR. You need to consider both single event and cumulative losses over a period as well in establishing the threshold. The involved bit is that every (significant) issue will need to be modeled to determine how it contributes to the organization’s position relative to the threshold.
- Control Based - You could take the inverse approach and say “we need to do this specific set of things; anything less means we have excessive risk”. Example controls could include the effectiveness of your vulnerability management program: less than a certain level of performance implies an excessive level of risk. One could be broader and set compliance against a framework, although generally risk appetites should be narrowly constructed. Saying you’re less than a certain percentage compliant means many companies are above their tolerances and immediate action must be taken; of course it takes time to fix things, and staying above the threshold for a long time means management isn’t managing risk properly. Add to that the fact that operational risk is generally about tail risk, and that bad things likely don’t happen with great frequency to a single company, and being overly broad in your threshold setting will wear thin pretty quickly.
- Qualitative Framing or Scenario Based - Use descriptive loss scenarios across many dimensions; for example: financial exposure, record loss, business interruption, regulatory impact, reputational damage. Place these dimensions in columns of a grid and then describe the degree of negative outcome in each column. Greater levels of loss are at the top of the grid, lower levels at the bottom. Financial loss might be set so that more than $1 million in potential loss is “high”, $1 million to $500,000 is medium and less than $500,000 is low. Major regulatory fines might be considered high, small fines medium and no fines low. To determine the risk associated with a given event/scenario, the reader reads across each column in the grid, selecting the closest fitting loss description in each column. The risk is then assessed based on the highest rated column. Setting the threshold is basically choosing which descriptions constitute too much loss. Anything below those descriptions is acceptable, anything above is not acceptable. The approach may include cumulative scoring: 3 points for that and 2 for this - 5 points means it’s a medium issue.
- Financial Market Concepts - You could borrow (read: bastardize) concepts from portfolio management, like concentration risk, and say we don’t want more than a certain number of records exposed to a given risk scenario. How far you can get with applying other risk concepts such as liquidity and counterparty risk is an exercise for the reader. To be clear, this appropriation doesn’t lend more credibility, but it may make discussions more accessible to stakeholders depending on your business. There may be other operational risk elements that one can appropriate.
- Opinion Based - Opinions are the least defensible; if you’re going with opinions, whose is more right? The most knowledgeable person’s opinion? The most senior’s? The person whose opinion is the most palatable? That said, you can use a documented process to develop the opinion. With structure, a small committee, consistent steps and techniques like Delphi methods (thanks Josh S!) an opinion becomes more defensible; avoid the opinion of a single person.
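To make the scenario-based grid concrete, here is an added example (not from the original post) that encodes the two columns the post gives bands for, financial loss and regulatory fines, alongside analyst-chosen levels for the descriptive columns, and then applies both the highest-column rule and the optional cumulative points variant. The three other column names, the sample scenarios, and the cumulative-score bands are assumptions for illustration.

```python
from enum import IntEnum


class Level(IntEnum):
    """Rows of the grid, ordered so that max() picks the worst outcome."""
    LOW = 1
    MEDIUM = 2
    HIGH = 3


def rate_financial(loss_usd: float) -> Level:
    """Financial column using the bands stated in the post."""
    if loss_usd > 1_000_000:
        return Level.HIGH
    if loss_usd >= 500_000:
        return Level.MEDIUM
    return Level.LOW


# Regulatory column as described in the post: major fine / small fine / no fine.
REGULATORY = {"major": Level.HIGH, "small": Level.MEDIUM, "none": Level.LOW}


def rate_scenario(loss_usd: float, fine: str, descriptive: dict) -> dict:
    """Read across the grid: one Level per column.

    `descriptive` holds the analyst's closest-fit choice for the columns that
    have no numeric band (assumed names: records, interruption, reputation)."""
    ratings = {"financial": rate_financial(loss_usd), "regulatory": REGULATORY[fine]}
    ratings.update(descriptive)
    return ratings


def highest_column(ratings: dict) -> Level:
    """The post's primary rule: the scenario is rated by its worst column."""
    return max(ratings.values())


def within_appetite(ratings: dict, max_acceptable: Level = Level.MEDIUM) -> bool:
    """The threshold is the highest description still considered acceptable."""
    return highest_column(ratings) <= max_acceptable


def cumulative_score(ratings: dict) -> int:
    """Optional points variant: 3 per high, 2 per medium, 1 per low column."""
    return sum(int(level) for level in ratings.values())


def cumulative_level(score: int) -> Level:
    """Assumed bands for the summed score (the post gives only '5 is medium')."""
    if score >= 9:
        return Level.HIGH
    if score >= 5:
        return Level.MEDIUM
    return Level.LOW
```

Calling `rate_scenario(750_000, "none", {...})` and then `within_appetite` on the result is the "read across, then compare to the threshold" step the post describes; `cumulative_level(cumulative_score(...))` gives the points-based alternative.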
There are certainly other options that exist today that I’m not aware of, and as the study of operational risk progresses, there will be newer and better methods.