No kidding. It could easily fit into different areas. Feel free to think about it. It surprises me that no one has done this already.
This is not the same as completing a risk assessment and saying,... "whatever our residual risk is, that's our cyber risk appetite statement".