HiPo definition

IMO, this sort of definition should be company-specific. It all comes down to the company's risk appetite.
What's an acceptable risk for the Board? What do they deem to be an acceptable level of total risk?
Incidents don't only have personal outcomes; there are financial, reputational, etc. outcomes as well.