The value of heat maps in risk reporting
Here is another excerpt from the World-Class Risk Management book. Your comments are welcome.
As you can see, I spend a fair amount of time in the book challenging ‘traditional’ precepts, such as (in this case) the value of heat maps in providing useful information about risks across the enterprise.
Some prefer a heat map to illustrate the comparative levels (typically using a combination of potential impact and likelihood) of each risk.
A heat map is very effective in communicating which risks rate highest when you consider their potential impact and the likelihood of that impact. The reader is naturally drawn to the top right quadrant (high significance and high likelihood), while items in other quadrants receive less attention.
But there are a number of problems with a report like this, whether it is in the form of a heat map or a table.
- It is a point-in-time report.
When management and the board rely on the review of a report that purports to show the top risks to the organization and their condition, unless they are reviewing a dynamically changing report (such as a dashboard on a tablet) they are reviewing information that is out of date. Its value will depend on the extent to which risks have emerged or changed since the report was prepared.
In some cases, that information is still useful. It provides management with a sense of the top risks and their condition, but they need to recognize that it may be out of date by the time they receive it.
- It is not a complete picture.
This is a list of a select number of risks. It cannot ever be a list of all the risks, because as discussed earlier risks are created or modified with every decision. At best, it is a list of those risks that are determined to be of a continuing nature and merit continuing attention. At worst, it is a list of the few risks that management has decided to review on a periodic basis without any systematic process behind it to ensure new risks are added promptly and those that no longer merit attention are removed. In other words, the worst case is enterprise list management.
There is a serious risk (pun intended) that management and the board will be lulled into believing that, because they are paying regular attention to a list of top risks, they are managing risk and uncertainty across the organization – while nothing could be further from the truth.
- It doesn’t always identify the risks that need attention.
Whether you prefer the COSO or ISO guidance, risks require special attention when they are outside acceptable levels (risk appetite for COSO and risk criteria for ISO). Just because a risk rates ‘high’ because the likelihood of a significant impact is assessed as high doesn’t mean that action is required by senior management or that significant attention should be paid by the board. They may just be risks that are ‘inherent’ in the organization and its business model, or risks that the organization has chosen to take to satisfy its objectives and to create value for its stakeholders and shareholders.
This report does not distinguish risks that the organization has previously decided to accept from those that exceed acceptable levels. Chapter 13 on risk evaluation discusses how I would assess whether a risk is within acceptable levels or not.
- The assessment of impact and likelihood may not be reliable.
I discuss this further in chapter 12 on risk analysis.
- It only shows impact and likelihood.
As I will explain in chapter 13 on risk evaluation, sometimes there are other attributes of a risk that need to be considered when determining whether a risk is at acceptable levels. Some have upgraded the simple heat map I show above to include trends (whether the level of risk is increasing or decreasing) and other information. But it is next to impossible to include every relevant attribute in a heat map.
- It doesn’t show whether objectives are in jeopardy.
As I mentioned above, management and the board need to know not only which specific risks merit attention, but whether they are on track to achieve their objectives.
On the other hand, some risk sources (such as the penetration of our computer network, referred to as cyber risk) can have multiple effects (such as business disruption, legal liability, and the loss of intellectual property) and affect multiple objectives (such as those concerned with compliance with privacy regulations, maintaining or enhancing reputation with customers, and revenue growth). It is very important to produce and review a report that highlights when the total effect of a risk source, considering all affected objectives, is beyond acceptable levels. While it may not significantly affect a single objective, the aggregated effect on the organization may merit the attention of the executive leadership and the board.
As noted in the Language of Risk section, many refer to these as “risks” when, from an ISO perspective, they should be called “risk sources” (element which alone or in combination has the intrinsic potential to give rise to risk). For example, the World Economic Forum publishes annual reports on top global risks, which it defines as “an uncertain event or condition that, if it occurs, can cause significant negative impact for several countries or industries within the next 10 years.”