
The value of heat maps in risk reporting

Here is another excerpt from the World-Class Risk Management book. Your comments are welcome.

As you can see, I spend a fair amount of time in the book challenging ‘traditional’ precepts, such as (in this case) the value of heat maps in providing useful information about risks across the enterprise.


Heat Maps

Some prefer a heat map to illustrate the comparative levels (typically using a combination of potential impact and likelihood) of each risk.

A heat map is very effective in communicating which risks rate highest when you consider their potential impact and the likelihood of that impact. The reader is naturally drawn to the top right quadrant (high significance and high likelihood), while items in other quadrants receive less attention.

But there are a number of problems with a report like this, whether it is in the form of a heat map or a table.

  1. It is a point-in-time report.

When management and the board rely on the review of a report that purports to show the top risks to the organization and their condition, unless they are reviewing a dynamically changing report (such as a dashboard on a tablet) they are reviewing information that is out of date. Its value will depend on the extent to which risks have emerged or changed since it was prepared.

In some cases, that information is still useful. It provides management with a sense of the top risks and their condition, but they need to recognize that it may be out of date by the time they receive it.


  2. It is not a complete picture.

This is a list of a select number of risks. It cannot ever be a list of all the risks, because as discussed earlier risks are created or modified with every decision. At best, it is a list of those risks that are determined to be of a continuing nature and merit continuing attention. At worst, it is a list of the few risks that management has decided to review on a periodic basis without any systematic process behind it to ensure new risks are added promptly and those that no longer merit attention are removed. In other words, the worst case is enterprise list management.

There is a serious risk (pun intended) that management and the board will be lulled into believing that because they are paying regular attention to a list of top risks that they are managing risk and uncertainty across the organization – while nothing could be further from the truth.


  3. It doesn’t always identify the risks that need attention.

Whether you prefer the COSO or ISO guidance, risks require special attention when they are outside acceptable levels (risk appetite for COSO and risk criteria for ISO). A risk that rates ‘high’ because the likelihood of a significant impact is assessed as high does not necessarily require action by senior management or significant attention from the board. It may simply be a risk that is ‘inherent’ in the organization and its business model, or a risk that the organization has chosen to take to satisfy its objectives and to create value for its stakeholders and shareholders.

This report does not distinguish risks that the organization has previously decided to accept from those that exceed acceptable levels. Chapter 13 on risk evaluation discusses how I would assess whether a risk is within acceptable levels or not.


  4. The assessment of impact and likelihood may not be reliable.

I discuss this further in chapter 12 on risk analysis.


  5. It only shows impact and likelihood.

As I will explain in chapter 13 on risk evaluation, sometimes there are other attributes of a risk that need to be considered when determining whether a risk is at acceptable levels. Some have upgraded the simple heat map I show above to include trends (whether the level of risk is increasing or decreasing) and other information. But it is next to impossible to include every relevant attribute in a heat map.


  6. It doesn’t show whether objectives are in jeopardy.

As I mentioned above, management and the board need to know not only which specific risks merit attention, but whether they are on track to achieve their objectives.

On the other hand, some risk sources[1] (such as the penetration of our computer network, referred to as cyber risk) can have multiple effects (such as business disruption, legal liability, and the loss of intellectual property) and affect multiple objectives (such as those concerned with compliance with privacy regulations, maintaining or enhancing reputation with customers, and revenue growth). It is very important to produce and review a report that highlights when the total effect of a risk source, considering all affected objectives, is beyond acceptable levels. While it may not significantly affect a single objective, the aggregated effect on the organization may merit the attention of the executive leadership and the board.

[1] As noted in the Language of Risk section, many refer to these as “risks” when, from an ISO perspective, they should be called “risk sources” (an element which alone or in combination has the intrinsic potential to give rise to risk). For example, the World Economic Forum publishes annual reports on top global risks, which it defines as “an uncertain event or condition that, if it occurs, can cause significant negative impact for several countries or industries within the next 10 years.”
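The aggregation argument above (one risk source affecting several objectives, where no single objective is badly hit but the total exceeds acceptable levels), together with the point raised later in the comments that a consequence is a range rather than a single point, as an added example that is not from the post or the book. The objective names, probabilities, loss figures and acceptable levels are constructed for illustration only; each objective's consequence is modelled as a set of outcomes with conditional probabilities, each objective's expected annual loss is compared with its own acceptable level, and then the aggregate across objectives is compared with an enterprise-level criterion.

```python
"""Evaluate one risk source across several objectives using ranges of outcomes
rather than a single impact/likelihood point. Added example; all figures constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Outcome:
    """One possible consequence for an objective, conditional on the event occurring."""
    label: str
    probability: float   # conditional probability; outcomes for one objective sum to 1.0
    loss: float          # monetary loss in currency units (constructed figures)


@dataclass(frozen=True)
class Effect:
    """The range of outcomes a risk source has on one objective, plus that objective's
    acceptable level expressed as expected annual loss (a constructed risk criterion)."""
    objective: str
    outcomes: tuple
    acceptable_expected_loss: float


# Constructed illustration: a network intrusion (the post's "cyber risk" example)
# affecting three objectives. The likelihood is the annual probability of the event.
INTRUSION_LIKELIHOOD = 0.25
INTRUSION_EFFECTS = (
    Effect("privacy compliance",
           (Outcome("no regulatory action", 0.70, 0.0),
            Outcome("regulatory fine", 0.30, 400_000.0)),
           acceptable_expected_loss=50_000.0),
    Effect("customer reputation",
           (Outcome("incident contained", 0.60, 50_000.0),
            Outcome("public breach", 0.40, 300_000.0)),
           acceptable_expected_loss=50_000.0),
    Effect("revenue growth",
           (Outcome("hours of disruption", 0.80, 60_000.0),
            Outcome("days of disruption", 0.20, 500_000.0)),
           acceptable_expected_loss=50_000.0),
)
# Acceptable level for the organization as a whole, across all objectives (constructed).
ENTERPRISE_ACCEPTABLE_EXPECTED_LOSS = 100_000.0


def most_likely_loss(effect: Effect) -> float:
    """The single 'impact' a point-style heat map would plot: the modal outcome."""
    return max(effect.outcomes, key=lambda o: o.probability).loss


def worst_case_loss(effect: Effect) -> float:
    """Upper end of the range that a single point estimate hides."""
    return max(o.loss for o in effect.outcomes)


def expected_annual_loss(likelihood: float, effect: Effect) -> float:
    """Probability-weighted loss over the whole range, scaled by event likelihood."""
    if abs(sum(o.probability for o in effect.outcomes) - 1.0) > 1e-9:
        raise ValueError(f"outcome probabilities for {effect.objective} must sum to 1")
    return likelihood * sum(o.probability * o.loss for o in effect.outcomes)


def evaluate_risk_source(likelihood, effects, enterprise_acceptable):
    """Compare each objective, and then the aggregate, against acceptable levels."""
    per_objective = {}
    for effect in effects:
        expected = expected_annual_loss(likelihood, effect)
        per_objective[effect.objective] = {
            "most_likely_loss": most_likely_loss(effect),
            "worst_case_loss": worst_case_loss(effect),
            "expected_annual_loss": expected,
            "exceeds_acceptable": expected > effect.acceptable_expected_loss,
        }
    aggregate = sum(v["expected_annual_loss"] for v in per_objective.values())
    return {
        "per_objective": per_objective,
        "aggregate_expected_annual_loss": aggregate,
        "any_objective_exceeds": any(v["exceeds_acceptable"] for v in per_objective.values()),
        "aggregate_exceeds_acceptable": aggregate > enterprise_acceptable,
    }


if __name__ == "__main__":
    report = evaluate_risk_source(INTRUSION_LIKELIHOOD, INTRUSION_EFFECTS,
                                  ENTERPRISE_ACCEPTABLE_EXPECTED_LOSS)
    for name, row in report["per_objective"].items():
        print(f"{name:20s} point={row['most_likely_loss']:>9,.0f} "
              f"worst={row['worst_case_loss']:>9,.0f} "
              f"expected/yr={row['expected_annual_loss']:>9,.0f} "
              f"exceeds={row['exceeds_acceptable']}")
    print(f"aggregate expected/yr={report['aggregate_expected_annual_loss']:,.0f} "
          f"exceeds enterprise level={report['aggregate_exceeds_acceptable']}")
```

With these constructed figures, no objective on its own exceeds its acceptable level (expected annual losses of 30,000, 37,500 and 37,000 against 50,000 each), yet the aggregate of 104,500 exceeds the enterprise criterion of 100,000. The "point" column also shows why a single plotted value misleads: the modal privacy outcome is a loss of zero while the range for that objective runs to 400,000.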

  1. June 27, 2015 at 10:57 PM

    Hi Norman,

    Thanks for another intelligent post and insight.

    I wish to point out an issue with ads on your website. Please note the following screen grab of the post. The images in the ad are not at all appropriate. I understand you might not have control over them, but I am sure you would like to address it.

    Sammeer

    • Norman Marks
      June 28, 2015 at 6:21 AM

      I have no control over ads, sorry. I use an adblocker myself.

  2. Doug Anderson
    June 29, 2015 at 5:29 AM


    Good topic. It makes me consider how a CAE should balance communicating with simplicity and completeness. I believe the two-dimensional heat map has serious limitations, but can typical Audit Committee members want more than that? How do we convince them they need more than two dimensions?

    • Norman Marks
      June 29, 2015 at 5:59 AM

      Doug, in the book I talk about the need to focus on communicating the information they need rather than focusing on the traditional tool. If we understand what they need, talk to them to confirm and discuss those informational needs, then we are better placed to figure out how best to provide it.

      One key point is that the board and executives need to know how each of their objectives and strategies are doing, with both performance and risk information in a single communication. The heat map does not provide that information.

    • Norman Marks
      June 29, 2015 at 6:01 AM

      The book is not really about risk reporting by the CAE, but by the risk function. The CAE’s needs will vary depending on whether there is such a risk function and what the board needs to hear from the CAE.

  3. Alevoor V Acharr
    June 29, 2015 at 7:03 AM

    I agree with your view in point No.4 and 5.

  4. Charlie Wright
    June 29, 2015 at 11:45 AM


    Our heat map shows our top 20 risk categories as bubbles using a four dimensional presentation. In addition to impact and likelihood on the x and y scale, we also integrate in preparedness and velocity. Preparedness is illustrated by the size of the bubble. For us, a bigger bubble on the chart means we are less prepared. Velocity is indicated by the color of the bubble. A red bubble is the highest velocity. The bottom line is that we don’t want to see a big red bubble in the top, right-hand corner.


    • Norman Marks
      June 29, 2015 at 11:47 AM

      Charlie, thanks for sharing. How do you get around the issues of (a) whether the risk is at an acceptable level, and (b) the fact that there really is no single consequence and likelihood, but a range?

  5. Bishwajit
    June 30, 2015 at 4:55 AM

    Risk Management has a maturity process of its own. Not all organisations will be equally mature at the same time, and not all businesses will have the same risks. In short, it is a journey, and every journey has a starting point. A two-dimensional heat map is a good starting point, and as the process matures it can add more dimensions to be closer to the ground reality. What is important in this journey is to take everyone along with you, else those who are left behind become a risk for the process. Audit Committee, Management and Employees should all be speaking the same language of risk, else it remains a nice picture painted in time, which passed away long ago.

  6. June 30, 2015 at 3:26 PM

    I concur with your comments and offer that any heat map, distillation or dashboard has limitations. They also have significant benefits as a communication tool and talking point. Typically I see these as a way to summarize many different data points across the organization and sponsor discussion around risk management , risk tolerance and our overall strategy.
    1. It is a point-in-time report.
    While we use a point-in-time approach, we refresh this at each audit committee & risk committee meeting, so hopefully it shows a more dynamic view of our view of risk & risk management. We use icons and narrative to explain the dynamics. No dashboard-type report is worth much without some effective narrative.
    2. It is not a complete picture.
    It’s as good as we can get it to be at this level. If a risk is not incorporated, then it’s because we did not have insight into it when the report was prepared. We talk about seven key risks in our organization, and all more granular risks we think fit into that framework. To the extent we have identified risks, we evaluate them as best we can as they impact those seven risks. Is it perfect? No, but we aim to identify the risks that we think need to be elevated.
    3. It doesn’t always identify the risks that need attention.
    I concur, but I am not sure that this is a weakness in the heat map approach. We have high-risk areas – that is not ‘bad’; that is often by design – commerce is about taking risks. We do use an impact/likelihood approach to identify these areas. What we then focus on is whether we can effectively manage these risks to an acceptable level – this is also included in the heat map. If we are not at the right residual level, management has two levers we can try and adjust – we can change the level of activity to reduce the inherent risk, or alter our risk management. We view some of these risks as part of doing the business we are in, and they align with our strategy. If they did not align, then that is a red flag for the activity. Our tolerable risk level is currently addressed through the discussion, but we are moving to an explicit statement of expectations.
    4. The assessment of impact and likelihood may not be reliable.
    You may be right. We have developed guidelines that we think work, and we review to try and establish consistency and comparability, but outside the quantitative risk areas this is not an exact science.
    5. It only shows impact and likelihood.
    I completely concur; without an assessment of the risk management environment and acceptable risk, the heat map is much less useful to all users.
    6. It doesn’t show whether objectives are in jeopardy.
    We look at all risks as aligning with our strategic objectives at some point, and evaluate strategic risk as a risk in and of itself.

  7. Manh Nguyen
    May 4, 2017 at 9:29 AM

    Thanks for your insight. I have practiced a couple of times with risk heat maps but still found some issues. Could you please help to explain:

    Given that the company has issued a risk assessment scale, how do we actually map a new risk which has never happened in the past? Because, for some risks, the impact could be high or low if it happens, depending on the actual incident.

    For example: the trader could potentially commit fraud; the impact is money lost. The amount of money could be high and also could be low. How do we solve this problem?

    Thanks much

    • Norman Marks
      May 4, 2017 at 9:55 AM

      Exactly. It’s a range, not a point. A heat map simply doesn’t work. You also can’t see how it affects the achievement of objectives.
