Security.com

risk map (risk heat map)

By Mary K. Pratt

What is a risk map (risk heat map)?

A risk map (risk heat map) is a data visualization tool for communicating specific risks an organization faces. A risk map helps companies identify and prioritize the risks associated with their business.

An important component of enterprise risk management, a risk map facilitates the following:

• drives an understanding of an organization's risk profile and risk appetite;
• clarifies thinking on the nature and impact of risks; and
• improves the organization's risk assessment

How do risk maps work and what are they used for?

In the enterprise, a risk map is often presented as a two-dimensional matrix. For example, the likelihood a risk will occur is plotted on the x-axis, while the impact of the same risk is plotted on the y-axis.

Identified risks that fall in the high-likelihood and high-severity section are typically risks that demand attention. If the organization is dispersed geographically and certain risks are associated with certain geographical areas, risks might be illustrated with a heat map, using color to illustrate the levels of risk to which individual branch offices are exposed.

Organizations use risk heat maps to help identify the risks they are likely to encounter, see the varying levels of concern attached to each risk and depict their risk priorities in an intuitive, self-explanatory fashion.

Risk maps help enterprise executives and their teams understand where they need to prioritize their risk mitigation resources.

In addition, the graphical representation of the potential impact and likelihood of each risk also makes the importance of risk management more tangible to employees, particularly those outside the executive ranks and the enterprise risk function who have no special training in risk management.

In turn, this enables organizational leaders to enlist employees at all levels in discussions about risk and risk mitigation requirements.

What are the main benefits of a risk heat map?

Risk maps enable the organizations to do the following:

1. see the organization's total risk environment at a high level, providing a big-picture view;
2. ensure that risk mitigation priorities -- and resources -- are aligned to the most significant risks;
3. reduce insurance costs -- developing risk maps can help organizations demonstrate a comprehensive, well-aligned risk management strategy to insurance companies and gain more favorable premiums;
4. support collaboration between the organization's risk function and other functional departments, which have greater visibility into risk due to the risk heat map;
5. encourage shared strategic decision-making on risk issues;
6. effectively focus on improving risk management and risk governance;
7. sharpen the enterprise's definition of its risk appetite and risk tolerance;
8. generate better integration of risk management activities across enterprise functions; and
9. give teams throughout the enterprise a common language for discussing risk.

Why is it important to use a risk heat map?

Creating a risk map forces executives and their teams to identify the risks that could threaten the organization and rank their possible impact and likelihood. The exercise can clarify priorities for enterprise leaders and help them get ahead of issues before they threaten the organization's operations.

Furthermore, as noted in the benefits section above, creating a risk map also facilitates interdepartmental dialogues about an organization's inherent risks. It forces greater collaboration between the risk function and other departments within an organization as they must all work together to identify, prioritize and visualize risks. As such, a risk heat map can help the company visualize how risks in one part of the organization can affect operations of other business units across the enterprise.

A risk map also adds precision to an organization's risk assessment strategy and identifies gaps in an organization's risk management processes.

What are the key considerations for creating a risk heat map?

Risk maps are most effective when organizations thoroughly consider the different categories of risk they face and the various risks within each of those categories, as well as their potential probabilities and possible impact on the enterprise.

Organizations should also keep the following other key considerations in mind as they develop risk maps:

• the specific systems and information assets that could be impacted by certain risks;
• the type of impact -- monetary, operational, reputational, etc. -- each risk could have;
• whether there's an acceptable level of impact and, if so, how much of an impact is tolerable for the organization;
• existing internal controls and any additional controls that could or will be implemented; and
• the organization's risk tolerance and risk appetite.

How to create a risk map

Identification of inherent risks is the first critical step in creating a risk map.

Risks can be broadly categorized into strategic risk, compliance risk, operational risk, financial risk, reputational risk and cybersecurity risk. However, organizations should aim to chart their own lists by taking into consideration specific factors that might affect them financially.

Once organizations have identified the risks, they should seek to understand what kind of internal or external events drive those risks.

Next, organizations must evaluate those risks and estimate their potential frequency -- and their potential impact -- as well as identify the control processes to offset them.

They then should rank risks based on that evaluation, prioritizing the management of those risks identified as having the greatest potential for significant impact.

After they've gathered and evaluated the risk data, enterprise leaders need to decide on how to visualize that information in ways that make the most sense for their unique needs.

Risk maps are typically square, but some are rectangular or circular. They're frequently graphs built on an x-y axis, but some are divided into quadrants with the upper-right block designating the most significant risks.

Many maps feature a red-yellow-green color code to indicate whether risks are significant-, moderate- or low-level concerns, although some use varying shades of a singular color to indicate levels of risk.

There are additional variations in presentation, such as the option to present the risk map as a bar graph.

Organizations can use the completed risk map to facilitate discussions and decision-making.

However, they must recognize that risk maps are not static. In fact, it's critical that organizations have a process for reviewing their risk maps regularly to ensure key risks are being managed effectively. They should also have a process for revisiting and adjusting their risk maps as threats evolve and vulnerabilities change.