Communicating risks using a heat map
By Scott McKay

The practical CGMA tool, How to communicate risks using a heat map, shows how heat maps can be used to quickly and effectively communicate the assessment of entity-wide risks (either interrelated risk groups or similar risk types, such as operational risks or compliance risks). Even more important, heat maps can be used to depict the residual risk footprint of a given area once managers consider their company’s risk mitigation efforts, such as internal controls, risk sharing and risk avoidance strategies.

Heat maps can be especially useful in risk assessment workshops when using a voting technology that affords quick results, enabling discussion and vetting of the results. Heat map results bring to light areas of concern and often stimulate robust discussion of the key risk drivers and/or gaps in risk management. For example, when managers assess and weigh in on the entity-level risk likelihood and potential impact of, say, Business Interruption and the ensuing Disaster Recovery efforts, they will consider geo-political, utility supply, terrorism, labor and other important risk factors as they relate to a given geographic area. Understanding the risk drivers that are most likely to cause the risk event, and then discussing which mitigation strategies may need to be shored up, brings insight and real value to a company’s risk management efforts. Further, timely provision of risk assessment results through a heat map affords the opportunity for more precision in determining the residual risk, and gets managers to agree on what should be done to ensure a risk area is appropriately managed.

Sadly, risk management is often driven by regulatory compliance. Reacting to regulation provides the wrong motive to manage risk and leads to over-control; people don’t “buy in” and efforts are not sustainable. Instead, spending the time to help busy managers clearly see the risks to achieving their objectives makes more sense: you tend to get better designed controls, management “buy in” and sustainable processes. When risk management makes sense, one of the de facto byproducts is regulatory compliance. Said differently, once the group clearly sees the risk and its potential likelihood and impact, it is easier to get them to own how their company should manage the given risk area.

Scott M. McKay, CPA, CGMA, CFE, CIA, CCSA, is the Corporate Controller for Cree, Inc. (Nasdaq “CREE”) and a member of the AICPA Risk Management and Internal Control Advisory Panel.