In the CGMA Resources section, How to communicate risks using a heat map provides information on using heat maps in the risk assessment process. Organizations use heat maps as a way to show how each risk has been assessed as to likelihood and potential impact on ability to achieve objectives. Heat maps are also an effective way to determine and communicate the organization’s risk-tolerance thresholds and, equally important, the amount of risk it is willing to assume for growth, innovation and progress. Projects that involve risks that fall beyond the thresholds are removed and/or closely monitored.
In addition to likelihood and potential impact, some organizations are now looking at velocity, the speed at which the full impact of the risk is anticipated to be realized. In the heat map below, velocity is illustrated by the size of the dot that represents each risk; the bigger the dot, the greater the velocity.
Some organizations may create several heat maps, each showing a different time horizon. Other organizations may have one overall heat map used by the Senior Management and the Board of Directors, showing the top ten risks facing the organization. In addition, each business unit, division and/or function may maintain its own heat map.
The importance of using heat maps is in the discussions that are held on not only what risks are shown on the heat map, but which risks are not. Using the maps can point to interdependencies within the organization or risks outside the organization.
What are other ways a heat map can be used? What about using a heat map to do scenario planning? If a risk falls into the low- remote area of the heat map the organization may not discuss this risk. But what if this low-remote risk moved to low-probable or severe-remote… would there be a discussion and what would the discussion be about? Let us know how you use heat maps.