Risk Heat Map

What is it?

A risk heat map is a tool used to present the results of a risk assessment process visually and in a meaningful and concise way.

Whether conducted as part of a broad-based enterprise risk management process or more narrowly focused internal control process, risk assessment is a critical step in risk management. It involves evaluating the likelihood and potential impact of identified risks.

Heat maps are a way of representing the resulting qualitative and quantitative evaluations of the probability of risk occurrence and the impact on the organisation in the event that a particular risk is experienced.

The development of an effective heat map has several critical elements – a common understanding of the risk appetite of the company, the level of impact that would be material to the company, and a common language for assigning probabilities and potential impacts.

The 5x5 heat map diagram below provides an illustration of how organisations can map probability ranges to common qualitative characterisations of risk event likelihood, and a ranking scheme for potential impacts. They can also rank impacts on the basis of what is material in financial terms, or in relation to the achievement of strategic objectives. In this example, risks are prioritised using a simple multiplication formula.

Organisations generally map risks on a heat map using a ‘residual risk’ basis that considers the extent to which risks are mitigated or reduced by internal controls or other risk response strategies.
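The scheme described above (probability bands mapped to a 1–5 likelihood rating, financial impact bands mapped to a 1–5 impact rating, a score obtained by multiplication, and risks placed on a residual basis after controls) is small enough to model directly. The following Python is an added example and is not code from the CGMA tool or the AICPA source; the band boundaries, the control-effectiveness adjustment to likelihood, and the sample risk register are all constructed for illustration, and an organisation would substitute its own risk appetite, materiality thresholds and probability language.

```python
"""Place risks on a 5x5 likelihood x impact heat map and rank them by score.

Added example (not from the CGMA tool or the AICPA source). Band boundaries,
the control-effectiveness adjustment and the sample register are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed likelihood bands: (upper bound on annual probability, rating, label).
LIKELIHOOD_BANDS = [
    (0.05, 1, "rare"),
    (0.20, 2, "unlikely"),
    (0.50, 3, "possible"),
    (0.80, 4, "likely"),
    (1.00, 5, "almost certain"),
]

# Constructed impact bands: (upper bound on earnings impact in USD, rating, label).
# Only the two endpoints (trivial below $25k, very material above $75m) follow
# the case study on this page; the intermediate thresholds are assumptions.
IMPACT_BANDS = [
    (25_000, 1, "trivial"),
    (1_000_000, 2, "minor"),
    (10_000_000, 3, "moderate"),
    (75_000_000, 4, "major"),
    (float("inf"), 5, "very material"),
]


def rate(value: float, bands) -> Tuple[int, str]:
    """Return (rating, label) for the first band whose upper bound holds value."""
    for upper, rating, label in bands:
        if value <= upper:
            return rating, label
    raise ValueError(f"value {value} exceeds all bands")


@dataclass
class Risk:
    name: str
    inherent_probability: float   # annual likelihood before controls, 0..1
    impact_usd: float             # earnings impact if the event occurs
    control_effectiveness: float  # assumed fraction of likelihood removed by controls, 0..1

    def residual_probability(self) -> float:
        # Residual basis: controls are modelled here as reducing likelihood only;
        # impact-reducing controls would need a second factor.
        return self.inherent_probability * (1.0 - self.control_effectiveness)

    def score(self) -> Tuple[int, int, int]:
        """(likelihood rating, impact rating, likelihood x impact)."""
        l, _ = rate(self.residual_probability(), LIKELIHOOD_BANDS)
        i, _ = rate(self.impact_usd, IMPACT_BANDS)
        return l, i, l * i


def prioritise(register: List[Risk]) -> List[Tuple[str, int]]:
    """Risks ordered from highest to lowest residual score (stable for ties)."""
    return sorted(((r.name, r.score()[2]) for r in register), key=lambda t: -t[1])


def heat_map(register: List[Risk]) -> Dict[Tuple[int, int], List[str]]:
    """Map each (likelihood, impact) cell to the names of the risks in it."""
    cells: Dict[Tuple[int, int], List[str]] = {}
    for r in register:
        l, i, _ = r.score()
        cells.setdefault((l, i), []).append(r.name)
    return cells


def render(register: List[Risk]) -> str:
    """Text grid: rows are likelihood 5..1 (top to bottom), columns impact 1..5."""
    cells = heat_map(register)
    lines = []
    for l in range(5, 0, -1):
        row = [f"L{l}"]
        for i in range(1, 6):
            names = cells.get((l, i), [])
            row.append(",".join(n[:8] for n in names) if names else ".")
        lines.append(" | ".join(f"{c:<10}" for c in row))
    lines.append(" | ".join(f"{c:<10}" for c in ["", "I1", "I2", "I3", "I4", "I5"]))
    return "\n".join(lines)


# Constructed register using risk categories named in the case study below.
REGISTER = [
    Risk("supply chain", 0.60, 20_000_000, 0.20),
    Risk("new product introduction", 0.70, 90_000_000, 0.10),
    Risk("customer concentration", 0.45, 50_000_000, 0.10),
    Risk("physical asset", 0.15, 500_000, 0.50),
]

if __name__ == "__main__":
    for name, s in prioritise(REGISTER):
        print(f"{s:>2}  {name}")
    print(render(REGISTER))
```

Running the block ranks new product introduction first (score 20), supply chain and customer concentration together (score 12 each) and physical asset last (score 4), which is the same relative ordering the case study below reports. The value of keeping the bands in data rather than in code is that the risk appetite and materiality decisions the page asks about can be revised without touching the scoring logic.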

Example risk heat map (figure not reproduced in this text)

Source: Risk assessment for mid-sized companies: tools for developing a tailored approach to risk management. Scott McKay, AICPA, 2011

What benefits do Risk Heat Maps provide?

  • A visual, big picture, holistic view to share while making strategic decisions
  • Improved management of risks and governance of the risk management process
  • Increased focus on the risk appetite and risk tolerance of the company
  • More precision in the risk assessment process
  • Identification of gaps in the risk management and control process
  • Greater integration of risk management across the enterprise and embedding of risk management in operations.

Questions to consider when implementing a Risk Heat Map

  • How much risk are we willing to accept?
  • What constitutes a material risk to our company?
  • What is the range of acceptable variance from our key performance and operating metrics?
  • How will we define our terms to evaluate the likelihood of risk events and the impact that they might have on our business, so that we can map our potential risk events to our heat map?

Actions to take / Dos

  • Use risk self-assessment workshops to take advantage of the insights of managers
  • Prepare an initial ‘straw-man’ risk library to use as a starting point
  • Get consensus on risk tolerances – acceptable levels of missing targets
  • Clarify terms used to establish probability estimates
  • Establish participants’ understanding of the effectiveness of controls and other risk responses used in the organisation

Actions to avoid / Don'ts

  • Don’t rely on surveys to capture initial thoughts about risks
  • Avoid getting stuck in root cause analysis
  • Don’t forget to quantify risks in terms of potential financial impact on the organisation (cash, earnings, etc.)
  • Don’t forget to consider the state of controls and other risk management practices in place in the organisation

In practice: Risk Heat Maps

Communicating risk using a heat map

In the CGMA tool How to Communicate Risks Using a Heat Map, Figure 5 shows a sample heat map for a select set of risks for a hypothetical company. The sample groups these risks together according to their interrelated nature and effect on operations. See the link in Further resources to access the full case study.

The company used its earnings per share sensitivity to establish a range of impacts from trivial (<$25k in earnings) to very material (>$75m in earnings). Risks that were evaluated and grouped for presentation in the example include the following:

  • Obsolescence risk
  • Customer concentration or distribution risk
  • Manufacturing risk
  • New product introduction risk
  • Supply chain risk
  • Safety risk
  • Physical asset risk

By mapping these risks, it was clear that the likelihood and the impact of physical asset risk were relatively low in relation to the risks associated with new product introduction, customer concentration and supply chain. Each of those was considered to be both more likely and to have greater impact.

Lessons learned

The need for a more accurate sales forecasting function was a recurring theme; forecasting accuracy was seen as a key risk indicator for several of these interrelated risks.

Perceived supply chain risk rose along the vertical supply chain: downstream business units viewed it as greater.

The likelihood and the potential impact of risk events appeared highest with the new product introduction (NPI) process, indicating that opportunities may exist in how the company is structured and manages NPI.