What is it?
A risk heat map is a tool used to present the results of a risk assessment process visually and in a meaningful and concise way.
Whether conducted as part of a broad-based enterprise risk management process or a more narrowly focused internal control process, risk assessment is a critical step in risk management: it evaluates the likelihood and potential impact of each identified risk.
Heat maps are a way of representing the resulting qualitative and quantitative evaluations of the probability of risk occurrence and the impact on the organisation in the event that a particular risk is experienced.
The development of an effective heat map has several critical elements: a common understanding of the risk appetite of the company, agreement on the level of impact that would be material to the company, and a common language for assigning probabilities and potential impacts.
The 5x5 heat map diagram below illustrates how organisations can map probability ranges to common qualitative characterisations of likelihood, alongside a ranking scheme for potential impacts. Impacts can also be ranked by what is material in financial terms, or in relation to the achievement of strategic objectives. In this example, risks are prioritised by multiplying the likelihood score by the impact score.
Organisations generally plot risks on a heat map on a ‘residual risk’ basis, i.e. after allowing for the extent to which internal controls or other risk response strategies mitigate or reduce each risk, rather than on an inherent (uncontrolled) basis.
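The scoring described above, as an added example that is not part of the CGMA tool: it bands a raw probability and a raw earnings effect into 1-5 scores, applies a simple control-effectiveness model to derive residual values, multiplies the two scores, and places the result on a 5x5 grid. The likelihood bands, the middle impact thresholds, the control model (a fractional reduction of probability and of loss) and the four sample risks are all assumptions made for illustration; only the outer impact thresholds ($25k trivial, $75m very material) are taken from the case study quoted later on this page.

```python
"""Added example: a minimal 5x5 likelihood-by-impact risk heat map (not the CGMA tool's own code)."""
from dataclasses import dataclass

# Assumed likelihood bands: (upper bound of the probability range, score, qualitative label).
LIKELIHOOD_BANDS = [
    (0.05, 1, "Rare"),
    (0.20, 2, "Unlikely"),
    (0.50, 3, "Possible"),
    (0.80, 4, "Likely"),
    (1.00, 5, "Almost certain"),
]

# Impact bands in USD of earnings effect. The $25k and $75m thresholds follow the page;
# the intermediate thresholds are assumed for illustration.
IMPACT_BANDS = [
    (25_000, 1, "Trivial"),
    (1_000_000, 2, "Minor"),
    (10_000_000, 3, "Moderate"),
    (75_000_000, 4, "Major"),
    (float("inf"), 5, "Very material"),
]


def score_band(value, bands):
    """Return (score, label) for the first band whose upper bound the value does not exceed."""
    for upper, score, label in bands:
        if value <= upper:
            return score, label
    raise ValueError(f"value {value} exceeds every band")


@dataclass
class Risk:
    ref: str                          # short label used on the grid
    name: str
    probability: float                # inherent probability of the event in the period, 0..1
    impact_usd: float                 # inherent effect on earnings if the event occurs
    likelihood_reduction: float = 0.0 # assumed model: fraction by which controls cut the probability
    impact_reduction: float = 0.0     # assumed model: fraction by which controls cut the loss

    def residual(self):
        """Residual probability and impact after allowing for controls."""
        return (self.probability * (1 - self.likelihood_reduction),
                self.impact_usd * (1 - self.impact_reduction))


def assess(risk, residual=True):
    """Band one risk on a residual (default) or inherent basis and compute likelihood x impact."""
    p, i = risk.residual() if residual else (risk.probability, risk.impact_usd)
    l_score, l_label = score_band(p, LIKELIHOOD_BANDS)
    i_score, i_label = score_band(i, IMPACT_BANDS)
    return {"ref": risk.ref, "name": risk.name, "likelihood": l_score, "impact": i_score,
            "score": l_score * i_score, "labels": (l_label, i_label)}


def prioritise(risks, residual=True):
    """Rank risks by score. Multiplication cannot separate a 5x1 from a 1x5, so ties are
    broken on impact: a rare but very material event outranks a frequent trivial one."""
    rows = [assess(r, residual) for r in risks]
    rows.sort(key=lambda r: (r["score"], r["impact"], r["likelihood"]), reverse=True)
    return rows


def render(rows):
    """Text rendering of the 5x5 grid: impact on the vertical axis, likelihood on the horizontal."""
    grid = {(l, i): [] for l in range(1, 6) for i in range(1, 6)}
    for r in rows:
        grid[(r["likelihood"], r["impact"])].append(r["ref"])
    lines = []
    for impact in range(5, 0, -1):
        cells = [",".join(grid[(l, impact)]) or "." for l in range(1, 6)]
        lines.append(f"I{impact} | " + " | ".join(f"{c:<6}" for c in cells))
    lines.append("     " + "   ".join(f"L{l}    " for l in range(1, 6)))
    return "\n".join(lines)


# Constructed sample risks, loosely following the categories discussed on this page.
SAMPLE_RISKS = [
    Risk("NPI", "New product introduction", 0.60, 40_000_000, 0.10, 0.10),
    Risk("CC", "Customer concentration", 0.30, 80_000_000, 0.00, 0.20),
    Risk("SC", "Supply chain", 0.45, 20_000_000, 0.20, 0.60),
    Risk("PA", "Physical asset", 0.08, 5_000_000, 0.50, 0.90),
]

if __name__ == "__main__":
    ranked = prioritise(SAMPLE_RISKS)
    for r in ranked:
        print(f"{r['score']:>2}  {r['name']:<26} {r['labels'][0]} / {r['labels'][1]}")
    print(render(ranked))
```

Running the script with `residual=False` in `prioritise` shows why the basis matters: the physical asset risk scores 6 inherently but drops to 2 once its controls are credited, while the weakly controlled NPI risk barely moves.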
Source: Risk assessment for mid-sized companies: tools for developing a tailored approach to risk management. Scott McKay, AICPA, 2011
What benefits do Risk Heat Maps provide?
- A visual, big picture, holistic view to share while making strategic decisions
- Improved management of risks and governance of the risk management process
- Increased focus on the risk appetite and risk tolerance of the company
- Greater consistency and precision in the risk assessment process, through shared definitions of likelihood and impact
- Identification of gaps in the risk management and control process
- Greater integration of risk management across the enterprise and embedding of risk management in operations.
Questions to consider when implementing a Risk Heat Map
- How much risk are we willing to accept?
- What constitutes a material risk to our company?
- What is the range of acceptable variance from our key performance and operating metrics?
- How will we define our terms to evaluate the likelihood of risk events and the impact that they might have on our business, so that we can map our potential risk events to our heat map?
Communicating risk using a heat map
In the CGMA tool How to Communicate Risks Using a Heat Map, Figure 5 shows a sample heat map for a select set of risks for a hypothetical company. The sample groups these risks together according to their interrelated nature and effect on operations. See the link in Further resources to access the full case study.
The company used its earnings per share sensitivity to establish a range of impacts from trivial (<$25k in earnings) to very material (>$75m in earnings). Risks that were evaluated and grouped for presentation in the example include the following:
By mapping these risks, it was clear that both the likelihood and the impact of physical asset risk were relatively low compared with the risks associated with new product introduction, customer concentration and supply chain. Each of those was considered both more likely to occur and larger in impact.
Sales forecasting accuracy was a recurring theme, regarded as a key risk indicator for several of these interrelated risks.
The likelihood and the potential impact of risk events appeared highest for the new product introduction (NPI) process, indicating that opportunities may exist to improve how the company is structured for, and manages, NPI.