Heat Maps and Risk Management
Heatmaps are commonly used as reporting and discussion tools in risk management. However, there are two different types/categories of heatmaps, only one of which is useful.
The useful heatmap
The image below is a useful heatmap, showing temperatures across an area, in this case the entire world. Note that colour codes are plentiful and linked to explicit quantitative scales. Furthermore, note that the image is based on actual data.
Such heatmaps are snapshots in time, but looking at series of these, you may be able to see trends which may be valuable for your decision making.
My problem is that I have yet to hear about any one such map ever being used for active risk management of any sort. That is not to say it does not happen, just that it is probably not commonplace.
In the risk management world, a different type of heatmap is more commonly used.
The useless heatmap
The heatmap here is, on the other hand, utterly useless. Scales are undefined and hence subject to the interpretation of the viewer, whereby five people will apply five different sets of scales. Colours are used but hold no added information, and the “data” are based on biased human perceptions.
Instead of the shown numbers 1-5 many use qualitative descriptions such as “very low, low, medium, high, very high” or the like.
Any one risk is placed in one “cell”, ignoring the fact that should the risk materialize, it may have any level of outcome, often not directly related to the likelihood. For instance, look at fire in a large organisation. A fire may be anything from an overheated coffee machine to a complete burnout of a facility. The former surely happens several times annually and still has very limited consequences (placing this in the upper left corner), whereas the latter is fortunately very rare, but costly (placing this in the lower right corner). What to do, what to do?
Still, the heatmap shows a couple of “red” risks to address. However, these may be deliberately and wisely taken risks to pursue strategic objectives. Furthermore, there is no way of telling how many “amber” risks it takes to be as serious as one “red” risk.
Research has shown that such heatmaps are useless on a good day, and downright dangerous on a bad day. See for instance https://onlinelibrary.wiley.com/doi/10.1111/j.1539-6924.2008.01030.x
Even a moderately astute risk manager or risk consultancy knows this, and knows there are better ways to describe and prioritize risks. Those who do not know need to learn, to earn their “license to operate” in risk management.
This means that when risk managers and risk consultants are advocating this type of heatmap, they are committing what I would call professional misconduct.
My problem is that the use of such risk heatmaps, or risk matrices, is all too common in many companies, industries and even governmental institutions.
The way forward
I fully agree with Douglas Hubbard’s brilliant book “The Failure of Risk Management”. In my view, there is one way forward, and one way only. Leverage facts and science. This means:
Scope
Define which decision, target or aspiration you are risk managing. Without a target, there is no telling whether you eventually succeed or fail, and hence no basis for risk management.
Do remember to manage good/positive risk as well as negative.
Likelihood
Define which time horizon you are addressing – eventually anything will happen. In some instances, this will be a frequency (e.g., these or those many times annually); in other cases it may be easier to determine the likelihood that it will not happen and then subtract this from 1.
Impact
Measure risk impact in the same metrics as your performance, so that it links to the decision or target.
Recognize that any risk may have an outcome range and define this based on the best facts/insights you have available – it may be subject matter expert viewpoints.
Management
Manage to optimize the likelihood of success (= meeting/exceeding targets) and refrain from being risk centric. Oddly enough, risk management is actually not about managing risks.
Report on the likelihood of meeting targets and related measures, e.g., likelihood of “disaster”, 10% worst case scenario, 10% best case scenario, … as well as most important risks to address if you wish to improve your likelihood.
Integrate risk management into the management and decision process you use already. There is neither need for, nor value in keeping risk management separate.
The above is NOT complicated, not even very cumbersome compared to the value created. Do this before your competitors outperform you and make it “too late”.
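The steps under "The way forward", carried through as a small Monte Carlo simulation. This is an added example, not the author's own model: the risk register, planned profit, target, disaster level and the Poisson/lognormal distributions are all constructed assumptions.

```python
import math
import random

# Constructed sample register (assumed values, not from the article).
# freq = expected events per year; (lo, hi) = 90% interval of the impact per
# event, in thousand EUR of annual profit; sign -1 = threat, +1 = opportunity.
RISKS = {
    "small fire":       (3.0,  1,    20,   -1),
    "supplier delay":   (0.3,  50,   400,  -1),
    "facility burnout": (0.01, 2000, 9000, -1),
    "new customer win": (0.5,  200,  1500, +1),
}
PLAN, TARGET, DISASTER = 1000, 900, 0   # planned profit, target, "disaster" level

def poisson(rng, lam):
    """Number of events in one year (Knuth's method, fine for small lam)."""
    limit, k, p = math.exp(-lam), 0, rng.random()
    while p > limit:
        k, p = k + 1, p * rng.random()
    return k

def impact(rng, lo, hi):
    """Lognormal draw whose 5th/95th percentiles are lo and hi."""
    mu = (math.log(lo) + math.log(hi)) / 2
    sigma = (math.log(hi) - math.log(lo)) / (2 * 1.645)
    return rng.lognormvariate(mu, sigma)

def simulate(risks=RISKS, years=20000, seed=1):
    """Simulate many one-year horizons and report against the target."""
    rng = random.Random(seed)
    outcomes = sorted(
        PLAN + sum(sign * impact(rng, lo, hi)
                   for freq, lo, hi, sign in risks.values()
                   for _ in range(poisson(rng, freq)))
        for _ in range(years))
    return {
        "p_meet_target": sum(o >= TARGET for o in outcomes) / years,
        "p_disaster": sum(o < DISASTER for o in outcomes) / years,
        "p10": outcomes[years // 10],        # 10% worst case
        "p90": outcomes[years * 9 // 10],    # 10% best case
    }

def ranking(risks=RISKS):
    """Change in P(meet target) if a risk were removed; largest gain first."""
    base = simulate(risks)["p_meet_target"]
    gain = {}
    for name in risks:
        rest = {k: v for k, v in risks.items() if k != name}
        gain[name] = simulate(rest)["p_meet_target"] - base
    return sorted(gain.items(), key=lambda kv: kv[1], reverse=True)

if __name__ == "__main__":
    print(simulate())
    print(ranking())
```

In this constructed register the rare facility burnout drives the likelihood of "disaster", while the unremarkable supplier delay is what most often causes a missed target; a single cell in a matrix shows neither.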
Workplace Investigation-Enterprise Risk Management- Compliance Management- Incident Management- Executive Support- Operations & Humanitarian Emergency- Faith & Development
3 years ago: Well articulated article. I must confess that I have used heat maps not as a means to an end but as a tool to open up objective discussions among risk owners. One of the frustrations I experience is the subjectivity of impact and likelihood scales. In my opinion they begin the trouble in supporting proper analysis to influence decision making either at the operational or strategic level. Further discussions at a (plenary with key risk owners) help to critically question and agree on the priority risk areas in a particular period that require attention and for decision making.
Principal at Enterprise Risk Consulting
3 years ago: Great article, Hans. I agree with the usefulness (?) of heat maps. I've seen a trend where people want pretty things to look at, but the traditional heat map (which I admit I have used) does not send the message it should. Many people I've dealt with think the risk analysis (and whatever graphic representation they want to show with it) is the end of the story, when in fact it's just the beginning.
Group Risk Manager
3 years ago: Heatmaps and risk matrices are often used together and share the same problems and limitations. The colourful graphs including changes in colours create the illusion that risks are being effectively managed even when they are not. I summarized what I considered to be the five biggest problems with risk matrices that can also be applied to heatmaps. They are not totally useless - their practical use is just extremely limited. https://www.dhirubhai.net/feed/update/urn:li:activity:6877501808990834688
Project and Study Manager
3 years ago: In particular, the risk matrix should be adjusted and approved for each series of assessments (risk on a project level is not the same as risk on an enterprise level). But it is only a coarse tool and should never be used as the only risk rating criteria. Most importantly, controls need to be continually reviewed and assessed for effectiveness. Too often, the risk register or heat map are seen as the end result.
Global Director - Risk and Consulting at Hatch
3 years ago: G'day Hans - nice article addressing issues that we all grapple with in our work and our clients. The risk matrix example is a shocker. Fortunately with the clients I work with for capital projects they are more robust with well defined impact and probability criteria - each category also typically has a range which should be a 'heads up' that any risk rating is just a preliminary effort to help prioritise effort for initial actions / response planning. Safety risk can be reasonably designed in the matrix using industry accepted F-N curves and the other impact categories that would align with critical success factors would be workshopped with the Owner to complete the matrix. A key issue we always bump up against is the definition of the level of impact that is to be used for the risk - ie the point JD Solomon raised - sometimes this is defined by Owners as the ML whilst others will define it as the credible maximum impact. Once again if this is clear to the group then they should be fully aware that there is a 'risk profile' for each risk. The issue raised by JD Solomon was also addressed by AS4360 back in 2004 that showed the profile for a risk could be plotted on the matrix as a sloping elongated bubble covering the possible impact/probability pairs. The natural progression is then to quantitative risk analysis covering schedule, capex, opex, revenue etc to ultimately produce NPV risk profiles for investment decisions. The APM guide 'Prioritising Risks' is also a useful reference for initial qualitative risk assessments moving into robust QRA that naturally addresses the issues that can be done with the matrix. Unfortunately there is still a belief out there that all decisions can be made simply by using the matrix - it will be fine for some simple assessments but is only the 1st step in large and/or complex decisions and QRA's for these also have issues that need to be carefully considered. Cheers Greg