Ordinary risk heat maps are of limited help for management to steer the company. We need new concepts says Chris Schwager, managing director SRI Strategic Risk Institute
For many years, risk reporting has contained a typical element: a risk heat map. The ordinary risk heat map used is a graphical display of risks on a map, sorted from green for ‘not so relevant’ to red or even black for ‘very relevant risks’.
The ordinates of this type of risk map typically are risk impact and risk probability and the risks themselves are shown as bubbles on the map. Heat maps have been used for many decades as means to easily show to the reader of the map what the critical topics are. The higher the impact and the probability of the risk, the more critical it is and it moves from green to red.
The problem is determining what is actually displayed on the map. Questions you should be asking yourself include:
- Is this information really new or useful for leadership? Or is it rather just a recapitulation of things that are common sense to management?
- Which conclusions are drawn from heat maps?
- How often do the items on the map move?
- And most importantly, does the map really show the most critical topics for the company?
Most of the time, the answer will be no. For example, let’s look at cyber risk - one of the most critical risks of virtually every organisation. When we ask management about the impact and probability of cyber risk so that we can put it on the risk map, the answer is may be a blank face. How exactly do we judge the probability of the cyber risk? Is it 32.4% or 68.5? It is hard to know.
As a second example, take the development risk for new products. What is the probability of risk occurrence for this risk type? The same is true for the impact. Do we show the expected value should the risk occur? Or the worst case? Or real case?
Most of the times the judgment is done intuitively, and the result is artificial and therefore not really helpful to steer a company.
Accordingly, we need new concepts for risk heat maps. The main criteria for this is that it needs to enable management and leadership to make good decisions, monitor what is happening, properly allocate resources and drive the organisation towards strategy execution. Any risk heat map that leadership use to base their actions on them gets a blessing.
Examples are heat maps that show the expected value of the risk or the risk tolerance on one axis and the worst case on the other axis. Let’s take the cyber risk again as an example: The first question is always, whether the risk can occur or not. The answer is 100% probability for yes it can (on an ordinary risk map, the risk should be put at 100% accordingly except if described differently).
The next question is what the damage could be in a best-case scenario, in most likely case and in worst case scenarios. Based on this information it is easy for us to calculate an expected value.
We could even deduct a probability from this information should there be a need e.g. due to compliance reasons. Put the expected value on one axis as it shows the risk in relation to others and put the worst case on the other axis.
The worst case shows the maximum damage. With this information, management can decide on actions like reduction of the worst case scenario, allocation of resources, etc.
The worst case or the expected value can also be shown in relation to the risk tolerance. This makes it easy for management to direct risk response projects until the risks are in line with the respective tolerance level.
For risk managers, it is important to always be aware of the latest methods used for effective risk management. Unfortunately, an ordinary risk heat map with impact and probability isn’t such an instrument. It rather blurs the really important topics, which can’t be displayed properly on such a map.
For risk managers, this can be a key to get higher management attention and to be a supporter for the business to manage the risks the organisation faces in a better way.
To move higher up on the maturity for effective risk management, it is a must to reflect and be innovative with better risk heat maps, also for opportunity management.
Christoph Schwager is Managing Director SRI Strategic Risk Institute and former Chief Risk Officer, Airbus Group