The Problem With Risk Heat Maps and Dashboards
Norman Marks, CRMA, CPA, is a vice president for SAP and has been a chief audit executive and chief risk officer at major global corporations for more than 20 years.
Most risk practitioners seem to use some form of visualization, such as a heat map or dashboard, to communicate risk levels. But I have my doubts as to whether these reports are as valuable as they seem.
In the heat map above, two risks are shown. One is assessed as having a high probability/likelihood of a high impact, the other a medium probability of a high impact. The question is whether that is useful information by itself.
To illustrate the issue, let's take a speedometer that shows that the vehicle is moving at 100 mph.
What does this tell you? Does it tell you whether the vehicle is moving at the right speed, the speed you want? Not really.
To be able to assess whether 100 mph is good or bad, and whether you need to change the speed, you need more information — more context. For example:
- What kind of vehicle is this? Is it a car, an airplane, or a boat?
- If it's an airplane, why is it going so slow? Is it in the air or on the ground?
- Let's assume it's a car. What are the road conditions?
- What are the traffic conditions?
- Where is this? On the freeway or in your driveway?
- Is the driver experienced and able to drive safely at this speed?
- If the car is on the autobahn in Germany, and there is no speed limit, is this fast enough?
- When do you need to reach your destination? Is there any benefit for arriving early or penalty for arriving late? What will you do if you arrive early — will that actually cost more (e.g., for parking), or will you be able to use the time to prepare for a meeting?
- Is the vehicle safe to drive at this speed? Does it have enough gas/petrol, and has it been maintained such that the brakes and everything else will work properly?
- What is the speed limit, and is there a police car right behind you?
Knowing the speed is not enough to know whether action is required.
In the same way, knowing the risk level (likelihood and impact) is not enough. It needs to be reported in the context of risk appetite/criteria (I prefer using risk criteria as discussed in ISO 31000:2009). In other words, is 100 mph an acceptable level? Or is it either too high or too low?
Rather than using risk heat maps or similar, I think it is better to find a way to report whether the risk is within acceptable levels — satisfying your risk criteria.
What do you think?
Posted on Jun 20, 2012 by Norman Marks