Eight steps to creating a risk heat map


A definitive guide to producing, using, and improving a risk heat map at your organization.

A good risk assessment is an important part of the process of putting together a solid internal audit plan. But gathering risk information from throughout the company and organizing it into manageable and actionable material can be a daunting task. Creating a risk heat map can help.

Conducting a risk assessment, either as part of a full enterprise risk management (ERM) process or through a more narrowly focused internal control process, is a critical step in keeping management focused on the key risks that could affect the company. A heat map—a visualization tool that helps organize, define, and quickly communicate these key risks—is an indispensable part of any risk management toolbox and can help cut through the complexity.

Indeed, risk heat maps are a common part of an ERM approach to risk management. The Committee of Sponsoring Organizations’ (COSO) ERM guide, Enterprise Risk Management—Integrated Framework, promotes the use of a risk matrix or heat map to focus management’s attention on the most important threats and opportunities and to lay the groundwork for risk responses.

A heat map is a two-dimensional representation of data in which values are typically represented by colors (often red, green, and yellow) and can range in complexity from simple (for example, showing qualitative risks only) to more complex (including qualitative and quantitative risks). In the risk assessment process, visualization of risks using a heat map presents a concise, big-picture view of the full risk landscape to discuss while making decisions about the likelihood and impact of risks within the company. (It’s important to note that a full risk identification and assessment process is generally required before creating a heat map and those steps are not addressed here.)

An Important Risk Management Tool

Risk expert Norman Marks writes in his book, World Class Risk Management, that a heat map can be an important tool to communicate risk within an organization. “A heat map is very effective in communicating which risks rate highest when you consider their potential impact and the likelihood of that impact,” he writes. “The reader is naturally drawn to the top right quadrant (high significance and high likelihood), while items in other quadrants receive less attention.” Let me note here that Marks has some cautions about the use of risk maps that we will get to in a moment.

To make use of a risk map, it’s important for the organization to create a common language around discussions of risk. Terms like “potential impact” and “likelihood” need to be defined and used throughout the organization and in the design of the heat map so that everyone is on the same page in discussions of risk. It also requires a common understanding of the risk appetite of the organization.

Organizations use a variety of ways to identify entity-wide risks, including surveys, workshops, interviews with business unit managers, risk factors disclosed in financial reports, industry literature, and many others. Once the entity-wide risks are identified, each risk is assessed for potential impact (sometimes called “severity”) and likelihood of occurring.

Assigning the impact and likelihood scores is easily the most difficult part of the risk-mapping process, and much thought and deliberation should go into it. While internal audit can play an important part in this risk scoring, the process should seek major input from business unit managers, the risk management function, and elsewhere.
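As an added illustration of the scoring and mapping described above (example code, not from the article, Marks, or COSO), the following Python script builds a simple likelihood-by-impact heat map from a constructed risk register. It fixes a shared 1-5 scale for both axes so every business unit scores in the same language, rejects scores outside that scale, bins each risk into a cell, colors cells with assumed thresholds, ranks the risks, and lists those in the top-right (high likelihood, high impact) quadrant. The scale labels, color thresholds, and sample risks are all assumptions made for this example; a real organization derives the thresholds from its stated risk appetite.

```python
from __future__ import annotations

from dataclasses import dataclass

# Assumed common scale (not defined by the article): 1-5 ordinal ratings for
# both axes. Agreeing on labels like these is the "common language" an
# organization needs before scores from different units can be compared.
LIKELIHOOD_LABELS = {1: "rare", 2: "unlikely", 3: "possible", 4: "likely", 5: "almost certain"}
IMPACT_LABELS = {1: "negligible", 2: "minor", 3: "moderate", 4: "major", 5: "severe"}
SCALE = range(1, 6)


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: int  # 1-5, see LIKELIHOOD_LABELS
    impact: int      # 1-5, see IMPACT_LABELS

    def __post_init__(self) -> None:
        # Reject scores outside the agreed scale so a unit that scores on
        # 1-10 cannot silently distort the map.
        for field, value in (("likelihood", self.likelihood), ("impact", self.impact)):
            if value not in SCALE:
                raise ValueError(f"{self.name}: {field}={value} is outside the 1-5 scale")

    @property
    def score(self) -> int:
        return self.likelihood * self.impact


def zone(likelihood: int, impact: int) -> str:
    """Colour of a heat-map cell. Thresholds are assumed for this example;
    in practice they follow from the organization's risk appetite."""
    score = likelihood * impact
    if score >= 15:
        return "red"
    if score >= 6:
        return "yellow"
    return "green"


def build_heat_map(risks: list[Risk]) -> dict[tuple[int, int], list[str]]:
    """Group risk names by (likelihood, impact) cell; every cell is present, possibly empty."""
    cells: dict[tuple[int, int], list[str]] = {(l, i): [] for l in SCALE for i in SCALE}
    for r in risks:
        cells[(r.likelihood, r.impact)].append(r.name)
    for names in cells.values():
        names.sort()
    return cells


def top_right(risks: list[Risk], cutoff: int = 4) -> list[str]:
    """Risks in the quadrant readers are drawn to first: high likelihood AND high impact."""
    return sorted(r.name for r in risks if r.likelihood >= cutoff and r.impact >= cutoff)


def ranked(risks: list[Risk]) -> list[Risk]:
    """Risks ordered by score, highest first; ties broken by impact, then name."""
    return sorted(risks, key=lambda r: (-r.score, -r.impact, r.name))


def render(risks: list[Risk]) -> str:
    """Text rendering: impact on the vertical axis (severe at the top), likelihood
    across; each cell shows its colour initial and the number of risks in it."""
    cells = build_heat_map(risks)
    lines = []
    for impact in reversed(SCALE):
        row = [f"{IMPACT_LABELS[impact]:>14} |"]
        for likelihood in SCALE:
            row.append(f" {zone(likelihood, impact)[0].upper()}{len(cells[(likelihood, impact)]):<2}")
        lines.append("".join(row))
    lines.append(" " * 15 + "+" + "-" * 20)
    lines.append(" " * 16 + "".join(f" L{l} " for l in SCALE) + "   (likelihood)")
    return "\n".join(lines)


# Constructed sample register for the example (not real assessment data).
SAMPLE_RISKS = [
    Risk("Ransomware outage of core systems", 4, 5),
    Risk("Credential phishing of staff", 5, 3),
    Risk("Breach at a key SaaS vendor", 3, 4),
    Risk("Payroll fraud", 2, 3),
    Risk("Flooding at head office", 1, 4),
    Risk("Expense policy drift", 3, 1),
]

if __name__ == "__main__":
    print(render(SAMPLE_RISKS))
    print("\nTop-right quadrant:", top_right(SAMPLE_RISKS))
    for r in ranked(SAMPLE_RISKS):
        print(f"{r.score:>3}  {zone(r.likelihood, r.impact):<6} {r.name}")
```

Only the ransomware scenario lands in the top-right quadrant even though the phishing scenario has the highest likelihood: the quadrant view and the plain score ranking disagree at the margins, which is exactly where the discussion with business unit managers and the risk management function should concentrate.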

