Myths In Risk Management — Exposing The Flaws Of Risk Heat Maps

Bruce McCuaig

Recently, I ran a round table discussion on the topic of enterprise risk management (ERM). The participants were all experienced risk managers in the private and public sectors.

During a break, I overheard one participant sharing her experience in presenting a heat map to her board of directors as part of her ERM report. In her mind, the presentation was a disaster, and she decided to never again include a risk heat map as part of her presentation.

So what went wrong? Heat maps, like the one below, have been a staple of the risk management profession for years. For many, they’re the primary vehicle for reporting on risk. I, myself, have frequently used them in my practice as a risk management professional.

Virtually all risk management software I’m familiar with has the ability to plot heat maps, and many of the standard risk management frameworks illustrate various forms of heat maps as reporting tools.

Frequently Used—But Are They Useful?

My disenchantment with heat maps began when I was presented with one while serving as a board member. Charged with the responsibility for the organization’s risk oversight, I was forced to ask myself the question, “What does this tell me, and what should we do about it?”

The simple answer was nothing, and nothing. Distributing a set of risks into a heat map provides little, if any, useful information to management.

Imagine a CFO presenting a heat map that showed the magnitude and frequency of financial statement account balances. I’m sure the board would react the same way to that heat map as the board did to the risk manager in my workshop.

Information about the level, category, and residual risk status of individual risks and their impact on business performance is useful and essential. But providing that information isn’t what heat maps do. Risks in a heat map usually appear without a context, and they provide little insight into any context when one does appear.

The flaw with heat maps is that risk management isn’t really about risk—it’s about how to mitigate risk and create and preserve value. Heat maps don’t provide insight or perspective to those charged with overseeing risk management and delivering value.

What the risk management profession really needs is some solid research into how risks and their impact on value should be reported. Heat maps aren’t the answer.

Please share your thoughts with me. What have your experiences been like when using risk heat maps for reporting? Have they been positive or negative? What reporting formats or frameworks do you use for your ERM projects?


About Bruce McCuaig

Bruce McCuaig is director of Product Marketing at SAP GRC solutions. He is responsible for development and execution of the product marketing strategy for SAP Risk Management, SAP Audit Management, and SAP solutions for three lines of defense. Bruce has extensive experience in industry as a finance professional, as a chief risk officer, and as a chief audit executive. He has written and spoken extensively on GRC topics and has worked with clients around the world implementing GRC solutions and technology.