How To Read Risk Heat Maps

This article makes liberal use of irony.

I recently posted an article ‘In defence of risk heat maps’. It received many hundreds of ‘likes’ and quite a number of kind comments saying what a lovely article it was and agreeing with my defence of risk heat maps.

However, several people also opened the article and read it. From their reactions, it is clear that I did not go into sufficient detail about the underlying mathematics of risk heat maps, leaving the reader with some small reservations about whether risk heat maps provide genuine management insight. This article attempts to reassure those readers.

History

Probability theory was developed by people like Cardano, de Fermat, Pascal, Huygens, Laplace, and Bernoulli hundreds of years ago in Europe. It used equations and graphs. In the centuries that followed, it has remained just a theory and its ideas have changed very little. It has stagnated.

Years ago, probability theory was central to risk management. This meant it was based on mathematics rather than common sense and was of no practical value to people dealing with the real world. Since then, enormous progress has been made. Software developers understand that risk management deals with the real world, so they devised enterprise risk management (ERM) software in which equations and graphs could be completely replaced with scores and colours. This revolutionised risk management, making it available to people who never understood maths at school – which is nearly everyone.

Software

The new score and colour system for risk heat maps has been enthusiastically embraced throughout the world. Implementing the system requires sophisticated ERM software or an Excel template. The following ERM products use these heat maps – click the links to see fine examples of their artwork. You may need to look carefully as they are somewhat modest about showing them:

These software products are very, very expensive - so they can be trusted. They appear in Gartner’s Magic Quadrant for Integrated Risk Management. Over half are assessed as visionaries too, which is very impressive and reassuring.

The following ERM products do not use the modern colour system:

Just one, which tells you something! Pelican is new but, perversely, is based on old-fashioned probability ideas. It tries to hide this fact by making it easy to use. It isn't as expensive as the qualitative systems, which means it is rubbish. Pelican is developed by a Belgian company. Belgium, the capital of Brussels, is the reason the UK has Brexit. Naturally, nobody trusts Belgium. Europeans occasionally drive quickly through Belgium on their way to work or to visit friends, stopping only to buy chocolate or beer at the gift shop. They do not stop to buy software. You should not either.

Risk heat map mathematics

This section describes the rules and laws that are at the foundation of colouring risk heat maps. It is written for the ardent researcher. Risk managers and decision-makers are advised to skip this section unless they are curious about how risk heat maps drive their decisions.

We begin with the standard framework of a 5x5 risk matrix. The horizontal axis (chance) and vertical axis (impact) are divided into five sections, each labelled with descriptions like {Very Low, Low, Medium, High, Very High}. They are given ascending scores between 1 and 5, which produces a very pleasing grid, like the one shown in Figure 1.

Figure 1: A very pleasing grid

The expert is asked to place each identified risk into one of the squares. It is best practice to offer guidance on what is meant by Low, High, etc. for both scales since one person’s Medium is another person’s High. The impact scale will depend on the size of the business. The key factor in defining the ranges encompassed by each category is deciding how one category relates to another. There are three options for both scales:

  1. Make each category a constant addition to the previous category (A). This is called an arithmetic scale by mathematicians.
  2. Make each category a constant multiple of the previous category (M). This is called a geometric scale by mathematicians. If a geometric scale is used for Impact, one could use the same multiplier for Chance (I) or a different multiplier (M).
  3. Customise – i.e. do what you like (C).

Figure 2 gives examples of what this could look like:

Figure 2: Examples of category definitions that could be used

Qualitative risk analysis allows one to choose whichever scheme you want – there are no rules, none - giving 12 combinations. This provides a lot of flexibility which is essential for a good ERM system. But it gets better! The indices {1,…5} for chance and impact can be either added together or multiplied, whichever is preferred. That gives 24 different possible combinations! They are summarised in Figure 3.

Figure 3: the 24 different combinations that are possible with qualitative risk analysis

The flexibility of qualitative risk analysis is truly astonishing. Quantitative risk analysts and thought leaders don’t understand any of these combinations, except the two shown in red. Their constant complaining represents a potential threat to consulting, diploma and software sales but thankfully the risk management community has rallied together as one and agreed to ignore them.

Nonetheless, as a professional qualitative risk analyst, or risk manager, you may find yourself needing to defend your heat maps against these people. They generally do not understand MBA-speak, so you will have to learn their language. The remainder of this article provides you with all the ammunition you need to show how ridiculous their arguments are. We will first look at the two combinations from Figure 3 that the quantitative risk analyst understands and show how impractical they are. We will then dive into one of the most popular combinations and marvel at the extraordinary risk management insights it provides.

The A,A option with multiplication

Figure 4 shows an example where chance and impact scales increase arithmetically, and their scores are multiplied.

Figure 4: Impact increased in $2M increments, chance in 20% increments

Mathematicians like this a lot. They say that, in this grid, each risk point is worth the same amount. For example, in this case $400k. Mathematicians miss two key points:

  1. They don’t realise that index values aren’t intended to mean anything. They are just for figuring out the colour of the square and determining the risk management strategy;
  2. Although the probability scale is quite reasonable, the impact scale is ridiculous - nobody is going to say a $2M loss is very low! And how about health and safety - where Very Low might be a person with a grazed knee, and Very High could be someone dead, or several people, or many, many people. Five grazed knees does not equal a human catastrophe! 

Clearly this is not a viable option for real-world risk management.

The M,I option with addition

Figure 5 shows an example where chance and impact scales increase geometrically with the same multiplier, and their scores are added.

Figure 5: Impact and chance increase by multiples of 10

Mathematicians say they like this one too. They say that if you use the same multiplier k (here 10) for both scales, then the difference in index values between two risks equals how many multiples of k one risk is worth more than the other. For example, a risk with a score of 7 is 1000 (10 x 10 x 10) times bigger than a risk with a score of 4. Admittedly, that actually works out, but again they miss two key points:

  1. The two marked squares now have to be orange instead of green for consistency. This means that a top risk (Very High scores for both chance and impact) can never become green by either making its chance or impact super-tiny alone, which undermines the value of risk management;
  2. This time the chance scale is completely crazy! Nobody thinks about risks with 0.0001 or 0.001 chance, so all risks will end up with a Medium, High or Very High chance and will be orange or red. Executives would get extremely worried seeing so much orange and red, which is very poor risk management.

A really useful heat map scoring system

Clearly, a more practical approach is required. The most obvious solution is to use an arithmetic scale for the chance and a geometric scale for the impact. Something like the heat map shown in Figure 6. Ranges have also been used instead of point estimates. Since we know Risk = chance x impact we obviously multiply the indices. This is a very standard setup, validated by many years of risk reporting, and used in most businesses around the world. Doing the same thing in your business will give you a competitive advantage.

Figure 6: An example of the most common type of setup for a risk heat map

This type of setup provides insights that simply would not be apparent using mathematics. For example:

  • It is clear from the matrix that no risk can ever occur more than once. This fact alone makes heat maps worth the enormous effort invested in drawing them. Strikes, accidents, floods, whatever - once they have occurred they can be removed from the heat map. The strategic insight this brings is immeasurable.
  • For a risk with a Very Low chance, it is never worth spending money to reduce its impact because it will always keep the same score! In the real world, most risks have <20% chance so the savings can be enormous! The savings alone that qualitative risk analysts make for their company this way easily justify the higher salary they receive than people using maths, enabling them to repay their MBA tuition fees.
  • It is efficient risk management practice to value pre-mitigation risks with chances just above the thresholds separating each category. This will maximise the benefit:cost ratio of any risk management strategy because reducing the chance even slightly will change the colours. Senior management will quickly appreciate the added value as the safer colours become more frequent. The same principle applies for impacts.
  • Always focus on risk management strategies that reduce the chance, not the impact, of risks. For example, a risk with 30% chance and impact of $5M, gives a score of 8. If you could halve the chance or halve the impact, the choice is clear – halving the chance reduces the score to 4 and the risk changes from orange to green, whilst halving the impact wouldn’t change the score or colour at all! Quantitative risk analysts cannot give senior management such clear guidance.
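For readers who insist on checking the arithmetic behind the three setups discussed above (Figure 4, Figure 5 and Figure 6) the following Python is an added example; it is not part of the original article and is not code from any of the ERM products mentioned. It scores one risk under each scheme and keeps the expected loss (chance x impact) alongside, so the reader can see when the colour moves and the expected loss does not, and vice versa. The figures are not reproduced on this page, so the band boundaries, the point values of the Figure 4 and Figure 5 scales, and the green/orange/red thresholds are assumptions, chosen so that the code reproduces the numbers quoted in the text: $400k per risk point, 10 x 10 x 10 for a difference of three in the added scores, and the 30% / $5M risk that scores 8 and drops to 4 only when its chance is halved.

```python
"""Added example (not from the original article): one risk scored under the
three heat-map schemes discussed above, beside the expected loss
(chance x impact) that probability theory would assign it.

Assumed scales, chosen to reproduce the numbers quoted in the text; the
figures themselves are not reproduced on the page:
  Figure 4 (A,A, multiply): chance index i = 20% * i, impact index j = $2M * j
  Figure 5 (M,I, add):      chance index i = 10**(i-5), impact index j = $1k * 10**(j-1)
  Figure 6 (A chance, M impact, multiply, ranges):
      chance bands 0-20%, 20-40%, 40-60%, 60-80%, 80-100%
      impact bands <$10k, $10k-$100k, $100k-$1M, $1M-$10M, >$10M
      colours: score <= 5 green, 6-12 orange, above 12 red
"""
import bisect


# --- Figure 4: arithmetic scales, indices multiplied ---------------------
def aa_multiply(i: int, j: int) -> tuple[int, float]:
    """Return (score, expected loss) for chance index i, impact index j."""
    chance = 0.2 * i          # 20%, 40%, ..., 100%
    impact = 2e6 * j          # $2M, $4M, ..., $10M
    return i * j, chance * impact   # expected loss is always score * $400k


# --- Figure 5: geometric scales, same multiplier (10), indices added -----
def mi_add(i: int, j: int) -> tuple[int, float]:
    """Return (score, expected loss); expected loss is 10**(score - 3) dollars."""
    chance = 10.0 ** (i - 5)      # 0.0001, 0.001, 0.01, 0.1, 1
    impact = 1e3 * 10 ** (j - 1)  # $1k, $10k, $100k, $1M, $10M
    return i + j, chance * impact


def mi_ratio(score_a: int, score_b: int) -> float:
    """How many times bigger a risk scoring score_a is than one scoring score_b."""
    return 10.0 ** (score_a - score_b)


# --- Figure 6: arithmetic chance, geometric impact, indices multiplied ---
CHANCE_BOUNDS = [0.2, 0.4, 0.6, 0.8]   # upper edge of chance bands 1..4 (assumed)
IMPACT_BOUNDS = [1e4, 1e5, 1e6, 1e7]   # upper edge of impact bands 1..4 (assumed)


def band_index(value: float, upper_bounds: list[float]) -> int:
    """1..5 category index; a value exactly on a boundary goes to the higher band."""
    return bisect.bisect_right(upper_bounds, value) + 1


def colour(score: int) -> str:
    """Assumed traffic-light thresholds for the multiplied score."""
    if score <= 5:
        return "green"
    return "orange" if score <= 12 else "red"


def common_scheme(chance: float, impact: float) -> dict:
    """Score a risk the 'most common' way, keeping the real expected loss alongside."""
    score = band_index(chance, CHANCE_BOUNDS) * band_index(impact, IMPACT_BOUNDS)
    return {"score": score, "colour": colour(score), "expected_loss": chance * impact}


def compare_halving(chance: float, impact: float) -> dict:
    """Halving chance and halving impact cut expected loss equally; the colours differ."""
    return {
        "as_is": common_scheme(chance, impact),
        "halve_chance": common_scheme(chance / 2, impact),
        "halve_impact": common_scheme(chance, impact / 2),
    }


def very_low_chance_row(chance: float = 0.1) -> list[str]:
    """Colours across the whole Very Low chance row, from a $1k to a $50M impact."""
    return [common_scheme(chance, impact)["colour"]
            for impact in (1e3, 5e4, 5e5, 5e6, 5e7)]


if __name__ == "__main__":
    print("Figure 4: index product 3x4 =", aa_multiply(3, 4))
    print("Figure 5: score 7 vs 4 ->", mi_ratio(7, 4), "times bigger")
    for label, r in compare_halving(0.30, 5e6).items():
        print(f"Figure 6 {label:12s} score={r['score']:2d} {r['colour']:6s} "
              f"expected loss=${r['expected_loss']:,.0f}")
    # Nudging chance across a band edge flips the colour for a ~10% change in loss
    for chance in (0.19, 0.21):
        r = common_scheme(chance, 5e6)
        print(f"chance {chance:.2f}: score={r['score']} {r['colour']}")
    print("Very Low chance row:", very_low_chance_row())
```

Run it as a script and the Figure 6 section shows the 30% / $5M risk at score 8 (orange) with an expected loss of $1.5M; halving the chance and halving the impact both leave an expected loss of $750k, but only the first turns the square green. The same run shows a chance of 0.19 scoring 4 (green) and 0.21 scoring 8 (orange), and every square in the Very Low chance row coming out green, a $50M impact at 10% included. Change the assumed band edges or colour thresholds to match your own template and the expected-loss column will not move; only the colours will.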

Summary

The additional insights that come from qualitative risk analysis are simple to calculate and simple to illustrate with clear, attractive, simple charts. In the modern era where simple, quick and attractive are essential elements of the high quality reporting that busy executives demand, it is no wonder that qualitative ERM systems are so popular and so expensive.

If your budget does not extend to purchasing a qualitative ERM system, your three options are, in descending order of merit:

  1. Save up until you can afford one
  2. Build an Excel template – there are many video tutorials available on YouTube to show you how
  3. Buy Pelican, the quantitative ERM system, from Belgium in Brussels

Syed Haydar Hussain

Senior Operational, Transformation & Technology Risk Specialist | Successfully navigating firms through the ever changing risk landscape | Empowering leadership with the skills and tools to take risks intelligently

4y

In the financial services sector, we use a combination of quantitative and qualitative risk assessments. For financial risks, VaR models are used, while for non-financial risks we use scenario analysis, risk and control assessments and risk modelling. Yes, we use heat maps and 5 x 5 risk matrices to assess our operational risks, but modelling op risk has been challenging. The lack of data and not having the right data has been a problem. Overall, I think there is space for forms of analysis to help validate each other.

Jaime Herrera

Safety & Industrial Hygiene Regional Manager for Sewing Operations Central America

5y

This is just another great article David. Thanks

Roy Akalah, CISA ,CISM,CRA

Consultant-Enterprise Risk, Passionate Corporate Trainer, Experienced Auditor in Info Sys Platforms and Processes, specialized in Financial Services.

5y

In addition, a Risk Matrix assists in coming up with the Heat Map with two key elements therein, i.e. Probability (of Event Occurrence) and Impact (outcome when risk crystallizes). The matrix in the form of a template guides Risk Practitioners in the institutions to come up with the right profile as reflected on the Heat Map for ease of communication and deliberation at the Risk Committee Forum.

Owhohefe Ekpomebe

Head, Risk Management - Head office & DCL Congo at Dangote Cement Plc.

5y

Interesting article. Not minding all the criticisms, I think heat maps are a clear and simple way of presenting risk information.

Dave Bartholomew

Projects and Training Consultant: Experienced project/programme manager, instructor and mentor.

5y

I admit, I always get a little confused with quantitative scales on heat maps, which are a qualitative tool. If you have scales you may as well use a formula with numeric thresholds (pure quantitative). But using a heat map is not only about a visual (for me); it is about using qualitative scales (which cannot meaningfully be used within a formula) and getting some indication of our perception of the relative severity of risks against each other. Used like this I think heat maps can provide a useful perspective, although there is still the little problem of cognitive bias. Just a thought perhaps?
