Risk assessments and heat maps remain central components in most enterprise risk management (ERM) programs. Yet there is considerable debate about their effectiveness and both tools have no shortage of critics. In 2011 Howard Sklar, a Forbes contributor, outlined one of the most popular criticisms regarding companies that viewed risk assessments as a document instead of a risk management process. He noted, “Companies that fail in this way are often trying to check the risk-assessment box on their program. That’s fine, as far as it goes. At first glance, a risk assessment seems like a low-ROI effort. You put in time and potentially money, and you get back a piece of paper laying out what you already know.”
Similarly, others deride heat maps as nothing more than “colorful guesses.” Brian Priezkalns, in the not-too-subtly titled article, Why I hate Heat Maps, says “Heat maps are just a terrible terrible terrible way to understand, communicate about, and decide how to respond to risks. They either mess up what you already knew, or they hide the fact you are too ignorant to make a rational decision. Everything that can be done with heat maps would be done better with actual numbers.”
If the risk assessment and risk heat map have such fierce critics, then why are they still central to most ERM programs? In this article, we’ll examine what drives the limitations, and the key missing ingredient that turns them into powerful assets.
Problems with risk assessments and risk heat maps
An examination of the plentiful critiques of these tools reveals four commonly cited issues.
1. Failing to include the upside
Without considering both the opportunity and the risk at the same time, any risk management process process will struggle to succeed. As noted in How to Map Your Risks, “To be sure, the benefits of identifying and assessing both risks and opportunities at the same time might seem obvious. Yet it is rarely practiced. One reason is that the two most widely used tools currently employed in ERM risk assessment are the risk register and risk heat map. The focus of both of these is only the perceived threats to an organization–they provide no consideration of the positive value that could be created by taking risks.”
Priezkalns further clarifies this limitation, “The upsides never get plotted on the heat map, because there is nowhere to plot them. So how are you supposed to properly judge how to respond to a risk, if you cannot differentiate between a risk that has a massive potential upside, and a risk which has no upside whatsoever?”
2. Lack of alignment with goals
Our recent discussion with Michael Yip, Vice President, Risk Management with DFW International Airport, focused on the critical importance of linking ERM efforts with organizational goals and objectives. “That is the first connection that needs to be made,” Yip says.
Bank News’ Steven Minsky includes this lack of alignment as one of his six biggest risk management issues. He says, “If risk management is considered a completely independent initiative – reducing it to a “compliance checklist” – it’s difficult to align it with strategic goals. The program then turns into a burdensome responsibility, not a useful tool. It also becomes difficult to identify which activities are the greatest hindrance to strategic goals and objectives, and allocate limited resources to those areas.” Ultimately, if the output from heat maps and risk assessments doesn’t tie-in to organizational goals, stakeholder engagement is unlikely.
3. Relying on static snapshots
One key limitation of the risk assessment and risk heat map is their describing of factors at one specific moment in time, perhaps long since passed by the time the management reviews the data. Norman Marks, a prominent voice in the COSO and ISO “great debate”, discusses the static nature of these tools. “When management and the board rely on the review of a report that purports to show the top risks to the organization and their condition, unless they are reviewing a dynamically changing report (such as a dashboard on a tablet) they are reviewing information that is out-of-date. Its value will depend on the extent that risks have emerged or changed.”
4. Not providing context to enterprise risk data
Digitalist Magazine’s Bruce McCuaig identifies two critical questions to consider when evaluating the data from tools such as risk heat maps, “what does this tell me and what should we do about it?” All too often with these tools, he asserts, the answers are “nothing and nothing.”
McCuaig points to the lack of context inherent in most analytical tools. “Risks in a heat map usually appear without a context, and they provide little insight into any context when one does appear. The flaw with heat maps is that risk management isn’t really about risk—it’s about how to mitigate risk and create and preserve value. Heat maps don’t provide insight or perspective to those charged with overseeing risk management and delivering value.”
Tolerance, a natural context
An initial step for shifting away from “nothing and nothing” is to examine each risk relative to the organization’s respective tolerance or appetite. As Norman Marks advises, “Whether you prefer the COSO or ISO guidance, risks require special attention when they are outside acceptable levels (risk appetite for COSO and risk criteria for ISO). Just because a risk rates ‘high’, because the likelihood of a significant impact is assessed as high, doesn’t mean that action is required by senior management or that significant attention should be paid by the board. They may just be risks that are ‘inherent’ in the organization and its business model, or risks that the organization has chosen to take to satisfy its objectives and to create value for its stakeholders and shareholders.”
Instead of relying on the risk heat map and risk assessment alone to prioritize risks by likelihood and impact, focus on the gap between tolerance and actual. Where is the organization incurring greater risk than acceptable? Conversely, where is it expending additional resources to mitigate a risk far below tolerable levels? This is the type of context that management needs and, as Marks notes, eliminates the noise of highlighting risks that the organization has already decided to accept.
Completing the risk management process
Risk heat maps and risk assessments can be highly effective when viewed as the first step in a process. They provide the structured, organized data needed to identify tolerance gaps. This narrows the focus to issues where the organization is not sufficiently handling a risk, and areas where the organization is committing more resources than necessary to control.
The second step is to ask the questions laid out by Bruce McCuaig for each of those risks. “What does this tell me?” prompts examining the underlying reason why this risk is falling outside acceptable levels (the context) and also what upsides need to be factored in. “What should we do about it?” includes examinations of current controls, risk tolerance/appetite levels, and related objectives. The conversation and analysis sparked by these two questions are what yield the high-value information management demands. That context converts abstract data into actionable reports.
Putting it all together
With this focus on providing more contextual and insightful data to management, a modified approach to risk assessments and risk heat maps can address the five common critiques of these tools.
- Include the upside when asking “What does this tell me?”
- Align responses with organizational objectives when asking “What should we do about it?”
- Utilize a flexible RMIS with powerful reporting to avoid relying on dated snapshots
- Use tolerance gaps to identify which risks require additional context
- Complete the additional step of asking the two questions for any risks with large tolerance gaps
Once this approach is taken, the final step is to consider how to push these insights down to the operational level. As the Bank News article notes, “the true value of a risk assessment is unlocked when it’s pushed to the front line, or process level, where issues first materialize. That information can be used to identify cost-effective solutions, building the business case at the appropriate decision-making level.”
Realizing the potential of risk heat maps and enterprise risk assessments
These much-maligned tools, on their own, may not produce the actionable data management expects from an ERM program. However, when used as the foundation for exploration of risks outside of tolerance levels, they begin to approach their true potential.
Howard Sklar describes the possibilities. “And the worse part of the pitiful state of most risk assessments is that they could be so much more. Risk assessments can serve as a vehicle for early buy-in, a method to secure budget and resources, a gauge for progress, a way to avoid fire-drills and set priorities for your program, a natural reporting-out format, and proof for regulators of the adequacy of your program. All that from a process that most companies don’t comprehend or utilize to its fullest. Or worse, misuse to the point where it’s either value-neutral or even detrimental to the program. In some cases, the risk assessment can become a risk.”
The conversations and framing around the risk assessment and risk heat map, relative to tolerances, objectives, and upsides, is what unlocks the real value. Without that, the activity around these tools is just a resource-burning chore nobody wants or uses. With context, on the other hand, these tools become the drivers of a strong viable ERM program. As Sklar puts it, “Ask yourself, which do you want, a document you put on a shelf, or an ongoing process that gives you significant benefits over time?”
Get in touch with an Origami enterprise risk management expert today to see how you can turn risk assessments and risk heat maps into powerful drivers for your organization.