The Issue with the Heat map

Risk Assessment tends to look at the impact and likelihood of risk events. These get nicely plotted onto heat maps of all dimensions. There are varieties of heat maps that replace likelihood with frequency, which is similar on an abstract level. There are varieties that look at risk readiness rather than likelihood; the idea being that it is more important to understand whether the organization is ready for the event rather than know the likelihood of the event's occurrence. Once the risk event strikes, you better know what to do. Debating its likelihood is no longer relevant. You need to act.
There are varieties of heat maps that look at detectability. Can you see the risk event before your organization incurs additional damage? There are varieties that look at multiple dimensions of risk and the different impacts from risk. Impact to finance may be minimal, but reputational damage may still be significant. Most heat maps evaluate inherent (gross) and residual (net) loss.
See previous blogs on this topic, some of which include thoughts on risk targets (where do we want to be). There are multiple ways to prioritize risk; there is no best way. Risk prioritization needs to fit a particular organization's needs and a particular situation. Perhaps, at an enterprise-wide level, detailed IT risks need to be assessed differently than strategic risks.
But don't forget: putting risks on a heat map is about creating awareness and setting priorities. It is basically about risk response: what do you do now that you have an understanding of a potential risk event? Do you accept it, do you stop facing this risk, do you strengthen your control measures, or, perhaps, do you find a way to transfer the risk, in order to ensure it is properly handled?
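To make the variants described above concrete, here is an added example (not from the original post) that scores a handful of constructed risks on a 5x5 grid, places both the inherent (gross) and residual (net) position of each on a text heat map, and maps the residual position, together with the detectability and readiness dimensions, onto the four responses named above: accept, avoid (stop facing the risk), strengthen controls, or transfer. The scales, the risks, the rule that controls reduce impact but not likelihood, and the response thresholds are all assumptions chosen for illustration, not a method prescribed by the author.

```python
from dataclasses import dataclass

GRID = 5  # assumed ordinal scale: 1 = lowest, 5 = highest


@dataclass
class Risk:
    name: str
    likelihood: int              # inherent likelihood, 1..5
    impact: dict                 # inherent impact per dimension, e.g. {"financial": 2, "reputational": 5}
    control_effectiveness: float # 0.0 = no controls .. 1.0 = fully mitigating (assumed to reduce impact)
    detectability: int           # 1 = seen late or never .. 5 = seen early
    readiness: int               # 1 = no response plan .. 5 = rehearsed plan


def clamp(value):
    """Snap a value back onto the 1..GRID ordinal scale."""
    return max(1, min(GRID, int(round(value))))


def worst_impact(risk):
    """A heat map needs one impact value; take the worst dimension (reputational may dominate finance)."""
    return max(risk.impact.values())


def inherent_position(risk):
    """(likelihood, impact) before controls, i.e. the gross position."""
    return risk.likelihood, worst_impact(risk)


def residual_position(risk):
    """(likelihood, impact) after controls; the assumption here is that controls reduce impact only."""
    return risk.likelihood, clamp(worst_impact(risk) * (1 - risk.control_effectiveness))


def inherent_score(risk):
    lik, imp = inherent_position(risk)
    return lik * imp


def residual_score(risk):
    lik, imp = residual_position(risk)
    return lik * imp


def suggest_response(risk, appetite=6):
    """Illustrative response policy (assumed thresholds), using the residual position plus
    the readiness and detectability dimensions the post mentions."""
    if residual_score(risk) <= appetite:
        return "accept"
    if risk.readiness <= 2 or risk.detectability <= 2:
        # If you cannot see it coming or would not know what to do, invest in controls first.
        return "strengthen controls"
    lik, imp = inherent_position(risk)
    if lik >= 4 and imp >= 4:
        return "avoid"
    return "transfer"


def render_heat_map(risks):
    """Text heat map: rows = impact (high at top), columns = likelihood.
    Each cell lists 'name*' for the inherent and 'name o' for the residual position."""
    lines = []
    for imp in range(GRID, 0, -1):
        cells = []
        for lik in range(1, GRID + 1):
            marks = [r.name + "*" for r in risks if inherent_position(r) == (lik, imp)]
            marks += [r.name + "o" for r in risks if residual_position(r) == (lik, imp)]
            cells.append(",".join(marks).ljust(14))
        lines.append(f"impact {imp} |" + "|".join(cells))
    lines.append("          " + "".join(f" likelihood {l} ".ljust(15) for l in range(1, GRID + 1)))
    return "\n".join(lines)


# Constructed sample register (not real data).
SAMPLE_RISKS = [
    Risk("Ransom", 4, {"financial": 3, "reputational": 5}, 0.6, detectability=2, readiness=2),
    Risk("Vendor", 2, {"financial": 2, "reputational": 1}, 0.0, detectability=4, readiness=4),
    Risk("Legacy", 5, {"financial": 5, "reputational": 4}, 0.2, detectability=4, readiness=4),
    Risk("Flood", 3, {"financial": 4}, 0.25, detectability=5, readiness=3),
]


def assess(risks=SAMPLE_RISKS):
    """Return {name: (inherent score, residual score, suggested response)} for the register."""
    return {r.name: (inherent_score(r), residual_score(r), suggest_response(r)) for r in risks}


if __name__ == "__main__":
    print(render_heat_map(SAMPLE_RISKS))
    for name, (gross, net, response) in assess().items():
        print(f"{name:8} gross={gross:2} net={net:2} -> {response}")
```

The residual scores only set priority and point at a response; they are ordinal products, not loss amounts, which is exactly the limitation the post goes on to describe.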
It is not about actually putting a true business value behind the risk; for this, more information on a risk is required, and you would need a more quantitative assessment.