The Issue with the Heat map
January 30, 2012 by
Filed under: Risk Management
There are varieties of heat maps that look at detectability: can you see the risk event before your organization incurs additional damage? There are varieties that look at multiple dimensions of risk and at the different kinds of impact a risk can have: the financial impact may be minimal while the reputational damage is still significant. Most heat maps evaluate inherent (gross) and residual (net) loss.
See previous blogs on this topic, some of which include thoughts on risk targets (where do we want to be). There are multiple ways to prioritize risk; there is no best way. Risk prioritization needs to fit a particular organization's needs and a particular situation. Perhaps, at an enterprise-wide level, detailed IT risks need to be assessed differently than strategic risks.
But don't forget: putting risks on a heat map is about creating awareness and setting priorities. It is basically about risk response: what do you do now that you have an understanding of a potential risk event? Do you accept it, do you stop facing this risk, do you strengthen your control measures, or, perhaps, do you find a way to transfer the risk, in order to ensure it is properly handled?
It is not about putting a true business value behind the risk; for that, more information on the risk is required, and you would need a more quantitative assessment.
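The mechanics sketched above (several impact dimensions, a detectability score, inherent versus residual positions, and a response decision read off the map) can be made concrete in a few lines. The following is an added example written for this page, not code from the original post; the 1..5 scoring scale, the band thresholds, the "controls remove likelihood points" model and the sample risk register are all assumptions chosen for illustration.

```python
"""Worked heat-map scoring example (added illustration; scales and thresholds are assumptions)."""
from dataclasses import dataclass

LOW, HIGH = 1, 5  # assumed scoring scale for likelihood, impact and detectability


@dataclass
class Risk:
    name: str
    likelihood: int          # 1 (rare) .. 5 (almost certain), before controls
    impact: dict             # impact per dimension, e.g. {"financial": 2, "reputational": 4}
    detectability: int       # 1 = seen well before damage spreads .. 5 = found only after the fact
    control_effect: int = 0  # likelihood points removed by current controls (assumed model)

    def __post_init__(self):
        for value in (self.likelihood, self.detectability, *self.impact.values()):
            if not LOW <= value <= HIGH:
                raise ValueError(f"{self.name}: score {value} outside {LOW}..{HIGH}")


def worst_impact(risk):
    """Rate impact by the most-damaged dimension, so a small financial loss with
    large reputational damage is still scored as a significant event."""
    return max(risk.impact.values())


def inherent_cell(risk):
    """(likelihood, impact) cell before controls: the gross position on the map."""
    return risk.likelihood, worst_impact(risk)


def residual_cell(risk):
    """(likelihood, impact) cell after controls: the net position on the map."""
    return max(LOW, risk.likelihood - risk.control_effect), worst_impact(risk)


def score(cell):
    likelihood, impact = cell
    return likelihood * impact


def band(cell):
    """Colour band of a cell; the thresholds are an assumption for this example."""
    s = score(cell)
    return "high" if s >= 15 else "medium" if s >= 8 else "low"


def suggest_response(risk):
    """Map the residual band to the response options the post lists
    (accept, stop/avoid, strengthen controls, transfer); flag poor detectability."""
    residual_band = band(residual_cell(risk))
    response = {"high": "stop the activity or transfer the risk",
                "medium": "strengthen control measures",
                "low": "accept and monitor"}[residual_band]
    if residual_band != "low" and risk.detectability >= 4:
        response += "; add detective controls (event is unlikely to be seen in time)"
    return response


def render_heatmap(risks, cell_of=residual_cell):
    """Text grid with impact on the rows (5 at the top) and likelihood on the
    columns (1..5); each cell holds the number of risks plotted there."""
    counts = {}
    for risk in risks:
        cell = cell_of(risk)
        counts[cell] = counts.get(cell, 0) + 1
    lines = ["impact\\likelihood " + " ".join(f"L{l}" for l in range(LOW, HIGH + 1))]
    for impact in range(HIGH, LOW - 1, -1):
        row = " ".join(f"{counts.get((l, impact), 0):>2}" for l in range(LOW, HIGH + 1))
        lines.append(f"I{impact}                {row}")
    return lines


# Constructed sample register for illustration; not data from the post.
SAMPLE_RISKS = [
    Risk("phishing-led credential theft", likelihood=4,
         impact={"financial": 2, "reputational": 4}, detectability=3, control_effect=2),
    Risk("data-centre power loss", likelihood=2,
         impact={"financial": 3, "reputational": 1}, detectability=1, control_effect=1),
    Risk("silent backup failure", likelihood=3,
         impact={"financial": 4, "reputational": 2}, detectability=5),
]

if __name__ == "__main__":
    for risk in SAMPLE_RISKS:
        print(f"{risk.name}: inherent {band(inherent_cell(risk))}, "
              f"residual {band(residual_cell(risk))} -> {suggest_response(risk)}")
    print("\n".join(render_heatmap(SAMPLE_RISKS, inherent_cell)))
    print("\n".join(render_heatmap(SAMPLE_RISKS)))
```

Two design choices carry the post's points: `worst_impact` scores a risk by its most-damaged dimension, so the phishing entry stays significant even though its financial impact is small, and `suggest_response` reads the decision off the residual band rather than the inherent one, with detectability only adding a "detect it sooner" recommendation. Rendering both grids side by side shows how far controls have moved each risk, which is the awareness-and-priorities use of the map; none of the numbers are a business value of the loss.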