What Is a Risk Heat Map & How Can It Help Your Risk Management Strategy

Author: Dave Schmoeller, GRC Expert & Director of Solutions Marketing at Reciprocity
Date Published: 25 January 2022

Editor’s note: The following is a sponsored blog post from Reciprocity.

In the early 2000s, pharmaceutical company GlaxoSmithKline (GSK) was facing a serious risk: One of its manufacturing plants did not meet the requirements of current good manufacturing practices (CGMP).

CGMP non-compliance can have serious consequences, including warnings, product recalls, legal action, and criminal prosecution. In 2010, the U.S. Department of Justice (DoJ) proved that the drugs created in GSK’s plant violated several safety standards. GSK ended up paying a huge fine of US$750 million.

But GSK could have avoided this situation.

In 2001, it received warnings from the U.S. FDA about the plant’s unsafe practices. However, due to its problematic ERM process, it failed to quantify and act on these warnings. In so doing, GSK not only introduced unsafe bacteria into its products, but also ultimately ended up with a huge financial loss on its books.

Key Takeaway:
Every organization faces multiple risks that can affect its business continuity, financial stability, reputation, cybersecurity posture, and compliance. To avoid or mitigate such risks, you need a robust Enterprise Risk Management (ERM) strategy.

ERM is a holistic, enterprise-wide approach to identify, address and manage the key risks affecting an organization. These risks could be operational, financial, strategic, tactical, reputational, regulatory or cybersecurity-related. With an ERM program, you can implement the right controls to keep your organization safe, operational, productive and compliant.

A risk heat map is an important element of ERM, and this article will explain why. It will also show you how you can create one for your organization.

What Is a Risk Map in Enterprise Risk Management?
A risk heat map is a powerful visualization tool for Enterprise Risk Management. Also known as a risk heat chart or risk matrix, it shows risk likelihood on the horizontal axis (X) and risk impact on the vertical axis (Y). Together, these axes can help you analyze a risk and decide what action to take to minimize any possible adverse consequences.

The matrix can include “stoplight colors” to effectively and visually convey which risks are of most and least concern to your organization depending on its risk appetite. Usually, green indicates low risk, yellow is for medium risk and red is for high risk. This information can guide your risk mitigation and minimization strategies.

After plotting the risks on the heat map, you can score each risk using this formula:

Risk = Potential Impact × Probability of Occurrence

What Are the Benefits of a Risk Heat Map?
A risk heat map is a popular ERM tool because it delivers many solid benefits for risk analysts and practitioners:

Shows a Holistic View of Risks
The map presents a “big picture” and concise view of risks, especially if you use a scenario-based ERM approach. If you identify the maximum number of future scenarios, risk factors and the risks of each scenario, you can better understand the company’s overall risk health, coverage and profile. You can also identify and address any overlooked areas of ERM and internal control processes.

Communicates Risk Information to Stakeholders
You can communicate information about identified risks to stakeholders. Since the map is a visual tool, it is easier for them to grasp the seriousness of each risk and to act faster to address it.

Improves Risk Prioritization
You can assign weights to each risk to help with risk prioritization, so you can better understand where to focus your ERM energies.

Improves Decision-Making
You can make better, more strategic decisions about which mitigation strategies to implement based on probability and likely impact of risks.

Helps Create an Enterprise-Wide Risk Language
Create a common language of risk, which can be very useful when:

  • You need to have discussions about the risk assessment process with senior leaders, business units, audit committees and the board of directors.
  • Different departments need to understand how risks in one department could affect other departments.

Quantitative and Qualitative Risk Heat Map
A risk heat map can be qualitative, describing the intensity of a risk’s impact in words, or quantitative, expressing the risk intensity in tangible numbers, priorities or ranks.

To build a qualitative heat map, you can add definitions to the terms “potential impact” and “likelihood.” Thus, if you are building a 3x3 risk map, you will have three parameters under both impact and likelihood.

Under “potential impact,” add definitions for “high risk,” “medium risk,” and “low risk.” Add stoplight colors to match these different impact types. For “likelihood,” add percentage ranges for parameters like “possible,” “probable,” and “remote.”

Depending on your organization’s risk profile, you can create a 4x4, 5x5, or an even more detailed risk heat map. So, your 5x5 map could include these parameters:

  • Likelihood: Remote, Unlikely, Possible, Likely, Probable
  • Potential Impact: Negligible, Low, Medium, High, Extreme

As with the 3x3 matrix, you can assign a percentage range to each likelihood parameter and colors to each cell to visually represent the risk’s seriousness.
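A worked 5x5 matrix built from the scales above, added here as an example that is not part of the original article: the probability range behind each likelihood level, the score thresholds behind the stoplight colours, and the three-entry risk register are all assumptions that an organisation would replace with its own.

```python
from typing import NamedTuple

# 5x5 scales from the article; position + 1 is the numeric weight (1..5).
LIKELIHOOD = ["Remote", "Unlikely", "Possible", "Likely", "Probable"]
IMPACT = ["Negligible", "Low", "Medium", "High", "Extreme"]
# Assumed upper bounds (exclusive) of the probability range for each likelihood
# level, and assumed stoplight thresholds on the score; both reflect risk appetite.
LIKELIHOOD_UPPER = [0.05, 0.20, 0.50, 0.80, 1.01]
RED_FROM, YELLOW_FROM = 15, 5

def likelihood_from_probability(p: float) -> str:
    """Map an estimated probability of occurrence (0..1) to a likelihood label."""
    for label, upper in zip(LIKELIHOOD, LIKELIHOOD_UPPER):
        if p < upper:
            return label
    return LIKELIHOOD[-1]

def colour(score: int) -> str:
    """Stoplight colour for a score of 1..25."""
    return "red" if score >= RED_FROM else "yellow" if score >= YELLOW_FROM else "green"

class Risk(NamedTuple):
    name: str
    likelihood: str
    impact: str
    def score(self) -> int:
        # Risk = Potential Impact x Probability of Occurrence, each weighted 1..5
        return (IMPACT.index(self.impact) + 1) * (LIKELIHOOD.index(self.likelihood) + 1)

def ranked(risks):
    """Risks ordered most serious first, with score and colour, for prioritisation."""
    return sorted(((r.name, r.score(), colour(r.score())) for r in risks),
                  key=lambda t: t[1], reverse=True)

def heat_map(risks) -> str:
    """Render the matrix as text: impact on the Y axis (Extreme at top), likelihood on X."""
    cells = {(i, l): [] for i in range(5) for l in range(5)}
    for r in risks:
        cells[(IMPACT.index(r.impact), LIKELIHOOD.index(r.likelihood))].append(r.name)
    rows = []
    for i in reversed(range(5)):
        row = [f"{IMPACT[i]:>10}"] + [f"{','.join(cells[(i, l)]) or '.':^9}" for l in range(5)]
        rows.append(" ".join(row))
    rows.append(" " * 11 + " ".join(f"{name:^9}" for name in LIKELIHOOD))
    return "\n".join(rows)

# Constructed sample register, not taken from the article.
REGISTER = [Risk("R1", likelihood_from_probability(0.10), "Extreme"),
            Risk("R2", "Probable", "Low"),
            Risk("R3", "Likely", "High")]
```

Calling `print(heat_map(REGISTER))` draws the grid, and `ranked(REGISTER)` gives the prioritised list (R3 scores 16 and lands in red; R1 and R2 both score 10 and land in yellow).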

How to Create and Optimize a Risk Heat Map: Best Practices
Here are some good practices to keep in mind when creating your organization’s risk heat map:

Brainstorm a List of Possible Risks
Even the best risk analyst, risk manager or CFO may not have a complete and updated view of all the risks affecting your organization. That’s why it’s important to consult with people across the company, including department heads, functional leaders and project managers.

These people may highlight evolving, previously unknown risks, and help you understand why a particular risk is more or less serious. Use these insights to build a more complete heat map that captures all the risks affecting the entire organization.

Seek Expert Guidance
Talk to external risk experts. Ask for their insights, and use this information to guide your risk heat map creation process.

Consider Historical Data
Some risks to your organization may not be new. They may even have resulted in adverse risk events that caused some loss or damage to your company. Identify and assess these risks by asking:

  • When did this risk lead to an adverse event?
  • How many times?
  • How severe was the event in terms of impact?

This historical information helps you judge the severity and potential impact of a risk as you create your risk heat map. Keep in mind that the severity or impact may have changed since the event, so do a deeper assessment rather than relying on past figures alone.

Rank Risks by Frequency and Severity
Once you identify all existing and potential risks, rank them in terms of frequency and severity. You can also do a comparative risk analysis by plotting points on the heat map. Assign numeric values to each risk on both aspects to help with the comparison, mitigation, planning and execution.

Determine the Cause of Risks
Determine the cause of the most serious risks to help you effectively implement prioritization and mitigation strategies. You can then communicate the results to senior executives when discussing the effectiveness of your ERM program.

Revisit the Risk Heat Map
Risks change constantly due to changes in technology, market and industry forces, geopolitical situations, and customer preferences. To keep up, your risk management process, practices, and risk heat map must also evolve.

Review the map periodically to assess if a particular risk has changed. Also discuss the heat map with relevant stakeholders at least quarterly to determine if any risks should be added, removed or updated.

Involve the Rank and File
Risk affects the organization at every level, so you should use the heat map to explain the purpose and goals of your ERM program to all employees. Explain why they should pay attention to the identified risks and their role in minimizing the impact and potential damage.

Also get their input to update and improve the heat map, formalize ERM, and ensure that it is part of your organization’s risk-aware culture.

Get Buy-In from the Top
Make sure you also get the inputs and sign-off of senior management when creating or updating the risk heat map. Support from the top is critical for creating effective risk mitigation strategies, monitoring their effectiveness and improving risk decision-making.

Integrate ZenGRC with Your Risk Management Strategy
ZenGRC can help you assess and manage risks within the organization’s framework of business and strategic objectives. With its single source of truth, you can aggregate all records, reports, policies, procedures, and control listings in one place to improve risk communication and decision-making.

Catch and remediate vulnerabilities and risks with real-time updates so you can set up a successful ERM program. Leverage its reporting tools to understand your risk profile and its heat maps to operationalize ERM and communicate current risk status to stakeholders. You can even evaluate risks across connections with SCF and NIST frameworks and the cyber risk catalog.

See more about ZenGRC’s industry-leading risk management tools and capabilities. Or schedule a demo.