The field of Enterprise Risk Management (ERM) has long used heat maps as a means to organize, define and rank risks that impact, or could potentially impact, an organization. They are presented to an organization’s leadership to assist in visualizing an organization’s risk exposure, provide a big-picture perspective on risk, and guide prioritization of risks.
While heat maps can depict the volume of risks and provide some context about an organization's general exposure to risk, they do not provide enough data or detail to inform decision-making. When risks are presented on a heat map based only on an assessment of likelihood and consequence, it is not easy to infer which risks truly require prioritization; multiple risks often fall into the same cell of the map, and therefore within the same range of risk exposure.
Sample Risk Heat Map
In reviewing a heat map, one is left wondering: how do we distinguish among multiple risks in the same cell? In the same quadrant? Within the same color/level? Which should be prioritized? In short, a heat map generates more questions than it answers.
To generate meaningful data from the risk assessment process and effectively enable ranking of risks, organizations should consider incorporating an additional risk factor into their assessment process, one that accounts for the risk appetite and strategic priorities of the organization's leadership. This risk factor should be assigned by the organization's leadership team, with full visibility of the consequence and likelihood values already assigned to the risk. This additional risk factor, which we've named "urgency", asks the question: how soon does our organization need to prioritize this risk?
The criteria for the urgency factor can be adapted for your organization and should be designed to ensure your organization's leadership takes into account its strategic priorities and risk appetite. As with the consequence and likelihood ratings, each possible response to the question is assigned a numerical value, with the soonest timeframe receiving the highest value and the longest timeframe the lowest.
With the three risk factors evaluated, the organization can then generate an overall score for the risk by multiplying as follows:
Likelihood X Consequence X Urgency
Risks can then be ranked and sorted by the overall risk score, clearly defining which risks require prioritization. The resulting ranking reflects both the risk's impact on the organization and the organization's risk appetite.
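The following script, an added example rather than anything from the PRIMA post or the UMass program, works the scoring through on a small constructed risk register. It first groups risks by their heat-map cell to show the ties the post describes, then applies Likelihood X Consequence X Urgency and sorts. The five urgency timeframes and their 1-5 values, the 1-5 likelihood and consequence scales, and the sample risks are all assumptions chosen for illustration; the post says the criteria should be adapted per organization.

```python
from collections import defaultdict
from dataclasses import dataclass

# Urgency scale: leadership's answer to "how soon must we prioritize this?"
# mapped to a number, soonest = highest. The labels and 1-5 range here are an
# assumption for this example, not a scale prescribed by the post.
URGENCY_SCALE = {
    "immediately": 5,
    "within 6 months": 4,
    "within 1 year": 3,
    "within 2 years": 2,
    "beyond 2 years": 1,
}


@dataclass
class Risk:
    name: str
    likelihood: int   # 1-5, assessed by risk owners (assumed scale)
    consequence: int  # 1-5, assessed by risk owners (assumed scale)
    urgency: str      # timeframe chosen by leadership, a key of URGENCY_SCALE


def validate_rating(value, field):
    """Reject ratings outside the assumed 1-5 integer scale (catches data-entry errors)."""
    if not isinstance(value, int) or not 1 <= value <= 5:
        raise ValueError(f"{field} must be an integer 1-5, got {value!r}")
    return value


def heat_map_cells(risks):
    """Group risks by (likelihood, consequence): the cell they would share on a heat map."""
    cells = defaultdict(list)
    for r in risks:
        key = (validate_rating(r.likelihood, "likelihood"),
               validate_rating(r.consequence, "consequence"))
        cells[key].append(r.name)
    return dict(cells)


def risk_score(risk):
    """Overall score from the post: Likelihood X Consequence X Urgency."""
    if risk.urgency not in URGENCY_SCALE:
        raise ValueError(f"unknown urgency timeframe {risk.urgency!r}")
    return (validate_rating(risk.likelihood, "likelihood")
            * validate_rating(risk.consequence, "consequence")
            * URGENCY_SCALE[risk.urgency])


def rank_risks(risks):
    """Return (name, score) pairs, highest score first.

    Scores can still tie, so consequence and then likelihood break ties;
    that secondary ordering is a design choice for this example.
    """
    ordered = sorted(risks, key=lambda r: (-risk_score(r), -r.consequence, -r.likelihood))
    return [(r.name, risk_score(r)) for r in ordered]


# Constructed sample register for illustration; not a real institution's risks.
SAMPLE_RISKS = [
    Risk("Ransomware on shared student information system", 4, 5, "immediately"),
    Risk("Research data center cooling failure", 4, 5, "within 2 years"),
    Risk("Loss of key federal grant funding", 3, 4, "within 1 year"),
    Risk("Deferred maintenance on campus steam lines", 3, 4, "beyond 2 years"),
    Risk("Phishing leading to payroll diversion", 5, 2, "within 6 months"),
]

if __name__ == "__main__":
    # Without urgency, two pairs of risks land in the same cell and cannot be separated.
    for cell, names in sorted(heat_map_cells(SAMPLE_RISKS).items(), reverse=True):
        print(f"cell L={cell[0]} C={cell[1]}: {names}")
    print()
    # With urgency, the same register produces a single ordered list.
    for name, score in rank_risks(SAMPLE_RISKS):
        print(f"{score:3d}  {name}")
```

Running it shows the two risks sharing the L=4, C=5 cell separate into scores of 100 and 40 once leadership's urgency is applied, and the two in the L=3, C=4 cell into 36 and 12. Note that the product alone does not guarantee a total order (here the cooling failure and the phishing risk both score 40), so the ranking function applies an explicit tie-break; whatever secondary rule you choose should be agreed with leadership in advance rather than left to sort order.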
*The views and opinions expressed in the Public Risk Management Association (PRIMA) blogs are those of each respective author. The views and opinions do not necessarily reflect the official policy or position of PRIMA.*
By: Christine Packard
Director, Enterprise Risk Management, University of Massachusetts - President's Office
Having spent more than 15 years in the field of emergency management, including seven as the deputy director of the Massachusetts Emergency Management Agency, Christine joined the University of Massachusetts in August 2019 as its first dedicated director of enterprise risk management. In her role as ERM director, Christine is responsible for the system-wide enterprise risk management program, working with the five UMass campuses and the system office to identify and assess risk impacting the UMass system, and ensuring implementation of mitigation strategies.
By: Olivia Watson
Analyst Enterprise Risk Management, University of Massachusetts - President's Office
A graduate of the University of Massachusetts - Amherst, Olivia joined the University of Massachusetts in October 2021 having spent two years in the fields of public health emergency preparedness and emergency management.