In defence of Risk Heat Maps

by David Vose

A few words to get you started …
This article employs irony. Almost every idea written here is utter, utter nonsense. This should be very confronting, because also it describes – more or less – exactly what people actually do.
There are a couple of subtle web links about Pelican, our enterprise risk management system, which does not have these flaws. I think it is the only commercial ERM system to do so. You might like to take a look.
Have fun, and remember, try not to agree with anything …

In recent years, heat maps – a very popular and central tool for the management of risks of projects and businesses – have been criticised as being at best ‘misleading’ and, at worst, ‘useless’ by many of the thought leaders in the field. This article provides an objective review of these accusations.

What is a risk?

As we all know, a risk is an event that may or may not happen and, if it does happen, will have an impact that is undesirable. It therefore has two measures:

1.      The chance of happening

2.      The size of the impact if it does happen

Mathematicians, statisticians, engineers and scientists have a special word for the chance of something happening: probability. But this only applies for risks that can only occur once. For risks that can occur multiple times (which is the vast majority of risks) they also use the phrase expected frequency. This is confusing. In order to keep the mathematics and statistics down to a level that is useful to real people, we will stick with the word chance and assume that risks can only occur once.

There are several types of impact that one could experience. For example, the risk event could be an accident in which case the impacts could be one or more of:

  • Financial loss
  • Loss of human life
  • Damage to the environment
  • Delays or interruption in providing critical services
  • Loss of reputation and ultimate destruction of the business

It is customary to consider only the financial loss. This has several advantages:

  • It is simple and easy to follow
  • One can easily estimate financial impacts because everything comes down to money in the end
  • It is much quicker to do the analysis[1]
  • It avoids asking difficult questions about attitude to people or the environment, social responsibility, duty to provide a service or business sustainability

What is a risk heat map?

Risk heat maps plot the chance of something happening against the size of the impact on a grid. Typically, chance is plotted on the horizontal axis and impact is plotted on the vertical axis, but it can be the other way round too if you prefer.

Each axis is split into a number of sections. The number of sections must be the same for both axes. This looks nice and allows us to describe heat maps as ‘n x n’. Each section is given a term that is easily understood by senior managers. Research has shown that all senior managers understand the terms low, medium, high and can place them in ascending order. This produces the grid shown in Figure 1:

Figure 1: a simple risk matrix

A numerical score is now assigned to each category. Integers (whole numbers) are used, starting from 1 and increasing for each category. For example, for the three sections of Figure 1, we have:

Low = 1, Medium = 2, High = 3

The scores for the Chance and Impact are then combined to give a score for each square in the grid. The two options are addition and multiplication. Both are used. Since, for risk-based decision making, it does not matter which system is used, multiplication is recommended. It is slightly more complex than addition, but it is consistent [2] with the common evaluation of risk as:

Risk = Chance x Impact [3]

Finally, to make it more obvious which risks are bigger, and which are smaller, a colour scheme is applied to provide the greatest managerial insight[4]. The most common colouring scheme is the red, amber, green system, familiar as the colours used at traffic lights, shown in Figure 2:

Figure 2: a risk heat map

In tests, 93% of managers understood red = stop, and 100% understood green = go. This is excellent news, as it means that management will react to any risk that plots in a red area with ‘STOP!’ as required. They will also not be concerned with any risk that plots in a green area. Good risk management finds ways to plot the risks in the green area.

The orange area is slightly more problematic. 23% of surveyed managers believed that orange meant stop, 47% of managers believed it meant go if you won’t get caught, and 2% of managers believed it meant just go [5]. This is called risk appetite and is a fundamental part of using risk information for decision-making.

Risks should be plotted in either the red or green areas as much as possible to reduce the workload and stress on the executive committee. This is difficult to achieve with the 3 x 3 matrix of Figure 2 as too much of the matrix is orange, so it is common to use a more sophisticated 5 x 5 matrix, as shown in Figure 3:

Figure 3: an advanced risk matrix

Note that there are relatively few orange squares, and the colouring scheme remains consistent and transparent (both essential for good risk management) because it follows the rules:

  • Score < 10 = green
  • 10 < Score < 14 = orange
  • Score > 14 = red
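The scoring and colouring described above, carried through for the whole 5 x 5 grid as an added example (not from the article or from Pelican). It combines the 1 to 5 scores by multiplication as recommended, applies the three colour rules exactly as written, and, going a little beyond the text, also checks whether addition ranks the cells the same way as multiplication; the `heat_map`, `colour_counts` and `ranking_disagreements` names are my own.

```python
"""Worked 5 x 5 risk heat map scoring (added example, not from the article).

Scores 1..5 on each axis are combined by multiplication and coloured with
the article's thresholds: score < 10 green, 10 < score < 14 orange,
score > 14 red. The rules are applied literally, so any score they do not
cover is reported rather than silently rounded into a band.
"""
from itertools import product

LEVELS = ["Very Low", "Low", "Medium", "High", "Very High"]  # score = index + 1


def score(chance: int, impact: int, method: str = "multiply") -> int:
    """Combine two 1..5 scores; 'multiply' is Risk = Chance x Impact."""
    if not (1 <= chance <= 5 and 1 <= impact <= 5):
        raise ValueError("scores must be integers from 1 to 5")
    return chance * impact if method == "multiply" else chance + impact


def colour(s: int) -> str:
    """Apply the article's colouring rules literally; 'uncoloured' marks a gap."""
    if s < 10:
        return "green"
    if 10 < s < 14:
        return "orange"
    if s > 14:
        return "red"
    return "uncoloured"  # the rules as written assign nothing to this score


def heat_map(method: str = "multiply") -> dict[tuple[int, int], tuple[int, str]]:
    """Map (chance, impact) -> (score, colour) for all 25 cells."""
    return {(c, i): (score(c, i, method), colour(score(c, i, method)))
            for c, i in product(range(1, 6), repeat=2)}


def colour_counts(method: str = "multiply") -> dict[str, int]:
    """How many cells land in each colour (the 'heat map risk count' view)."""
    counts: dict[str, int] = {}
    for _, col in heat_map(method).values():
        counts[col] = counts.get(col, 0) + 1
    return counts


def ranking_disagreements() -> list[tuple[tuple[int, int], tuple[int, int]]]:
    """Pairs of cells that multiplication and addition put in opposite order."""
    cells = list(product(range(1, 6), repeat=2))
    out = []
    for a in cells:
        for b in cells:
            if a < b:
                by_mul = score(*a) - score(*b)
                by_add = score(*a, "add") - score(*b, "add")
                if by_mul * by_add < 0:  # opposite signs: the two systems disagree
                    out.append((a, b))
    return out


if __name__ == "__main__":
    for (c, i), (s, col) in sorted(heat_map().items()):
        print(f"{LEVELS[c - 1]:>9} x {LEVELS[i - 1]:<9} = {s:2d} {col}")
    print(colour_counts())
    print(len(ranking_disagreements()), "pairs ranked differently by addition")
```

With the thresholds applied to additive scores (maximum 10) nothing is ever red, which is one concrete reason the choice of combining system does matter.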

Descriptions other than {Very Low, Low, Medium, High, Very High} are also possible. For example, a quick Google provides us with various other options for the description of chance. These are used in commercial and highly popular risk management software (Pelican being a maverick) and can therefore be used with complete confidence:

  • {Remote, Unlikely, Possible, Likely, Probable}
  • {Rare, Unlikely, Possible, Likely, Almost Certain}
  • {Rare, Remote, Moderate, Likely, Frequent}

Some people Probably consider Possible to be less Likely than Unlikely, but the chance of that affecting risk management decisions is very Remote (or Rare). For convenience, all risks that are expected to occur more than once (e.g. a fraud, earthquake, tornado, strike, machine breakdown, etc.) are placed together in the highest chance category. Putting a risk that might occur once in the same chance category as another that might occur a hundred times is fine because they are both almost certain to occur. It is best practice.

Alternative impact descriptions are similarly consistent, for example:

  • {Negligible, Low, Medium, High, Extreme}
  • {Insignificant, Minor, Moderate, Major, Critical}
  • {Insignificant, Low, Moderate, Significant, Major}
  • {Insignificant, Minor, Moderate, Major, Catastrophic}
  • {Low, Medium, High, Serious, Extreme}
  • {Minor, Moderate, Significant, Major, Severe}

Both scales are highly customisable [6], in that every person evaluating a risk can interpret the various phrases in any way they wish. The most customisable version of a heat map dispenses entirely with descriptions and uses numbers 1 – 5. This avoids any confusion by entirely removing any connection between the scale and actual real world values. However, the technique is completely quantitative and should therefore only be used by fully-trained risk managers.

It is obvious that many risks might actually have different potential impacts. For example, a car crash could result in a minor dent or the loss of life of many people. In order to maintain consistency, a business must develop a risk management policy document explaining whether one should use the lower or higher impact as the single-point measure. The lower impact puts more risks in the green area and is therefore good risk management.

Many risk registers are performed in Excel and stored on the risk manager's PC so that s/he has firm control of who gets to see it, and can ensure that all data are approved before being entered. This is because the risk manager knows about risk in each area of the business better than anyone else. It also makes it very easy to provide senior management with up-to-date information on the current risk status by quickly whipping out the spreadsheet (unless s/he is on holiday or sick).

Alternative colour schemes

Since conditional formatting became available in Excel, it is now easy to colour cells using a graded scheme, as shown in Figure 4.

Figure 4: risk heat map using a graded colour scheme

This is a classic example of software bells and whistles having unexpected and serious business consequences. Adding more colours increases managerial insight, of course, but makes it very difficult for managers to know whether to say Stop! or Go!, causing confusion, and the rejection of risk management for being too complex.

The risk heat map is best practice. It is a tool based on logic and maths, backed up by many guidelines, consultants, risk management qualifications and software tools, but we should not ruin the outstanding development work that has been done by over-complicating it with additional colours.

Using the colour scheme in the real world

The colour scheme is an essential aspect of risk monitoring. It allows one to set Key Performance Indicators (KPIs) and track their progress. For example, a risk could be entered into a risk register [7] as shown in Figure 5:

Figure 5: a risk register entry[8]

The colour scheme immediately shows that the risk has been moved from orange to green, which is good risk management. If the risk moved from orange to red this would be bad risk management. We can also see that the particular risk management action proposed has a benefit:cost ratio of 16.667, which is very accurate, and can therefore be precisely compared against other risk management actions to optimise the efficiency of the overall risk management strategy.

Advanced heat map analytics

Risk management is a reporting exercise. A risk management system is therefore judged by the visual appeal of its reports. The heat map scoring system provides many opportunities for developing colourful dashboards and comprehensive performance measures for senior management, of which we can only scratch the surface in this article. However, you will be able to develop many more ideas of your own because risk heat map logic is fully customisable, unconstrained by any mathematical principles. The most common risk management dashboard components are:

  • A list of top risks
  • A heat map risk count
  • KPIs showing progress in risk management

These are explained below in more detail.

List of top risks

The top risks are those that have the highest risk score. Traditionally, one looks at the top 5, 10 or – for a really deep dive – the top 15. These are normally presented in a table copied from Excel to PowerPoint. For a fully-integrated system, a link can be made between the PowerPoint file and the Excel file.

Risks can be assigned extra attributes like entity, region, asset, project and hazard (which is the root cause e.g. fire, weather, fraud, etc). This allows one to filter risks to show only those of importance to the intended audience. This is called drilling down. Drilling down and deep diving together give an in-depth analysis. They can be done with pivot tables in Excel.

There is some disagreement about whether one should use the pre-management or post-management scores for ranking risks to find the top ones. Disagreement is a healthy sign of a profession that is willing to push the boundaries in the pursuit of progress. The most common opinion [9] is it is better to use the post-management scores as this assumes that all the risk management activities are correctly evaluated and working flawlessly, emphasising the value of the risk management. For example:

Figure 6: a top risks report

The report in Figure 6 shows that the business has reduced the score of its portfolio of risks from 103 to 42, or about 60%, which is easily verified in the last column (103 – 42 = 61). It also shows that only one risk is orange, which management can request a deep dive on to see what can be done to make it green.

The Top 10 Risks report will not change very much from one executive committee meeting to another, which provides confidence that the risk management strategy is stable, well-controlled and working. Showing that the top risks are not changing is called risk auditing.

Heat map risk count

A heat map risk count table counts [10] up all the risks that are in each heat map square. This gives an overview of the total risk exposure and is called risk aggregation. One can juxtapose pre- and post-management matrices to emphasise the achievements of the risk management efforts:

Figure 7: Pre- and post-management risk counts displayed in heat maps

Risk management KPIs

Key Performance Indicators are calculated, fully-quantitative metrics that objectively measure the risk management performance of an entity. They can be recorded each day and plotted over time to give executives an overview of the risk management performance of the business at a glance. This is very important, because executives are very busy and should not be wasting time on risk management when they are meant to be making big decisions about strategy, budgets, targets, etc.

The ideal presentation of a KPI is a sparkline. These can even be placed inside a spreadsheet cell, greatly enhancing the professional look of your Excel dashboard:

Figure 8: Creating a sparkline in your Excel dashboard

The real value of a sparkline is that it has no axes, labels or scales. This allows a busy executive to get an in-depth understanding of the evolution of several KPIs at a glance without wasting time trying to read any dates or numbers.

Typical KPI metrics are:

  • Number of risks that are red
  • Number of risks that would be red but aren’t because of risk management
  • Number of risks that are new and red
  • Number of risks that have expired and were red
  • Fraction of risks that have recently been moved from red to green, etc.
Risk analysis can be depressing. All doom and gloom. People who keep pointing out potential problems are unpopular. This is the key role of a risk manager. By allowing everyone else to stay positive and ignore risk, the risk manager sacrifices his/her popularity for the good of the enterprise and thereby improves the risk culture.

However, the social stigma can be too great for some risk managers. The burden of being the only one in charge of risk can really weigh heavily on the risk manager too. This is where opportunities come in. An opportunity is an event that may or may not happen, but if it does happen, it’s good. Like winning the lottery, or a change in the law that gives your company a tax break. The risk manager should give a lot of emphasis to the opportunities heat map whenever his/her social standing becomes unbearable. Spending more time on each opportunity than on risks will be necessary to achieve a balanced view as there are so few opportunities compared to risks.

Like risks, opportunities have chance and impact dimensions and can therefore be placed on their own heat map. The choice of colour is a bit difficult, since all traffic light colours have been used up. Different schemes have been proposed, including shades of blue, or using green for opportunities and red for risks. One expert has proposed purple but this has not been thoroughly tested yet. If an opportunity matrix is created, it should be placed next to the risk matrix with a reflected x-axis scale. This looks pretty.

Heat Map Critics and How to Counter Them

Who are these critics?

A number of people on the fringes of the risk management community are very critical of risk heat maps. These tend to be independent ‘thought leaders’ – authors, experts, anyone with a science or engineering degree, etc. They are very rarely people from the main pillars of the risk management community, namely:

  • Universities that sell masters courses on risk management. These universities have a responsibility to protect the investment of participants in their expensive courses by letting them all pass, and to make sure that anyone can attend such courses without any prerequisite knowledge. This is highly democratic, allowing almost anyone with some money to become a qualified risk manager.
  • Large consultancy firms that have added risk management to their services. These firms recognise the importance of standardisation by removing creative thinking and productising risk management. It is called best practice. The companies write what should be best practice after thoroughly researching what people already do, describing it vaguely and declaring it to be the best. This is excellent as nobody gets upset. The consultancy firms then compare the client’s risk management with everyone else they have told to follow best practice. This is called benchmarking. Excel template heat maps can be provided to consultants to ensure consistency.
  • Risk management software vendors who understand that well-designed modern risk management software is a quarterly reporting tool and should not distress senior management with decision-making questions. It must therefore be extremely simple to use, make nice charts, and should require no subject-matter knowledge. It should also run on a smartphone.

Who can I get help from when faced with criticism of heat maps?

Arguing with intellectuals can be challenging because they use big words and discuss ideas you haven’t heard of. This is unfair. Like most voters, you are also probably sick of experts telling you what to do all the time.

Luckily, there are many people who will come to your assistance. It is important that you don’t confront the thought leaders directly as they will use logic and ideas against you. This will get you annoyed, and you may end up saying something rude. Instead, state your case on LinkedIn and Twitter and encourage people to support you. You will find your greatest supporters among the following:

  • Qualified risk managers – ask them to help you by telling the world that they have been using heat maps and qualitative risk measurements for years and it works fine. Encourage them not to discuss how they know this. Get them to mention their university qualification
  • Risk management software salespeople – they will be able to objectively point any reader to the risk management guidelines that their product complies with
  • Subject matter experts – they will explain how fruitful the risk identification workshops are and how much insight they provide. Don’t ask them how the information was used in decision-making – this is not part of their role
  • Independent consultants who run risk workshops and make risk reports – these people can give countless examples of successfully writing reports quickly and at low cost

You can also send people links to YouTube videos. Search for “risk heat maps”. Avoid the highly irritating videos by Osama Salah, Alexei Sidorenko and Strategic Decision Group – they are thought leaders.

What are the criticisms anyway?

It is not important. They are all based on things like probability theory and decision theory.

Theory is just another word for a guess.

Rather than get into a fight about theories, it is better to stay dignified and simply point out to the critic that it’s all very easy to criticise other people’s work and make them feel bad, but do they have something better to offer?

Don’t let them show you Pelican.

[1] Speed is important. Risk management should only be done once a quarter. It should take no more than one day to update and the results should be presented within 15 minutes at the executive committee meeting. Taking any longer would only distract critical resources from running the business

[2] Consistency is a critical aspect of professional risk management

[3] For example, if you have a 10% chance of losing $1,000,000 then you are safe if you have 10% * $1,000,000 = $100,000 in reserve

[4] Insight is an important word used frequently in business schools. It should be used frequently when addressing management to gain their confidence, but not so frequently that managers will be suspicious that you are vying for their job

[5] The remaining 28% of surveyed managers refused to respond until they were provided with the correct answer. This is called compliance

[6] Risk management systems must be highly customisable

[7] This is an Excel document kept by the risk manager and reviewed quarterly. Entries into the risk register are usually recorded after a risk workshop

[8] Note – this is a simulated risk register for illustration purposes only. Professional risk registers show individual risks in rows, not in columns

[9] The most common opinion is always correct

[10] Counting is a prerequisite for risk management. If you do not like counting, risk management is probably (or possibly) not for you