  • Duncan

10 reasons why assessing risk using heatmaps and matrices is a bad idea

Updated: May 10

Heatmaps and risk matrices are commonly used to score risks in many organisations. But there’s no evidence to suggest they contribute to better performance in any way, and they could actually be dangerous. Here are some of the reasons they should not be used.


  1. A risk doesn’t just have one single outcome. Ranges can’t be expressed using a single figure or colour.

  2. Qualitative descriptors are subjective and arbitrary. If the CEO says a risk is ‘medium’ who is going to say otherwise?

  3. There’s no way to account for a risk event happening more than once.

  4. Proper tools for assessing risk such as decision trees, bowtie analysis and Monte Carlo simulation are easily and cheaply available for use.

  5. Heatmaps and matrices provide an illusion of rigour and analysis which leads to a false sense of security.

  6. Organisations cannot make decisions on the basis of colour codings.

  7. Even ISO31010 (the international standard describing risk assessment techniques) says they are “highly subjective”.

  8. Heatmaps do nothing to help understand the effects of different options or courses of action.

  9. Risk Managers who promote heatmaps for risk assessment are masking true information from the organisation.

  10. Risks cannot be aggregated. Do two ‘ambers’ equal one ‘red’? It’s meaningless.
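
Points 1, 3, 4 and 10 can be shown with a small Monte Carlo simulation that gives each risk a loss range, lets it occur more than once a year, and adds the simulated losses together. This is an added example, not code from the original post; the two risks, their frequencies and loss intervals are constructed, and the Poisson frequency and lognormal severity models are assumptions chosen for illustration.

```python
import math
import random
from statistics import quantiles

# Constructed sample register: (name, expected events per year, 90% interval of loss per event)
RISKS = [
    ("Supplier outage", 2.0, (10_000, 80_000)),
    ("Data breach", 0.2, (50_000, 2_000_000)),
]

def poisson(rng, lam):
    """Draw an event count for one year (Knuth's method, fine for small lam)."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1

def lognormal_params(low, high):
    """Lognormal mu and sigma whose 5th/95th percentiles are low/high."""
    mu = (math.log(low) + math.log(high)) / 2
    sigma = (math.log(high) - math.log(low)) / (2 * 1.645)
    return mu, sigma

def simulate_annual_loss(risks, trials=20_000, seed=1):
    """Return one total loss per simulated year, summed across all risks."""
    rng = random.Random(seed)
    params = [(lam, *lognormal_params(*interval)) for _, lam, interval in risks]
    totals = []
    for _trial in range(trials):
        year = 0.0
        for lam, mu, sigma in params:
            for _event in range(poisson(rng, lam)):  # 0, 1, 2... events per year
                year += rng.lognormvariate(mu, sigma)
        totals.append(year)
    return totals

def summarise(totals, threshold):
    """Percentiles of annual loss and the chance of exceeding a threshold."""
    cuts = quantiles(totals, n=20)  # 5% steps: cuts[1]=P10, cuts[9]=P50, cuts[17]=P90
    exceed = sum(t > threshold for t in totals) / len(totals)
    return {"p10": cuts[1], "p50": cuts[9], "p90": cuts[17], "p_exceed": exceed}

if __name__ == "__main__":
    print(summarise(simulate_annual_loss(RISKS), threshold=500_000))
```

The result is a distribution of total annual loss and a probability of exceeding a chosen threshold, which is something a pair of coloured cells cannot express.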

This is a very simple list; there’s a lot more information available at the following links:

https://www.fairinstitute.org/blog/13-reasons-why-heat-maps-must-die


https://www.researchgate.net/publication/266666768_The_Risk_of_Using_Risk_Matrices

https://hubbardresearch.com/publications/the-failure-of-risk-management-book/



Get in touch if you’re still using heatmaps and would rather be getting timely, actionable information from your risk management function.


© 2020 Risk Management Ltd 

Registered in Scotland SC618911

Registered office 43 Millside Road, Peterculter, AB14 0WG