10 reasons why assessing risk using heatmaps and matrices is a bad idea
Updated: May 10
Heatmaps and risk matrices are commonly used to score risks in many organisations. But there’s no evidence to suggest they contribute to better performance in any way, and they could actually be dangerous. Here are some of the reasons they should not be used.
A risk doesn’t just have one single outcome. Ranges can’t be expressed using a single figure or colour.
Qualitative descriptors are subjective and arbitrary. If the CEO says a risk is ‘medium’ who is going to say otherwise?
There’s no way to account for a risk event happening more than once.
Proper tools for assessing risk such as decision trees, bowtie analysis and Monte Carlo simulation are easily and cheaply available for use.
Heatmaps and matrices provide an illusion of rigour and analysis which leads to a false sense of security.
Organisations cannot make decisions on the basis of colour codings.
Even ISO31010 (the international standard describing risk assessment techniques) says they are “highly subjective”.
Heatmaps do nothing to help understand the effects of different options or courses of action.
Risk Managers who promote heatmaps for risk assessment are masking true information from the organisation.
Risks cannot be aggregated. Do two ‘ambers’ equal one ‘red’? It‘s meaningless.
This is a very simple list, there’s a lot more information available at the following links:
Get in touch if you’re still using heatmaps and would rather be getting timely, actionable information from your risk management function.