Questions you should ask the next time you see a risk heatmap
Risks are often assessed using matrices, typically with 1-5 scores for likelihood and impact, multiplied together, and assigned a colour. While this makes risk assessment quick, it is an extremely weak practice which adds no value and can even be dangerous. It needs to be replaced with other readily available techniques as a matter of urgency. This post is one of a series relating to the use of effective risk management techniques.
The next time you see a heatmap like the one below you should ask yourself:
What information is this picture trying to tell me?
Can I make decisions and assign resources appropriately based on the information?
What do the colours mean?
What do the numbers mean? Is a '12' twice as bad as a '6'?
How have complex risks been reduced to two single-digits?
What other ways to assess risk could have been used?
Why has this approach been chosen rather than any others?
How do I know that what's presented is complete and accurate?
How do I know risks haven't been missed out or covered up?
How does this approach take into account individual and collective bias?
Why aren't we using Monte Carlo simulation?
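The questions "Is a '12' twice as bad as a '6'?" and "Why aren't we using Monte Carlo simulation?" can be put to the test together. The Python below is an added example, not part of the original post: it scores four risks the heatmap way and then simulates their annual losses. The probability and loss bands behind the 1-5 scales, the log-uniform loss distribution and the four-entry risk register are all assumptions constructed for illustration.

```python
import random

# Assumed meaning of the 1-5 scales (constructed for illustration; the post
# defines none): annual probability per likelihood score, loss band per impact score.
LIKELIHOOD = {1: 0.01, 2: 0.05, 3: 0.20, 4: 0.50, 5: 0.90}
IMPACT = {1: (1e3, 1e4), 2: (1e4, 1e5), 3: (1e5, 1e6), 4: (1e6, 1e7), 5: (1e7, 1e8)}

# Constructed risk register: name -> (likelihood score, impact score).
RISKS = {"A": (4, 3), "B": (2, 3), "C": (3, 4), "D": (2, 5)}

def heatmap_score(likelihood, impact):
    """The matrix score: two ordinal labels multiplied together."""
    return likelihood * impact

def simulate(likelihood, impact, trials=100_000, seed=1):
    """Simulate `trials` years. Each year the event occurs with the band's
    probability; if it does, the loss is drawn log-uniformly from the impact band."""
    rng = random.Random(seed)  # fixed seed so the run is repeatable
    p = LIKELIHOOD[likelihood]
    lo, hi = IMPACT[impact]
    losses = sorted(
        lo * (hi / lo) ** rng.random() if rng.random() < p else 0.0
        for _ in range(trials)
    )
    return {"mean": sum(losses) / trials, "p95": losses[int(0.95 * trials)]}

def compare(risks=RISKS):
    """Return {name: (heatmap score, simulated loss statistics)}."""
    return {name: (heatmap_score(l, i), simulate(l, i))
            for name, (l, i) in risks.items()}

if __name__ == "__main__":
    for name, (score, stats) in compare().items():
        print(f"{name}: score={score:2d}  "
              f"mean annual loss={stats['mean']:>12,.0f}  "
              f"95th percentile={stats['p95']:>12,.0f}")
```

Under these assumed bands the score-12 risk A carries roughly ten times the mean annual loss of the score-6 risk B, the two 12s (A and C) differ by about a factor of four, and the score-10 risk D outweighs both 12s.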
If your risk managers and teams are still producing pictures like the one below then ask them these questions. Don't be surprised if they get defensive and try to hide behind 'best practice', 'how it's always done', 'not mature enough', 'not enough data', or 'not in our sector'. They're covering up their own lack of knowledge, experience, or competence, and that means the organisation is taking a poor approach to risk management. There are better ways to deal with risk - get in touch and we'd be delighted to tell you more.