Many of the companies we work with, and a few that I’ve worked for, use the dreaded heat map as their primary source of “risk analysis”. Putting up on that multi color spectrum all the things that worry them the most, regardless of whether they are truly a risk, or have been vetted beyond a conversation between “risk analysts” like such:
Bob: “I’m feeling like this next “risk” is a “red.”
Dave: “I don’t know about that; I’m thinking it’s more of a “yellow.”
Bob: “Whatever. Let’s call it a day and place it as a “burnt orange.”
Don’t get me wrong, heat maps have their place: mostly as a communication tool for executives that are pressed for time. Executives have to make a series of high level decisions throughout the course of the day and can’t afford to get caught up in the weeds of an analysis. That being said, you are doing them and your company a tremendous disservice if your heat map is based on little more than shooting from the hip and gut feelings.
Absent a quantitative range tied to those colors or tiers (low, medium or high), or better yet, the rigor of a vetted risk model like FAIR, you end up with a series of problems.
Decreased consistency with increased subjectivity: How do you know that your yellow equals another person’s yellow? Or that my medium-low equals your medium-low? By using qualitative terms to express the level of risk, you inherently make the assessment more subjective and decrease consistency between analysts. How can a team of analysts breakdown, understand and come to a consensus around a risk if they’re not all working off of the same definitions and mental model? The short answer is, they can’t. At least not reliably or consistently.
Can’t prioritize risks: During the analysis process, you’re inevitably bound to end up with a series of findings in the same quadrant or color spectrum of the heat map. With these overlapping findings, how do you prioritize which risk to tackle first? How do you know which red is more red than the other reds? Absent a means of quantifying the risks, the short answer again is, you can’t.
Defending your findings or conclusions: When operating on little more than gut feeling and shooting from the hip, it is exceptionally difficult to stand behind your findings or conclusions in any meaningful manner. This means that you are just one question away from an executive asking, “how did you come up with that risk rating”, to lose all credibility in your company.
It’s our assertion at RiskLens that you, your company and executives deserve a better understanding of risk. This is where FAIR can help. The FAIR model provides a logical and rational framework for assessing risk. As part of the framework, concepts like threats, vulnerabilities, and shockingly, even risk are clearly defined and consistently used throughout the model, meaning all parties involved are operating from the same understanding of risk. This improves consistency from analyst to analyst, and also provides a rigorous methodology to explain and defend conclusions and recommendations.
Lastly, as part of the quantification component of the RiskLens platform, companies receive an understanding of their risk in dollars and cents, which allows them to prioritize their exposures along the same continuum as other concerns, projects or investments the company is facing at the time.