The risk heat map. An industry staple for many years. The standard 3x3, or 5x5 chart that has frequency on one axis, severity on the other, with colors ranging from green to red.
I imagine that many would assume I’d use this post to rant and rave about the problems typically associated with the heat chart, many of which I’ve pointed out myself: it is inherently subjective (“how do you know that my orange risk is the same as your orange risk?”), and it does not foster sound prioritization (“which red risk is more red than the other reds?”).
This may come as a shock to some, but as a means of communication, which I dare say is its primary use, the heat chart actually does a pretty effective job of relaying which risks are of most concern to your audience. In a very simplistic fashion, using colors that we all learned back in pre-school (green, yellow, red), a risk analyst can quickly and rather effectively communicate which risks are of most and least concern.
So why does the heat map get such a bad rap, and more so, is it really deserved? From my perspective, the heat map has received a bad rap due to its association with poor risk assessment processes: those that rely on subjectivity and feeling rather than critical thinking. As a result, the heat map is often a leading indicator of a more systemic concern about an organization’s risk management program.
But you can build a heat map on a solid foundation of objective, quantitative analysis. Here's how:
Step 1: Model
The first step is to get the organization to understand that the way they’ve been conducting risk assessments is at the root of the problem. The lack of a well thought-out, structured and consistent approach leads them to a set of results that are more often than not inaccurate and indefensible.
To turn this around, we need to put in place its complete opposite: An industry vetted model that breaks down risk into its core components, increases consistency among analyses, fosters critical thinking and communication, as well as defensibility of results (i.e. the FAIR model).
Step 2: Translation
The next step in the process would be to translate those “risks” identified in the heat map into risks--or loss events--in a FAIR sense. This is a common approach that we take with many customers, as the items that typically show up in a heat map or a risk register are often not loss events, but other components of the risk landscape (e.g. "Insider Threat" is better understood as a "Threat Community"; "Cloud" as an "Asset"; "Application Vulnerabilities" as a "Control Deficiency").
The approach here is to tease out and translate the organization’s concern, "Cloud", into a loss event: a breach of sensitive customer information stored in the cloud. The translated statement is something we can actually tie a frequency and a magnitude to, and thus perform a quantitative analysis.
Step 3: Risk analysis process
Following translation, we would then move into the phases of the risk analysis process. In a previous post on the risk analysis process I go into detail, but at a high level we’d look to:
- Scoping: Take the translated statement and make sure we have a good understanding of the scenarios, asset(s), threat(s), effect(s), and, most importantly, loss event.
- Data Gathering: Aggregate the data, whether that be from in-person or remote sessions, putting together “data gathering helpers”, or leveraging sound industry data.
- Run/Refine: Hit the run button on your spreadsheet or RiskLens application, but more importantly, review the results with a critical eye, ensuring they accurately reflect the problem being analyzed, along with all of the information received along the way.
Step 4: Reporting
Although reporting is a key phase of the risk analysis process, I break it out here to highlight the extra step we’d take, which is to map quantitative ranges to the colors that make up the heat map in order to infuse the communication tool with more objectivity. Where previously we were not sure whether one person’s red is the same as another’s, by mapping the colors to quantitative ranges we increase the chances that all parties involved are on the same page when discussing the risk. Additionally, you provide your audience with a set of results that they’re familiar with, but this time around they are backed by a sound, repeatable process.
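To make Steps 3 and 4 concrete, here is an added example (not code from the original post, and not the RiskLens application) that simulates annualized loss exposure from frequency and magnitude ranges and then maps the median to a heat map color. The frequency/magnitude triples, the color thresholds, and the triangular-distribution simplification are all constructed assumptions for illustration.

```python
import random
from statistics import mean

# Constructed thresholds for illustration: annualized loss exposure (ALE) in
# dollars mapped to the familiar traffic-light colors. Upper bounds inclusive;
# a real program would set these from its own risk appetite.
COLOR_BANDS = [("green", 100_000), ("yellow", 1_000_000), ("red", float("inf"))]

def color_for_ale(ale):
    """Map a quantitative ALE figure to a heat map color (the Step 4 mapping)."""
    for color, upper in COLOR_BANDS:
        if ale <= upper:
            return color

def simulate_ale(freq, magnitude, iterations=10_000, seed=1):
    """Monte Carlo over the two FAIR top-level factors.

    freq and magnitude are (low, most_likely, high) triples: loss event
    frequency in events/year and loss magnitude in dollars/event. Each
    iteration samples both from a triangular distribution and multiplies,
    the same simplification a basic FAIR spreadsheet makes.
    """
    rng = random.Random(seed)  # fixed seed keeps the analysis repeatable
    f_low, f_mode, f_high = freq
    m_low, m_mode, m_high = magnitude
    return [
        rng.triangular(f_low, f_high, f_mode) * rng.triangular(m_low, m_high, m_mode)
        for _ in range(iterations)
    ]

def percentile(values, p):
    """Nearest-rank percentile of a list of samples."""
    ordered = sorted(values)
    return ordered[round(p / 100 * (len(ordered) - 1))]

def analyze(freq, magnitude, iterations=10_000, seed=1):
    """Return the ALE range (p10/p50/p90, mean) and the color for its median."""
    samples = simulate_ale(freq, magnitude, iterations, seed)
    summary = {
        "p10": percentile(samples, 10),
        "p50": percentile(samples, 50),
        "p90": percentile(samples, 90),
        "mean": mean(samples),
    }
    summary["color"] = color_for_ale(summary["p50"])
    return summary

if __name__ == "__main__":
    # Constructed scenario: the translated loss event from Step 2, a breach of
    # sensitive customer data stored in the cloud. Ranges are hypothetical.
    result = analyze(freq=(0.05, 0.2, 0.5), magnitude=(200_000, 1_500_000, 10_000_000))
    print(f"ALE p10/p50/p90: {result['p10']:,.0f} / {result['p50']:,.0f} / {result['p90']:,.0f}")
    print(f"Heat map color for the median: {result['color']}")
```

Reporting the p10/p90 range alongside the color keeps the audience's familiar view while exposing the quantitative basis behind it.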
This post originally published July 24, 2017