Risk Assessment and Heat Maps


Following last week's blog about identifying risks, Tony and John now discuss risk assessment levels and how to manage them using operational risk software.

This excerpt is taken from their book Mastering Risk Management.

Once risks are identified, they are assessed for likelihood (sometimes called frequency) and impact (sometimes called severity). Likelihood is reviewed on the basis of how frequently a risk event will occur over a given period (e.g. monthly, three times a year, once in 5 years). Alternatively, many firms find it helpful to think of the percentage likelihood of a risk occurring in one year. 

Impact is generally assessed on the basis of the (possible) cost to the firm if the risk happens. However, some risk occurrences such as reputation damage are difficult to assess on a cost basis. This more subjective impact is generally assessed on a qualitative scale such as high, medium high, medium, medium low and low. While the term ‘severity’ is also used by some firms as being synonymous with impact, the word may also be used as a single value for a risk assessment, being a combination of likelihood and impact. This was more common before separate likelihood and impact assessments became widely used.

Three assessment levels

Risks can be assessed at three levels of mitigation.

Inherent Risk

Inherent (or gross) risk is assessed with no account taken of the controls which exist within a firm. The only controls which are assumed at the inherent level are inherent controls such as people’s honesty and society’s willingness to obey the law. The advantage of assessing risk at the inherent level is that there are no assumptions about the quality or existence (or otherwise) of controls. It also identifies the level of loss to which the firm is exposed if and when the existing controls fail.

Residual Risk

Residual (or net) risk is assessed after allowing for the existing controls within the firm. This means that there are assumptions about the adequacy and continuing effectiveness of the controls. These assumptions are rarely stated in residual risk assessments. If they are stated, they become close to control assessments. The object of this part of the exercise is to assess risks, not controls. The level of loss arising from a residual risk assessment is the day-to-day loss which the firm may suffer with the existing level of control.

Target Risk

Target risk is the name often given to the final level of expected risk appetite which exists within a firm after all mitigating effects are at the firm’s desired level. It is used to assess the impact (and sometimes the effectiveness) of control enhancement plans.

If risks are assessed at the inherent level, a control assessment can easily be linked to the inherent risk assessment. If risk is assessed at a residual level, the control assessment is already implicit in the residual risk assessment, and the result will require reconciling back to an explicit control assessment.

[Figure: Heat map with both inherent and residual assessments, showing control effects]

Using heat maps to assess risks

Heat maps are a very common way to assess risks. They generally use either four- or five-point scales, although five-point is becoming the standard as it gives more granularity than a four-point scale.

When setting the impact scale points, many firms prefer to use gross revenues. This is useful because the business (the first line of defence) can directly influence it and therefore the use of gross revenues encourages embedding of the process. If net profitability is used, it must be borne in mind that it is more difficult for business heads to influence the costs allocated to them, and they are therefore likely to be less willing to accept the scale.

The beginning point of the highest range is often set at three or four months of gross revenues or profitability, whichever is appropriate. 

The same approach is used for setting the scale for likelihood. The beginning point of the highest range for likelihood is often set at a level at which it would be very unusual for the assessed entity to experience a risk.
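The following is an added worked example, not code from the book or from RiskLogix. It scores one constructed risk at the inherent, residual and target levels on five-point likelihood and impact scales, places the three assessments on a text heat map, and reports how much the existing controls and the enhancement plan each move the score. The one scale point taken from the text is the top impact band starting at three months of gross revenue; the remaining band boundaries, the likelihood × impact combination, the monthly gross revenue figure and the sample risk are all assumptions for illustration.

```python
from dataclasses import dataclass

# Five-point scale labels. Impact wording follows the qualitative scale in the text.
LIKELIHOOD_LABELS = {1: "Rare", 2: "Unlikely", 3: "Possible", 4: "Likely", 5: "Almost certain"}
IMPACT_LABELS = {1: "Low", 2: "Medium low", 3: "Medium", 4: "Medium high", 5: "High"}


def likelihood_band(events_per_year: float) -> int:
    """Map an expected annual frequency onto the 5-point likelihood scale.
    Band boundaries are assumed for illustration; only the scale shape
    (rare top band, frequent bottom band) comes from the text."""
    if events_per_year >= 12:   # monthly or more often
        return 5
    if events_per_year >= 3:    # several times a year
        return 4
    if events_per_year >= 1:    # about once a year
        return 3
    if events_per_year >= 0.2:  # once in five years
        return 2
    return 1                    # rarer than once in five years


def impact_band(loss: float, monthly_gross_revenue: float) -> int:
    """Map an estimated loss onto the 5-point impact scale using gross revenue.
    The top band starting at three months of gross revenue follows the text;
    the lower boundaries are assumed for illustration."""
    months = loss / monthly_gross_revenue
    if months >= 3.0:
        return 5
    if months >= 1.0:
        return 4
    if months >= 0.25:
        return 3
    if months >= 0.05:
        return 2
    return 1


@dataclass
class Assessment:
    """One risk at one mitigation level: inherent, residual or target."""
    level: str
    events_per_year: float
    loss: float


@dataclass
class Risk:
    key: str            # one-letter marker used on the heat map
    name: str
    inherent: Assessment
    residual: Assessment
    target: Assessment


def rating(a: Assessment, monthly_gross_revenue: float) -> tuple:
    """Return (likelihood band, impact band, combined score).
    Combining as likelihood x impact is an assumed convention."""
    lik = likelihood_band(a.events_per_year)
    imp = impact_band(a.loss, monthly_gross_revenue)
    return lik, imp, lik * imp


def control_effect(risk: Risk, monthly_gross_revenue: float) -> dict:
    """Score a risk at all three levels and quantify the effect of existing
    controls (inherent -> residual) and of the enhancement plan (residual -> target)."""
    scores = {a.level: rating(a, monthly_gross_revenue)
              for a in (risk.inherent, risk.residual, risk.target)}
    return {
        "scores": scores,
        "existing_controls_reduce_by": scores["inherent"][2] - scores["residual"][2],
        "enhancement_plan_reduces_by": scores["residual"][2] - scores["target"][2],
    }


def heat_map(risks, monthly_gross_revenue: float) -> list:
    """Render a 5x5 text heat map: rows are likelihood (5 at the top), columns
    impact. Each cell lists <key><I|R|T> markers for inherent/residual/target."""
    cells = {(l, i): [] for l in range(1, 6) for i in range(1, 6)}
    for risk in risks:
        for a in (risk.inherent, risk.residual, risk.target):
            lik, imp, _ = rating(a, monthly_gross_revenue)
            cells[(lik, imp)].append(f"{risk.key}{a.level[0].upper()}")
    lines = []
    for lik in range(5, 0, -1):
        row = " | ".join(f"{','.join(cells[(lik, i)]):>6}" for i in range(1, 6))
        lines.append(f"L{lik} {LIKELIHOOD_LABELS[lik]:<15}| {row}")
    lines.append(" " * 18 + "| " + " | ".join(f"I{i}".rjust(6) for i in range(1, 6)))
    return lines


# Constructed sample data (assumptions, not figures from the text).
MONTHLY_GROSS_REVENUE = 10_000_000.0
SAMPLE_RISK = Risk(
    key="P", name="Payment system outage",
    inherent=Assessment("inherent", events_per_year=4, loss=40_000_000),   # no controls
    residual=Assessment("residual", events_per_year=0.5, loss=5_000_000),  # existing controls
    target=Assessment("target", events_per_year=0.1, loss=2_000_000),      # after enhancement plan
)

if __name__ == "__main__":
    print(control_effect(SAMPLE_RISK, MONTHLY_GROSS_REVENUE))
    print("\n".join(heat_map([SAMPLE_RISK], MONTHLY_GROSS_REVENUE)))
```

Because the residual and target assessments are recorded as separate frequency and loss estimates rather than as adjustments to the inherent figures, the assumptions about control effectiveness stay visible in the data, which is the reconciliation point the section above makes about residual versus explicit control assessments.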

Next time, Tony & John discuss more on mitigating risks and risk transfer.

Mastering Risk Management by Tony Blunden and John Thirlwell is published by FT International: https://www.pearson.com/en-gb/subject-catalog/p/mastering-risk-management/P200000003761/9781292331317
