Management And Accounting Web

McKay, S. 2016. CGMA tools: How to communicate risks using a heat map. Journal of Accountancy (June): 35-40.

Summary by James R. Martin, Ph.D., CMA
Professor Emeritus, University of South Florida


The purpose of this paper is to show how ERM (enterprise risk management) risk assessment grids can be presented as heat maps to convey the likelihood and impact of an organization's risks. The COSO (Committee of Sponsoring Organizations of the Treadway Commission) ERM framework is presented in a graphic illustration, and then a variety of risk assessment grids or heat maps are illustrated and discussed.

The COSO Enterprise Risk Management Framework

A somewhat condensed version of the COSO ERM framework involves identifying the organization's risks, assessing those risks for potential impact and likelihood, planning a response strategy, implementing a mitigation strategy, and monitoring performance.

COSO ERM Process

For more on the COSO ERM framework, see the Shenkir and Walker 2006 summary listed below.

ERM Risk Assessment Grids or Heat Maps

ERM risk assessment grids or heat maps can be designed with any number of cells to represent an organization's potential risks. McKay provides illustrations for a 3x3 and a 5x5 heat map. In the ERM 3x3 risk assessment heat map below, each cell is labeled as impact x likelihood. The most serious risks appear in red: the high impact risks that are possible (3x2) or probable (3x3), and the medium impact, probable (2x3) risks. Less serious risks appear in yellow (3x1 or 1x3), orange (2x2), or green (2x1, 1x1, or 1x2).

ERM 3x3 Risk Heat Map

Another illustration using the same 3x3 heat map illustrated above adds definitions for the potential impacts on achieving objectives, and probabilities for the three measures of likelihood. High impact is defined as a material risk, meaning it will be difficult to achieve multiple objectives. Medium impact is defined as a significant risk where it is more challenging to achieve some objectives. Low impact, on the other hand, is defined as an inconsequential risk or one that may have some undesirable outcomes. The probabilities given are remote (0-20%), possible (>20-60%), and probable (>60-100%). These are just examples, but the point is that everyone in the organization needs to understand the metrics and terminology chosen.

Two additional illustrations show 5x5 heat maps and include estimated dollar amounts and probabilities to reflect the potential impact on financial results such as earnings per share or some other financial measurement. Various risks are plotted on the second version of the 5x5 map including obsolescence risk (10), distribution risk (11), manufacturing risks (12), new product introduction or NPI risks (13), supply chain risks (14), environmental health and safety or EH&S risks (15), and physical asset risk (16). An adaptation of the second 5x5 illustration appears below.

ERM 5x5 Risk Heat Map

Some additional comments are made below the 5x5 heat map related to potential risk management gaps and follow-up considerations. For example, sales forecasting was mentioned as a key factor associated with several risks. New product introduction (13) involves a significant risk and indicates opportunities for improvement in how this function is structured and managed.


Related summaries:

Axson, D. A. J. 2011. Scenario planning: Navigating through today's uncertain world. Journal of Accountancy (March): 22-27. (Summary).

COSO. 2016. Enterprise Risk Management: Aligning Risk with Strategy and Performance. Public Exposure Draft. (June). (Summary).

Kaplan, R. S. and A. Mikes. 2012. Managing risks: A new framework. Smart companies match their approach to the nature of the threats they face. Harvard Business Review (June): 48-60. (Discussion of three categories of risks: Preventable risks, strategy risks, and external risks that are beyond the organization's influence and control. Each type of risk requires a different risk-management approach). (Summary).

Merchant, K. A. 2012. ERM: Where to go from here. Journal of Accountancy (September): 32-34, 36. (Summary).

Shenkir, W. G. and P. L. Walker. 2006. Enterprise risk management and the strategy-risk-focused organization. Cost Management (May/June): 32-38. (Summary).