It has long been understood in some sectors and scenarios that the 'heat map' (probability-impact grid, risk assessment matrix, risk map, or whatever term you use for the 3 x 3 or 5 x 5 grid on which you prioritise risks) is not that useful.
It is only a prioritisation tool: it ranks risks against each other and nothing more.
It does not help much in assessing the overall riskiness of the situation you are in, because the ordinal band scores it produces cannot meaningfully be added up to say how much loss the company could face in a year, and
it is such a subjective and biased process to put one together that you shouldn't really bet your company on one!
Douglas Hubbard's book, "The Failure of Risk Management: Why It's Broken and How to Fix It", covers this in many more words than I have here.
Unfortunately it seems that either this isn't understood, or people don't know what to do differently.
Techniques for doing it differently exist, both quantitative, statistics-based models (calibrated range estimates and simulation of the kind Hubbard describes) and qualitative approaches built on words and relationships, and this blog is just a plea to open eyes and use them more.
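To make the contrast concrete, here is an added example (not code from the post or from Hubbard's book) of the quantitative alternative. It assumes the inputs Hubbard's approach asks for, an annual probability of occurrence and a calibrated 90% confidence interval for the loss if the event occurs, and assumes losses are lognormally distributed. The three risks, their figures, the heat-map banding rules and the loss tolerance are all constructed for illustration. It scores each risk the heat-map way, computes its expected annual loss, and then runs a Monte Carlo simulation of the whole register to estimate the probability that total annual loss exceeds a tolerance, which is the "overall riskiness" figure a heat map cannot produce.

```python
import math
import random

# Constructed register of three risks (illustrative numbers, not from the post).
# Each has an annual probability of occurring and a calibrated 90% confidence
# interval for the loss if it does occur.
RISKS = [
    {"name": "ransomware outage", "p": 0.10, "lo": 200_000, "hi": 3_000_000},
    {"name": "key supplier fails", "p": 0.25, "lo": 50_000, "hi": 600_000},
    {"name": "regulatory fine", "p": 0.05, "lo": 500_000, "hi": 10_000_000},
]

Z90 = 1.6449  # standard-normal z-score at the 95th percentile


def lognormal_params(lo, hi):
    """Turn a 90% CI (lo, hi) on loss into (mu, sigma) of ln(loss), assuming a
    lognormal loss: the CI bounds become the 5th and 95th percentiles."""
    mu = (math.log(lo) + math.log(hi)) / 2
    sigma = (math.log(hi) - math.log(lo)) / (2 * Z90)
    return mu, sigma


def heat_map_score(risk, bands=5):
    """Ordinal 5x5 scoring of the kind the post criticises: likelihood band times
    impact band. The banding rules are assumptions; real templates vary."""
    likelihood = min(bands, max(1, math.ceil(risk["p"] * bands)))  # 20% per band
    typical_loss = math.sqrt(risk["lo"] * risk["hi"])  # geometric mid-point of the CI
    impact = 1 + sum(typical_loss >= t for t in (1e5, 1e6, 1e7, 1e8))  # log-scale bands
    return likelihood * impact


def expected_annual_loss(risk):
    """Analytic expected loss per year: P(event) * mean of the lognormal loss."""
    mu, sigma = lognormal_params(risk["lo"], risk["hi"])
    return risk["p"] * math.exp(mu + sigma ** 2 / 2)


def simulate_annual_loss(risks, trials=20_000, seed=1):
    """Monte Carlo: for each simulated year, decide which risks occur and draw a
    loss for each one that does; return the list of total annual losses."""
    rng = random.Random(seed)
    params = [(r["p"], *lognormal_params(r["lo"], r["hi"])) for r in risks]
    totals = []
    for _ in range(trials):
        total = 0.0
        for p, mu, sigma in params:
            if rng.random() < p:
                total += math.exp(rng.gauss(mu, sigma))
        totals.append(total)
    return totals


def exceedance_probability(totals, threshold):
    """Share of simulated years whose total loss exceeds the threshold: one point
    on a loss exceedance curve, the aggregate view a heat map cannot give."""
    return sum(t > threshold for t in totals) / len(totals)


if __name__ == "__main__":
    for r in RISKS:
        print(f"{r['name']:<20} heat-map score {heat_map_score(r):>2}  "
              f"expected annual loss {expected_annual_loss(r):>12,.0f}")
    totals = simulate_annual_loss(RISKS)
    tolerance = 1_000_000  # assumed board-level appetite for total annual loss
    print(f"P(total annual loss > {tolerance:,}) = "
          f"{exceedance_probability(totals, tolerance):.1%}")
```

With these constructed figures the heat map ranks the supplier failure highest (score 4) and the regulatory fine below it (score 3), while expected annual loss ranks the fine first and the supplier last, because the banding throws away the width of the loss range. The simulation then answers the question the heat map cannot: roughly an 8% chance of losing more than the assumed 1,000,000 tolerance in a year. The 90% interval to lognormal conversion is the simplest common choice; the caveat is that it inherits every bias in the estimates, which is why Hubbard pairs it with calibration training for the people giving them.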
In my last blog posting (ages ago - must do more!) I talked about the new requirements of the FRC corporate governance code for companies listed in London. Directors must embrace risk-thinking to manage the company and provide reasonable information for investors.
If we look 'beyond the heat map', that becomes much easier to do.