Beyond the heat map - much change is needed

It's long been understood in some sectors and scenarios that the 'heat map' (probability impact grid, risk assessment matrix, risk map or whatever term you may use for the 3 x 3 or 5 x 5 grid you use to prioritise risks) is not that useful.

It's only a prioritisation tool.

It doesn't help much in assessing the overall riskiness of the situation you are in, and 

It's such a subjective and biased process to put one together that you shouldn't really bet your company on one!

Douglas Hubbard's book - "The Failure of Risk Management - why it's broken and how to fix it" covers this in many more words than I have here.

Unfortunately it seems that either this isn't understood, or people don't know what to do differently.

Techniques for doing it differently exist - both numbers and stats based models - and words and relationships based approaches - and this blog is just a plea to open eyes and use them more.

In my last blog posting (ages ago - must do more!) I talked about the new requirements of the FRC corporate governance code for companies listed in London.  Directors must embrace risk-thinking to manage the company and provide reasonable information for investors.

If we look 'beyond the heat map' then it becomes much easier to do.