On the face of it, a colorful heat map looks like a great way of visualizing the risks that could affect an enterprise. They’re easy to produce from spreadsheet data, and they give a simple view of the potential impact and likelihood of a range of risks that can be used to raise awareness of risk generally and to communicate the risk assessment to senior management.
So what’s wrong with heat maps? Why are security professionals cooling in their attitude towards them?
Because, as I’ve said before, a two-dimensional view of risks based on severity and likelihood is no longer enough.
Enterprises need to go far beyond the focus on inherent and residual risks that’s typical of a heat map and incorporate more dimensions, including assets, threats, vulnerabilities and controls. They want to look at risk relationships and mitigation tracking, with an approach to risk analysis that enables a quantitative assessment of all risks to all parts of the enterprise.
Although risk management information systems (RMIS), enterprise risk management (ERM), business continuity planning and crisis response are all specialized areas in their own right, the lines between them are starting to blur as the realization dawns that these management areas are all fundamental to an enterprise’s ability to survive and thrive.
A spreadsheet-driven approach is simply no longer up to the increasingly complex risk analysis job—and can even become a risk in itself. As Chris Duncan puts it, it’s like being armed with only a rock in the middle of a gunfight: you soon realize you need a lot more firepower.
So what’s the answer?
Heat maps can’t give you a rounded view of risks. Good risk management involves taking external and internal perspectives and modeling risk in relational diagrams, decision trees, heat maps, or even quantitative models involving at-risk simulations. So heat maps are one view but they’re not THE view.
Think about the difference between the Google Maps ‘Map View’, ‘Satellite View’ and ‘Street View’. It’s Street View that will give you the most comprehensive view of the location you’re searching for, letting you pan around to see not only the building you’re looking for but also the environment you’ll be entering.
In much the same way, when it comes to risk management, you need to use multi-dimensional models that let you view risk data from different perspectives and enable the creation of risk intelligence, so that you can make informed decisions enhanced by risk simulations from quantitative models.
Doing this right also involves combining high-performance analytics (HPA) so that, instead of collating the different views on a monthly basis, you can collect, analyze and predict risk outcomes in near-real time. Combining all perspectives in this way means you get a much richer, multidimensional view of risk—which is exactly why using just a heat map is an archaic idea. A possible multidimensional view is represented in the above graph.
In the end it becomes possible to see the effect of each risk on different areas of the enterprise. Each enterprise domain—such as IT, legal, finance, operations—can view each risk and determine, for example, how the domains intersect; whether it’s a geopolitical risk; whether it’s an external or an internal risk; who is responsible; and what the impact on the enterprise will be in financial, reputational or other terms.
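To make this concrete, here is an added example in Python (not code from the original post, and not any vendor's product): a small risk register that carries the dimensions the post says a heat map leaves out (asset, threat, vulnerability, controls, owner, domain, origin), scored both as a classic 5x5 heat-map cell and with a Monte Carlo annual-loss simulation. Every figure, band boundary, risk name and control effectiveness below is constructed for the example. The two IT risks land in the same heat-map cell yet differ several-fold in expected loss and in 99th-percentile loss, and the per-domain roll-up shows the kind of aggregation a cell score cannot support.

```python
"""Multi-dimensional risk register with a Monte Carlo annual-loss model.
Added illustration, not from the original post; all figures are constructed."""
import math
import random
from dataclasses import dataclass, field

Z90 = 1.2816  # standard-normal 90th percentile, used to fit the per-event loss distribution


@dataclass
class Risk:
    name: str
    domain: str                 # enterprise domain that owns the risk (IT, legal, ...)
    asset: str
    threat: str
    vulnerability: str
    origin: str                 # "external" or "internal"
    owner: str
    freq_per_year: float        # inherent threat-event frequency, before controls
    loss_low: float             # 10th percentile of loss per event (currency units)
    loss_high: float            # 90th percentile of loss per event
    controls: list = field(default_factory=list)  # (control name, share of events it stops)


def residual_frequency(risk):
    """Residual event frequency: each control independently stops a share of events."""
    f = risk.freq_per_year
    for _, effectiveness in risk.controls:
        f *= 1.0 - effectiveness
    return f


def heat_map_cell(risk):
    """Classic 5x5 heat-map scoring: (likelihood band, impact band), each 1..5.
    Band boundaries are constructed for the example."""
    f = residual_frequency(risk)
    likelihood = 1 if f < 0.05 else 2 if f < 0.2 else 3 if f < 1 else 4 if f < 5 else 5
    typical = (risk.loss_low + risk.loss_high) / 2
    impact = (1 if typical < 1e4 else 2 if typical < 1e5 else
              3 if typical < 1e6 else 4 if typical < 1e7 else 5)
    return likelihood, impact


def simulate_annual_loss(risk, trials=50_000, seed=1):
    """Monte Carlo annual loss: Poisson event count, lognormal loss per event.
    The lognormal is fitted so its 10th/90th percentiles match loss_low/loss_high."""
    rng = random.Random(seed)
    f = residual_frequency(risk)
    mu = (math.log(risk.loss_low) + math.log(risk.loss_high)) / 2
    sigma = (math.log(risk.loss_high) - math.log(risk.loss_low)) / (2 * Z90)
    annual = []
    for _ in range(trials):
        # Poisson(f) by inverse transform; adequate for the small frequencies used here
        n, p, cumulative, u = 0, math.exp(-f), math.exp(-f), rng.random()
        while u > cumulative:
            n += 1
            p *= f / n
            cumulative += p
        annual.append(sum(rng.lognormvariate(mu, sigma) for _ in range(n)))
    return annual


def percentile(values, q):
    """q-th percentile (0..100) of a sample, nearest-rank method."""
    ordered = sorted(values)
    index = max(0, math.ceil(q / 100 * len(ordered)) - 1)
    return ordered[min(len(ordered) - 1, index)]


def summarize(risk, seed=1):
    """Heat-map cell next to the quantitative view of the same risk."""
    losses = simulate_annual_loss(risk, seed=seed)
    return {"cell": heat_map_cell(risk), "expected": sum(losses) / len(losses),
            "p95": percentile(losses, 95), "p99": percentile(losses, 99)}


def domain_view(risks):
    """Roll quantitative results up by enterprise domain; cell scores cannot be summed."""
    view = {}
    for i, r in enumerate(risks):
        s = summarize(r, seed=i + 1)
        d = view.setdefault(r.domain, {"expected": 0.0, "risks": []})
        d["expected"] += s["expected"]
        d["risks"].append((r.name, r.origin, r.owner, s["cell"], round(s["p99"])))
    return view


# Constructed register: A and B share a heat-map cell but differ sharply in the tail.
RISK_A = Risk("Account takeover via phishing", "IT", "SaaS mail tenant", "credential phishing",
              "password-only login on legacy accounts", "external", "CISO", 1.5, 2e5, 3e5,
              [("MFA on all accounts", 0.9)])
RISK_B = Risk("Ransomware on ERP cluster", "IT", "ERP cluster", "ransomware affiliate",
              "flat network, slow patching", "external", "Head of infrastructure", 0.3, 1e4, 1.5e6,
              [("EDR with host isolation", 0.5)])
RISK_C = Risk("Regulatory fine for retention breach", "legal", "customer records",
              "regulator audit", "no retention schedule enforced", "internal", "General counsel",
              0.2, 5e4, 4e5, [])

if __name__ == "__main__":
    for r in (RISK_A, RISK_B, RISK_C):
        print(r.name, summarize(r))
    for domain, d in domain_view([RISK_A, RISK_B, RISK_C]).items():
        print(domain, round(d["expected"]), d["risks"])
```

Running it shows RISK_A and RISK_B both scored in cell (2, 3), while the simulation puts RISK_B's expected annual loss and 99th-percentile loss several times above RISK_A's, because its per-event loss spread is far wider; the domain roll-up then lets the IT and legal owners compare their exposure in the same currency units.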