Hans Læssøe, founder of AKTUS, explains when heatmaps and risk matrices can be useful, and how to use them appropriately

Hans Laessoe

Risk matrices, also known as heatmaps, are commonly used as a, or even the, risk management tool in companies and organisations all over the world.

I, and others, have often and vigorously written and talked about the shortcomings of these.

However, I am not one to discard new inspiration – or at least, I do not wish to do so – so below I describe how I DO think risk matrices CAN be leveraged as a useful tool in risk management.

When to use risk matrices

In a volatile world, everything changes. This means new risks emerge whereas others become less relevant or even obsolete.

In between, existing risks become more or less important, depending on the organisation and the targets being considered.

New or emerging risks, in my view, are risks which we have noted/discovered/thought about, but as yet have not analysed or quantified to any extent. We have no data.


Having noted a risk does not, however, give us a free pass to implement controls and mitigations to minimise it. No organisation has infinite resources to lift that task. Hence, we must prioritise, and here the risk matrix can be used as a first step.

The purpose of this exercise is NOT to decide on the implementation of controls and/or mitigating actions – but merely to decide the next step of the risk assessment.

We have no data

We have no data … well, to be honest, we will never have data for risks!

This goes back to the fact that all data we will ever have will be based on the past, whereas all the risks we are taking or facing are related to the future. This may sound like a major problem, but really it is nowhere near that bad.

As Douglas Hubbard has described in his highly recommended book “How to Measure Anything”, the purpose of measuring/quantifying is not to eliminate uncertainty and come up with a perfectly correct measurement. The purpose is merely to reduce uncertainty about the outcome.


Assume you lead a company with $1 billion in revenue last year. Now you look at your expected revenue for 2025, and without any analysis all you can say is that it may be anywhere between zero (you go bankrupt in 2024) and three billion (you triple your current revenue).

This range is clearly useless for any decision-making, and we need to reduce that uncertainty to help management.

Now, if you use quantified analytics on revenue development, market trends etc. you may find that there is a 90% likelihood the revenue for 2025 will be between 1.1 and 1.5 billion. This is much more useful for management and enables valid resource allocation.

The same measurement logic applies to any metric, financial or non-financial, that your organisation monitors to describe performance.

Using the risk matrix


Now we can leverage the risk matrix as a first-stop discussion tool for emerging risks, keeping it as simple as possible.

I suggest using a 3x3 matrix such as the one shown here, and I would sooner recommend a 2x2 than anything more complex.

To make the scales more useful, you may decide to attach indicative values to the high/medium/low levels for impact and likelihood.

For likelihood, you need a defined timeframe (given enough time, everything will eventually happen), and you could use, for example:

  • Low – Less than 5%
  • Medium – Some 10%
  • High – More than 40%

On impact, in whatever currency you report in, you could use, for example:

  • Low – Less than 1 Mio
  • Medium – Some 10 Mio
  • High – More than 100 Mio

This will guide and support the consistency of the discussions and ensure that everyone is on the “same page”.

Based on this, ask three initial questions:

  • What could happen? Describe a typical/expectable “scenario” of the risk materialising
  • How likely is it that something like this will happen within your timeframe?
  • What would the impact be if something like the described scenario happened?

Based on this brief discussion (do not overdo it at this stage), you can “place” the risk in the risk matrix. Based on its position, you have three potential next steps, defined by the colour of the cell in which the risk “landed”:

  • Red – Must be analysed further on likelihood and impact range, and potentially embedded in active risk management
  • Amber – One or both of two approaches can be chosen: a) make a next-step evaluation, typically by asking subject matter experts for their views and insights, or b) delegate to the business unit where this is most relevant, and ask them to address it based on their targets
  • Green – Park it. It is important to be aware that there are risks you deliberately choose not to address, to ensure effective use of your resources. In this case, you have seen the risk, discussed the risk and deliberately parked the risk

Hence, the purpose of using the risk matrix is to get to the next step of the risk assessment, NOT to define risk controls and/or mitigating actions. We do not yet have adequate insight to justify spending company resources on those.

Simplicity - the dangerous pitfall

Today, many companies and organisations jump from the initial heatmap discussion directly to defining ownership, controls, and mitigation plans. This is generally a bad use of company resources, for any one of three reasons:

  • Some (red) risks are shown, when analysed, to be less likely and/or less significant than was assessed in the first (humanly biased) discussion, in which case we will have overspent on addressing something of limited significance
  • Some (amber) risks are shown, when analysed, to have a long impact tail (the typical scenario is medium, but the worst plausible outcome is far larger), and hence our deployed controls and mitigations may be grossly inadequate should the risk materialise
  • Some risks are shown, when analysed, to be “dramatic” but also to have very limited or no material effect on whether you meet your targets

Daniel Kahneman, Douglas Hubbard, and others have shown time and again that human beings are very bad at guessing, and hence acting (or not acting) on the basis of an initial discussion alone is grossly inadequate and downright irresponsible.
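The triage procedure above (scales, three questions, colour, next step) and the long-tail pitfall just described, as an added worked example; this is not code from the article or from AKTUS. It encodes the article's likelihood and impact thresholds, places a risk in a 3x3 matrix from its typical scenario, and then draws a quantified loss distribution around that same typical scenario to show how an amber placement can hide a High-impact tail. The colour layout of the cells (the article's figure is not reproduced here), the lognormal loss shape and all numbers are assumptions for illustration.

```python
"""Risk-matrix triage followed by a quantified tail check.

Added example, not code from the article. Band edges follow the thresholds
in the text; the cell-colour layout, the loss distribution and its
parameters are assumptions for illustration.
"""
import math
import random

MIO = 1_000_000  # the article states impact in millions ("Mio")


def likelihood_band(p: float) -> str:
    """Probability within the agreed timeframe -> Low/Medium/High.

    The article gives Low < 5%, Medium "some 10%", High > 40%; treating
    everything between 5% and 40% as Medium is an assumption.
    """
    if not 0.0 <= p <= 1.0:
        raise ValueError("likelihood must be a probability in [0, 1]")
    if p < 0.05:
        return "Low"
    if p > 0.40:
        return "High"
    return "Medium"


def impact_band(loss: float) -> str:
    """Monetary impact -> Low/Medium/High (Low < 1 Mio, High > 100 Mio)."""
    if loss < 0:
        raise ValueError("impact must be non-negative")
    if loss < 1 * MIO:
        return "Low"
    if loss > 100 * MIO:
        return "High"
    return "Medium"


# Assumed colour layout: rank Low/Medium/High as 0/1/2 and add the ranks.
# Low/Low and Low/Medium are green, Medium/Medium and Low/High are amber,
# High/Medium and High/High are red.
_RANK = {"Low": 0, "Medium": 1, "High": 2}

NEXT_STEP = {
    "Red": "analyse likelihood and impact range further; consider active risk management",
    "Amber": "next-step evaluation by subject matter experts, or delegate to the business unit",
    "Green": "park it: seen, discussed and deliberately not addressed",
}


def cell_colour(likelihood: str, impact: str) -> str:
    score = _RANK[likelihood] + _RANK[impact]
    if score >= 3:
        return "Red"
    if score <= 1:
        return "Green"
    return "Amber"


def triage(p: float, typical_loss: float) -> dict:
    """First-stop placement of an emerging risk from one typical scenario."""
    lik, imp = likelihood_band(p), impact_band(typical_loss)
    colour = cell_colour(lik, imp)
    return {"likelihood": lik, "impact": imp, "colour": colour,
            "next_step": NEXT_STEP[colour]}


# --- Quantified follow-up: what the single typical scenario hides --------

def simulate_losses(median_loss: float, sigma: float,
                    n: int = 20_000, seed: int = 1) -> list:
    """Draw n losses from a lognormal whose median is the typical scenario.

    Lognormal shape and sigma are assumptions; sigma sets the tail length
    (sigma 1.6 puts the 95th percentile at roughly 14x the median).
    """
    rng = random.Random(seed)  # fixed seed keeps the example reproducible
    mu = math.log(median_loss)
    return sorted(rng.lognormvariate(mu, sigma) for _ in range(n))


def percentile(sorted_losses: list, q: float) -> float:
    idx = min(len(sorted_losses) - 1, int(q * len(sorted_losses)))
    return sorted_losses[idx]


def tail_report(p: float, median_loss: float, sigma: float) -> dict:
    """Compare the heatmap placement with percentiles of the simulated loss."""
    losses = simulate_losses(median_loss, sigma)
    p50, p95 = percentile(losses, 0.50), percentile(losses, 0.95)
    expected_loss = p * sum(losses) / len(losses)  # likelihood x mean impact
    return {"triage": triage(p, median_loss),
            "p50_band": impact_band(p50), "p95_band": impact_band(p95),
            "p95_over_median": p95 / p50, "expected_loss": expected_loss}


if __name__ == "__main__":
    # Constructed example: "some 10%" likely, typical impact 10 Mio, which
    # lands in the amber Medium/Medium cell ...
    report = tail_report(p=0.10, median_loss=10 * MIO, sigma=1.6)
    print(report["triage"])
    # ... yet one occurrence in twenty would exceed the High impact edge.
    print("p50 band:", report["p50_band"], "| p95 band:", report["p95_band"])
    print(f"p95 is {report['p95_over_median']:.1f}x the typical scenario")
    print(f"expected loss in the timeframe: {report['expected_loss'] / MIO:.1f} Mio")
```

The first half is exactly the "first-stop" discussion the article describes: one typical scenario, two bands, a colour and a next step, with nothing yet spent. The second half is the analysis the article says must follow before any control is funded: the same risk, still in the amber cell by its median, has a 95th percentile beyond the High impact edge, so controls sized for the typical scenario would be grossly inadequate in the tail. Only the quantified figures (percentiles, expected loss within the timeframe) are fit for a business case.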

What next? 

Somewhat in contradiction to what I and others have stated for years: do, by all means, leverage the risk matrix or heatmap as an initial assessment tool to direct next-step analytics and risk management.

Do not jump the fence and use the risk matrix discussion as the basis for implementing controls and/or mitigations; for that you need a more valid, quantitative analysis.


Whenever you spend company resources on anything else, you build a quantitative business case in which targets, costs and implementation plans are described and approved before anything is done.

The same should be the case when spending company resources on implementing risk controls and/or mitigating actions.

Now, what about the opportunity side of risks? Well, the exact same approach can be used to define which opportunities we wish to “go for” and which we “park”.