Back in 2016, I wrote a series of two articles on my Risk Management Guru Blog entitled “How to Create a Risk Heatmap in Excel”. Part 1 is available here and part 2 is available here.
For the last decade at least, these types of tools have been widely used in firms and in different types of industries, and in many instances, they are still in use. These matrix-based tools are also still referred to in Financial and Risk Management training materials, as well as in central banks’ and regulators’ public documentation.
The two “How to Create a Risk Heatmap in Excel” articles are still, by far, some of the most visited articles on my blog. I think part of what makes these articles so popular is that: a) they explain step by step how to achieve this kind of deliverable; and b) the second part of the article actually allows visitors to download the zip file I built for the purpose of an illustrative Risk Management Heatmap. It is a pretty neat solution and has some degree of VBA to get it right.
However, it is still my strong conviction that many people out there, in different firms across different industries, including financial services and banking, are still using this kind of tool to map their firm’s risks in a visual Red-Amber-Green (RAG) manner, hoping that its output will magically give them the necessary insights to act upon a risk potentially materialising. The issue becomes more meaningful if you think that this is the kind of management information still being used to communicate to Boards of Directors, who must take “informed” decisions.
In the last couple of years or so I have heard diverse opinions on this topic. These include several subject matter experts with whom I connect and exchange thoughts regarding Risk Management, Governance and Compliance issues. I’ve been noticing a growing effort by some to re-educate Risk Managers and C-Suites about the fallibility and danger of focusing some of a firm’s systems and controls arrangements on spreadsheets that work very well in PowerPoint presentations.
Before giving firm views on this topic, I would like to request that you answer the questions below and express your thoughts on this matter:
- do you still use Risk Heatmaps? Why not / why do you?
- what vulnerabilities do you identify by using these spreadsheet-based tools?
- if you do not use Risk Heatmaps, what are you currently using?
- what kind of management information does your Board receive from Risk Management in order to help inform their decisions?
Many thanks for considering my request.
Thank you and best regards.
Antonio Caldas