CGMA TOOLs

How to
communicate risks
using a heat map

Powered by
CONTENTS

Two of the world’s most prestigious accounting bodies,

AICPA and CIMA, have formed a joint-venture to establish
the Chartered Global Management Accountant (CGMA)
designation to elevate the profession of management
accounting. The designation recognises the most talented
and committed management accountants with the discipline
and skill to drive strong business performance.

Introduction 2

Initial Risk Assessment: Potential Impact and Likelihood 3

of Occurrence

Defining Your Metrics 4

Quantifying Potential Risk Impacts 5

1
Introduction

Managing and communicating risks have become crucial tasks in

today’s economy. COSO’s Enterprise Risk Management—Integrated
Framework provides a way for organisations to incorporate risk
management into their day-to-day operations. Enterprise risk
management (ERM) is a structured enterprise-wide view of risks
affecting an organisation. An ERM process is shown in figure 1.

Figure 1: ERM Process

Self-assessment
Internal audit Monitor
Performance

Plan Implement
Mitigation Identify
Risk Owner Risk
Strategy Risk
Oversight
Committee

Accept
Share Plan
Mitigate Response Assess Potential Impact
Avoid Strategy Risk Likelihood

Organisations use a variety of ways to identify potential impact and likelihood of occurring. This tool,
entity-wide risks (eg, surveys, workshops, risk factors a risk heat map, is used in the risk assessment process
disclosed in financial reports, etc.). When the entity- and is a great for facilitating communication.
wide risks are identified then each risk is assessed for

2 How to Communicate risks using a heat map

Initial Risk Assessment: Potential Impact
and Likelihood of Occurrence

In the risk assessment process, visualisation of risks using a heat

map presents a big picture, holistic view to share while making
decisions about the likelihood and impact of entity-wide risks within
an organisation. A heat map is a two-dimensional representation
of data in which values are represented by colours and can be
designed from being simple (qualitative only: 3x3) to very complex
(both qualitative and quantitative: 5x5). It is important to carefully
design the heat map so that the terms used to describe “potential
impact” and “likelihood” are what is used in your organisation.

When a heat map is used in workshops to assess
the risks by individual managers, the discussions
can be enhanced, for they can see how risks in one
part of the organisation impacts another part of
the organisation. The resulting heat map can also
be used to communicate the risk assessment to
senior management, audit committees, and boards
of directors. The heat map also enables a business
conversation about mitigation alternatives.
Organisations may want to start out by using
a qualitative only (3x3) heat map to do the risk
assessment shown in figure 2. The horizontal axis
shows the likelihood of a given risk occurring, that
is, the likelihood that the risk will materialise and
become an issue. The vertical axis shows the potential
impact that the risk will have on the objective or goal
not being achieved should it materialise. The colours
are risk areas (eg, green coloured boxes are in the low
area; yellow boxes are in the medium area; red boxes
in the high area). The risks are plotted on the heat map
based upon the “Potential Impact” and “Likelihood” of
occurring (Risk = Impact × Probability/Likelihood of
occurring).

Figure 2: Enterprise Risk Assessment Scale (Qualitative Only: 3x3)

High 3 6 9
Potential Impact

Medium 2 4 6

Low 1 2 3

Remote Possible Probable

Likelihood

3
Defining Your Metrics

As organisations gain experience doing risk assessments, they may

want to build on their qualitative heat map by adding definitions
to “Potential Impact” and “Likelihood” that quantify the terms. For
“Potential Impact,” definitions for what is meant by High, Medium,
and Low and for “Likelihood,” percentages could be added for
Remote, Possible and Probable as shown in figure 3.

Figure 3: Enterprise Risk Assessment Scale (3x3)

High 3 6 9
Material: difficult to achieve
multiple objectives
Potential Impact

Significant: more challenging

to achieve some objectives Medium 2 4 6
Inconsequential: may have
some undesirable outcomes

Low 1 2 3

Remote Possible Probable

Likelihood

% ranges 0-20% >20–60% >60–100%

The percentages, metrics, and definitions would come
from your organisation’s policies and what is used
in your organisation. It is important to get approved
terminology for the percentages, metrics, definitions,
and terms so that everyone in the organisation
understands what they are and how they are used in
the risk assessment process. This common language
is an added benefit in the communication process of
assessing risks.

4 How to Communicate risks using a heat map

Quantifying Potential Risk Impacts

One can continue expanding on the “Potential Impact” as shown

in the following 25 point assessment scale (5x5) by adding
Earnings Per Share (EPS) or Cash Equivalents. For example two
cents per share may equate to $3 million, which may further
define a “Significant” rating. This heat map may be more precise,
however, the main point is to hold discussions about the risks
facing the organisation, so that management can either mitigate
the risk (protecting value) or seize the opportunity (value creation)
in alignment with its risk appetite. Please refer to figure 4 as an
example.

Figure 4: Enterprise Risk Assessment Scale (5x5)

Very Material: may affect

> $ ____ million (m): company's ongoing existence Extreme 15 19 22 24 25
Material: difficult to achieve
> $ ____ m–$ ____m: multiple objectives
High 10 14 18 21 23
Potential Impact

Significant: more challenging

> $ ____ k–$ ____m:
to achieve some objectives
Medium 6 9 13 17 20
> $ ____ k–$ ____k: Inconsequential: may have
some undesirable outcomes

< $ ____k: Trivial: no noticeable impact Low 3 5 8 12 16

on objectives

High => $0.000 EPS* or Cash and Equivalents Negligible 1 2 4 7 11

Low => $0.000 EPS or Cash and Equivalents Remote Unlikely Possible Likely Probable
EPS* = Earnings Per Share Likelihood
% ranges 0-10% >10–25% >25–50% >50–90% >90–100%

Figure 5, on the next page, shows a sample heat

map for risks that were primarily grouped together
according to their interrelated nature and effect on
operations, not on all of the identified risks for a
company.

5
Figure 5: Enterprise Risk Assessment Scale (5x5)

Very Material: may affect

> $75m: company's ongoing existence Extreme

Material: difficult to achieve

> $1.95m–$75m: multiple objectives
High

Potential Impact
Significant: more challenging 13
> $340k–$1.95m: 14
to achieve some objectives 11
Medium 12
> $25k–$340k: Inconsequential: may have 10
some undesirable outcomes 15

Trivial: no noticeable impact Low 16

< $25k:
on objectives

High => $0.025 EPS Negligible

Low => $0.005 EPS Remote Unlikely Possible Likely Probable

Risk Legend
Likelihood
(10) Obsolence Risk % ranges 0-10% >10–25% >25–50% >50–90% >90–100%
(11) Customer Concentration or Distribution Risk
(12) Manufacturing Risk
(13) NPI Risk
(14) Supply Chain Risk
(15) EH&S Risk
(16) Physical Asset Risk

Potential risk management gaps and

follow-up:
• A more accurate sales forecasting function was a
recurring theme thought to be a key risk indicator
associated with several of these interrelated risks.

• The perception of supply chain risk increased with

the vertical supply chain as viewed by downstream
business units.

• The likelihood and potential impact of risk events

appeared highest with the new product introduction
(NPI) process, indicating that opportunities may
exist in how the company is structured and manages
NPI.

• Environmental Health & Safety (EH&S) and

physical asset risk have robust, dedicated functions
responsible for risk management and were considered
fairly well managed in the United States. However,
some uncertainty exists among participants as to risk
ownership and how mature these functions are in
Asia Pacific locations.

6 How to Communicate risks using a heat map

© 2012 AICPA. All rights reserved.
Distribution of this material via the Internet does
not constitute consent to the redistribution of it in
any form. No part of this material may be otherwise
reproduced, stored in third party platforms and
databases, or transmitted in any form or by any
printed, electronic, mechanical, digital or other means
without the written permission of the owner of the
copyright as set forth above. For information about
the procedure for requesting permission to reuse this
content please email
or the Association of International Certified
Professional Accountants. This material is offered with
the understanding that it does not constitute legal,
accounting, or other professional services or advice. If
legal advice or other expert assistance is required, the
services of a competent professional should be sought.
The information contained herein is provided to assist
the reader in developing a general understanding of
the topics discussed, but no attempt has been made to
cover the subjects or issues exhaustively. While every
attempt to verify the timeliness and accuracy of the

[email protected] information herein as of the date of issuance has been
made, no guarantee is or can be given regarding the
The information and any opinions expressed in this applicability of the information found within to any
material do not represent official pronouncements of or given set of facts and circumstances.
on behalf of AICPA, CIMA, the CGMA designation

The information herein was adapted from Risk Assessment For Mid-sized Companies: Tools for Developing a Tailored
Approach to Risk Management, by Scott McKay, CPA, CFE, CIA, CCSA, Copyright © 2011 by the American
Institute of Certified Public Accountants, Inc.
American Institute of CPAs
1211 Avenue of the Americas
New York, NY 10036-8775
T. +1 2125966200
F. +1 2125966213

Chartered Institute of
Management Accountants
26 Chapter Street
London SW1P 4NP
United Kingdom
T. +44 (0)20 7663 5441
F. +44 (0)20 7663 5442

www.cgma.org

January 2012

11676-359

The Association of International Certified Professional

Accountants, a joint venture of AICPA and CIMA,
established the CGMA designation to elevate the
profession of management accounting globally.