Stop Seeing Red: How to Revamp Your Risk Assessment Process to Free Up More Resources

As noted in last week’s blog on freeing up in-house ERM resources, your organization has probably experienced a substantial increase in the volume and complexity of risks over the past five years, and yet you have insufficient resources to strengthen your ERM processes to manage these new threats.

The statistics from NC State’s report, The State of Risk Oversight, cited in that post might help you make the case for hiring more staff, but it could take months to bring new risk managers and analysts up to speed.

So, what can you do to make the most of the resources you have? Focus on the right risks. 

But how do you know which ones to focus on? 

Heatmap Limitations

When it comes to scoring and reporting on risks, it seems that most organizations use some form of the heatmap, or risk matrix. Typically, it captures Impact and Likelihood scores, allowing risks to be compared to one another.

Here’s an example heatmap using a 1 to 5 scale:

[Figure: example heatmap on a 1 to 5 scale]


If we take the following raw data for Risks 1 and 2 and plot them on this heatmap, we see that the scores are 18 and 20, respectively:

[Figure: raw data for Risks 1 and 2 plotted on the heatmap, scoring 18 and 20]

Since these risks are in the red zone of the heatmap, executives will want to assign resources to perform mitigating activities to bring down the scores. They’ll also expect your ERM staff to monitor these risks closely and report on them regularly.

This makes sense until you come across risks that stay orange or red no matter how many resources you throw at them. And then there are risks that management expects to be high and is comfortable with. So why are you still spending your limited resources on them?

If you want management to avoid this red-laser focus and to put resources where they’re really needed, then you need to give them more than a heatmap to work with.

Here are a few tools and data elements you can start implementing today to revamp risk assessment in your organization.

Risk Tolerance

As noted in a previous post, the Risk Appetite defines the amount of risk the organization is willing to take to achieve strategic objectives. Once you’ve worked with the board and senior executives to set the Risk Appetite, you should set boundaries around it called Risk Tolerances. It’s these Tolerances that make the Risk Appetite actionable because they tell the business units what level of risk is acceptable and what is not.

Using the same example risks noted above, let’s assume that management has set Risk Tolerances for the various Risk Categories of the organization (e.g. Operational, Financial, Compliance, and Reputation). When we score the risks, we can collect an Impact Score for each of the Risk Categories and compare that to the Tolerances, as shown here:

[Figure: Impact Scores by Risk Category compared to the Tolerances]

Instead of saying “this risk is higher than that one,” we can now say, “the Compliance aspect of this risk is outside of our Tolerance.” We can even show this variance using a Radar chart:

[Figure: Radar chart of Impact Scores against Tolerances]

Now we’re getting somewhere!


If you identify aspects of the risk outside of the Tolerance, you should work with the business unit to identify Future Mitigations that can further reduce the risk. You can help the business unit create an Action Plan and monitor their progress as the risk is reduced.

If Future Mitigations cannot reduce the risk further, you may determine the risk is outside of the control of the organization. Working with the business unit, determine if the risk can be transferred. If not, then you may need to suggest that executives accept the risk (as a last resort).

Positive Risk

We all know that risks can have an upside as well as a downside. So why not capture that in your risk assessment?

Take your regular Risk Impact Matrix and create a companion Positive Impact Matrix to capture the positive impacts of risks. Be sure to use the same scale so you can compare the two.

For example, if you determine a risk could have a negative impact of 4 for the Operational Category, but it could also result in a positive impact of 3 for the Financial Category, you should have a good conversation with management. Perhaps some mitigation can be put in place to lower the impact to the Operational area, while other activities could allow the organization to seize on the Financial benefits.
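The tolerance comparison from the Risk Tolerance section above and the positive-versus-negative comparison in this section, as an added example in Python that is not part of the original post and not the author’s spreadsheet: it scores a few constructed risks on the heatmap, flags which Risk Categories sit outside Tolerance, lists where the upside matches or outweighs the downside, and orders the risks so that a Tolerance breach outranks heatmap colour. The 1 to 5 scale, the heatmap formula (mean category impact times likelihood), the Tolerance values and the three risks are all assumptions made here; the post’s own figures are not reproduced.

```python
"""Risk scoring beyond the heatmap: per-category Tolerance checks and upside.

Added example, not code from the original post. Assumptions (not stated on
the page): impact and likelihood use a 1 to 5 scale; the heatmap score is the
mean impact across categories multiplied by likelihood; every risk and
Tolerance value below is constructed for illustration.
"""
from dataclasses import dataclass, field

CATEGORIES = ("Operational", "Financial", "Compliance", "Reputation")
SCALE = range(1, 6)  # 1 to 5


@dataclass
class Risk:
    name: str
    likelihood: int                              # 1..5
    impact: dict                                 # category -> negative impact, 1..5
    upside: dict = field(default_factory=dict)   # category -> positive impact, 1..5


def check_scale(value, label):
    """Reject scores off the 1 to 5 scale so mis-keyed data cannot skew priorities."""
    if not isinstance(value, int) or value not in SCALE:
        raise ValueError(f"{label} must be an integer from 1 to 5, got {value!r}")
    return value


def heatmap_score(risk):
    """Assumed heatmap formula: mean category impact x likelihood (maximum 25)."""
    impacts = [check_scale(risk.impact[c], f"{risk.name} {c} impact") for c in CATEGORIES]
    check_scale(risk.likelihood, f"{risk.name} likelihood")
    return sum(impacts) / len(impacts) * risk.likelihood


def tolerance_breaches(risk, tolerances):
    """Categories whose negative impact exceeds the Tolerance, with the variance."""
    return {c: risk.impact[c] - check_scale(tolerances[c], f"{c} tolerance")
            for c in CATEGORIES if risk.impact[c] > tolerances[c]}


def upside_opportunities(risk):
    """Categories where the positive impact matches or exceeds the negative impact."""
    return {c: (risk.impact.get(c, 0), risk.upside[c])
            for c in risk.upside if risk.upside[c] >= risk.impact.get(c, 0)}


def radar_rows(risk, tolerances):
    """(category, impact, tolerance) rows for a radar chart overlay."""
    return [(c, risk.impact[c], tolerances[c]) for c in CATEGORIES]


def prioritize(risks, tolerances):
    """Order risks by total Tolerance breach first, heatmap score second.

    A risk with no breach sorts below any breached risk even when its heatmap
    score is higher: that is the 'expected to be high, accepted' case.
    """
    def key(r):
        return (sum(tolerance_breaches(r, tolerances).values()), heatmap_score(r))
    return [r.name for r in sorted(risks, key=key, reverse=True)]


def report(risks, tolerances):
    """One line per risk: heatmap score plus which categories breach Tolerance."""
    lines = []
    for r in risks:
        breaches = tolerance_breaches(r, tolerances)
        status = ", ".join(f"{c} +{v}" for c, v in breaches.items()) or "within tolerance"
        lines.append(f"{r.name}: heatmap {heatmap_score(r):.1f}; {status}")
    return lines


# Constructed data: one Tolerance per Risk Category (5 = any score accepted).
TOLERANCES = {"Operational": 5, "Financial": 4, "Compliance": 3, "Reputation": 5}

RISKS = [
    Risk("Risk 1", likelihood=4,
         impact={"Operational": 5, "Financial": 4, "Compliance": 5, "Reputation": 4}),
    Risk("Risk 2", likelihood=5,
         impact={"Operational": 5, "Financial": 4, "Compliance": 3, "Reputation": 4}),
    Risk("Risk 3", likelihood=2,
         impact={"Operational": 2, "Financial": 3, "Compliance": 4, "Reputation": 3},
         upside={"Financial": 4}),
]

if __name__ == "__main__":
    print("\n".join(report(RISKS, TOLERANCES)))
    print("Priority order:", prioritize(RISKS, TOLERANCES))
    for r in RISKS:
        for c, (down, up) in upside_opportunities(r).items():
            print(f"{r.name}: {c} upside {up} vs downside {down}")
```

With this data Risk 2 has the highest heatmap score (20) but every category sits within Tolerance, so it sorts last; Risk 3 is green on the heatmap (6) yet its Compliance impact is one point over Tolerance, so it sorts ahead of Risk 2, and its Financial upside of 4 against a downside of 3 is the kind of trade-off worth raising with management. The `radar_rows` output is what you would feed to a radar chart to draw impact against Tolerance per category.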

This is the kind of insight and value you should seek to provide to the organization…and if you’re not busy tracking the same two “red risks” all year, you might have time to do it!

In fact, you can save time now by using a simple Excel workbook to capture your risk information and create your own Radar charts. To download a sample spreadsheet you can begin using immediately, complete the short form at the bottom of this post.

Yes, it will take a little time and effort to establish these tools and data elements in your processes and reports, but you’ll make it up many times over if you use this information to get the most out of your resources!

Have you used these elements to prioritize your risks and assign resources? Do you use other data points?

We want to hear from you!

If you have any thoughts on prioritizing risks you would like to share, or any questions, enter them in the comments section below or join the conversation on LinkedIn.

And if you’re struggling with risk assessment and how to focus your resources to their most efficient use, continue browsing to learn more or complete this form to be added to the consulting & coaching waitlist.

About the author

Ashley Jones joined ERM Insights by Carol in June 2017. She graduated from Florida State University in 2003 with a B.A. in Risk Management and Insurance and obtained the Project Management Professional (PMP) designation in May 2012. Ashley has fourteen years of experience in the fields of insurance and risk management, most notably as a Senior Risk Analyst within the ERM department of a $7+ billion property and casualty insurance company. When she’s not working on project or risk management, Ashley is busy writing, blogging, teaching, and speaking on a wide variety of topics.

