0:00:00.080,0:00:03.040 Risk Mapping in Risk Management. Welcome 0:00:03.040,0:00:05.040 to the Risk Management of Everything 0:00:05.040,0:00:07.759 channel. On this channel, you will find 0:00:07.759,0:00:09.679 videos on risk management and the 0:00:09.679,0:00:11.440 application of risk management to 0:00:11.440,0:00:13.759 diverse areas and sectors. 0:00:13.759,0:00:15.839 If you are new here, please consider 0:00:15.839,0:00:17.760 subscribing to our channel and press the 0:00:17.760,0:00:19.840 notification button so you can be 0:00:19.840,0:00:22.800 notified when we upload new videos. 0:00:22.800,0:00:25.279 Thank you. Risk mapping in risk 0:00:25.279,0:00:28.000 management is discussed in this video. 0:00:28.000,0:00:30.480 In this video, we'll discuss how a risk 0:00:30.480,0:00:32.719 map can be used by an organization to 0:00:32.719,0:00:34.200 manage its risks in an 0:00:34.200,0:00:35.360 easy-to-understand 0:00:35.360,0:00:38.719 way. Now, let us start. 0:00:38.719,0:00:41.200 Meaning of a Risk. Risk is the 0:00:41.200,0:00:43.680 uncertainty of a financial loss. 0:00:43.680,0:00:45.520 A risk exists where there is an 0:00:45.520,0:00:48.079 opportunity for a profit or a loss. 0:00:48.079,0:00:50.480 In terms of losses, we commonly refer to 0:00:50.480,0:00:52.559 the risks as exposures to loss, 0:00:52.559,0:00:56.399 or simply exposures. Fire is an exposure. 0:00:56.399,0:00:58.879 Defective products or defamation are 0:00:58.879,0:01:00.800 liability exposures. 0:01:00.800,0:01:02.800 The loss of business that results from a 0:01:02.800,0:01:05.280 damaged building or tarnished reputation 0:01:05.280,0:01:08.400 is also an exposure. 
Risks can come from 0:01:08.400,0:01:10.880 various sources including uncertainty in 0:01:10.880,0:01:12.400 international markets, 0:01:12.400,0:01:14.880 threats from project failures (at any 0:01:14.880,0:01:16.240 phase in design 0:01:16.240,0:01:18.880 development, production, or sustaining of 0:01:18.880,0:01:20.080 life-cycles), 0:01:20.080,0:01:23.520 legal liabilities, credit risk, accidents, 0:01:23.520,0:01:26.240 natural causes and disasters, deliberate 0:01:26.240,0:01:27.040 attack from an 0:01:27.040,0:01:29.360 adversary, or events of uncertain or 0:01:29.360,0:01:31.520 unpredictable root-cause. 0:01:31.520,0:01:33.840 There are two types of events which are: 0:01:33.840,0:01:34.640 (1) 0:01:34.640,0:01:36.720 negative events which can be classified 0:01:36.720,0:01:38.400 as risks or threats; 0:01:38.400,0:01:40.960 and (2) positive events that may be 0:01:40.960,0:01:43.439 classified as opportunities. 0:01:43.439,0:01:46.640 What is Risk Management? Risk management 0:01:46.640,0:01:48.880 is the process of identification, 0:01:48.880,0:01:51.600 analysis, and acceptance or mitigation of 0:01:51.600,0:01:54.479 uncertainty in investment decisions. 0:01:54.479,0:01:56.799 Organizations face many risks and they 0:01:56.799,0:01:58.560 must decide where to focus their 0:01:58.560,0:02:00.479 mitigation resources. 0:02:00.479,0:02:03.439 To handle or manage risks, organizations 0:02:03.439,0:02:05.520 usually have the options to avoid, 0:02:05.520,0:02:08.639 control, accept, or transfer risk. The 0:02:08.639,0:02:11.120 adverse effects of risk can be objective 0:02:11.120,0:02:13.760 or quantifiable like insurance premiums 0:02:13.760,0:02:15.200 and claims costs, 0:02:15.200,0:02:17.520 or subjective and difficult to quantify 0:02:17.520,0:02:19.520 such as damage to reputation or 0:02:19.520,0:02:21.360 decreased productivity. 
0:02:21.360,0:02:23.360 By focusing attention on risk and 0:02:23.360,0:02:25.360 committing the necessary resources to 0:02:25.360,0:02:27.440 control and mitigate risk, 0:02:27.440,0:02:29.440 a business will protect itself from 0:02:29.440,0:02:30.560 uncertainty, 0:02:30.560,0:02:33.360 reduce costs, and increase the likelihood 0:02:33.360,0:02:36.000 of business continuity and success. 0:02:36.000,0:02:38.560 Meanwhile, a risk map can be used as a 0:02:38.560,0:02:40.640 tool to improve the risk management 0:02:40.640,0:02:42.879 system of an organization. 0:02:42.879,0:02:46.480 What is a Risk Map? A risk map, also known 0:02:46.480,0:02:47.840 as a risk heat map, 0:02:47.840,0:02:49.920 is a data visualization tool for 0:02:49.920,0:02:51.760 communicating specific risks an 0:02:51.760,0:02:53.680 organization faces. 0:02:53.680,0:02:56.000 A risk map is a graphical depiction of a 0:02:56.000,0:02:57.840 select number of a company's risks 0:02:57.840,0:02:59.840 designed to illustrate the impact or 0:02:59.840,0:03:02.080 significance of risks on one axis and 0:03:02.080,0:03:04.800 the likelihood or frequency on the other. 0:03:04.800,0:03:07.040 Risk mapping is used to assist in 0:03:07.040,0:03:08.200 identifying, 0:03:08.200,0:03:11.360 prioritizing, and quantifying (at a macro 0:03:11.360,0:03:11.920 level) 0:03:11.920,0:03:14.319 risks to an organization. This 0:03:14.319,0:03:16.560 representation often takes the form of a 0:03:16.560,0:03:18.720 two-dimensional grid with frequency 0:03:18.720,0:03:21.599 (or likelihood of occurrence) on one axis 0:03:21.599,0:03:22.560 and severity 0:03:22.560,0:03:24.879 (or degree of financial impact) on the 0:03:24.879,0:03:25.840 other axis; 0:03:25.840,0:03:27.440 the risks that fall in the 0:03:27.440,0:03:30.000 high-frequency/high-severity quadrant are 0:03:30.000,0:03:32.159 given priority risk management 0:03:32.159,0:03:34.959 attention. 
A risk map helps companies 0:03:34.959,0:03:37.200 identify and prioritize the risks 0:03:37.200,0:03:39.280 associated with their business. 0:03:39.280,0:03:41.519 The goal of a risk map is to improve an 0:03:41.519,0:03:43.840 organization's understanding of its risk 0:03:43.840,0:03:45.280 profile and appetite, 0:03:45.280,0:03:47.200 clarify thinking on the nature and 0:03:47.200,0:03:48.560 impact of risks, 0:03:48.560,0:03:50.640 and improve the organization's risk 0:03:50.640,0:03:52.080 assessment model. 0:03:52.080,0:03:54.480 In the enterprise, a risk map is often 0:03:54.480,0:03:57.200 presented as a two-dimensional matrix. 0:03:57.200,0:03:59.519 For example, the likelihood a risk will 0:03:59.519,0:04:01.840 occur may be plotted on the x-axis, 0:04:01.840,0:04:03.599 while the impact of the same risk is 0:04:03.599,0:04:05.519 plotted on the y-axis. 0:04:05.519,0:04:07.439 A risk map is considered a critical 0:04:07.439,0:04:09.840 component of enterprise risk management 0:04:09.840,0:04:12.000 because it helps identify risks that 0:04:12.000,0:04:13.599 need more attention. 0:04:13.599,0:04:15.920 Identified risks that fall in the high-frequency 0:04:15.920,0:04:18.238 and high-severity section can 0:04:18.238,0:04:21.358 then be made a priority by organizations. 0:04:21.358,0:04:23.440 If the organization is dispersed 0:04:23.440,0:04:25.600 geographically and certain risks are 0:04:25.600,0:04:27.919 associated with certain geographical 0:04:27.919,0:04:28.639 areas, 0:04:28.639,0:04:30.560 risks might be illustrated with a heat 0:04:30.560,0:04:32.880 map, using color to illustrate the levels 0:04:32.880,0:04:34.800 of risk to which individual branch 0:04:34.800,0:04:36.960 offices are exposed. 0:04:36.960,0:04:40.160 Why it's Important to Create a Risk Map? 0:04:40.160,0:04:42.240 A risk map offers a visualized, 0:04:42.240,0:04:44.400 comprehensive view of the likelihood and 0:04:44.400,0:04:47.199 impact of an organization's risks. 
0:04:47.199,0:04:49.600 This helps the organization improve risk 0:04:49.600,0:04:51.440 management and risk governance by 0:04:51.440,0:04:54.479 prioritizing risk management efforts. 0:04:54.479,0:04:57.199 This risk prioritization enables them to 0:04:57.199,0:04:59.040 focus time and money on the most 0:04:59.040,0:05:01.520 potentially damaging risks identified in 0:05:01.520,0:05:02.320 a heat map 0:05:02.320,0:05:05.160 chart. A risk map also facilitates 0:05:05.160,0:05:07.360 interdepartmental dialogues about an 0:05:07.360,0:05:09.199 organization's inherent risks and 0:05:09.199,0:05:11.039 promotes communication about 0:05:11.039,0:05:13.600 risks throughout the organization. It 0:05:13.600,0:05:16.240 helps organizations visualize risks in 0:05:16.240,0:05:17.680 relation to each other, 0:05:17.680,0:05:19.280 and it guides the development of a 0:05:19.280,0:05:21.280 control assessment of how to deal with 0:05:21.280,0:05:23.280 the risks and the consequence of those 0:05:23.280,0:05:24.639 risks. 0:05:24.639,0:05:27.680 Benefits of Using Risk Heat Maps. 0:05:27.680,0:05:29.759 Risk heat maps can offer significant 0:05:29.759,0:05:32.160 benefits to organizations. 0:05:32.160,0:05:34.080 Here are some of the benefits of using 0:05:34.080,0:05:37.759 risk heat maps by an organization: 0:05:37.759,0:05:40.639 A visual, big picture, holistic view that 0:05:40.639,0:05:42.400 can be shared to make strategic 0:05:42.400,0:05:44.479 decisions; 0:05:44.479,0:05:46.320 Improved management of risks and 0:05:46.320,0:05:48.160 governance of the risk management 0:05:48.160,0:05:50.160 process; 0:05:50.160,0:05:52.479 Increased focus on risk appetite and the 0:05:52.479,0:05:55.440 risk tolerance of the company; 0:05:55.440,0:05:57.360 More precision in the risk assessment 0:05:57.360,0:05:59.360 and mitigation process; 0:05:59.360,0:06:02.639 and Greater integration of risk 0:06:02.639,0:06:05.600 management actions across the enterprise. 
0:06:05.600,0:06:07.919 The Importance of Risk Mapping Business 0:06:07.919,0:06:09.600 Organizations. 0:06:09.600,0:06:11.680 Why should your organization be using 0:06:11.680,0:06:13.440 risk maps? 0:06:13.440,0:06:15.759 Building a risk map brings valuable 0:06:15.759,0:06:16.960 benefits. 0:06:16.960,0:06:18.720 You will have a thorough understanding 0:06:18.720,0:06:20.160 of your risk environment 0:06:20.160,0:06:22.400 and how individual risks compare to one 0:06:22.400,0:06:23.199 another. 0:06:23.199,0:06:25.199 You can use this to strategically 0:06:25.199,0:06:27.280 prioritize your risks and determine 0:06:27.280,0:06:29.759 where to use your limited resources. 0:06:29.759,0:06:32.319 The map can help the company visualize 0:06:32.319,0:06:33.919 how risks in one part of the 0:06:33.919,0:06:36.160 organization can affect operations of 0:06:36.160,0:06:37.759 another business unit within the 0:06:37.759,0:06:39.039 organization. 0:06:39.039,0:06:41.360 A risk map also adds precision to an 0:06:41.360,0:06:43.919 organization's risk assessment strategy 0:06:43.919,0:06:44.160 and 0:06:44.160,0:06:46.560 identifies gaps in an organization's 0:06:46.560,0:06:48.800 risk management processes. 0:06:48.800,0:06:50.720 A risk map is built by plotting the 0:06:50.720,0:06:53.120 frequency of a risk on the y-axis of the 0:06:53.120,0:06:56.000 chart and the severity on the x-axis. 0:06:56.000,0:06:58.080 Frequency is how likely the risk is or 0:06:58.080,0:07:00.240 how often you think it will occur; 0:07:00.240,0:07:02.319 severity is how much of an impact it 0:07:02.319,0:07:04.000 would have if it did occur. 0:07:04.000,0:07:05.840 The higher a risk ranks for these 0:07:05.840,0:07:08.000 qualities, the more threatening it is to 0:07:08.000,0:07:09.759 your organization. 
0:07:09.759,0:07:12.560 The most severe and frequent risks, your 0:07:12.560,0:07:13.840 primary risks, 0:07:13.840,0:07:15.360 are critical and would hinder your 0:07:15.360,0:07:17.440 ability to conduct business. 0:07:17.440,0:07:20.080 Risks that are severe but unlikely, that 0:07:20.080,0:07:22.240 is your "detect and monitor" risks, 0:07:22.240,0:07:24.080 are those risks that should be watched 0:07:24.080,0:07:26.319 but don't require heavy mitigation 0:07:26.319,0:07:27.520 strategies. 0:07:27.520,0:07:29.440 Risks that are highly likely but 0:07:29.440,0:07:32.000 insignificant, your monitor risks, 0:07:32.000,0:07:34.400 will not impact your ability to continue 0:07:34.400,0:07:35.759 operations. 0:07:35.759,0:07:37.919 Finally, the risks that are low in both 0:07:37.919,0:07:39.520 frequency and severity, 0:07:39.520,0:07:42.400 your low control risks, can be revisited 0:07:42.400,0:07:44.080 on a yearly basis to ensure 0:07:44.080,0:07:46.960 the risk remains low. Risk maps are a 0:07:46.960,0:07:48.560 valuable tool as they assist 0:07:48.560,0:07:50.560 organizations to: 0:07:50.560,0:07:53.919 1. Understand the risk environment. 0:07:53.919,0:07:56.080 Risk management begins with building a 0:07:56.080,0:07:58.319 list of all risks your organization 0:07:58.319,0:08:01.520 faces. Depending on your industry, this 0:08:01.520,0:08:03.440 number could range from a handful to 0:08:03.440,0:08:04.479 hundreds. 0:08:04.479,0:08:06.400 Risk mapping is beneficial because it 0:08:06.400,0:08:07.680 requires you to assess 0:08:07.680,0:08:09.440 each risk and its causes and 0:08:09.440,0:08:11.520 consequences individually. 0:08:11.520,0:08:13.840 It also allows you to look at your risk 0:08:13.840,0:08:15.840 environment as a whole and understand 0:08:15.840,0:08:18.720 how frequencies and severities compare. 
0:08:18.720,0:08:20.879 Finally, a risk map is a visual that 0:08:20.879,0:08:23.440 anyone in your organization can use to 0:08:23.440,0:08:25.440 see the big picture of risks most 0:08:25.440,0:08:26.000 prominent 0:08:26.000,0:08:29.360 in your industry or workplace. 2. 0:08:29.360,0:08:32.479 Prioritize mitigation strategies. 0:08:32.479,0:08:35.039 With limited resources, it's important to 0:08:35.039,0:08:38.080 be strategic about mitigation techniques. 0:08:38.080,0:08:40.080 Risk mapping allows you to determine 0:08:40.080,0:08:41.919 what steps to take first: 0:08:41.919,0:08:44.000 implement prevention tactics for the 0:08:44.000,0:08:46.080 most frequent and severe risks before 0:08:46.080,0:08:47.600 moving on to others. 0:08:47.600,0:08:50.080 This prioritization method ensures that 0:08:50.080,0:08:52.000 you address the risks that have the most 0:08:52.000,0:08:53.839 potential to cause harm to your 0:08:53.839,0:08:55.440 organization. 0:08:55.440,0:08:58.959 3. Allocate limited resources. 0:08:58.959,0:09:01.279 Whether your organization consists of 0:09:01.279,0:09:03.360 2 employees or 2,000, 0:09:03.360,0:09:06.240 risk managers have limited resources. 0:09:06.240,0:09:08.320 Risk mapping allows you to use them to 0:09:08.320,0:09:10.399 prevent primary risks. 0:09:10.399,0:09:12.880 D&M risks should be revisited several 0:09:12.880,0:09:14.959 times a year to ensure appropriate 0:09:14.959,0:09:16.240 management. 0:09:16.240,0:09:18.640 Similarly, monitor risks typically only 0:09:18.640,0:09:20.560 need to be checked yearly to ensure 0:09:20.560,0:09:23.279 their potential impact hasn't grown. 0:09:23.279,0:09:25.760 Finally, by figuring out which risks are 0:09:25.760,0:09:26.800 low control, 0:09:26.800,0:09:28.720 you will know where not to spend time 0:09:28.720,0:09:29.839 and money. 
0:09:29.839,0:09:32.480 However, keep in mind that no risk can be 0:09:32.480,0:09:33.839 completely ignored: 0:09:33.839,0:09:35.839 make sure you still consider these in 0:09:35.839,0:09:37.920 future assessments and ensure that the 0:09:37.920,0:09:40.959 low-risk status has not changed. 0:09:40.959,0:09:44.720 4. Receive better insurance premiums. 0:09:44.720,0:09:47.040 Risk maps can also help your 0:09:47.040,0:09:48.480 organization in becoming an 0:09:48.480,0:09:49.680 international standard 0:09:49.680,0:09:52.720 organization (ISO) certified, 0:09:52.720,0:09:54.160 as it shows that you have an 0:09:54.160,0:09:56.240 understanding of your risk environment 0:09:56.240,0:09:59.040 and a strategic plan for moving forward. 0:09:59.040,0:10:00.880 This can also help you receive 0:10:00.880,0:10:03.360 competitive insurance premiums. 0:10:03.360,0:10:05.519 Insurers are looking for good risk, or 0:10:05.519,0:10:07.440 companies they believe will have minimal 0:10:07.440,0:10:08.720 losses. 0:10:08.720,0:10:12.000 Key Considerations for Risk Heat Maps. 0:10:12.000,0:10:14.160 To develop an effective cybersecurity 0:10:14.160,0:10:15.279 risk heat map, 0:10:15.279,0:10:18.560 consider these critical elements: 0:10:18.560,0:10:20.720 What are your most critical systems and 0:10:20.720,0:10:22.320 information assets 0:10:22.320,0:10:25.920 (those you want to map)? How accurate is 0:10:25.920,0:10:29.200 the data and where is it coming from? 0:10:29.200,0:10:31.600 What is your organization's appetite for 0:10:31.600,0:10:33.360 risk? 0:10:33.360,0:10:35.360 What categories and levels of impact 0:10:35.360,0:10:37.040 would be considered material, 0:10:37.040,0:10:40.079 for example, monetary, brand reputation, 0:10:40.079,0:10:42.959 and other related impacts? 0:10:42.959,0:10:45.360 What is the range of acceptable variance 0:10:45.360,0:10:47.440 from your key performance and operating 0:10:47.440,0:10:48.399 metrics? 
0:10:48.399,0:10:51.680 And how will you define terms to 0:10:51.680,0:10:53.760 integrate potential risk events with 0:10:53.760,0:10:55.200 your heat map? 0:10:55.200,0:10:58.240 How to Build a Risk Map. A risk map is 0:10:58.240,0:11:00.079 built by plotting the frequency of a 0:11:00.079,0:11:02.240 risk on the y-axis of the chart and the 0:11:02.240,0:11:04.480 severity on the x-axis. 0:11:04.480,0:11:06.640 Frequency is how likely the risk is or 0:11:06.640,0:11:08.720 how often you think it will occur. 0:11:08.720,0:11:10.880 Severity is how much of an impact it 0:11:10.880,0:11:12.480 would have if it did happen. 0:11:12.480,0:11:14.320 The higher a risk ranks for these 0:11:14.320,0:11:16.480 qualities, the more threatening it is to 0:11:16.480,0:11:18.079 your organization. 0:11:18.079,0:11:20.320 Let us discuss tips on how to build a 0:11:20.320,0:11:21.760 risk map. 0:11:21.760,0:11:23.680 Here are four tips on how to build a 0:11:23.680,0:11:25.200 risk map: 0:11:25.200,0:11:28.000 1. Involve people from all parts of 0:11:28.000,0:11:29.760 your organization. 0:11:29.760,0:11:31.680 Risk mapping is not a process that 0:11:31.680,0:11:34.079 should be conducted by one person. 0:11:34.079,0:11:36.240 Every person in your business, from the 0:11:36.240,0:11:37.839 CEO to the intern, 0:11:37.839,0:11:39.680 will have different ideas about what 0:11:39.680,0:11:41.600 risks are most prevalent to your 0:11:41.600,0:11:44.560 industry. You cannot involve everyone, but 0:11:44.560,0:11:46.640 ask multiple people from various 0:11:46.640,0:11:48.720 departments and levels of authority to 0:11:48.720,0:11:51.440 ensure you are getting unique viewpoints. 0:11:51.440,0:11:53.279 This will also allow you to discover 0:11:53.279,0:11:55.279 risks that you may not have previously 0:11:55.279,0:11:57.519 considered and gain new perspectives on 0:11:57.519,0:12:00.800 how frequent or severe a risk really is. 0:12:00.800,0:12:03.839 2. Understand each risk. 
0:12:03.839,0:12:06.079 Simply naming your risks does not allow 0:12:06.079,0:12:08.560 you to build an effective risk map. 0:12:08.560,0:12:10.639 You must assess each scenario with a 0:12:10.639,0:12:12.560 strong understanding of the business and 0:12:12.560,0:12:14.800 how the risks can impact your ability to 0:12:14.800,0:12:16.639 continue operations. 0:12:16.639,0:12:18.639 Think about what is likely to cause the 0:12:18.639,0:12:20.399 risk and the consequences it will have 0:12:20.399,0:12:21.839 if it occurs. 0:12:21.839,0:12:24.079 It is also important to be consistent in 0:12:24.079,0:12:26.240 how you rank each risk in terms of 0:12:26.240,0:12:28.560 frequency and severity so that the final 0:12:28.560,0:12:30.639 product is a clear depiction of how the 0:12:30.639,0:12:32.880 risks compare to each other. 0:12:32.880,0:12:36.720 3. Seek guidance. If consulting those 0:12:36.720,0:12:39.120 within your organization isn't providing 0:12:39.120,0:12:40.959 a sufficient understanding, 0:12:40.959,0:12:43.600 look elsewhere. You can try to determine 0:12:43.600,0:12:45.839 how likely and impactful a risk will be 0:12:45.839,0:12:48.560 based on your experience and past losses, 0:12:48.560,0:12:51.040 but what if you're a start-up company? You 0:12:51.040,0:12:52.399 can ask an expert: 0:12:52.399,0:12:54.480 many insurance providers are able to 0:12:54.480,0:12:56.800 assist with risk management tools, 0:12:56.800,0:12:59.279 and if not, they can likely suggest 0:12:59.279,0:13:00.639 someone who can. 0:13:00.639,0:13:02.240 You can also look at similar 0:13:02.240,0:13:04.720 organizations and industry statistics to 0:13:04.720,0:13:07.279 help guide your risk ranking. 0:13:07.279,0:13:10.320 4. Revisit and modify. 0:13:10.320,0:13:12.160 You've built your risk map and are now 0:13:12.160,0:13:14.639 using it to help manage and mitigate- 0:13:14.639,0:13:17.040 great! 
But it's important to remember 0:13:17.040,0:13:19.360 that your risk landscape is constantly 0:13:19.360,0:13:20.399 changing. 0:13:20.399,0:13:22.320 Revisit your rankings with the risk 0:13:22.320,0:13:23.839 management team at least 0:13:23.839,0:13:26.240 quarterly, to discuss if the status of 0:13:26.240,0:13:28.800 any existing risks has changed or if any 0:13:28.800,0:13:31.360 new risks should be placed on the map. 0:13:31.360,0:13:33.760 Doing so will ensure that your risk map 0:13:33.760,0:13:35.920 is a consistently helpful tool that will 0:13:35.920,0:13:36.959 help you reduce 0:13:36.959,0:13:40.399 incidents and costs. Major Ways to Use 0:13:40.399,0:13:43.519 Risk Heat Maps by Organizations. 0:13:43.519,0:13:45.519 Where charts have to be interpreted and 0:13:45.519,0:13:47.199 tables have to be understood, 0:13:47.199,0:13:49.279 heat maps are self-explanatory and 0:13:49.279,0:13:50.480 intuitive. 0:13:50.480,0:13:52.240 Because they are tailor-made for putting 0:13:52.240,0:13:54.720 massive data sets into a context that's 0:13:54.720,0:13:56.240 easy to understand, 0:13:56.240,0:13:58.079 they are increasingly valued as a 0:13:58.079,0:14:00.480 superior data visualization tool in 0:14:00.480,0:14:02.959 cybersecurity for identifying, 0:14:02.959,0:14:06.160 prioritizing, and mitigating risks. 0:14:06.160,0:14:08.560 Here are three major ways to use risk 0:14:08.560,0:14:09.600 heat maps by 0:14:09.600,0:14:13.760 organizations: 1. Risk impact heat map to 0:14:13.760,0:14:15.519 show the likelihood of a risk event 0:14:15.519,0:14:16.000 happening 0:14:16.000,0:14:18.079 vs. business impact of that 0:14:18.079,0:14:19.360 event. 0:14:19.360,0:14:21.680 Risk is the product of breach likelihood 0:14:21.680,0:14:23.279 and breach impact. 0:14:23.279,0:14:25.760 In this type of heat map, the horizontal 0:14:25.760,0:14:27.817 axis shows the likelihood of a 0:14:27.817,0:14:29.519 cybersecurity breach. 
0:14:29.519,0:14:31.839 The vertical axis shows the business 0:14:31.839,0:14:33.440 impact of a breach. 0:14:33.440,0:14:36.320 The colors are risk areas, for example, 0:14:36.320,0:14:38.560 green-colored boxes indicate no 0:14:38.560,0:14:40.959 action needed and red boxes indicate 0:14:40.959,0:14:42.639 immediate action needed. 0:14:42.639,0:14:44.639 The individual risk items are then 0:14:44.639,0:14:46.639 plotted on the heat map based upon the 0:14:46.639,0:14:48.800 Business Impact and Likelihood of breach 0:14:48.800,0:14:49.760 happening. 0:14:49.760,0:14:52.399 This can be computed as follows: Risk is 0:14:52.399,0:14:56.000 equal to impact times likelihood. 0:14:56.000,0:14:58.800 2. Comparing breach likelihood across 0:14:58.800,0:14:59.760 different business 0:14:59.760,0:15:02.959 areas. Risk heat maps can be used by an 0:15:02.959,0:15:04.959 organization to compare breach 0:15:04.959,0:15:06.880 likelihood across different business 0:15:06.880,0:15:07.839 areas. 0:15:07.839,0:15:10.320 Here is an example of a heat map that IT 0:15:10.320,0:15:12.399 can use to compare breach likelihood 0:15:12.399,0:15:13.199 across different 0:15:13.199,0:15:16.000 areas or groups. Such charts can be 0:15:16.000,0:15:18.079 created for multiple types of risk 0:15:18.079,0:15:18.639 groups- 0:15:18.639,0:15:22.320 asset types, locations, business units, 0:15:22.320,0:15:25.680 and more. 3. Mapping information 0:15:25.680,0:15:26.560 technology 0:15:26.560,0:15:29.199 (IT) asset inventory by type and risk 0:15:29.199,0:15:32.320 associated with each of those categories. 0:15:32.320,0:15:34.320 Risk heat maps can be used by an 0:15:34.320,0:15:35.920 organization for mapping IT 0:15:35.920,0:15:38.480 asset inventory based on the type of IT 0:15:38.480,0:15:40.880 asset inventory and risk associated with 0:15:40.880,0:15:42.720 each of those categories. 
0:15:42.720,0:15:45.279 Here is an example of a heat map that IT 0:15:45.279,0:15:46.639 can use to map IT 0:15:46.639,0:15:48.639 asset inventory by type and risk 0:15:48.639,0:15:51.759 associated with each of those categories. 0:15:51.759,0:15:54.639 How to Create or Build a Risk Map. For 0:15:54.639,0:15:56.399 the heat map to be insightful and 0:15:56.399,0:15:57.440 comprehensive, 0:15:57.440,0:15:59.920 it should be created using accurate and 0:15:59.920,0:16:01.519 complete information. 0:16:01.519,0:16:03.839 Identification of inherent risks is the 0:16:03.839,0:16:06.480 first step in creating a risk map. 0:16:06.480,0:16:08.720 Risks can be broadly categorized into 0:16:08.720,0:16:10.079 strategic risk, 0:16:10.079,0:16:12.880 compliance risk, operational risk, 0:16:12.880,0:16:15.519 financial risk, and reputational risk, 0:16:15.519,0:16:17.839 but organizations should aim to chart 0:16:17.839,0:16:19.519 their own lists by taking into 0:16:19.519,0:16:21.839 consideration specific factors that 0:16:21.839,0:16:23.759 might affect them financially. 0:16:23.759,0:16:26.480 Once the risks have been identified, it 0:16:26.480,0:16:28.720 is necessary to understand what kind of 0:16:28.720,0:16:31.040 internal or external events are driving 0:16:31.040,0:16:32.240 the risks. 0:16:32.240,0:16:34.079 The next step in risk mapping is 0:16:34.079,0:16:36.800 evaluating the risks: estimating the 0:16:36.800,0:16:37.680 frequency, 0:16:37.680,0:16:39.519 the potential impact and possible 0:16:39.519,0:16:42.480 control processes to offset the risks. 0:16:42.480,0:16:45.279 The risks should then be prioritized. The 0:16:45.279,0:16:47.680 most impactful risks can be managed by 0:16:47.680,0:16:49.839 applying control processes to help 0:16:49.839,0:16:52.079 lessen their potential occurrence. 0:16:52.079,0:16:54.160 As threats evolve and vulnerabilities 0:16:54.160,0:16:57.040 change, a risk map must be re-evaluated 0:16:57.040,0:16:58.320 periodically. 
0:16:58.320,0:17:00.560 Organizations also must review their 0:17:00.560,0:17:03.120 risk maps regularly to ensure key risks 0:17:03.120,0:17:04.079 are being managed 0:17:04.079,0:17:07.199 effectively. For example, let us briefly 0:17:07.199,0:17:09.159 consider how a firm can build a 0:17:09.159,0:17:10.799 cyber risk heat map. 0:17:10.799,0:17:13.039 Cybersecurity heat maps involve an 0:17:13.039,0:17:14.959 extensive and disciplined assessment 0:17:14.959,0:17:16.400 process at the back end, 0:17:16.400,0:17:17.839 in order to present a simple 0:17:17.839,0:17:20.160 visualization of risks and recommended 0:17:20.160,0:17:22.000 actions at the front end. 0:17:22.000,0:17:24.079 The heat map is an essential and useful 0:17:24.079,0:17:26.559 output of your overall cybersecurity 0:17:26.559,0:17:28.960 assessment and vulnerability management 0:17:28.960,0:17:31.760 process. With a rapidly increasing attack 0:17:31.760,0:17:32.480 surface, 0:17:32.480,0:17:34.799 the first step is to accurately measure 0:17:34.799,0:17:37.120 a cyber risk attack surface. 0:17:37.120,0:17:39.360 This means getting complete visibility 0:17:39.360,0:17:40.640 into all your IT 0:17:40.640,0:17:44.000 assets (devices, apps, and users) 0:17:44.000,0:17:46.080 and then continuously monitoring them 0:17:46.080,0:17:48.559 across all 200+ attack vectors in 0:17:48.559,0:17:50.400 adversaries' arsenals. 0:17:50.400,0:17:53.360 The company, therefore, needs to regularly 0:17:53.360,0:17:56.000 analyze the observations to derive risk 0:17:56.000,0:17:57.120 insights. 0:17:57.120,0:17:58.960 This is a layered calculation that 0:17:58.960,0:18:01.360 involves incorporating information about 0:18:01.360,0:18:03.919 threats, vulnerabilities, mitigating 0:18:03.919,0:18:04.720 actions, 0:18:04.720,0:18:07.840 business criticality, impact elasticity, 0:18:07.840,0:18:11.039 and time-to-repair. Conclusion. 
0:18:11.039,0:18:13.200 Risk mapping in risk management has been 0:18:13.200,0:18:15.039 discussed in this video. 0:18:15.039,0:18:17.600 A risk map (or risk heat map) is a 0:18:17.600,0:18:19.840 graphical representation of cyber risk 0:18:19.840,0:18:21.760 data where the individual values 0:18:21.760,0:18:23.919 contained in a matrix are represented as 0:18:23.919,0:18:25.760 colors that connote meaning. 0:18:25.760,0:18:28.240 Risk heat maps are used to present cyber 0:18:28.240,0:18:30.039 risk assessment results in an 0:18:30.039,0:18:31.440 easy-to-understand, 0:18:31.440,0:18:34.160 visually attractive and concise format. 0:18:34.160,0:18:36.720 Risk maps can be used by an organization 0:18:36.720,0:18:39.360 to improve its risk management culture. 0:18:39.360,0:18:42.000 Risk maps can, therefore, assist to 0:18:42.000,0:18:44.480 enhance understanding and prioritization 0:18:44.480,0:18:46.960 of a firm's risk management system. 0:18:46.960,0:18:49.200 In short, heat maps present a very 0:18:49.200,0:18:51.520 complex set of facts in an easily 0:18:51.520,0:18:53.120 digestible way. 0:18:53.120,0:18:55.440 This helps organizations to enhance 0:18:55.440,0:18:56.240 their resilience 0:18:56.240,0:18:58.080 in the highly challenging business 0:18:58.080,0:18:59.600 environment. 0:18:59.600,0:19:01.280 Hope the video is educative and 0:19:01.280,0:19:02.799 beneficial to you. 0:19:02.799,0:19:05.039 Which aspect of the risk mapping in risk 0:19:05.039,0:19:07.120 management discussed in this video do 0:19:07.120,0:19:09.120 you consider to be more relevant in your 0:19:09.120,0:19:10.400 organization? 0:19:10.400,0:19:12.640 Please post your answer to this question 0:19:12.640,0:19:14.559 in the comment section below. 0:19:14.559,0:19:16.559 If this video has been helpful and 0:19:16.559,0:19:17.919 beneficial to you, 0:19:17.919,0:19:20.000 then give it a thumbs up and share it 0:19:20.000,0:19:21.520 with your friends. 