1 00:00:00,080 --> 00:00:03,040 Risk Mapping in Risk Management. Welcome 2 00:00:03,040 --> 00:00:05,040 to the Risk Management of Everything 3 00:00:05,040 --> 00:00:07,759 channel. On this channel, you will find 4 00:00:07,759 --> 00:00:09,679 videos on risk management and the 5 00:00:09,679 --> 00:00:11,440 application of risk management to 6 00:00:11,440 --> 00:00:13,759 diverse areas and sectors. 7 00:00:13,759 --> 00:00:15,839 If you are new here, please consider 8 00:00:15,839 --> 00:00:17,760 subscribing to our channel and press the 9 00:00:17,760 --> 00:00:19,840 notification button so you can be 10 00:00:19,840 --> 00:00:22,800 notified when we upload new videos. 11 00:00:22,800 --> 00:00:25,279 Thank you. Risk mapping in risk 12 00:00:25,279 --> 00:00:28,000 management is discussed in this video. 13 00:00:28,000 --> 00:00:30,480 In this video, we'll discuss how a risk 14 00:00:30,480 --> 00:00:32,719 map can be used by an organization to 15 00:00:32,719 --> 00:00:34,200 manage its risks in an 16 00:00:34,200 --> 00:00:35,360 easy-to-understand 17 00:00:35,360 --> 00:00:38,719 way. Now, let us start. 18 00:00:38,719 --> 00:00:41,200 Meaning of a Risk. Risk is the 19 00:00:41,200 --> 00:00:43,680 uncertainty of a financial loss. 20 00:00:43,680 --> 00:00:45,520 A risk exists where there is an 21 00:00:45,520 --> 00:00:48,079 opportunity for a profit or a loss. 22 00:00:48,079 --> 00:00:50,480 In terms of losses, we commonly refer to 23 00:00:50,480 --> 00:00:52,559 the risks as exposures to loss, 24 00:00:52,559 --> 00:00:56,399 or simply exposures. Fire is an exposure. 25 00:00:56,399 --> 00:00:58,879 Defective products or defamation are 26 00:00:58,879 --> 00:01:00,800 liability exposures. 27 00:01:00,800 --> 00:01:02,800 The loss of business that results from a 28 00:01:02,800 --> 00:01:05,280 damaged building or tarnished reputation 29 00:01:05,280 --> 00:01:08,400 is also an exposure. 
Risks can come from 30 00:01:08,400 --> 00:01:10,880 various sources including uncertainty in 31 00:01:10,880 --> 00:01:12,400 international markets, 32 00:01:12,400 --> 00:01:14,880 threats from project failures (at any 33 00:01:14,880 --> 00:01:16,240 phase in design, 34 00:01:16,240 --> 00:01:18,880 development, production, or sustaining of 35 00:01:18,880 --> 00:01:20,080 life-cycles), 36 00:01:20,080 --> 00:01:23,520 legal liabilities, credit risk, accidents, 37 00:01:23,520 --> 00:01:26,240 natural causes and disasters, deliberate 38 00:01:26,240 --> 00:01:27,040 attack from an 39 00:01:27,040 --> 00:01:29,360 adversary, or events of uncertain or 40 00:01:29,360 --> 00:01:31,520 unpredictable root-cause. 41 00:01:31,520 --> 00:01:33,840 There are two types of events which are: 42 00:01:33,840 --> 00:01:34,640 (1) 43 00:01:34,640 --> 00:01:36,720 negative events which can be classified 44 00:01:36,720 --> 00:01:38,400 as risks or threats; 45 00:01:38,400 --> 00:01:40,960 and (2) positive events that may be 46 00:01:40,960 --> 00:01:43,439 classified as opportunities. 47 00:01:43,439 --> 00:01:46,640 What is Risk Management? Risk management 48 00:01:46,640 --> 00:01:48,880 is the process of identification, 49 00:01:48,880 --> 00:01:51,600 analysis, and acceptance or mitigation of 50 00:01:51,600 --> 00:01:54,479 uncertainty in investment decisions. 51 00:01:54,479 --> 00:01:56,799 Organizations face many risks and they 52 00:01:56,799 --> 00:01:58,560 must decide where to focus their 53 00:01:58,560 --> 00:02:00,479 mitigation resources. 54 00:02:00,479 --> 00:02:03,439 To handle or manage risks, organizations 55 00:02:03,439 --> 00:02:05,520 usually have the options to avoid, 56 00:02:05,520 --> 00:02:08,639 control, accept, or transfer risk. 
The 57 00:02:08,639 --> 00:02:11,120 adverse effects of risk can be objective 58 00:02:11,120 --> 00:02:13,760 or quantifiable like insurance premiums 59 00:02:13,760 --> 00:02:15,200 and claims costs, 60 00:02:15,200 --> 00:02:17,520 or subjective and difficult to quantify 61 00:02:17,520 --> 00:02:19,520 such as damage to reputation or 62 00:02:19,520 --> 00:02:21,360 decreased productivity. 63 00:02:21,360 --> 00:02:23,360 By focusing attention on risk and 64 00:02:23,360 --> 00:02:25,360 committing the necessary resources to 65 00:02:25,360 --> 00:02:27,440 control and mitigate risk, 66 00:02:27,440 --> 00:02:29,440 a business will protect itself from 67 00:02:29,440 --> 00:02:30,560 uncertainty, 68 00:02:30,560 --> 00:02:33,360 reduce costs, and increase the likelihood 69 00:02:33,360 --> 00:02:36,000 of business continuity and success. 70 00:02:36,000 --> 00:02:38,560 Meanwhile, a risk map can be used as a 71 00:02:38,560 --> 00:02:40,640 tool to improve the risk management 72 00:02:40,640 --> 00:02:42,879 system of an organization. 73 00:02:42,879 --> 00:02:46,480 What is a Risk Map? A risk map, also known 74 00:02:46,480 --> 00:02:47,840 as a risk heat map, 75 00:02:47,840 --> 00:02:49,920 is a data visualization tool for 76 00:02:49,920 --> 00:02:51,760 communicating specific risks an 77 00:02:51,760 --> 00:02:53,680 organization faces. 78 00:02:53,680 --> 00:02:56,000 A risk map is a graphical depiction of a 79 00:02:56,000 --> 00:02:57,840 select number of a company's risks 80 00:02:57,840 --> 00:02:59,840 designed to illustrate the impact or 81 00:02:59,840 --> 00:03:02,080 significance of risks on one axis and 82 00:03:02,080 --> 00:03:04,800 the likelihood or frequency on the other. 
83 00:03:04,800 --> 00:03:07,040 Risk mapping is used to assist in 84 00:03:07,040 --> 00:03:08,200 identifying, 85 00:03:08,200 --> 00:03:11,360 prioritizing, and quantifying (at a macro 86 00:03:11,360 --> 00:03:11,920 level) 87 00:03:11,920 --> 00:03:14,319 risks to an organization. This 88 00:03:14,319 --> 00:03:16,560 representation often takes the form of a 89 00:03:16,560 --> 00:03:18,720 two-dimensional grid with frequency 90 00:03:18,720 --> 00:03:21,599 (or likelihood of occurrence) on one axis 91 00:03:21,599 --> 00:03:22,560 and severity 92 00:03:22,560 --> 00:03:24,879 (or degree of financial impact) on the 93 00:03:24,879 --> 00:03:25,840 other axis; 94 00:03:25,840 --> 00:03:27,440 the risks that fall in the 95 00:03:27,440 --> 00:03:30,000 high-frequency/high-severity quadrant are 96 00:03:30,000 --> 00:03:32,159 given priority risk management 97 00:03:32,159 --> 00:03:34,959 attention. A risk map helps companies 98 00:03:34,959 --> 00:03:37,200 identify and prioritize the risks 99 00:03:37,200 --> 00:03:39,280 associated with their business. 100 00:03:39,280 --> 00:03:41,519 The goal of a risk map is to improve an 101 00:03:41,519 --> 00:03:43,840 organization's understanding of its risk 102 00:03:43,840 --> 00:03:45,280 profile and appetite, 103 00:03:45,280 --> 00:03:47,200 clarify thinking on the nature and 104 00:03:47,200 --> 00:03:48,560 impact of risks, 105 00:03:48,560 --> 00:03:50,640 and improve the organization's risk 106 00:03:50,640 --> 00:03:52,080 assessment model. 107 00:03:52,080 --> 00:03:54,480 In the enterprise, a risk map is often 108 00:03:54,480 --> 00:03:57,200 presented as a two-dimensional matrix. 109 00:03:57,200 --> 00:03:59,519 For example, the likelihood a risk will 110 00:03:59,519 --> 00:04:01,840 occur may be plotted on the x-axis, 111 00:04:01,840 --> 00:04:03,599 while the impact of the same risk is 112 00:04:03,599 --> 00:04:05,519 plotted on the y-axis. 
113 00:04:05,519 --> 00:04:07,439 A risk map is considered a critical 114 00:04:07,439 --> 00:04:09,840 component of enterprise risk management 115 00:04:09,840 --> 00:04:12,000 because it helps identify risks that 116 00:04:12,000 --> 00:04:13,599 need more attention. 117 00:04:13,599 --> 00:04:15,920 Identified risks that fall in the high-frequency 118 00:04:15,920 --> 00:04:18,238 and high-severity section can 119 00:04:18,238 --> 00:04:21,358 then be made a priority by organizations. 120 00:04:21,358 --> 00:04:23,440 If the organization is dispersed 121 00:04:23,440 --> 00:04:25,600 geographically and certain risks are 122 00:04:25,600 --> 00:04:27,919 associated with certain geographical 123 00:04:27,919 --> 00:04:28,639 areas, 124 00:04:28,639 --> 00:04:30,560 risks might be illustrated with a heat 125 00:04:30,560 --> 00:04:32,880 map, using color to illustrate the levels 126 00:04:32,880 --> 00:04:34,800 of risk to which individual branch 127 00:04:34,800 --> 00:04:36,960 offices are exposed. 128 00:04:36,960 --> 00:04:40,160 Why it's Important to Create a Risk Map? 129 00:04:40,160 --> 00:04:42,240 A risk map offers a visualized, 130 00:04:42,240 --> 00:04:44,400 comprehensive view of the likelihood and 131 00:04:44,400 --> 00:04:47,199 impact of an organization's risks. 132 00:04:47,199 --> 00:04:49,600 This helps the organization improve risk 133 00:04:49,600 --> 00:04:51,440 management and risk governance by 134 00:04:51,440 --> 00:04:54,479 prioritizing risk management efforts. 135 00:04:54,479 --> 00:04:57,199 This risk prioritization enables them to 136 00:04:57,199 --> 00:04:59,040 focus time and money on the most 137 00:04:59,040 --> 00:05:01,520 potentially damaging risks identified in 138 00:05:01,520 --> 00:05:02,320 a heat map 139 00:05:02,320 --> 00:05:05,160 chart. 
A risk map also facilitates 140 00:05:05,160 --> 00:05:07,360 interdepartmental dialogues about an 141 00:05:07,360 --> 00:05:09,199 organization's inherent risks and 142 00:05:09,199 --> 00:05:11,039 promotes communication about 143 00:05:11,039 --> 00:05:13,600 risks throughout the organization. It 144 00:05:13,600 --> 00:05:16,240 helps organizations visualize risks in 145 00:05:16,240 --> 00:05:17,680 relation to each other, 146 00:05:17,680 --> 00:05:19,280 and it guides the development of a 147 00:05:19,280 --> 00:05:21,280 control assessment of how to deal with 148 00:05:21,280 --> 00:05:23,280 the risks and the consequence of those 149 00:05:23,280 --> 00:05:24,639 risks. 150 00:05:24,639 --> 00:05:27,680 Benefits of Using Risk Heat Maps. 151 00:05:27,680 --> 00:05:29,759 Risk heat maps can offer significant 152 00:05:29,759 --> 00:05:32,160 benefits to organizations. 153 00:05:32,160 --> 00:05:34,080 Here are some of the benefits of using 154 00:05:34,080 --> 00:05:37,759 risk heat maps by an organization: 155 00:05:37,759 --> 00:05:40,639 A visual, big picture, holistic view that 156 00:05:40,639 --> 00:05:42,400 can be shared to make strategic 157 00:05:42,400 --> 00:05:44,479 decisions; 158 00:05:44,479 --> 00:05:46,320 Improved management of risks and 159 00:05:46,320 --> 00:05:48,160 governance of the risk management 160 00:05:48,160 --> 00:05:50,160 process; 161 00:05:50,160 --> 00:05:52,479 Increased focus on risk appetite and the 162 00:05:52,479 --> 00:05:55,440 risk tolerance of the company; 163 00:05:55,440 --> 00:05:57,360 More precision in the risk assessment 164 00:05:57,360 --> 00:05:59,360 and mitigation process; 165 00:05:59,360 --> 00:06:02,639 and Greater integration of risk 166 00:06:02,639 --> 00:06:05,600 management actions across the enterprise. 167 00:06:05,600 --> 00:06:07,919 The Importance of Risk Mapping Business 168 00:06:07,919 --> 00:06:09,600 Organizations. 
169 00:06:09,600 --> 00:06:11,680 Why should your organization be using 170 00:06:11,680 --> 00:06:13,440 risk maps? 171 00:06:13,440 --> 00:06:15,759 Building a risk map brings valuable 172 00:06:15,759 --> 00:06:16,960 benefits. 173 00:06:16,960 --> 00:06:18,720 You will have a thorough understanding 174 00:06:18,720 --> 00:06:20,160 of your risk environment 175 00:06:20,160 --> 00:06:22,400 and how individual risks compare to one 176 00:06:22,400 --> 00:06:23,199 another. 177 00:06:23,199 --> 00:06:25,199 You can use this to strategically 178 00:06:25,199 --> 00:06:27,280 prioritize your risks and determine 179 00:06:27,280 --> 00:06:29,759 where to use your limited resources. 180 00:06:29,759 --> 00:06:32,319 The map can help the company visualize 181 00:06:32,319 --> 00:06:33,919 how risks in one part of the 182 00:06:33,919 --> 00:06:36,160 organization can affect operations of 183 00:06:36,160 --> 00:06:37,759 another business unit within the 184 00:06:37,759 --> 00:06:39,039 organization. 185 00:06:39,039 --> 00:06:41,360 A risk map also adds precision to an 186 00:06:41,360 --> 00:06:43,919 organization's risk assessment strategy 187 00:06:43,919 --> 00:06:44,160 and 188 00:06:44,160 --> 00:06:46,560 identifies gaps in an organization's 189 00:06:46,560 --> 00:06:48,800 risk management processes. 190 00:06:48,800 --> 00:06:50,720 A risk map is built by plotting the 191 00:06:50,720 --> 00:06:53,120 frequency of a risk on the y-axis of the 192 00:06:53,120 --> 00:06:56,000 chart and the severity on the x-axis. 193 00:06:56,000 --> 00:06:58,080 Frequency is how likely the risk is or 194 00:06:58,080 --> 00:07:00,240 how often you think it will occur; 195 00:07:00,240 --> 00:07:02,319 severity is how much of an impact it 196 00:07:02,319 --> 00:07:04,000 would have if it did occur. 
197 00:07:04,000 --> 00:07:05,840 The higher a risk ranks for these 198 00:07:05,840 --> 00:07:08,000 qualities, the more threatening it is to 199 00:07:08,000 --> 00:07:09,759 your organization. 200 00:07:09,759 --> 00:07:12,560 The most severe and frequent risks, your 201 00:07:12,560 --> 00:07:13,840 primary risks, 202 00:07:13,840 --> 00:07:15,360 are critical and would hinder your 203 00:07:15,360 --> 00:07:17,440 ability to conduct business. 204 00:07:17,440 --> 00:07:20,080 Risks that are severe but unlikely, that 205 00:07:20,080 --> 00:07:22,240 is your "detect and monitor" risks, 206 00:07:22,240 --> 00:07:24,080 are those risks that should be watched 207 00:07:24,080 --> 00:07:26,319 but don't require heavy mitigation 208 00:07:26,319 --> 00:07:27,520 strategies. 209 00:07:27,520 --> 00:07:29,440 Risks that are highly likely but 210 00:07:29,440 --> 00:07:32,000 insignificant, your monitor risks, 211 00:07:32,000 --> 00:07:34,400 will not impact your ability to continue 212 00:07:34,400 --> 00:07:35,759 operations. 213 00:07:35,759 --> 00:07:37,919 Finally, the risks that are low in both 214 00:07:37,919 --> 00:07:39,520 frequency and severity, 215 00:07:39,520 --> 00:07:42,400 your low control risks, can be revisited 216 00:07:42,400 --> 00:07:44,080 on a yearly basis to ensure 217 00:07:44,080 --> 00:07:46,960 the risk remains low. Risk maps are a 218 00:07:46,960 --> 00:07:48,560 valuable tool as they assist 219 00:07:48,560 --> 00:07:50,560 organizations to: 220 00:07:50,560 --> 00:07:53,919 1. Understand the risk environment. 221 00:07:53,919 --> 00:07:56,080 Risk management begins with building a 222 00:07:56,080 --> 00:07:58,319 list of all risks your organization 223 00:07:58,319 --> 00:08:01,520 faces. Depending on your industry, this 224 00:08:01,520 --> 00:08:03,440 number could range from a handful to 225 00:08:03,440 --> 00:08:04,479 hundreds. 
226 00:08:04,479 --> 00:08:06,400 Risk mapping is beneficial because it 227 00:08:06,400 --> 00:08:07,680 requires you to assess 228 00:08:07,680 --> 00:08:09,440 each risk and its causes and 229 00:08:09,440 --> 00:08:11,520 consequences individually. 230 00:08:11,520 --> 00:08:13,840 It also allows you to look at your risk 231 00:08:13,840 --> 00:08:15,840 environment as a whole and understand 232 00:08:15,840 --> 00:08:18,720 how frequencies and severities compare. 233 00:08:18,720 --> 00:08:20,879 Finally, a risk map is a visual that 234 00:08:20,879 --> 00:08:23,440 anyone in your organization can use to 235 00:08:23,440 --> 00:08:25,440 see the big picture of risks most 236 00:08:25,440 --> 00:08:26,000 prominent 237 00:08:26,000 --> 00:08:29,360 in your industry or workplace. 2. 238 00:08:29,360 --> 00:08:32,479 Prioritize mitigation strategies. 239 00:08:32,479 --> 00:08:35,039 With limited resources, it's important to 240 00:08:35,039 --> 00:08:38,080 be strategic about mitigation techniques. 241 00:08:38,080 --> 00:08:40,080 Risk mapping allows you to determine 242 00:08:40,080 --> 00:08:41,919 what steps to take first: 243 00:08:41,919 --> 00:08:44,000 implement prevention tactics for the 244 00:08:44,000 --> 00:08:46,080 most frequent and severe risks before 245 00:08:46,080 --> 00:08:47,600 moving onto others. 246 00:08:47,600 --> 00:08:50,080 This prioritization method ensures that 247 00:08:50,080 --> 00:08:52,000 you address the risks that have the most 248 00:08:52,000 --> 00:08:53,839 potential to cause harm to your 249 00:08:53,839 --> 00:08:55,440 organization. 250 00:08:55,440 --> 00:08:58,959 3. Allocate limited resources. 251 00:08:58,959 --> 00:09:01,279 Whether your organization consists of 252 00:09:01,279 --> 00:09:03,360 2 employees or 2,000, 253 00:09:03,360 --> 00:09:06,240 risk managers have limited resources. 
254 00:09:06,240 --> 00:09:08,320 Risk mapping allows you to use them to 255 00:09:08,320 --> 00:09:10,399 prevent primary risks. 256 00:09:10,399 --> 00:09:12,880 D&M risks should be revisited several 257 00:09:12,880 --> 00:09:14,959 times a year to ensure appropriate 258 00:09:14,959 --> 00:09:16,240 management. 259 00:09:16,240 --> 00:09:18,640 Similarly, monitor risks typically only 260 00:09:18,640 --> 00:09:20,560 need to be checked yearly to ensure 261 00:09:20,560 --> 00:09:23,279 their potential impact hasn't grown. 262 00:09:23,279 --> 00:09:25,760 Finally, by figuring out which risks are 263 00:09:25,760 --> 00:09:26,800 low control, 264 00:09:26,800 --> 00:09:28,720 you will know where not to spend time 265 00:09:28,720 --> 00:09:29,839 and money. 266 00:09:29,839 --> 00:09:32,480 However, keep in mind that no risk can be 267 00:09:32,480 --> 00:09:33,839 completely ignored: 268 00:09:33,839 --> 00:09:35,839 make sure you still consider these in 269 00:09:35,839 --> 00:09:37,920 future assessments and ensure that the 270 00:09:37,920 --> 00:09:40,959 low-risk status has not changed. 271 00:09:40,959 --> 00:09:44,720 4. Receive better insurance premiums. 272 00:09:44,720 --> 00:09:47,040 Risk maps can also help your 273 00:09:47,040 --> 00:09:48,480 organization in becoming an 274 00:09:48,480 --> 00:09:49,680 international standard 275 00:09:49,680 --> 00:09:52,720 organization (ISO) certified, 276 00:09:52,720 --> 00:09:54,160 as it shows that you have an 277 00:09:54,160 --> 00:09:56,240 understanding of your risk environment 278 00:09:56,240 --> 00:09:59,040 and a strategic plan for moving forward. 279 00:09:59,040 --> 00:10:00,880 This can also help you receive 280 00:10:00,880 --> 00:10:03,360 competitive insurance premiums. 281 00:10:03,360 --> 00:10:05,519 Insurers are looking for good risk, or 282 00:10:05,519 --> 00:10:07,440 companies they believe will have minimal 283 00:10:07,440 --> 00:10:08,720 losses. 
284 00:10:08,720 --> 00:10:12,000 Key Considerations for Risk Heat Maps. 285 00:10:12,000 --> 00:10:14,160 To develop an effective cybersecurity 286 00:10:14,160 --> 00:10:15,279 risk heat map, 287 00:10:15,279 --> 00:10:18,560 consider these critical elements: 288 00:10:18,560 --> 00:10:20,720 What are your most critical systems and 289 00:10:20,720 --> 00:10:22,320 information assets 290 00:10:22,320 --> 00:10:25,920 (those you want to map)? How accurate is 291 00:10:25,920 --> 00:10:29,200 the data and where is it coming from? 292 00:10:29,200 --> 00:10:31,600 What is your organization's appetite for 293 00:10:31,600 --> 00:10:33,360 risk? 294 00:10:33,360 --> 00:10:35,360 What categories and levels of impact 295 00:10:35,360 --> 00:10:37,040 would be considered material, 296 00:10:37,040 --> 00:10:40,079 for example, monetary, brand reputation, 297 00:10:40,079 --> 00:10:42,959 and other related impacts? 298 00:10:42,959 --> 00:10:45,360 What is the range of acceptable variance 299 00:10:45,360 --> 00:10:47,440 from your key performance and operating 300 00:10:47,440 --> 00:10:48,399 metrics? 301 00:10:48,399 --> 00:10:51,680 And how will you define terms to 302 00:10:51,680 --> 00:10:53,760 integrate potential risk events with 303 00:10:53,760 --> 00:10:55,200 your heat map? 304 00:10:55,200 --> 00:10:58,240 How to Build a Risk Map. A risk map is 305 00:10:58,240 --> 00:11:00,079 built by plotting the frequency of a 306 00:11:00,079 --> 00:11:02,240 risk on the y-axis of the chart and the 307 00:11:02,240 --> 00:11:04,480 severity on the x-axis. 308 00:11:04,480 --> 00:11:06,640 Frequency is how likely the risk is or 309 00:11:06,640 --> 00:11:08,720 how often you think it will occur. 310 00:11:08,720 --> 00:11:10,880 Severity is how much of an impact it 311 00:11:10,880 --> 00:11:12,480 would have if it did happen. 
312 00:11:12,480 --> 00:11:14,320 The higher a risk ranks for these 313 00:11:14,320 --> 00:11:16,480 qualities, the more threatening it is to 314 00:11:16,480 --> 00:11:18,079 your organization. 315 00:11:18,079 --> 00:11:20,320 Let us discuss tips on how to build a 316 00:11:20,320 --> 00:11:21,760 risk map. 317 00:11:21,760 --> 00:11:23,680 Here are four tips on how to build a 318 00:11:23,680 --> 00:11:25,200 risk map: 319 00:11:25,200 --> 00:11:28,000 1. Involve people from all parts of 320 00:11:28,000 --> 00:11:29,760 your organization. 321 00:11:29,760 --> 00:11:31,680 Risk mapping is not a process that 322 00:11:31,680 --> 00:11:34,079 should be conducted by one person. 323 00:11:34,079 --> 00:11:36,240 Every person in your business, from the 324 00:11:36,240 --> 00:11:37,839 CEO to the intern, 325 00:11:37,839 --> 00:11:39,680 will have different ideas about what 326 00:11:39,680 --> 00:11:41,600 risks are most prevalent to your 327 00:11:41,600 --> 00:11:44,560 industry. You cannot involve everyone, but 328 00:11:44,560 --> 00:11:46,640 ask multiple people from various 329 00:11:46,640 --> 00:11:48,720 departments and levels of authority to 330 00:11:48,720 --> 00:11:51,440 ensure you are getting unique viewpoints. 331 00:11:51,440 --> 00:11:53,279 This will also allow you to discover 332 00:11:53,279 --> 00:11:55,279 risks that you may not have previously 333 00:11:55,279 --> 00:11:57,519 considered and gain new perspectives on 334 00:11:57,519 --> 00:12:00,800 how frequent or severe a risk really is. 335 00:12:00,800 --> 00:12:03,839 2. Understand each risk. 336 00:12:03,839 --> 00:12:06,079 Simply naming your risks does not allow 337 00:12:06,079 --> 00:12:08,560 you to build an effective risk map. 
338 00:12:08,560 --> 00:12:10,639 You must assess each scenario with a 339 00:12:10,639 --> 00:12:12,560 strong understanding of the business and 340 00:12:12,560 --> 00:12:14,800 how the risks can impact your ability to 341 00:12:14,800 --> 00:12:16,639 continue operations. 342 00:12:16,639 --> 00:12:18,639 Think about what is likely to cause the 343 00:12:18,639 --> 00:12:20,399 risk and the consequences it will have 344 00:12:20,399 --> 00:12:21,839 if it occurs. 345 00:12:21,839 --> 00:12:24,079 It is also important to be consistent in 346 00:12:24,079 --> 00:12:26,240 how you rank each risk in terms of 347 00:12:26,240 --> 00:12:28,560 frequency and severity so that the final 348 00:12:28,560 --> 00:12:30,639 product is a clear depiction of how the 349 00:12:30,639 --> 00:12:32,880 risks compare to each other. 350 00:12:32,880 --> 00:12:36,720 3. Seek guidance. If consulting those 351 00:12:36,720 --> 00:12:39,120 within your organization isn't providing 352 00:12:39,120 --> 00:12:40,959 a sufficient understanding, 353 00:12:40,959 --> 00:12:43,600 look elsewhere. You can try to determine 354 00:12:43,600 --> 00:12:45,839 how likely and impactful a risk will be 355 00:12:45,839 --> 00:12:48,560 based on your experience and past losses, 356 00:12:48,560 --> 00:12:51,040 but what if you're a start-up company? You 357 00:12:51,040 --> 00:12:52,399 can ask an expert: 358 00:12:52,399 --> 00:12:54,480 many insurance providers are able to 359 00:12:54,480 --> 00:12:56,800 assist with risk management tools, 360 00:12:56,800 --> 00:12:59,279 and if not, they can likely suggest 361 00:12:59,279 --> 00:13:00,639 someone who can. 362 00:13:00,639 --> 00:13:02,240 You can also look at similar 363 00:13:02,240 --> 00:13:04,720 organizations and industry statistics to 364 00:13:04,720 --> 00:13:07,279 help guide your risk ranking. 365 00:13:07,279 --> 00:13:10,320 4. Revisit and modify. 
366 00:13:10,320 --> 00:13:12,160 You've built your risk map and are now 367 00:13:12,160 --> 00:13:14,639 using it to help manage and mitigate- 368 00:13:14,639 --> 00:13:17,040 great! But it's important to remember 369 00:13:17,040 --> 00:13:19,360 that your risk landscape is constantly 370 00:13:19,360 --> 00:13:20,399 changing. 371 00:13:20,399 --> 00:13:22,320 Revisit your rankings with the risk 372 00:13:22,320 --> 00:13:23,839 management team at least 373 00:13:23,839 --> 00:13:26,240 quarterly, to discuss if the status of 374 00:13:26,240 --> 00:13:28,800 any existing risks has changed or if any 375 00:13:28,800 --> 00:13:31,360 new risks should be placed on the map. 376 00:13:31,360 --> 00:13:33,760 Doing so will ensure that your risk map 377 00:13:33,760 --> 00:13:35,920 is a consistently helpful tool that will 378 00:13:35,920 --> 00:13:36,959 help you reduce 379 00:13:36,959 --> 00:13:40,399 incidents and costs. Major Ways to Use 380 00:13:40,399 --> 00:13:43,519 Risk Heat Maps by Organizations. 381 00:13:43,519 --> 00:13:45,519 Where charts have to be interpreted and 382 00:13:45,519 --> 00:13:47,199 tables have to be understood, 383 00:13:47,199 --> 00:13:49,279 heat maps are self-explanatory and 384 00:13:49,279 --> 00:13:50,480 intuitive. 385 00:13:50,480 --> 00:13:52,240 Because they are tailor-made for putting 386 00:13:52,240 --> 00:13:54,720 massive data sets into a context that's 387 00:13:54,720 --> 00:13:56,240 easy to understand, 388 00:13:56,240 --> 00:13:58,079 they are increasingly valued as a 389 00:13:58,079 --> 00:14:00,480 superior data visualization tool in 390 00:14:00,480 --> 00:14:02,959 cybersecurity for identifying, 391 00:14:02,959 --> 00:14:06,160 prioritizing, and mitigating risks. 392 00:14:06,160 --> 00:14:08,560 Here are three major ways to use risk 393 00:14:08,560 --> 00:14:09,600 heat maps by 394 00:14:09,600 --> 00:14:13,760 organizations: 1. 
Risk impact heat map to 395 00:14:13,760 --> 00:14:15,519 show the likelihood of a risk event 396 00:14:15,519 --> 00:14:16,000 happening 397 00:14:16,000 --> 00:14:18,079 vs. business impact of such an 398 00:14:18,079 --> 00:14:19,360 event. 399 00:14:19,360 --> 00:14:21,680 Risk is the product of breach likelihood 400 00:14:21,680 --> 00:14:23,279 and breach impact. 401 00:14:23,279 --> 00:14:25,760 In this type of heat map, the horizontal 402 00:14:25,760 --> 00:14:27,817 axis shows the likelihood of a 403 00:14:27,817 --> 00:14:29,519 cybersecurity breach. 404 00:14:29,519 --> 00:14:31,839 The vertical axis shows the business 405 00:14:31,839 --> 00:14:33,440 impact of a breach. 406 00:14:33,440 --> 00:14:36,320 The colors are risk areas, for example, 407 00:14:36,320 --> 00:14:38,560 green colored boxes indicate no 408 00:14:38,560 --> 00:14:40,959 action needed and red boxes indicate 409 00:14:40,959 --> 00:14:42,639 immediate action needed. 410 00:14:42,639 --> 00:14:44,639 The individual risk items are then 411 00:14:44,639 --> 00:14:46,639 plotted on the heat map based upon the 412 00:14:46,639 --> 00:14:48,800 Business Impact and Likelihood of breach 413 00:14:48,800 --> 00:14:49,760 happening. 414 00:14:49,760 --> 00:14:52,399 This can be computed as follows: Risk is 415 00:14:52,399 --> 00:14:56,000 equal to impact times likelihood. 416 00:14:56,000 --> 00:14:58,800 2. Comparing breach likelihood across 417 00:14:58,800 --> 00:14:59,760 different business 418 00:14:59,760 --> 00:15:02,959 areas. Risk heat maps can be used by an 419 00:15:02,959 --> 00:15:04,959 organization to compare breach 420 00:15:04,959 --> 00:15:06,880 likelihood across different business 421 00:15:06,880 --> 00:15:07,839 areas. 422 00:15:07,839 --> 00:15:10,320 Here is an example of a heat map that IT 423 00:15:10,320 --> 00:15:12,399 can use to compare breach likelihood 424 00:15:12,399 --> 00:15:13,199 across different 425 00:15:13,199 --> 00:15:16,000 areas or groups. 
Such charts can be 426 00:15:16,000 --> 00:15:18,079 created for multiple types of risk 427 00:15:18,079 --> 00:15:18,639 groups- 428 00:15:18,639 --> 00:15:22,320 asset types, locations, business units, 429 00:15:22,320 --> 00:15:25,680 and more. 3. Mapping information 430 00:15:25,680 --> 00:15:26,560 technology 431 00:15:26,560 --> 00:15:29,199 (IT) asset inventory by type and risk 432 00:15:29,199 --> 00:15:32,320 associated with each of those categories. 433 00:15:32,320 --> 00:15:34,320 Risk heat maps can be used by an 434 00:15:34,320 --> 00:15:35,920 organization for mapping IT 435 00:15:35,920 --> 00:15:38,480 asset inventory based on the type of IT 436 00:15:38,480 --> 00:15:40,880 asset inventory and risk associated with 437 00:15:40,880 --> 00:15:42,720 each of those categories. 438 00:15:42,720 --> 00:15:45,279 Here is an example of a heat map that IT 439 00:15:45,279 --> 00:15:46,639 can use to map IT 440 00:15:46,639 --> 00:15:48,639 asset inventory by type and risk 441 00:15:48,639 --> 00:15:51,759 associated with each of those categories. 442 00:15:51,759 --> 00:15:54,639 How to Create or Build a Risk Map. For 443 00:15:54,639 --> 00:15:56,399 the heat map to be insightful and 444 00:15:56,399 --> 00:15:57,440 comprehensive, 445 00:15:57,440 --> 00:15:59,920 it should be created using accurate and 446 00:15:59,920 --> 00:16:01,519 complete information. 447 00:16:01,519 --> 00:16:03,839 Identification of inherent risks is the 448 00:16:03,839 --> 00:16:06,480 first step in creating a risk map. 
449 00:16:06,480 --> 00:16:08,720 Risks can be broadly categorized into 450 00:16:08,720 --> 00:16:10,079 strategic risk, 451 00:16:10,079 --> 00:16:12,880 compliance risk, operational risk, 452 00:16:12,880 --> 00:16:15,519 financial risk, and reputational risk, 453 00:16:15,519 --> 00:16:17,839 but organizations should aim to chart 454 00:16:17,839 --> 00:16:19,519 their own lists by taking into 455 00:16:19,519 --> 00:16:21,839 consideration specific factors that 456 00:16:21,839 --> 00:16:23,759 might affect them financially. 457 00:16:23,759 --> 00:16:26,480 Once the risks have been identified, it 458 00:16:26,480 --> 00:16:28,720 is necessary to understand what kind of 459 00:16:28,720 --> 00:16:31,040 internal or external events are driving 460 00:16:31,040 --> 00:16:32,240 the risks. 461 00:16:32,240 --> 00:16:34,079 The next step in risk mapping is 462 00:16:34,079 --> 00:16:36,800 evaluating the risks: estimating the 463 00:16:36,800 --> 00:16:37,680 frequency, 464 00:16:37,680 --> 00:16:39,519 the potential impact and possible 465 00:16:39,519 --> 00:16:42,480 control processes to offset the risks. 466 00:16:42,480 --> 00:16:45,279 The risks should then be prioritized. The 467 00:16:45,279 --> 00:16:47,680 most impactful risks can be managed by 468 00:16:47,680 --> 00:16:49,839 applying control processes to help 469 00:16:49,839 --> 00:16:52,079 lessen their potential occurrence. 470 00:16:52,079 --> 00:16:54,160 As threats evolve and vulnerabilities 471 00:16:54,160 --> 00:16:57,040 change, a risk map must be re-evaluated 472 00:16:57,040 --> 00:16:58,320 periodically. 473 00:16:58,320 --> 00:17:00,560 Organizations also must review their 474 00:17:00,560 --> 00:17:03,120 risk maps regularly to ensure key risks 475 00:17:03,120 --> 00:17:04,079 are being managed 476 00:17:04,079 --> 00:17:07,199 effectively. 
For example, let us briefly 477 00:17:07,199 --> 00:17:09,159 consider how a firm can build a 478 00:17:09,159 --> 00:17:10,799 cyber risk heat map. 479 00:17:10,799 --> 00:17:13,039 Cybersecurity heat maps involve an 480 00:17:13,039 --> 00:17:14,959 extensive and disciplined assessment 481 00:17:14,959 --> 00:17:16,400 process at the back end, 482 00:17:16,400 --> 00:17:17,839 in order to present a simple 483 00:17:17,839 --> 00:17:20,160 visualization of risks and recommended 484 00:17:20,160 --> 00:17:22,000 actions at the front end. 485 00:17:22,000 --> 00:17:24,079 The heat map is an essential and useful 486 00:17:24,079 --> 00:17:26,559 output of your overall cybersecurity 487 00:17:26,559 --> 00:17:28,960 assessment and vulnerability management 488 00:17:28,960 --> 00:17:31,760 process. With a rapidly increasing attack 489 00:17:31,760 --> 00:17:32,480 surface, 490 00:17:32,480 --> 00:17:34,799 the first step is to accurately measure 491 00:17:34,799 --> 00:17:37,120 a cyber risk attack surface. 492 00:17:37,120 --> 00:17:39,360 This means getting complete visibility 493 00:17:39,360 --> 00:17:40,640 into all your IT 494 00:17:40,640 --> 00:17:44,000 assets (devices, apps, and users) 495 00:17:44,000 --> 00:17:46,080 and then continuously monitoring them 496 00:17:46,080 --> 00:17:48,559 across all 200+ attack vectors in 497 00:17:48,559 --> 00:17:50,400 adversaries' arsenals. 498 00:17:50,400 --> 00:17:53,360 The company, therefore, needs to regularly 499 00:17:53,360 --> 00:17:56,000 analyze the observations to derive risk 500 00:17:56,000 --> 00:17:57,120 insights. 501 00:17:57,120 --> 00:17:58,960 This is a layered calculation that 502 00:17:58,960 --> 00:18:01,360 involves incorporating information about 503 00:18:01,360 --> 00:18:03,919 threats, vulnerabilities, mitigating 504 00:18:03,919 --> 00:18:04,720 actions, 505 00:18:04,720 --> 00:18:07,840 business criticality, impact elasticity, 506 00:18:07,840 --> 00:18:11,039 and time-to-repair. 
Conclusion. 507 00:18:11,039 --> 00:18:13,200 Risk mapping in risk management has been 508 00:18:13,200 --> 00:18:15,039 discussed in this video. 509 00:18:15,039 --> 00:18:17,600 A risk map (or risk heat map) is a 510 00:18:17,600 --> 00:18:19,840 graphical representation of cyber risk 511 00:18:19,840 --> 00:18:21,760 data where the individual values 512 00:18:21,760 --> 00:18:23,919 contained in a matrix are represented as 513 00:18:23,919 --> 00:18:25,760 colors that connote meaning. 514 00:18:25,760 --> 00:18:28,240 Risk heat maps are used to present cyber 515 00:18:28,240 --> 00:18:30,039 risk assessment results in an 516 00:18:30,039 --> 00:18:31,440 easy-to-understand, 517 00:18:31,440 --> 00:18:34,160 visually attractive and concise format. 518 00:18:34,160 --> 00:18:36,720 Risk maps can be used by an organization 519 00:18:36,720 --> 00:18:39,360 to improve its risk management culture. 520 00:18:39,360 --> 00:18:42,000 Risk maps can, therefore, assist to 521 00:18:42,000 --> 00:18:44,480 enhance understanding and prioritization 522 00:18:44,480 --> 00:18:46,960 of a firm's risk management system. 523 00:18:46,960 --> 00:18:49,200 In short, heat maps present a very 524 00:18:49,200 --> 00:18:51,520 complex set of facts in an easily 525 00:18:51,520 --> 00:18:53,120 digestible way. 526 00:18:53,120 --> 00:18:55,440 This helps organizations to enhance 527 00:18:55,440 --> 00:18:56,240 their resilience 528 00:18:56,240 --> 00:18:58,080 in the highly challenging business 529 00:18:58,080 --> 00:18:59,600 environment. 530 00:18:59,600 --> 00:19:01,280 Hope the video is educative and 531 00:19:01,280 --> 00:19:02,799 beneficial to you? 532 00:19:02,799 --> 00:19:05,039 Which aspect of the risk mapping in risk 533 00:19:05,039 --> 00:19:07,120 management discussed in this video do 534 00:19:07,120 --> 00:19:09,120 you consider to be more relevant in your 535 00:19:09,120 --> 00:19:10,400 organization? 
536 00:19:10,400 --> 00:19:12,640 Please post your answer to this question 537 00:19:12,640 --> 00:19:14,559 in the comment section below. 538 00:19:14,559 --> 00:19:16,559 If this video has been helpful and 539 00:19:16,559 --> 00:19:17,919 beneficial to you; 540 00:19:17,919 --> 00:19:20,000 then, give it a thumbs up and share it 541 00:19:20,000 --> 00:19:21,520 with your friends. 542 00:19:21,520 --> 00:19:23,200 Thank you for watching the Risk 543 00:19:23,200 --> 00:19:25,520 Management of Everything videos. 544 00:19:25,520 --> 00:19:28,480 We love to hear from you. Please post 545 00:19:28,480 --> 00:19:29,440 your comments and 546 00:19:29,440 --> 00:19:31,520 questions in the comment section down 547 00:19:31,520 --> 00:19:33,600 below. If you are new here, 548 00:19:33,600 --> 00:19:36,000 please subscribe to our channel Risk 549 00:19:36,000 --> 00:19:37,360 Management of Everything 550 00:19:37,360 --> 00:19:39,760 and press the notification button so you 551 00:19:39,760 --> 00:19:41,760 can be notified when we upload new 552 00:19:41,760 --> 00:19:43,039 videos. 553 00:19:43,039 --> 00:19:45,679 Thank you.