WEBVTT 00:00:00.080 --> 00:00:03.040 Risk Mapping in Risk Management. Welcome 00:00:03.040 --> 00:00:05.040 to the Risk Management of Everything 00:00:05.040 --> 00:00:07.759 channel. On this channel, you will find 00:00:07.759 --> 00:00:09.679 videos on risk management and the 00:00:09.679 --> 00:00:11.440 application of risk management to 00:00:11.440 --> 00:00:13.759 diverse areas and sectors. 00:00:13.759 --> 00:00:15.839 If you are new here, please consider 00:00:15.839 --> 00:00:17.760 subscribing to our channel and press the 00:00:17.760 --> 00:00:19.840 notification button so you can be 00:00:19.840 --> 00:00:22.800 notified when we upload new videos. 00:00:22.800 --> 00:00:25.279 Thank you. Risk mapping in risk 00:00:25.279 --> 00:00:28.000 management is discussed in this video. 00:00:28.000 --> 00:00:30.480 In this video, we'll discuss how a risk 00:00:30.480 --> 00:00:32.719 map can be used by an organization to 00:00:32.719 --> 00:00:34.200 manage its risks in an 00:00:34.200 --> 00:00:35.360 easy-to-understand 00:00:35.360 --> 00:00:38.719 way. Now, let us start. 00:00:38.719 --> 00:00:41.200 Meaning of a Risk. Risk is the 00:00:41.200 --> 00:00:43.680 uncertainty of a financial loss. 00:00:43.680 --> 00:00:45.520 A risk exists where there is an 00:00:45.520 --> 00:00:48.079 opportunity for a profit or a loss. 00:00:48.079 --> 00:00:50.480 In terms of losses, we commonly refer to 00:00:50.480 --> 00:00:52.559 the risks as exposures to loss, 00:00:52.559 --> 00:00:56.399 or simply exposures. Fire is an exposure. 00:00:56.399 --> 00:00:58.879 Defective products or defamation are 00:00:58.879 --> 00:01:00.800 liability exposures. 00:01:00.800 --> 00:01:02.800 The loss of business that results from a 00:01:02.800 --> 00:01:05.280 damaged building or tarnished reputation 00:01:05.280 --> 00:01:08.400 is also an exposure. 
Risks can come from 00:01:08.400 --> 00:01:10.880 various sources including uncertainty in 00:01:10.880 --> 00:01:12.400 international markets, 00:01:12.400 --> 00:01:14.880 threats from project failures (at any 00:01:14.880 --> 00:01:16.240 phase in design 00:01:16.240 --> 00:01:18.880 development, production, or sustaining of 00:01:18.880 --> 00:01:20.080 life-cycles), 00:01:20.080 --> 00:01:23.520 legal liabilities, credit risk, accidents, 00:01:23.520 --> 00:01:26.240 natural causes and disasters, deliberate 00:01:26.240 --> 00:01:27.040 attack from an 00:01:27.040 --> 00:01:29.360 adversary, or events of uncertain or 00:01:29.360 --> 00:01:31.520 unpredictable root-cause. 00:01:31.520 --> 00:01:33.840 There are two types of events which are: 00:01:33.840 --> 00:01:34.640 (1) 00:01:34.640 --> 00:01:36.720 negative events which can be classified 00:01:36.720 --> 00:01:38.400 as risks or threats; 00:01:38.400 --> 00:01:40.960 and (2) positive events that may be 00:01:40.960 --> 00:01:43.439 classified as opportunities. 00:01:43.439 --> 00:01:46.640 What is Risk Management? Risk management 00:01:46.640 --> 00:01:48.880 is the process of identification, 00:01:48.880 --> 00:01:51.600 analysis, and acceptance or mitigation of 00:01:51.600 --> 00:01:54.479 uncertainty in investment decisions. 00:01:54.479 --> 00:01:56.799 Organizations face many risks and they 00:01:56.799 --> 00:01:58.560 must decide where to focus their 00:01:58.560 --> 00:02:00.479 mitigation resources. 00:02:00.479 --> 00:02:03.439 To handle or manage risks, organizations 00:02:03.439 --> 00:02:05.520 usually have the options to avoid, 00:02:05.520 --> 00:02:08.639 control, accept, or transfer risk. 
The 00:02:08.639 --> 00:02:11.120 adverse effects of risk can be objective 00:02:11.120 --> 00:02:13.760 or quantifiable like insurance premiums 00:02:13.760 --> 00:02:15.200 and claims costs, 00:02:15.200 --> 00:02:17.520 or subjective and difficult to quantify 00:02:17.520 --> 00:02:19.520 such as damage to reputation or 00:02:19.520 --> 00:02:21.360 decreased productivity. 00:02:21.360 --> 00:02:23.360 By focusing attention on risk and 00:02:23.360 --> 00:02:25.360 committing the necessary resources to 00:02:25.360 --> 00:02:27.440 control and mitigate risk, 00:02:27.440 --> 00:02:29.440 a business will protect itself from 00:02:29.440 --> 00:02:30.560 uncertainty, 00:02:30.560 --> 00:02:33.360 reduce costs, and increase the likelihood 00:02:33.360 --> 00:02:36.000 of business continuity and success. 00:02:36.000 --> 00:02:38.560 Meanwhile, a risk map can be used as a 00:02:38.560 --> 00:02:40.640 tool to improve the risk management 00:02:40.640 --> 00:02:42.879 system of an organization. 00:02:42.879 --> 00:02:46.480 What is a Risk Map? A risk map, also known 00:02:46.480 --> 00:02:47.840 as a risk heat map, 00:02:47.840 --> 00:02:49.920 is a data visualization tool for 00:02:49.920 --> 00:02:51.760 communicating specific risks an 00:02:51.760 --> 00:02:53.680 organization faces. 00:02:53.680 --> 00:02:56.000 A risk map is a graphical depiction of a 00:02:56.000 --> 00:02:57.840 select number of a company's risks 00:02:57.840 --> 00:02:59.840 designed to illustrate the impact or 00:02:59.840 --> 00:03:02.080 significance of risks on one axis and 00:03:02.080 --> 00:03:04.800 the likelihood or frequency on the other. 00:03:04.800 --> 00:03:07.040 Risk mapping is used to assist in 00:03:07.040 --> 00:03:08.200 identifying, 00:03:08.200 --> 00:03:11.360 prioritizing, and quantifying (at a macro 00:03:11.360 --> 00:03:11.920 level) 00:03:11.920 --> 00:03:14.319 risks to an organization. 
This 00:03:14.319 --> 00:03:16.560 representation often takes the form of a 00:03:16.560 --> 00:03:18.720 two-dimensional grid with frequency 00:03:18.720 --> 00:03:21.599 (or likelihood of occurrence) on one axis 00:03:21.599 --> 00:03:22.560 and severity 00:03:22.560 --> 00:03:24.879 (or degree of financial impact) on the 00:03:24.879 --> 00:03:25.840 other axis; 00:03:25.840 --> 00:03:27.440 the risks that fall in the 00:03:27.440 --> 00:03:30.000 high-frequency/high-severity quadrant are 00:03:30.000 --> 00:03:32.159 given priority risk management 00:03:32.159 --> 00:03:34.959 attention. A risk map helps companies 00:03:34.959 --> 00:03:37.200 identify and prioritize the risks 00:03:37.200 --> 00:03:39.280 associated with their business. 00:03:39.280 --> 00:03:41.519 The goal of a risk map is to improve an 00:03:41.519 --> 00:03:43.840 organization's understanding of its risk 00:03:43.840 --> 00:03:45.280 profile and appetite, 00:03:45.280 --> 00:03:47.200 clarify thinking on the nature and 00:03:47.200 --> 00:03:48.560 impact of risks, 00:03:48.560 --> 00:03:50.640 and improve the organization's risk 00:03:50.640 --> 00:03:52.080 assessment model. 00:03:52.080 --> 00:03:54.480 In the enterprise, a risk map is often 00:03:54.480 --> 00:03:57.200 presented as a two-dimensional matrix. 00:03:57.200 --> 00:03:59.519 For example, the likelihood a risk will 00:03:59.519 --> 00:04:01.840 occur may be plotted on the x-axis, 00:04:01.840 --> 00:04:03.599 while the impact of the same risk is 00:04:03.599 --> 00:04:05.519 plotted on the y-axis. 00:04:05.519 --> 00:04:07.439 A risk map is considered a critical 00:04:07.439 --> 00:04:09.840 component of enterprise risk management 00:04:09.840 --> 00:04:12.000 because it helps identify risks that 00:04:12.000 --> 00:04:13.599 need more attention. 
00:04:13.599 --> 00:04:15.920 Identified risks that fall in the high-frequency 00:04:15.920 --> 00:04:18.238 and high-severity section can 00:04:18.238 --> 00:04:21.358 then be made a priority by organizations. 00:04:21.358 --> 00:04:23.440 If the organization is dispersed 00:04:23.440 --> 00:04:25.600 geographically and certain risks are 00:04:25.600 --> 00:04:27.919 associated with certain geographical 00:04:27.919 --> 00:04:28.639 areas, 00:04:28.639 --> 00:04:30.560 risks might be illustrated with a heat 00:04:30.560 --> 00:04:32.880 map, using color to illustrate the levels 00:04:32.880 --> 00:04:34.800 of risk to which individual branch 00:04:34.800 --> 00:04:36.960 offices are exposed. 00:04:36.960 --> 00:04:40.160 Why it's Important to Create a Risk Map? 00:04:40.160 --> 00:04:42.240 A risk map offers a visualized, 00:04:42.240 --> 00:04:44.400 comprehensive view of the likelihood and 00:04:44.400 --> 00:04:47.199 impact of an organization's risks. 00:04:47.199 --> 00:04:49.600 This helps the organization improve risk 00:04:49.600 --> 00:04:51.440 management and risk governance by 00:04:51.440 --> 00:04:54.479 prioritizing risk management efforts. 00:04:54.479 --> 00:04:57.199 This risk prioritization enables them to 00:04:57.199 --> 00:04:59.040 focus time and money on the most 00:04:59.040 --> 00:05:01.520 potentially damaging risks identified in 00:05:01.520 --> 00:05:02.320 a heat map 00:05:02.320 --> 00:05:05.160 chart. A risk map also facilitates 00:05:05.160 --> 00:05:07.360 interdepartmental dialogues about an 00:05:07.360 --> 00:05:09.199 organization's inherent risks and 00:05:09.199 --> 00:05:11.039 promotes communication about 00:05:11.039 --> 00:05:13.600 risks throughout the organization. 
It 00:05:13.600 --> 00:05:16.240 helps organizations visualize risks in 00:05:16.240 --> 00:05:17.680 relation to each other, 00:05:17.680 --> 00:05:19.280 and it guides the development of a 00:05:19.280 --> 00:05:21.280 control assessment of how to deal with 00:05:21.280 --> 00:05:23.280 the risks and the consequence of those 00:05:23.280 --> 00:05:24.639 risks. 00:05:24.639 --> 00:05:27.680 Benefits of Using Risk Heat Maps. 00:05:27.680 --> 00:05:29.759 Risk heat maps can offer significant 00:05:29.759 --> 00:05:32.160 benefits to organizations. 00:05:32.160 --> 00:05:34.080 Here are some of the benefits of using 00:05:34.080 --> 00:05:37.759 risk heat maps by an organization: 00:05:37.759 --> 00:05:40.639 A visual, big picture, holistic view that 00:05:40.639 --> 00:05:42.400 can be shared to make strategic 00:05:42.400 --> 00:05:44.479 decisions; 00:05:44.479 --> 00:05:46.320 Improved management of risks and 00:05:46.320 --> 00:05:48.160 governance of the risk management 00:05:48.160 --> 00:05:50.160 process; 00:05:50.160 --> 00:05:52.479 Increased focus on risk appetite and the 00:05:52.479 --> 00:05:55.440 risk tolerance of the company; 00:05:55.440 --> 00:05:57.360 More precision in the risk assessment 00:05:57.360 --> 00:05:59.360 and mitigation process; 00:05:59.360 --> 00:06:02.639 and Greater integration of risk 00:06:02.639 --> 00:06:05.600 management actions across the enterprise. 00:06:05.600 --> 00:06:07.919 The Importance of Risk Mapping Business 00:06:07.919 --> 00:06:09.600 Organizations. 00:06:09.600 --> 00:06:11.680 Why should your organization be using 00:06:11.680 --> 00:06:13.440 risk maps? 00:06:13.440 --> 00:06:15.759 Building a risk map brings valuable 00:06:15.759 --> 00:06:16.960 benefits. 00:06:16.960 --> 00:06:18.720 You will have a thorough understanding 00:06:18.720 --> 00:06:20.160 of your risk environment 00:06:20.160 --> 00:06:22.400 and how individual risks compare to one 00:06:22.400 --> 00:06:23.199 another. 
00:06:23.199 --> 00:06:25.199 You can use this to strategically 00:06:25.199 --> 00:06:27.280 prioritize your risks and determine 00:06:27.280 --> 00:06:29.759 where to use your limited resources. 00:06:29.759 --> 00:06:32.319 The map can help the company visualize 00:06:32.319 --> 00:06:33.919 how risks in one part of the 00:06:33.919 --> 00:06:36.160 organization can affect operations of 00:06:36.160 --> 00:06:37.759 another business unit within the 00:06:37.759 --> 00:06:39.039 organization. 00:06:39.039 --> 00:06:41.360 A risk map also adds precision to an 00:06:41.360 --> 00:06:43.919 organization's risk assessment strategy 00:06:43.919 --> 00:06:44.160 and 00:06:44.160 --> 00:06:46.560 identifies gaps in an organization's 00:06:46.560 --> 00:06:48.800 risk management processes. 00:06:48.800 --> 00:06:50.720 A risk map is built by plotting the 00:06:50.720 --> 00:06:53.120 frequency of a risk on the y-axis of the 00:06:53.120 --> 00:06:56.000 chart and the severity on the x-axis. 00:06:56.000 --> 00:06:58.080 Frequency is how likely the risk is or 00:06:58.080 --> 00:07:00.240 how often you think it will occur; 00:07:00.240 --> 00:07:02.319 severity is how much of an impact it 00:07:02.319 --> 00:07:04.000 would have if it did occur. 00:07:04.000 --> 00:07:05.840 The higher a risk ranks for these 00:07:05.840 --> 00:07:08.000 qualities, the more threatening it is to 00:07:08.000 --> 00:07:09.759 your organization. 00:07:09.759 --> 00:07:12.560 The most severe and frequent risks, your 00:07:12.560 --> 00:07:13.840 primary risks, 00:07:13.840 --> 00:07:15.360 are critical and would hinder your 00:07:15.360 --> 00:07:17.440 ability to conduct business. 00:07:17.440 --> 00:07:20.080 Risks that are severe but unlikely, that 00:07:20.080 --> 00:07:22.240 is your "detect and monitor" risks, 00:07:22.240 --> 00:07:24.080 are those risks that should be watched 00:07:24.080 --> 00:07:26.319 but don't require heavy mitigation 00:07:26.319 --> 00:07:27.520 strategies. 
00:07:27.520 --> 00:07:29.440 Risks that are highly likely but 00:07:29.440 --> 00:07:32.000 insignificant, your monitor risks, 00:07:32.000 --> 00:07:34.400 will not impact your ability to continue 00:07:34.400 --> 00:07:35.759 operations. 00:07:35.759 --> 00:07:37.919 Finally, the risks that are low in both 00:07:37.919 --> 00:07:39.520 frequency and severity, 00:07:39.520 --> 00:07:42.400 your low control risks, can be revisited 00:07:42.400 --> 00:07:44.080 on a yearly basis to ensure 00:07:44.080 --> 00:07:46.960 the risk remains low. Risk maps are a 00:07:46.960 --> 00:07:48.560 valuable tool as they assist 00:07:48.560 --> 00:07:50.560 organizations to: 00:07:50.560 --> 00:07:53.919 1. Understand the risk environment. 00:07:53.919 --> 00:07:56.080 Risk management begins with building a 00:07:56.080 --> 00:07:58.319 list of all risks your organization 00:07:58.319 --> 00:08:01.520 faces. Depending on your industry, this 00:08:01.520 --> 00:08:03.440 number could range from a handful to 00:08:03.440 --> 00:08:04.479 hundreds. 00:08:04.479 --> 00:08:06.400 Risk mapping is beneficial because it 00:08:06.400 --> 00:08:07.680 requires you to assess 00:08:07.680 --> 00:08:09.440 each risk and its causes and 00:08:09.440 --> 00:08:11.520 consequences individually. 00:08:11.520 --> 00:08:13.840 It also allows you to look at your risk 00:08:13.840 --> 00:08:15.840 environment as a whole and understand 00:08:15.840 --> 00:08:18.720 how frequencies and severities compare. 00:08:18.720 --> 00:08:20.879 Finally, a risk map is a visual that 00:08:20.879 --> 00:08:23.440 anyone in your organization can use to 00:08:23.440 --> 00:08:25.440 see the big picture of risks most 00:08:25.440 --> 00:08:26.000 prominent 00:08:26.000 --> 00:08:29.360 in your industry or workplace. 2. 00:08:29.360 --> 00:08:32.479 Prioritize mitigation strategies. 
00:08:32.479 --> 00:08:35.039 With limited resources, it's important to 00:08:35.039 --> 00:08:38.080 be strategic about mitigation techniques. 00:08:38.080 --> 00:08:40.080 Risk mapping allows you to determine 00:08:40.080 --> 00:08:41.919 what steps to take first: 00:08:41.919 --> 00:08:44.000 implement prevention tactics for the 00:08:44.000 --> 00:08:46.080 most frequent and severe risks before 00:08:46.080 --> 00:08:47.600 moving onto others. 00:08:47.600 --> 00:08:50.080 This prioritization method ensures that 00:08:50.080 --> 00:08:52.000 you address the risks that have the most 00:08:52.000 --> 00:08:53.839 potential to cause harm to your 00:08:53.839 --> 00:08:55.440 organization. 00:08:55.440 --> 00:08:58.959 3. Allocate limited resources. 00:08:58.959 --> 00:09:01.279 Whether your organization consists of 00:09:01.279 --> 00:09:03.360 2 employees or 2,000, 00:09:03.360 --> 00:09:06.240 risk managers have limited resources. 00:09:06.240 --> 00:09:08.320 Risk mapping allows you to use them to 00:09:08.320 --> 00:09:10.399 prevent primary risks. 00:09:10.399 --> 00:09:12.880 D&M risks should be revisited several 00:09:12.880 --> 00:09:14.959 times a year to ensure appropriate 00:09:14.959 --> 00:09:16.240 management. 00:09:16.240 --> 00:09:18.640 Similarly, monitor risks typically only 00:09:18.640 --> 00:09:20.560 need to be checked yearly to ensure 00:09:20.560 --> 00:09:23.279 their potential impact hasn't grown. 00:09:23.279 --> 00:09:25.760 Finally, by figuring out which risks are 00:09:25.760 --> 00:09:26.800 low control, 00:09:26.800 --> 00:09:28.720 you will know where not to spend time 00:09:28.720 --> 00:09:29.839 and money. 00:09:29.839 --> 00:09:32.480 However, keep in mind that no risk can be 00:09:32.480 --> 00:09:33.839 completely ignored: 00:09:33.839 --> 00:09:35.839 make sure you still consider these in 00:09:35.839 --> 00:09:37.920 future assessments and ensure that the 00:09:37.920 --> 00:09:40.959 low-risk status has not changed. 
00:09:40.959 --> 00:09:44.720 4. Receive better insurance premiums. 00:09:44.720 --> 00:09:47.040 Risk maps can also help your 00:09:47.040 --> 00:09:48.480 organization in becoming an 00:09:48.480 --> 00:09:49.680 international standard 00:09:49.680 --> 00:09:52.720 organization (ISO) certified, 00:09:52.720 --> 00:09:54.160 as it shows that you have an 00:09:54.160 --> 00:09:56.240 understanding of your risk environment 00:09:56.240 --> 00:09:59.040 and a strategic plan for moving forward. 00:09:59.040 --> 00:10:00.880 This can also help you receive 00:10:00.880 --> 00:10:03.360 competitive insurance premiums. 00:10:03.360 --> 00:10:05.519 Insurers are looking for good risk, or 00:10:05.519 --> 00:10:07.440 companies they believe will have minimal 00:10:07.440 --> 00:10:08.720 losses. 00:10:08.720 --> 00:10:12.000 Key Considerations for Risk Heat Maps. 00:10:12.000 --> 00:10:14.160 To develop an effective cybersecurity 00:10:14.160 --> 00:10:15.279 risk heat map, 00:10:15.279 --> 00:10:18.560 consider these critical elements: 00:10:18.560 --> 00:10:20.720 What are your most critical systems and 00:10:20.720 --> 00:10:22.320 information assets 00:10:22.320 --> 00:10:25.920 (those you want to map)? How accurate is 00:10:25.920 --> 00:10:29.200 the data and where is it coming from? 00:10:29.200 --> 00:10:31.600 What is your organization's appetite for 00:10:31.600 --> 00:10:33.360 risk? 00:10:33.360 --> 00:10:35.360 What categories and levels of impact 00:10:35.360 --> 00:10:37.040 would be considered material, 00:10:37.040 --> 00:10:40.079 for example, monetary, brand reputation, 00:10:40.079 --> 00:10:42.959 and other related impacts? 00:10:42.959 --> 00:10:45.360 What is the range of acceptable variance 00:10:45.360 --> 00:10:47.440 from your key performance and operating 00:10:47.440 --> 00:10:48.399 metrics? 
00:10:48.399 --> 00:10:51.680 And how will you define terms to 00:10:51.680 --> 00:10:53.760 integrate potential risk events with 00:10:53.760 --> 00:10:55.200 your heat map? 00:10:55.200 --> 00:10:58.240 How to Build a Risk Map. A risk map is 00:10:58.240 --> 00:11:00.079 built by plotting the frequency of a 00:11:00.079 --> 00:11:02.240 risk on the y-axis of the chart and the 00:11:02.240 --> 00:11:04.480 severity on the x-axis. 00:11:04.480 --> 00:11:06.640 Frequency is how likely the risk is or 00:11:06.640 --> 00:11:08.720 how often you think it will occur. 00:11:08.720 --> 00:11:10.880 Severity is how much of an impact it 00:11:10.880 --> 00:11:12.480 would have if it did happen. 00:11:12.480 --> 00:11:14.320 The higher a risk ranks for these 00:11:14.320 --> 00:11:16.480 qualities, the more threatening it is to 00:11:16.480 --> 00:11:18.079 your organization. 00:11:18.079 --> 00:11:20.320 Let us discuss tips on how to build a 00:11:20.320 --> 00:11:21.760 risk map. 00:11:21.760 --> 00:11:23.680 Here are four tips on how to build a 00:11:23.680 --> 00:11:25.200 risk map: 00:11:25.200 --> 00:11:28.000 1. Involve people from all parts of 00:11:28.000 --> 00:11:29.760 your organization. 00:11:29.760 --> 00:11:31.680 Risk mapping is not a process that 00:11:31.680 --> 00:11:34.079 should be conducted by one person. 00:11:34.079 --> 00:11:36.240 Every person in your business, from the 00:11:36.240 --> 00:11:37.839 CEO to the intern, 00:11:37.839 --> 00:11:39.680 will have different ideas about what 00:11:39.680 --> 00:11:41.600 risks are most prevalent to your 00:11:41.600 --> 00:11:44.560 industry. You cannot involve everyone, but 00:11:44.560 --> 00:11:46.640 ask multiple people from various 00:11:46.640 --> 00:11:48.720 departments and levels of authority to 00:11:48.720 --> 00:11:51.440 ensure you are getting unique viewpoints. 
00:11:51.440 --> 00:11:53.279 This will also allow you to discover 00:11:53.279 --> 00:11:55.279 risks that you may not have previously 00:11:55.279 --> 00:11:57.519 considered and gain new perspectives on 00:11:57.519 --> 00:12:00.800 how frequent or severe a risk really is. 00:12:00.800 --> 00:12:03.839 2. Understand each risk. 00:12:03.839 --> 00:12:06.079 Simply naming your risks does not allow 00:12:06.079 --> 00:12:08.560 you to build an effective risk map. 00:12:08.560 --> 00:12:10.639 You must assess each scenario with a 00:12:10.639 --> 00:12:12.560 strong understanding of the business and 00:12:12.560 --> 00:12:14.800 how the risks can impact your ability to 00:12:14.800 --> 00:12:16.639 continue operations. 00:12:16.639 --> 00:12:18.639 Think about what is likely to cause the 00:12:18.639 --> 00:12:20.399 risk and the consequences it will have 00:12:20.399 --> 00:12:21.839 if it occurs. 00:12:21.839 --> 00:12:24.079 It is also important to be consistent in 00:12:24.079 --> 00:12:26.240 how you rank each risk in terms of 00:12:26.240 --> 00:12:28.560 frequency and severity so that the final 00:12:28.560 --> 00:12:30.639 product is a clear depiction of how the 00:12:30.639 --> 00:12:32.880 risks compare to each other. 00:12:32.880 --> 00:12:36.720 3. Seek guidance. If consulting those 00:12:36.720 --> 00:12:39.120 within your organization isn't providing 00:12:39.120 --> 00:12:40.959 a sufficient understanding, 00:12:40.959 --> 00:12:43.600 look elsewhere. You can try to determine 00:12:43.600 --> 00:12:45.839 how likely and impactful a risk will be 00:12:45.839 --> 00:12:48.560 based on your experience and past losses, 00:12:48.560 --> 00:12:51.040 but what if you're a start-up company? 
You 00:12:51.040 --> 00:12:52.399 can ask an expert: 00:12:52.399 --> 00:12:54.480 many insurance providers are able to 00:12:54.480 --> 00:12:56.800 assist with risk management tools, 00:12:56.800 --> 00:12:59.279 and if not, they can likely suggest 00:12:59.279 --> 00:13:00.639 someone who can. 00:13:00.639 --> 00:13:02.240 You can also look at similar 00:13:02.240 --> 00:13:04.720 organizations and industry statistics to 00:13:04.720 --> 00:13:07.279 help guide your risk ranking. 00:13:07.279 --> 00:13:10.320 4. Revisit and modify. 00:13:10.320 --> 00:13:12.160 You've built your risk map and are now 00:13:12.160 --> 00:13:14.639 using it to help manage and mitigate- 00:13:14.639 --> 00:13:17.040 great! But it's important to remember 00:13:17.040 --> 00:13:19.360 that your risk landscape is constantly 00:13:19.360 --> 00:13:20.399 changing. 00:13:20.399 --> 00:13:22.320 Revisit your rankings with the risk 00:13:22.320 --> 00:13:23.839 management team at least 00:13:23.839 --> 00:13:26.240 quarterly, to discuss if the status of 00:13:26.240 --> 00:13:28.800 any existing risks has changed or if any 00:13:28.800 --> 00:13:31.360 new risks should be placed on the map. 00:13:31.360 --> 00:13:33.760 Doing so will ensure that your risk map 00:13:33.760 --> 00:13:35.920 is a consistently helpful tool that will 00:13:35.920 --> 00:13:36.959 help you reduce 00:13:36.959 --> 00:13:40.399 incidents and costs. Major Ways to Use 00:13:40.399 --> 00:13:43.519 Risk Heat Maps by Organizations. 00:13:43.519 --> 00:13:45.519 Where charts have to be interpreted and 00:13:45.519 --> 00:13:47.199 tables have to be understood, 00:13:47.199 --> 00:13:49.279 heat maps are self-explanatory and 00:13:49.279 --> 00:13:50.480 intuitive. 
00:13:50.480 --> 00:13:52.240 Because they are tailor-made for putting 00:13:52.240 --> 00:13:54.720 massive data sets into a context that's 00:13:54.720 --> 00:13:56.240 easy to understand, 00:13:56.240 --> 00:13:58.079 they are increasingly valued as a 00:13:58.079 --> 00:14:00.480 superior data visualization tool in 00:14:00.480 --> 00:14:02.959 cybersecurity for identifying, 00:14:02.959 --> 00:14:06.160 prioritizing, and mitigating risks. 00:14:06.160 --> 00:14:08.560 Here are three major ways to use risk 00:14:08.560 --> 00:14:09.600 heat maps by 00:14:09.600 --> 00:14:13.760 organizations: 1. Risk impact heat map to 00:14:13.760 --> 00:14:15.519 show the likelihood of a risk event 00:14:15.519 --> 00:14:16.000 happening 00:14:16.000 --> 00:14:18.079 vs. business impact of such an 00:14:18.079 --> 00:14:19.360 event. 00:14:19.360 --> 00:14:21.680 Risk is the product of breach likelihood 00:14:21.680 --> 00:14:23.279 and breach impact. 00:14:23.279 --> 00:14:25.760 In this type of heat map, the horizontal 00:14:25.760 --> 00:14:27.817 axis shows the likelihood of a 00:14:27.817 --> 00:14:29.519 cybersecurity breach. 00:14:29.519 --> 00:14:31.839 The vertical axis shows the business 00:14:31.839 --> 00:14:33.440 impact of a breach. 00:14:33.440 --> 00:14:36.320 The colors are risk areas, for example, 00:14:36.320 --> 00:14:38.560 green colored boxes indicate no 00:14:38.560 --> 00:14:40.959 action needed and red boxes indicate 00:14:40.959 --> 00:14:42.639 immediate action needed. 00:14:42.639 --> 00:14:44.639 The individual risk items are then 00:14:44.639 --> 00:14:46.639 plotted on the heat map based upon the 00:14:46.639 --> 00:14:48.800 Business Impact and Likelihood of breach 00:14:48.800 --> 00:14:49.760 happening. 00:14:49.760 --> 00:14:52.399 This can be computed as follows: Risk is 00:14:52.399 --> 00:14:56.000 equal to impact times likelihood. 00:14:56.000 --> 00:14:58.800 2. 
Comparing breach likelihood across 00:14:58.800 --> 00:14:59.760 different business 00:14:59.760 --> 00:15:02.959 areas. Risk heat maps can be used by an 00:15:02.959 --> 00:15:04.959 organization to compare breach 00:15:04.959 --> 00:15:06.880 likelihood across different business 00:15:06.880 --> 00:15:07.839 areas. 00:15:07.839 --> 00:15:10.320 Here is an example of a heat map that IT 00:15:10.320 --> 00:15:12.399 can use to compare breach likelihood 00:15:12.399 --> 00:15:13.199 across different 00:15:13.199 --> 00:15:16.000 areas or groups. Such charts can be 00:15:16.000 --> 00:15:18.079 created for multiple types of risk 00:15:18.079 --> 00:15:18.639 groups- 00:15:18.639 --> 00:15:22.320 asset types, locations, business units, 00:15:22.320 --> 00:15:25.680 and more. 3. Mapping information 00:15:25.680 --> 00:15:26.560 technology 00:15:26.560 --> 00:15:29.199 (IT) asset inventory by type and risk 00:15:29.199 --> 00:15:32.320 associated with each of those categories. 00:15:32.320 --> 00:15:34.320 Risk heat maps can be used by an 00:15:34.320 --> 00:15:35.920 organization for mapping IT 00:15:35.920 --> 00:15:38.480 asset inventory based on the type of IT 00:15:38.480 --> 00:15:40.880 asset inventory and risk associated with 00:15:40.880 --> 00:15:42.720 each of those categories. 00:15:42.720 --> 00:15:45.279 Here is an example of a heat map that IT 00:15:45.279 --> 00:15:46.639 can use to map IT 00:15:46.639 --> 00:15:48.639 asset inventory by type and risk 00:15:48.639 --> 00:15:51.759 associated with each of those categories. 00:15:51.759 --> 00:15:54.639 How to Create or Build a Risk Map. For 00:15:54.639 --> 00:15:56.399 the heat map to be insightful and 00:15:56.399 --> 00:15:57.440 comprehensive, 00:15:57.440 --> 00:15:59.920 it should be created using accurate and 00:15:59.920 --> 00:16:01.519 complete information. 00:16:01.519 --> 00:16:03.839 Identification of inherent risks is the 00:16:03.839 --> 00:16:06.480 first step in creating a risk map. 
00:16:06.480 --> 00:16:08.720 Risks can be broadly categorized into 00:16:08.720 --> 00:16:10.079 strategic risk, 00:16:10.079 --> 00:16:12.880 compliance risk, operational risk, 00:16:12.880 --> 00:16:15.519 financial risk, and reputational risk, 00:16:15.519 --> 00:16:17.839 but organizations should aim to chart 00:16:17.839 --> 00:16:19.519 their own lists by taking into 00:16:19.519 --> 00:16:21.839 consideration specific factors that 00:16:21.839 --> 00:16:23.759 might affect them financially. 00:16:23.759 --> 00:16:26.480 Once the risks have been identified, it 00:16:26.480 --> 00:16:28.720 is necessary to understand what kind of 00:16:28.720 --> 00:16:31.040 internal or external events are driving 00:16:31.040 --> 00:16:32.240 the risks. 00:16:32.240 --> 00:16:34.079 The next step in risk mapping is 00:16:34.079 --> 00:16:36.800 evaluating the risks: estimating the 00:16:36.800 --> 00:16:37.680 frequency, 00:16:37.680 --> 00:16:39.519 the potential impact and possible 00:16:39.519 --> 00:16:42.480 control processes to offset the risks. 00:16:42.480 --> 00:16:45.279 The risks should then be prioritized. The 00:16:45.279 --> 00:16:47.680 most impactful risks can be managed by 00:16:47.680 --> 00:16:49.839 applying control processes to help 00:16:49.839 --> 00:16:52.079 lessen their potential occurrence. 00:16:52.079 --> 00:16:54.160 As threats evolve and vulnerabilities 00:16:54.160 --> 00:16:57.040 change, a risk map must be re-evaluated 00:16:57.040 --> 00:16:58.320 periodically. 00:16:58.320 --> 00:17:00.560 Organizations also must review their 00:17:00.560 --> 00:17:03.120 risk maps regularly to ensure key risks 00:17:03.120 --> 00:17:04.079 are being managed 00:17:04.079 --> 00:17:07.199 effectively. For example, let us briefly 00:17:07.199 --> 00:17:09.159 consider how a firm can build a 00:17:09.159 --> 00:17:10.799 cyber risk heat map. 
00:17:10.799 --> 00:17:13.039 Cybersecurity heat maps involve an 00:17:13.039 --> 00:17:14.959 extensive and disciplined assessment 00:17:14.959 --> 00:17:16.400 process at the back end, 00:17:16.400 --> 00:17:17.839 in order to present a simple 00:17:17.839 --> 00:17:20.160 visualization of risks and recommended 00:17:20.160 --> 00:17:22.000 actions at the front end. 00:17:22.000 --> 00:17:24.079 The heat map is an essential and useful 00:17:24.079 --> 00:17:26.559 output of your overall cybersecurity 00:17:26.559 --> 00:17:28.960 assessment and vulnerability management 00:17:28.960 --> 00:17:31.760 process. With a rapidly increasing attack 00:17:31.760 --> 00:17:32.480 surface, 00:17:32.480 --> 00:17:34.799 the first step is to accurately measure 00:17:34.799 --> 00:17:37.120 a cyber risk attack surface. 00:17:37.120 --> 00:17:39.360 This means getting complete visibility 00:17:39.360 --> 00:17:40.640 into all your IT 00:17:40.640 --> 00:17:44.000 assets (devices, apps, and users) 00:17:44.000 --> 00:17:46.080 and then continuously monitoring them 00:17:46.080 --> 00:17:48.559 across all 200+ attack vectors in 00:17:48.559 --> 00:17:50.400 adversaries' arsenals. 00:17:50.400 --> 00:17:53.360 The company, therefore, needs to regularly 00:17:53.360 --> 00:17:56.000 analyze the observations to derive risk 00:17:56.000 --> 00:17:57.120 insights. 00:17:57.120 --> 00:17:58.960 This is a layered calculation that 00:17:58.960 --> 00:18:01.360 involves incorporating information about 00:18:01.360 --> 00:18:03.919 threats, vulnerabilities, mitigating 00:18:03.919 --> 00:18:04.720 actions, 00:18:04.720 --> 00:18:07.840 business criticality, impact elasticity, 00:18:07.840 --> 00:18:11.039 and time-to-repair. Conclusion. 00:18:11.039 --> 00:18:13.200 Risk mapping in risk management has been 00:18:13.200 --> 00:18:15.039 discussed in this video. 
00:18:15.039 --> 00:18:17.600 A risk map (or risk heat map) is a 00:18:17.600 --> 00:18:19.840 graphical representation of cyber risk 00:18:19.840 --> 00:18:21.760 data where the individual values 00:18:21.760 --> 00:18:23.919 contained in a matrix are represented as 00:18:23.919 --> 00:18:25.760 colors that connote meaning. 00:18:25.760 --> 00:18:28.240 Risk heat maps are used to present cyber 00:18:28.240 --> 00:18:30.039 risk assessment results in an 00:18:30.039 --> 00:18:31.440 easy to understand, 00:18:31.440 --> 00:18:34.160 visually attractive and concise format. 00:18:34.160 --> 00:18:36.720 Risk maps can be used by an organization 00:18:36.720 --> 00:18:39.360 to improve its risk management culture. 00:18:39.360 --> 00:18:42.000 Risk maps can, therefore, assist to 00:18:42.000 --> 00:18:44.480 enhance understanding and prioritization 00:18:44.480 --> 00:18:46.960 of a firm's risk management system. 00:18:46.960 --> 00:18:49.200 In short, heat maps present a very 00:18:49.200 --> 00:18:51.520 complex set of facts in an easily 00:18:51.520 --> 00:18:53.120 digestible way. 00:18:53.120 --> 00:18:55.440 This helps organizations to enhance 00:18:55.440 --> 00:18:56.240 their resilience 00:18:56.240 --> 00:18:58.080 in the highly challenging business 00:18:58.080 --> 00:18:59.600 environment. 00:18:59.600 --> 00:19:01.280 Hope the video is educative and 00:19:01.280 --> 00:19:02.799 beneficial to you? 00:19:02.799 --> 00:19:05.039 Which aspect of the risk mapping in risk 00:19:05.039 --> 00:19:07.120 management discussed in this video do 00:19:07.120 --> 00:19:09.120 you consider to be more relevant in your 00:19:09.120 --> 00:19:10.400 organization? 00:19:10.400 --> 00:19:12.640 Please post your answer to this question 00:19:12.640 --> 00:19:14.559 in the comment section below. 