Risk matrices get mocked for good reasons—but a clear heatmap still helps busy leaders see where to lean in. This is the lightweight approach I use.
Keep scoring simple
- Probability: Low/Medium/High with written definitions (e.g., High = >30% in next quarter).
- Impact: Low/Medium/High anchored to business outcomes (cost, time, compliance, customer).
- No decimals, no 5x5 grid—3x3 is enough for clarity.
Show trend, not just color
- Add an arrow for direction (improving, stable, worsening).
- Timestamp each update; stale greens are worse than honest ambers.
Focus on the top risks
- Limit the heatmap to the top 10–15 active risks.
- Each risk shows owner, next action, and date of next review.
- Link to the RAID entry for details; the heatmap is the headline view.
Use it in conversations
- Steering: discuss reds and trending ambers first; ask for decisions/funding.
- Teams: use the same scoring to avoid translation errors up the chain.
- Audits: show history—when did it turn red, and what did we do?
The value of a heatmap is in the shared language, not the colors. Keep it tight, keep it current, and tie every red to an action.