Short answer

A hazard map shows a potentially damaging process: where it can happen, how intense it can be, and how often (probability or return period). A risk map goes further and combines that hazard with the exposure (people and assets present) and their vulnerability (how much they would be damaged at a given intensity), so it expresses expected consequences rather than the physical process alone. The widely used framing is:

Risk = Hazard × Exposure × Vulnerability

A flood-depth grid is a hazard layer. The same grid intersected with buildings and damage curves to estimate euros of loss is a risk layer. They look superficially similar on a screen, which is exactly why mislabelling one as the other is dangerous.

The three components, precisely

  • Hazard is the probability and intensity of the process. For floods it is depth at a return period (e.g. the 1%-annual-chance, "100-year", event); for earthquakes it is ground motion (PGA, spectral acceleration) at a probability of exceedance; for landslides it is susceptibility or a probability of failure. Crucially, hazard already contains a temporal element — the return period or annual exceedance probability — that a static susceptibility map lacks.
  • Exposure is the inventory of elements in harm's way: population, residential and critical buildings, roads, lifelines, agriculture. In GIS this is a points/polygons layer with counts and replacement values.
  • Vulnerability is the relationship between hazard intensity and damage, usually a fragility or damage curve: at 0.5 m flood depth a single-storey masonry house might suffer 20% damage; at 2 m, 60%. Vulnerability is asset-specific and is what turns intensity into loss.

A subtle but important distinction sits inside "hazard": a susceptibility map (where conditions favour landslides, based on slope, lithology, land cover) is not the same as a hazard map, because it carries no probability over time. Calling a susceptibility raster a hazard map overstates what it knows.

What the public agency products are

  • FEMA Flood Insurance Rate Maps (FIRMs) delineate Special Flood Hazard Areas and the 1%-annual-chance floodplain. They are hazard products under the National Flood Insurance Program. They drive insurance and zoning, but on their own they are not risk maps; FEMA's separate risk products (and tools like Hazus) add exposure and loss estimation.
  • USGS landslide products are typically susceptibility or hazard layers, depending on whether they include a temporal probability.
  • USGS National Seismic Hazard Maps give ground-motion levels at fixed exceedance probabilities — hazard. Loss estimation (Hazus, the USGS PAGER system) is the risk step.
  • NOAA sea-level-rise viewers show inundation depth scenarios — hazard — which become risk only when combined with what is exposed.

Knowing which one you are holding determines what decision it can support.

Building a risk map from a hazard layer in GIS

A worked flood example on a common grid (say 10 m, in a projected metric CRS):

  1. Hazard layer. A flood-depth raster for the 1%-annual-chance event, classified into depth bands (0–0.5 m, 0.5–1 m, >1 m).
  2. Exposure layer. Building footprints with an occupancy type and replacement value. Tag each with the underlying flood depth: in QGIS, Sample raster values or ST_Value in PostGIS.
  3. Vulnerability. Join a depth-damage curve per occupancy type, so each building gets a damage fraction from its sampled depth.
  4. Loss. expected_loss = replacement_value × damage_fraction, computed per building, then aggregated to a grid or administrative unit for the map.
  5. Annualise if needed. Repeating across several return periods and integrating the loss-exceedance curve yields Average Annual Loss, the most decision-useful risk metric.

In raster-only terms a simpler screening version multiplies normalised hazard, exposure, and vulnerability rasters with gdal_calc.py --calc="H*E*V", but the building-level approach is far more defensible because vulnerability is genuinely asset-specific.

Throughout, keep observed events (recorded flood extents), modelled hazard (the depth grid), and derived risk (the loss surface) as separate, clearly named layers. Merging them destroys the audit trail.

Labelling: the part people skip

The legend must state which quantity is shown and its units: "flood depth, 1%-annual-chance event (m)" is a hazard legend; "expected annual loss (€/cell)" is a risk legend. It must also state provenance — official FIRM vs in-house model — and confidence. A map that says "landslide susceptibility (relative index, no return period)" prevents a reader from treating a screening index as a probability of failure.

Common pitfalls and why they happen

  • Calling a susceptibility or screening overlay a "risk map". It has no exposure or vulnerability, so it cannot speak to consequences; the words just sound interchangeable.
  • Mixing official hazard zones with informal model outputs unlabelled. A reader cannot tell the regulatory floodplain from a quick DEM-based guess, and may act on the wrong one.
  • Reusing a single vulnerability curve for all assets, which erases the asset-specificity that makes risk meaningful.
  • Ignoring return period. A "100-year" and a "500-year" flood hazard map look alike but mean very different probabilities; omitting the period makes the map uninterpretable.
  • Forgetting data age and scale. A 1990s flood study on coarse terrain may misrepresent today's channel.

QA and validation

Confirm the hazard layer states its return period or exceedance probability and its intensity units. Check that exposure was sampled against the hazard in a consistent CRS and resolution. Verify damage fractions stay within 0–1 and that loss is zero where depth is zero. Compare modelled extents against any observed event footprint as an independent reality check, and confirm every layer's legend names its quantity, units, source, and confidence.

Bathyl perspective

We keep hazard and risk distinct and labelled because conflating them quietly inflates what a map claims. A screening overlay is a useful early signal; a loss estimate is a different, heavier object that needs exposure, vulnerability, and review. The deliverable should make clear which one a decision-maker is looking at and how much confidence it warrants.

Related reading

Sources