BowTie Risk Management Methodology
Despite it being arguably the most effective Risk Management paradigm around today, most organisations are not aware of the beauty, power and persuasiveness of BowTie Risk Management methodology.
Those who are aware of it are either using it, or make up the vast remainder, who have heard good things about it, but don't really know what it is or where to start.
I've heard the term before, in an anecdote about Serco Group Plc, the FTSE 100 company who handle many UK Government contracts being "the biggest company you've never heard of".
Perhaps, ironically, BowTie is the "most effective Risk Management technique you've maybe heard of."
In this post i'll show you what BowTie Risk Management methodology is all about.
Interest in BowTie Risk Management methodology is on the rise.
Although it has been around, in many guises since (apparently) the 70s, and has become relatively widespread in the Oil, Gas and Chemical industries, this risk management methodology which is suitable for all businesses and industries is largely unknown.
From 2013 - 2015, 95% of our software requests were for BowTie systems and help about BowTie methodology.
What is BowTie Risk Management?
BowTie methodology is a structured, yet graphical approach to describing and analysing a cause to consequence pathway of potential events (risk events, safety events, process events etc), controlling them, and then importantly communicating them - all with the aim of minimising loss and maximising gain of any kind.
Unlike most Risk Management protocols, BowTie is interactive, graphical, user friendly, visual, collaborative and highly communicable - no more lists and spreadsheets!
There are 10 key components to a BowTie: a single Hazard, a single Top Event and an unlimited amount of Threats, Consequences, Escalation Factors (2 types) and Controls ( 4 types), all of which are described below.
Although the first step of your BowTie analysis is always defining the Hazard and Top Event, after that the order in which you brainstorm the Risk Assessment via BowTie production is up to you. Commonly, you would define your Threats and Consequences first and work inwards from there.
Centre of the BowTie diagram
A hazard is anything whatsoever that has the potential to cause a risk event (Top Event).
Safety example: Working at height
Enterprise example: Staff
A Top Event is the centre of your BowTie. It is an undesired event/ risk event that could happen due to the presence of the Hazard.
Safety example: Worker falls from height
Enterprise example: Staff productivity is very low
Left side of the BowTie diagram
The left hand side of the BowTie is all about working out the PROBABILITY of a Top Event happening, and preventing it.
Threats are anything that promote the progression of the Hazard leading to the Top Event. There can be, and likely will be multiple of these.
Safety example: Wind
Enterprise example: Recruitment procedure
Barriers are a form of Risk Control. They are put in place to reduce the probability of the Threat leading to the Top Event. Just like all Risk Controls, Barriers can be anything at all - work orders, management procedures, equipment, maintenance, training etc. The key to a Barrier is that it reduces risk via reducing the probability, and it is entirely independent of other Barriers.
Safety example: Wind shields
Enterprise example: Candidates to undergo suitability check
An Escalation Factor is something that inhibits the effectiveness of the Barrier - that is, it reduces the probability reduction power of the Barrier and therefore increases risk. Escalation Factors in BowTie analysis are a fantastic way of adding further scrutiny to your Risk Management plan as they identify flaws in Risk Controls.
Safety example: Wind shield fails
Enterprise example: Suitability check ineffective
Escalation Factor Controls
An Escalation Factor Control is a form of Risk Control and is put in place to reduce the probability of a defined Escalation Factor negatively influencing a Barrier - Escalation Factor Controls reduce risk. Escalation Factor Controls in BowTie analysis can be viewed as a 'belt and braces' approach to Risk Management in that they add a further level of Risk Control to your Risk Management plan. Arguably, it is the Escalation Factor Controls that make BowTie methodology such a robust Risk Management tool - they are downstream Risk Controls put in place to aid upstream Risk Controls.
Safety example: Wind shield to be checked prior to every usage
Enterprise example: Hire an expert external consultancy to administer role-specific examinations
Right side of the BowTie diagram
The right hand side of the BowTie is all about working out and reducing the IMPACT that the Top Event could have on your organisation.
A Consequence is something that could happen if the Top Event were to become a reality, and it is almost always something negative or undesired. A Consequence is always downstream of the Top Event, and when carrying out your BowTie analysis, on the right hand side, you need to assume that the Top Event has already occurred when conducting your analysis.
Safety example: Worker is severely injured as a result of falling from height
Enterprise example: Profits fall
A Recovery Measure is another form of Risk Control and it is put in place between the Top Event and Consequence in order to reduce the probability of the Top Event (after it has happened) leading to the Consequence. Recovery Measures reduce risk. Again, you have to assume that the Top Event has occurred when putting in place Recovery Measures; if you don't, it is quite easy to confuse Barriers with Recovery Measures (this is shown in the safety example below)
Safety example: Provision of a harness.
Many people would say a harness is a Barrier, however, we have stated that our Top Event is 'worker falls from height'. A harness will not stop someone falling, but it will prevent serious injury should they fall, which we have defined as our Consequence - a harness is therefore a Recovery Measure in this case - nomenclature and context is important in BowTie analysis.
Enterprise example: Continual communication with shareholders
Recovery Measure Escalation Factors
Much like the left hand side Escalation Factors, the Recovery Measure Escalation Factors represent a further level in your Risk Management plan, and they are things that reduce the effectiveness of your Recovery Measure - they increase Risk by inhibiting the probability reducing power of your Recovery Measure.
Safety example: Harness fails
Enterprise example: Shareholders do not respond well to PR communications
Recovery Measure Escalation Factor Controls
Recovery Measure Escalation Factor Controls are a type of Risk Control that are put in place to prevent the negative effect of the Recovery Measure Escalation Factor they are attached to - they reduce risk. In fact, Recovery Measure Escalation Factor Controls represent the last line of defence in your BowTie analysis/ Risk Management plan because it is here that you srutinise down to the lowest level about how to prevent a Consequence from occurring as a result of a Top Event coming into fruition.
Safety example: Harness to be maintained at regular intervals
Enterprise example: Financial Insurance
In conjunction with the text above, and the main diagram of this post, I have explained the key component of a BowTie diagram, and how BowTies are used for Risk Management.
This description represents a qualitative approach to BowTie Risk Management i.e. we haven't defined any values - we have simply described a chain of events.
In my next post, I will show you how to use BowTie Risk Methodology in a quantitative way - that is, to use BowTie Risk Management to fully quantify your Risk Management plan and add values to it- making it an extremely powerful risk tool when it comes to Risk Assessment, Risk Prioritisation, Risk Control and Risk Communication.