How to Improve Bowtie Risk Analysis
What is Bowtie Risk Analysis?
There are three main components in risk assessments: causes, events and consequences. Think about the risk of slipping and getting hurt when walking outside in winter: The cause is a slippery sidewalk due to snow or ice, the event is that you slip and take a bad fall, and the consequence is a bruise. In many asset-intensive and process-intensive industries, causes are also known as “hazards”, and it’s important to not confuse hazards and risks. In addition, in some domains (IT, finances, etc.), the term “threat” is also used for causes.
Risk assessment is more complex than simply putting together three pieces (causes, events, consequences). The same event can have multiple causes and consequences. For each cause, a preventive control must be identified, although it’s possible for the same control to address two or more causes. A preventive control mitigates the risk by addressing the cause or hazard (e.g. a new ventilation system to reduce hazardous dust particles that can create respiratory problems). Finally, each consequence needs a recovery control, and just like for causes, it’s also possible for the same control to address two or more consequences. A recovery control aims to reduce the impact of the consequence (e.g. access to fire extinguishers if a severe equipment malfunction creates a fire).
Imagine if for a given risk you needed to put all causes, consequences, preventive controls and reactive controls in a spreadsheet or a table, including the relationships between them. Imagine also if you needed to identify potential missing pieces (causes without preventive controls, consequences without reactive controls). Things can get very complicated and overwhelming quickly. Bowtie risk analysis helps to better understand risks affecting the organization by visually representing risk concepts and the relationships between them.
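The gap check described above (causes without preventive controls, consequences without reactive controls) can be expressed as a small data model. This is an added example, not code from the article or from any vendor's product; the class names, the find_gaps function and the sample data are assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Control:
    name: str
    kind: str        # "preventive" (cause side) or "recovery" (consequence side)
    addresses: set   # names of the causes or consequences it is linked to

@dataclass
class Bowtie:
    event: str
    causes: set
    consequences: set
    controls: list = field(default_factory=list)

def find_gaps(bt):
    """Return the items a reviewer should see highlighted on the bowtie."""
    covered = {"preventive": set(), "recovery": set()}
    side = {"preventive": bt.causes, "recovery": bt.consequences}
    mislinked = []
    for c in bt.controls:
        if c.kind not in side:
            raise ValueError(f"unknown control kind: {c.kind!r}")
        covered[c.kind].update(c.addresses & side[c.kind])
        # A link to a name that is not on this control's side of the bowtie
        # protects nothing, so report it instead of counting it as coverage.
        for target in sorted(c.addresses - side[c.kind]):
            mislinked.append((c.name, target))
    return {
        "causes_without_preventive": sorted(bt.causes - covered["preventive"]),
        "consequences_without_recovery": sorted(bt.consequences - covered["recovery"]),
        "mislinked_controls": mislinked,
    }

def sample_bowtie():
    # Constructed sample data, loosely based on the article's examples.
    return Bowtie(
        event="Severe equipment malfunction",
        causes={"dust build-up", "overheating", "skipped maintenance"},
        consequences={"fire", "production outage"},
        controls=[
            Control("Ventilation system", "preventive", {"dust build-up", "overheating"}),
            Control("Fire extinguishers", "recovery", {"fire"}),
            Control("Spare parts stock", "preventive", {"production outage"}),
        ],
    )

if __name__ == "__main__":
    for label, items in find_gaps(sample_bowtie()).items():
        print(label, items)
```

In the sample, one preventive control covers two causes, one cause and one consequence are left uncovered, and one control is linked to the wrong side of the bowtie, which a flat spreadsheet would not flag.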
Risk Management Software Enables Dynamic Bowties
You can find many bowtie risk analysis templates on the Internet. These templates are better than managing risks through spreadsheets, but they’re not dynamic. You just enter the information and hope that you did not forget anything. In contrast, risk management software makes the bowtie dynamic by:
1) Showing where controls are missing.
2) Helping to evaluate the effectiveness of controls.
Let’s take a step back to understand why this is critical. Bowtie risk analysis is a risk management tool whose primary objective is to mitigate risks. Its primary objective is not to document causes, events and consequences in a graphical and visual way. That is a secondary objective that helps achieve the primary objective. Bowtie risk analysis is improved when it dynamically helps users better mitigate risks.
Risk management software that offers bowtie risk analysis functionality must guide users by dynamically highlighting the areas where preventive and reactive controls are missing. But that’s not all. If controls are in place, users should be able to see the effectiveness of each control and modify the ratings that calculate the effectiveness, with just a few clicks.
The result is more effective risk mitigation and more accurate residual risk ratings. Bowtie risk analysis is therefore improved by dynamically guiding users to implement better controls, not just by providing a fancy visual representation of causes, events, controls and consequences. If you are evaluating risk management software or bowtie software, make sure that its bowtie risk analysis is both smart and visually appealing. A bowtie can be both smart and beautiful!