Risk assessment lies at the heart of the joint IRM, AIRMIC and ALARM risk management standard. And one of the most powerful and increasingly popular risk assessment techniques is the 'bow-tie' method, so called because it describes the management of risk in the shape of a bow-tie.
This method goes beyond the usual risk assessment snapshot and puts emphasis on the linkage between risk controls and the management system. It thus can help to ensure that risks are truly managed, rather than just analysed. It forces practitioners into undertaking a comprehensive and structured approach to risk assessment, and it is also an excellent means of communicating risk issues to non-specialists.
The bow-tie method provides a readily-understood visualisation of the relationships between the causes of business upsets, the escalation of such events, the controls preventing the event from occurring and the preparedness measures in place to limit the business impact (Fig 1). More importantly, the preventive and mitigating measures are linked to tasks, procedures, responsible individuals and competencies. This highlights the crucial connection between risk controls (whether hardware, procedural or competence based) and the management system necessary for assuring their ongoing effectiveness.
Bow-ties originated as a method for assessing hazards and operational risks, although the exact origins of the methodology are a little hazy. The earliest mention appears to be in an Imperial Chemical Industries training course from 1979. Undoubtedly, the Royal Dutch/Shell Group was the first major company to fully integrate the bow-tie method into its business practices and is credited with developing the technique which is widely used today. The primary motivation was to seek assurance that fit-for-purpose risk controls were consistently in place throughout all operations world-wide.
Use of bow-ties has subsequently spread between companies, industries, countries and from industry to regulator, and their application has been extended to embrace all risks, for example financial, strategic, security, quality, business interruption, political, human resources, design and project risks. The possibilities are endless.
The method for building a bow-tie diagram involves asking a structured set of questions in a logical sequence to build up the diagram step by step (Fig 2). The completed bow-tie illustrates the hazard, its causes and consequences, and the controls to minimise the risk.
Facilitated workshops involving people who are regularly confronted with the risks have proved to be the most effective way of identifying real controls and capturing current practice. Honesty is an essential ingredient during these sessions if any weaknesses in controls are going to be uncovered. To encourage honesty, the workshop needs to be run in an open and engaging fashion, and an independent facilitator can often help to create such an environment.
- Logical structured approach: Risk assessments can have a tendency to concentrate on the level of risk only, rather than considering all aspects of the management of risk. The structured approach of the bow-tie forces an assessment of how well all initial causes are being controlled and how well prepared the organisation is to recover should things start to go wrong. It highlights the direct link between the controls and elements of the management system (Fig 3). This logical approach often identifies gaps and issues that are missed by other techniques.
There are other ways of showing this link (for example tables) but the bow-tie provides the clearest graphical illustration and offers other benefits.
- Communication: The diagram is easy to understand at all levels of an organisation, including personnel who are not connected with the day-to-day operation being assessed. The bow-tie can be displayed on posters highlighting key risk control issues. Pocket books and leaflets have also been produced for dissemination of the risk management message, and web-based bow-ties can form part of on-line training and information systems.
You do not have to use sophisticated techniques to get the most from the bow-tie method. Talking through the components of a particular scenario while sketching a bow-tie, layer-by-layer, can clearly illustrate how the risk is managed. In this sense it is true that a picture paints a thousand words.
- International application: The graphical-based approach is easy to implement with multi-national teams where language difficulties may otherwise hinder progress.
- Organisational improvements: Bow-ties can highlight areas where organisational control is weak, enabling resources to be targeted at those areas where most benefit is likely to be gained. Bow-ties have also been used to ensure that critical controls do not fall through the cracks after a company reorganisation, merger or acquisition. Bow-ties can be used during incident investigations to identify organisational weaknesses that allowed risk controls to fail.
- Procedures and competence: A completed bow-tie assessment includes identifying critical tasks undertaken to assure the ongoing integrity of risk controls. These tasks can be high level tasks such as setting and reviewing policies for corporate social responsibility, or lower level tasks such as testing and maintaining a standby diesel generator to ensure the uninterruptible power system for IT equipment will work when the local grid supply is lost. What is important is that critical tasks have been identified, and that people know they need to do them and why.
The tasks can be used to verify the adequacy of a company's competence assurance system; the competencies defined for each role should align with the bow-tie controls. You may find that people know what they have to do, but they have not been fully trained, or do not have the right personal attributes for the task. Bow-ties have also been used to manage handover of responsibilities for new-starters.
- Critical systems: Hardware systems which prevent, detect, control or mitigate a significant business risk are deemed critical. Systems such as fire protection systems or emergency power systems are clearly illustrated along the threat and consequence branches of the bow-tie and can be linked to defined standards for their performance and how their performance will be verified. This verification may be required by statutory regulations to be undertaken by independent specialists, such as third-party inspection of steam generating boilers.
- 'Future proof' risk management: Unlike other risk assessment techniques, the bow-tie illustrates not only what controls are currently in place, but, through the use of critical tasks, why they will still be there tomorrow.
- Practical assessment: Bow-tie workshops stimulate communication between key stakeholders who all have a role to play in managing risk. Bow-ties focus on risk management by people on a day-to-day basis, rather than analytical studies by technical risk specialists. All too often risk analysis can become progressively more complex, leading to analysis paralysis, which overwhelms the need to take positive action.
- Involvement and ownership: Risk management is the responsibility of line managers and their people; all staff can see why what they do is critical for risk control. When people feel involved they tend to buy in to the process. When action is taken based on what they say, people will take ownership.
- Demonstration: Bow-ties can be used to demonstrate that risks are being controlled. This provides management with the assurance that risks are being properly managed and was the primary driver for the implementation of the approach within Shell from the mid-1990s. For example, bow-ties have been used successfully in formal safety reports produced for compliance with the European onshore chemical industry Seveso II Directive.
- Auditable trail: The diagrams and critical tasks provide a protocol around which auditing by internal departments or regulators can focus on what people are actually doing rather than physical systems.
Of course bow-ties are not the panacea for all risk management problems. If you want to quantify your level of risk in absolute terms then the bow-tie method will not help directly. If you want to model complex inter-relationships between your risk controls, there are better ways than using bow-ties. But if you want to remove the mystique of risk management and obtain insights into your risk controls that are easy to understand and easy to communicate, then there is no better method than bow-ties.
- Steve Lewis is a director and Sheryl Hurst is a principal consultant with Risktec Solutions, Tel: 01925 438010, www.risktec.co.uk
European Case Studies
Case Study A: An oil and gas company whose onshore wells were periodically drilled close to third-party land pioneered the use of bow-ties to illustrate to the regulator and members of the public that the hazards associated with the operation were recognised, understood and well managed, both from a preventive point of view and for preparedness in the event of an emergency. Simply drawing bow-ties freehand during public meetings helped considerably in putting across the message that the company was in control of the hazards and the risks were minimised.
Case Study B: The bow-tie has been used successfully as a means of assessing the adequacy of controls and identifying areas for risk reduction for a rail transport network. A series of stakeholder workshops employed the bow-tie method to test the robustness and number of existing safeguards and identify improvements. For each risk control, critical operating parameters were identified and links were made to rail operating procedures, maintenance systems and international standards. Actions were identified to strengthen particular controls.
Case Study C: A multinational natural resources organisation has applied the bow-tie method to map its company-wide corporate risk management strategy, covering all risks including quality, financial, business, political, environmental, information technology, human resources, design and new technology. A simplified version of a political risk bow-tie is illustrated in Fig 4.
Case Study D: Use of web-based bow-ties has enabled one organisation to ensure that up-to-date, consistent information on risk-critical roles and responsibilities is managed effectively, aligned with business processes and disseminated to individuals, disciplines and projects. In this way the management system is 'operationalised', enabling it to serve as a dynamic corporate risk memory.