The Risk Bowtie – 5 critical questions for managing risk
Rick Mounfield, CEO of the Security Institute, invites you to consider the Risk Bowtie – 5 critical questions as a straightforward and graphic way to represent your approach to managing a risk.
“A picture paints a thousand words” said Frederick R. Barnard in 1921 and it’s well worth considering when you need to demonstrate a risk and its associated impacts in a succinct way. There are many tools available to the modern security professional and I offer this method for your toolbox. I have seen it used by the Civil Aviation Authority and the British Army. I like its simplicity and visual articulation.
Many reading this will be well versed in risk and the common strategies that can be used to manage it. The manner in which we demonstrate each risk and present it will impact on the way it is read and understood by those that need to implement the control measures. Overly technical and it can become confusing. Too little information and it may not realistically reflect the true measure of the risk event or the controls required to respond.
As you can see, the model is shaped like a bow tie, creating a clear differentiation between proactive and reactive risk management.
Every business has hazardous events that will be listed on a risk register. Those risks can be individually assessed and then managed using the Risk Bowtie – 5 critical questions:
What is the hazard? And what is the top event that could occur?
It can be anything deemed as such, like crossing the road. The hazard is the act of crossing the road. The top event (in the bowtie knot) is the top risk event, the thing we wish to mitigate – in this case, being struck by a moving vehicle, resulting in death or serious injury.
What is the threat?
These are the actions that will increase the chance of the risk event occurring. When crossing a road the following could be threats: not looking both ways, using a mobile device or being distracted, being intoxicated, rushing, or not using a pedestrian crossing. All will increase the likelihood of being struck by a vehicle.
What are the consequences?
Consequences need to be considered as far as possible to ensure all aspects are covered: death or serious injury to self; car swerves and crashes into other pedestrians; car crashes and injures driver resulting in legal action; multiple vehicle collision. The list is as exhaustive as you make it.
At this stage we have a clear understanding of the risk and what needs to be controlled. The hazard, top event, threats and consequences give us an overview of everything we don’t want around a certain hazard.
Every line through the bowtie represents a different potential incident. Besides containing incident scenarios that might already have occurred, part of the strength of the bowtie is that there is also room for scenarios which have not occurred yet. This makes it a very proactive approach.
What are Preventative and Recovery Barriers?
Barriers are also known as controls. Typically, they sit either side of the bowtie but, as shown below, they can be grouped. To the left are the preventative controls implemented to prevent the top event occurring. This may include installing a pedestrian crossing or footbridge over a busy road. To the right we place the recovery controls, the things that will limit the impact if the top event does occur.
In our scenario this may include first aid actions and traffic control to secure the safety at the scene of the accident – things that prevent the death of the pedestrian. In most cases the barrier or control will have an escalation factor, e.g. the pedestrian crossing is there, but what if the pedestrian does not use it correctly or the driver fails to stop at the red light? How can we increase the safety in that event?
What is a response?
Once the controls are in place and escalations are considered, the response can be allocated. What aspects will be impacted by this event occurring?
People, the asset, the environment or even reputational damage. Responses could include:
- Treat the risk (physical implementation – what will that cost?)
- Treat the risk (no cost – policy or procedure)
- Tolerate the risk
- Transfer the risk (insure it?)
- Terminate the risk (if possible)
- Take the opportunity (doesn’t work with our scenario but might when you use this in your place of work)
There are many risk management tools available; perhaps this one is new to you. It’s worth looking at a little closer.
Rick Mounfield
Security Institute