Organisations that struggle to implement risk management often view the process as being “all pain, no gain” – that is, it is seen as a drain on resources without offering much in return. In August, we tried to answer the question “What is Risk Management?” We explained that the risk assessment process broadly involves three phases:

  • Risk Identification – recognising what risks exist
  • Risk Analysis – deciding how to prioritise the risks. This is commonly considered in terms of likelihood and consequence, after considering current controls
  • Risk Treatment – using the results of the risk analysis to determine how to deal with the risks

    A tool that can be used as part of the risk analysis phase is the bow-tie method.

    The Bow-tie Method

    The bow-tie can be used to help simplify risk assessment by allowing one to conceptualise the interaction of causes, controls and consequences of a risk. The following diagram illustrates the process.

    Risk Analysis using Bow-Ties

    The steps to undertaking a risk analysis using the bow-tie method are as follows:

      • Of all the possible consequences resulting from the risk (these are the yellow boxes above), identify which is the most foreseeable, as opposed to the worst-case
      • Identify the consequence level of the most foreseeable consequence
      • Identify the likelihood level of the risk occurring and resulting in the consequence identified in Step 1

        Example: Kitchen Fire

        In this case, we might identify that the most foreseeable consequence of a kitchen fire would be asset destruction. Our analysis would thus be:

        • What is the consequence of asset destruction due to fire?
        • What is the likelihood that there will be a fire which causes asset destruction?

        By constructing a bow-tie diagram, one can simply see how multiple causes with failed preventative controls result in a risk occurring. If the preparedness controls also fail, the risk will occur and have a negative consequence. Mapping risks using the bow-tie can provide a sound starting point from which to ensure controls are actually addressing the real causes and consequences.