Many high-hazard industries have to deal with ISO 31000, a risk management standard that applies to any organization. ISO (the International Organization for Standardization) recommends that organizations develop, implement and continuously improve a risk management framework throughout the entire organization (ISO 2009). To achieve this, many organizations use the bowtie method: a visual way of doing risk assessments that gives organizations a good understanding of how they control risks. This blog shows you how the bowtie method will help you conform to the ISO 31000 standards for risk management.
The optimal process of risk management according to ISO 31000
The picture below comes from ISO 31000:2009 and shows the optimal general process of risk management. The activities and stages shown in this picture should all be included in the risk management framework. We discuss each stage and activity below and explain what role the bowtie method plays in each of these stages.
Establishing the context
Here the organization identifies the scope, objectives and parameters of the business activities that require risk management. All resources needed to do the risk assessments are considered, such as responsibilities and strategies used. It is basically the approach plan of your risk management process.
The organization needs to determine who will be involved in the risk management process, to whom the risks are communicated inside and outside the organization, and how each step of the risk management framework will be approached. Here you also determine which methods will be used, for example, the bowtie method.
The goal of risk identification is to end up with a comprehensive list of business activities, substances or processes that have the potential to cause harm to people, assets, environment or reputation of the organization. This list is called a risk register.
Usually this risk register, which is often made in Excel, already contains components that are also used in the bowtie method:
- Potential causes
- Barriers or control measures (identified to some extent at this stage)
When the risk register is completed, consequences are individually assessed using a risk matrix. Risk matrices determine the severity and the likelihood of an incident (the consequences). The organization can now see the high-risk scenarios and the low-risk scenarios.
This is actually the first stage where the bowtie method comes into play. In the previous step, we identified our risks, but we don’t want to make a bowtie for every risk that we have. So we make bowties for the high-risk scenarios (e.g. Major Accident Hazards) and keep the low-risk scenarios in the register. It is good to review this register on a regular basis, because some low risks may become high risks due to organizational and operational changes or other influences.
Bowtie is a method that helps you to analyze and assess risks. The diagram is divided into two parts and is shaped like a bow tie. The left side is the proactive side that answers the question: what do we have to do to prevent any deviation from the normal process? The right side is the recovery side. Once a deviation from the normal process or a ‘loss of control’ occurs, we put the controls on the right side to understand what we have to do to prevent the consequence(s) from happening or to mitigate their effects. See the image below.
The information that we already have from the risk register can all be placed in the bowtie. Instead of a flat list, we can now see the relation between threats, consequences and barriers. This gives us a better understanding of the actual function of the barriers; do they prevent the consequences or eliminate the threat?
After creating the bowties and analyzing the risk, it is time to evaluate the risk scenarios. This is also done using the risk matrices, where the residual risk is determined. The risk scenarios are usually evaluated on the consequences, with, for example, risk matrices for people, assets, environment and reputation. In the risk matrix you can set a limit that separates scenarios that are ALARP from those that are not. In the figure below you can see an example. All scenarios above the orange line are considered ALARP and require continuous monitoring, and all scenarios under the orange line are considered not ALARP and require a risk treatment.
Some decisions need to be made for risk scenarios that we do not consider to be ALARP. This is what ISO 31000 calls risk treatment. Here you can define actions for improvement, for example, adding new barriers or improving barriers.
There is a workflow to assess the risk treatment, as in the model below. The risk treatment that we have determined needs to be assessed. We assess the risk treatment to determine the level of risk tolerability. If the risk treatment results in a tolerable risk level, we can conduct the treatment. If the risk treatment is not sufficient to make the risk level tolerable, we can change the risk treatment or make a new one until a tolerable risk level is reached.
In BowTieXP it is possible to visualize this treatment and to assess the residual risk matrix on the consequences or top event. Bowties make it easy to understand where risk treatment is needed and where barriers need to be added or improved.
Communication and consultation
During the entire risk management process, communication and consultation play a significant role. Risk needs to be communicated across the organization and also to stakeholders. Bowtie can be very useful in this stage because it is an easy-to-understand visual diagram and much clearer than a document full of text. In a sense, the bowtie is a self-telling story that allows people in all layers of the organization to understand the entire risk picture.
Monitoring and review
On the right side of the ISO 31000 framework, we see monitoring and review. Here we want to receive information on how our barriers are performing. There are various ways to monitor and review the performance of the barriers. In combination with bowties, audits and incident analyses are commonly used. Incident investigations provide information on why the barrier failed, while auditing is a proactive way to check the barriers. Results can be shown on a bowtie, like in the figure below.
Now that you have conducted all these steps, the risk management process is still not finished. Actually, it will never be finished. Risk management is a continuous cycle, as each little change in the organization or environment may lead to high potential risks.
Learn how to conform to ISO 31000 using the BowTieXP software
BowTieXP is a well-known tool that is used worldwide across various industries. It not only offers bowtie-building functionality but also allows you to manage your barriers (controls) by linking them to the management system. It visualizes improvement actions to reduce risk and strengthen your risk scenarios. For communication and consultation, BowTieXP offers a set of different filters to show the exact information to your audience without deleting any information. To prevent a bowtie from being a static picture, BowTieXP can be used in combination with IncidentXP and AuditXP to monitor and review barrier performance.
Want to learn how this all works? Request a personal online demonstration on this subject matter.