Establishing the context
Here the organization identifies the scope, objectives and parameters of the business activities that require risk management. All resources needed to carry out the risk assessments are considered, such as the responsibilities and strategies used. In effect, this is the plan of approach for your risk management process.
The organization needs to determine who will be involved in the risk management process, to whom the risks are communicated inside and outside the organization, and how each step of the risk management framework will be approached. Here you also determine which methods will be used, for example, the bowtie method.
Risk identification
The goal of risk identification is to end up with a comprehensive list of business activities, substances or processes that have the potential to cause harm to people, assets, environment or reputation of the organization. This list is called a risk register.
Usually this risk register, which is often made in Excel, already contains components that are also used in the bowtie method:
- Potential causes
- Consequences
- Barriers or control measures (identified to some extent at this stage)
When the risk register is completed, the consequences are individually assessed using a risk matrix. Risk matrices determine the severity and the likelihood of an incident (the consequences). The organization can now see which scenarios are high-risk and which are low-risk.
Risk analysis
This is actually the first stage where the bowtie method comes into play. In the previous step, we identified our risks, but we don’t want to make a bowtie for every risk that we have. So we make bowties for the high-risk scenarios (e.g. Major Accident Hazards) and keep the low-risk scenarios in the register. It is good to review this register on a regular basis, because some low risks may become high risks due to organizational and operational changes or other influences.
Bowtie is a method that helps you to analyze and assess risks. The diagram is divided into two parts and is shaped like a bow tie. The left side is the proactive side, which answers the question: what do we have to do to prevent any deviation from the normal process? The right side is the recovery side. Once a deviation from the normal process or a ‘loss of control’ occurs, we put the controls on the right side to understand what we have to do to prevent the consequence(s) from happening or to mitigate their effects. See the image below.