In our last blog, we briefly mentioned ISO 31000 guidelines on risk analysis and then introduced the bowtie methodology. In this week’s blog, we will explore this in more detail using the bowtie methodology.
According to the ISO 31000 guideline, you should consider multiple factors during the risk analysis phase. As the International Organization of Standardization states:
“Risk analysis should consider factors such as”:
1 – The likelihood of events and consequences
Although the bowtie method is more qualitative at its core, it is also possible to add quantitative data to its different elements. Indeed, there are instances of people combining the LOPA technique with the bowtie methodology to great success.
In addition, it is also possible to display risk matrices (see figure 1) on consequences or even on the hazard or top event to capture the likelihood of certain events. Likelihood alone, however, is not enough to properly assign the risk, you will also need…
2 – The nature and magnitude of consequences
Once the likelihood has been verified, it needs to be calculated together with the severity, or magnitude of an event. In this way, the impact of the event of the consequence can be assessed, as a result prioritizing which consequence is most dangerous becomes clearer. This will make ALARP analyses easier thus allowing decision makers to make better-informed decisions.
Figure 1 – A typical risk matrix
3 – Complexity and connectivity
ISO 31000 states: “An event can have multiple causes and consequences and can affect multiple objectives”. The bowtie methodology lends itself well to support this part of risk analysis. As opposed to risk registers where it is often hard to understand which control, or barrier, is protecting us from which threat. As can be seen in the figure below, in the risk register it is hard to see if we have barriers for each threat/consequence line, whereas in the bowtie diagram it becomes immediately apparent.
Figure 2 – A risk register VS a bowtie diagram
4 – Time-related factors and volatility
The time-related factors can be considered a shortcoming of the bowtie methodology as it does not show just how much time a scenario would take to unfold. In addition, the volatility of certain events can sometimes be hard to capture in a bowtie other than by using the risk matrices.
5 – The effectiveness of existing controls
ISO explains that existing controls and their effectiveness and efficiency should also be taken into account when analyzing risk. By displaying the effectiveness of barriers through, e.g. color (see picture below), the final risk that will be assigned to a scenario in a risk matrix will be easier to understand and thus help to make decisions. For more information on defining effectiveness see our other blogs: 3 pillars to define barrier effectiveness or How to estimate the expected performance of your barriers or controls.
Figure 3 – Barriers colored according to their effectiveness
6 – Sensitivity and confidence levels
The bowtie methodology is incredibly effective at communicating risk to people in all layers of an organization due to its simplicity. As such, it is important to remember to add doubts and questions to your bowtie diagrams in instances of uncertainty. Simply adding a question mark or some words to the elements in a bowtie can already inform the decision makers of the uncertainty inherent in the scenario.
Join us in next week’s blog post to discover how to use BowTieXP to your advantage.