In this new blog series, we will try to address the different reasons and motivations why organizations (such as yours) might consider adopting the bowtie methodology as a means of risk management. If you think we missed a reason, or you have another opinion on why bowtie should be adopted, you are more than welcome to share that with us, so we can address it in future parts of this blog series. Of course, it is important to keep in mind that bowtie is just one of the possible methodologies to analyze risks, and therefore the goal of this series is to shine a light on a broader perspective. If your organization has adopted a different approach, we would like to encourage you to share that with us and the other readers. For now, enjoy the new blog series; we look forward to your contribution.
1st Reason to adopt the bowtie methodology – Meeting regulatory objectives (Complying with regulations)
What links bowtie with compliance?
When talking to clients or partners within our network, it would be fair to say that we encounter organizations and individuals with different motivations for their interest in bowtie software and the bowtie methodology. Often this motivation is related to the internal goals of an organization, which in turn relate to a certain maturity level on the safety culture ladder (see Figure 1).
Figure 1 – Safety culture ladder
Some organizations tend to be very focused on evolving on this safety culture ladder, while others are content with their current position. Where a company is located on the safety culture ladder is often not merely a matter of choice but closely relates to aspects such as the specific industry, revenue margin, or geographical location in combination with socio-cultural standards.
Usually when organizations are interested in bowties, they tend to be at (or at least strive for) the “Calculative” stage on the ladder. This does not necessarily mean that they instantly know how to approach their risks and hazards. Oftentimes this is the stage where a regulator helps to set some initial minimum thresholds that must be achieved to meet certain safety standards. In other words, the requirements from a regulator will influence the organizations within that industry and thus affect how risk management is executed, e.g. including the utilization of bowties.
Bowtie from a compliance-driven perspective
Thus, there are several companies and industries that are bound by compliance and regulations. For this scenario bowtie would be considered a tool that can help the organization to communicate risk exposure, risk assessment, or coverage and performance against certain regulations or standards.
When organizations need to demonstrate the above-mentioned aspects, they often require a certain format, and thus the need for specific reporting arises. From an “off the shelf software” developers’ perspective this is often a challenging topic to tackle, as different industries, regulatory bodies, and geographical locations set different requirements for those specific reports. However, there are common denominators that can be considered:
- Showing which standards or regulatory requirements are met;
- Showing what the gap between the current performance and the required performance is and how the organization is going to address this.
Figure 2 – Compliance Framework: Inspection data linked to objectives through bowtie controls and supporting activities
In order to address this, the “Compliance Framework” concept is part of our software solutions (BowtieXP combined with AuditXP and BowTieServer). This specific concept connects bowties to regulatory objectives and requirements. This feature could be described as a mapping exercise that allows organizations to split the regulatory standard into specific objectives. Whether these objectives are met can then be measured by assessing the controls or activities in place on the bowtie framework that contribute to achieving the objectives. See Figure 2b for an example of this framework within BowtieXP.
Figure 2b – Compliance Framework: Inspection data linked to objectives through bowtie controls and supporting activities
The BARS use case
The Basic Aviation Risk Standard, also known as “BARS”, is a regulatory standard that has been translated into a concrete Compliance Framework use case. After dissecting the regulatory documentation of this standard, we managed to identify 210 substantive compliance objectives.
Figure 3 – BARS dissected in compliance objectives
After linking these objectives to the available controls and activities within our (exemplar) aviation company ‘CGE Risk Air’, we managed to identify the gaps between the BARS and our bowtie framework and learned that not all objectives are covered by controls or supporting activities (see Figure 3). This insight allows us to address the gaps by implementing additional controls or supporting activities, or by adjusting the existing ones. Those objectives that are linked can be measured against the aggregated performance of all linked controls or activities. It is also possible to assign different maturity levels to all covered objectives, as shown in the image below.
Figure 4 – Coverage of objectives against controls and supporting activities
Bowtie from a regulatory perspective
Luckily, regulators do not only push their requirements and standards to the industry with the expectation that organizations implement them without any help. Of course, some industries do have to deal with such situations, but we would also like to look at the other side of the coin. There are many cases where a regulatory body shows the intention of helping and assisting the industry to achieve the minimum expected requirements. On several occasions, regulators have recognized the communicative power of bowtie and adopted the methodology within their requirements, as well as supporting its implementation within the industry.
The Significant Seven
A prominent example of a regulatory body, which has adopted bowtie and helps the industry using bowties, is the Civil Aviation Authority in the United Kingdom. Their goal is to make the aviation industry safer by sharing their regulatory requirements through a set of standardized bowties.
Figure 5 – The Significant Seven bowtie framework – Source: CAA UK
This standardization now allows every organization within the aviation industry to kickstart their risk management process and use these regulatory bowties as a starting point, after which every bowtie can be modified to meet individual needs. This offers many advantages for all parties involved, as it speeds up the process on the industry side and lowers the threshold to engage in decent risk management. From the regulators’ perspective, it standardizes the risk communication language, which allows them to review and monitor the industry in a more efficient way. More information about this initiative can be found on the website of the CAA UK.
Pros and Cons
As mentioned before, bowtie is not the only tool to address compliance-based or regulatory aspects within the organization. There are pros and cons to adopting the bowtie methodology with compliance as a driving force.
Pros:
- Measuring and knowing one's own performance compared to regulatory objectives will allow the organization to be prepared for (third party) audits and other inspections.
- Demonstrating performance against objectives will make it easier to communicate with the regulatory body, especially if they are familiar with the bowtie methodology.
Cons:
- Allocating too much focus to the compliance-based requirements raises the question of whether nothing else is important. And if something else is, does it actually get the right amount of attention, or is the focus on compliance overshadowing other important areas that could be addressed through bowties?
- The requirement of very specific reports for different industries or geographical locations around the world might not be directly covered by the off-the-shelf software. Bespoke reports might be needed.
In order to create more pros and battle the cons, from a developers’ point of view we are trying to deal with certain questions:
- What are the common denominators for regions/industries which we can use to solve a problem for everyone and include this in the off the shelf software concept?
- What movement or change can we expect in the forthcoming years from a regulatory point of view, and can we anticipate it (as something that is currently adequate might change in a couple of months)?
If you are interested in learning more about bowtie and using the compliance frameworks, or if you want to share your insights and help us take this concept to the next level, please contact us!
Keep an eye on our website to read about the next reasons why your company should adopt the bowtie method.