To understand what a risk assessment is and how it can be conducted, it is important to first distinguish the terms ‘risk’ and ‘hazard’. Risks and hazards are often confused with one another, but they are not the same. Risk is the likelihood of harm in defined circumstances, while a hazard is an activity with the potential to cause harm.
Hazardous activities are often part of normal business and therefore organizations are exposed to certain risks. Activities such as flying planes or producing kerosene are typical hazards. A hazard by itself is not harmful but if there is a loss of control over the hazard (or hazardous activity) it can become harmful.
How to conduct a risk assessment
To make sure an organization is in control of their hazardous activities and the damage they can cause, a risk assessment should be conducted. A risk assessment is a procedure where different risks are reviewed, qualified and clarified in a way that makes it possible to determine an adequate action or state to prevent or lower the risk. In turn, this makes it possible to make educated decisions when it comes to risk and risk management.
When evaluating risk by conducting a risk assessment, all influential factors need to be considered. By doing so, certain questions need to be asked. Some examples are:
- Who could get harmed?
- How might this person get harmed?
- What is the inherent risk for this to happen? (the risk without any implemented controls or barriers)
- What control measures (also called barriers) are in place or can be put in place to prevent an event from happening?
- What is the residual risk after the control measures? (the risk with implemented controls or barriers)
To do this in a structured way, risk assessments are often done within a spreadsheet (image 1).
Results of risk assessments are often gathered in risk registers, which provide insight into all possible risk scenarios, their threats, consequences and controls. Risk registers are often created using spreadsheets (image 2).
Spreadsheets versus the bowtie method
Registering all data within a spreadsheet is a great way to gather all relevant information. However, there are some limitations to this approach. When looking at a risk register, the information often gets too complicated for non-experts. Furthermore, a spreadsheet does not necessarily show the connections that are so important to fully understand the risks a company is dealing with. As a result, blind spots can arise because Excel sheets often don’t show control measures in the context of specific risk scenarios. In other words, you cannot always tell where a control is placed within the risk scenario.
Example: Blind spots of a classic risk register.
Based upon the information in the image above, it can be concluded that there are 9 control measures in place for 3 threats and 3 consequences. This should be sufficient to be at least “medium safe”. Therefore, the risk rating is set to medium. A logical assumption could be that the control measures are equally divided over the threats and consequences. However, this is not certain and is not visualized clearly by the spreadsheet.
Over time, the need for better visualization of risk scenarios increased. Organizations wanted more control and oversight, which led to the development of the bowtie method as we know it today. A bowtie often tells the complete story that a more traditional risk register cannot. In a bowtie diagram all possible scenarios are shown individually, with all relevant control measures in the right context. This makes it possible not only to understand the risks intuitively, but also to put everyone reading the diagram on the same footing, regardless of the reader’s level of expertise. By nature, the human mind can more easily understand a picture than a comprehensive spreadsheet.
Example: Blind spots uncovered – Risk register scenarios visualized with bowtie.
Advantages of bowtie risk assessment
At a single glance, the bowtie immediately visualizes the risk this organization is exposed to. It can be concluded from this picture that this organization is not in control of all specific risk scenarios. The threat, intoxicated driving, completely lacks any control measures. Thus, if anyone enters their car drunk, there is nothing in place to stop this from causing the top event. Next, it shows that the organization is in a reactive state of operation (rather than a proactive one), as most control measures in place kick in after the loss of control (right side of the bowtie). The assessment in this case would not be rated “medium” anymore, and the organization would know exactly where to allocate the resources to protect itself.
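The two examples above (the flat register with 9 controls for 3 threats and 3 consequences, and the bowtie that exposes an uncontrolled threat and a reactive control set) can be reproduced in code. The following is an added illustration, not code from the original article or from any bowtie tool: it encodes a scenario as a bowtie, prints the count-only view a spreadsheet row gives, and then asks the two questions the bowtie answers, which threats have no preventive barrier and what share of controls only act after loss of control. The top event, the second and third threat names, the consequence names and the barrier names are constructed placeholders; only "Intoxicated driving" comes from the article. The rating rule at the end is an assumption for illustration, not the article's method.

```python
from dataclasses import dataclass, field
from typing import List


@dataclass
class Barrier:
    """A control measure. Preventive barriers sit left of the top event and
    stop a threat from releasing the hazard; mitigative barriers sit right of
    it and limit a consequence once control has already been lost."""
    name: str
    side: str  # "preventive" or "mitigative"


@dataclass
class Threat:
    name: str
    barriers: List[Barrier] = field(default_factory=list)


@dataclass
class Consequence:
    name: str
    barriers: List[Barrier] = field(default_factory=list)


@dataclass
class Bowtie:
    top_event: str
    threats: List[Threat]
    consequences: List[Consequence]

    def barriers(self) -> List[Barrier]:
        out: List[Barrier] = []
        for node in self.threats + self.consequences:
            out.extend(node.barriers)
        return out

    def register_row(self) -> dict:
        """What the flat spreadsheet row shows: totals only, no placement."""
        return {"threats": len(self.threats),
                "consequences": len(self.consequences),
                "controls": len(self.barriers())}

    def uncontrolled_threats(self) -> List[str]:
        """Threats with no preventive barrier: nothing stops the top event."""
        return [t.name for t in self.threats
                if not any(b.side == "preventive" for b in t.barriers)]

    def reactive_share(self) -> float:
        """Fraction of all controls that only act after loss of control."""
        bs = self.barriers()
        if not bs:
            return 0.0
        return sum(b.side == "mitigative" for b in bs) / len(bs)

    def rating(self) -> str:
        """Illustrative rule (assumption, not the article's): a threat with
        no preventive barrier makes the scenario 'high'; otherwise keep the
        count-based 'medium' the register would have assigned."""
        return "high" if self.uncontrolled_threats() else "medium"


def build_example() -> Bowtie:
    """Constructed sample matching the article's counts: 3 threats,
    3 consequences, 9 controls, with 'Intoxicated driving' left uncontrolled
    and six of the nine controls on the mitigative (right) side."""
    prev = lambda n: Barrier(n, "preventive")   # noqa: E731
    mit = lambda n: Barrier(n, "mitigative")    # noqa: E731
    return Bowtie(
        top_event="Loss of vehicle control (constructed placeholder)",
        threats=[
            Threat("Intoxicated driving"),  # from the article: no barriers
            Threat("Threat B (placeholder)", [prev("Barrier P1"), prev("Barrier P2")]),
            Threat("Threat C (placeholder)", [prev("Barrier P3")]),
        ],
        consequences=[
            Consequence("Consequence X (placeholder)", [mit("Barrier M1"), mit("Barrier M2")]),
            Consequence("Consequence Y (placeholder)", [mit("Barrier M3"), mit("Barrier M4")]),
            Consequence("Consequence Z (placeholder)", [mit("Barrier M5"), mit("Barrier M6")]),
        ],
    )


if __name__ == "__main__":
    bt = build_example()
    print("register view:", bt.register_row())          # 3 / 3 / 9 looks "medium"
    print("uncontrolled threats:", bt.uncontrolled_threats())
    print("reactive share: %.2f" % bt.reactive_share())
    print("rating from bowtie view:", bt.rating())
```

The register row alone (3 threats, 3 consequences, 9 controls) is exactly the information from which the "medium" rating was derived; the same data, once each barrier is attached to the threat or consequence it actually guards, shows the uncontrolled threat and the two-thirds reactive control set that the article's bowtie makes visible.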