Risk Bow Tie Analysis is a powerful tool to document and communicate any type of risk. At Protecht we have always been passionate about the Bow Tie technique and have developed a number of content pieces on the topic. These include a thought leadership webinar, a "Bringing it to Life" webinar, an eBook and, most excitingly for us, the incorporation of Risk Bow Tie Analysis as a tool in our risk management system, Protecht.ERM.
In this article I share with you the Q&A from the thought leadership webinar.
Questions and Answers from the Live Session
1. Do you find that people tend to use different ways of structuring bow tie based on their personal perception (say hierarchy based or functions based or relationships between objects) and whether group review could benefit the review of bow tie to make sure the issue is approached from different angles?
David Tattam: As the Bow Tie is an analytical tool which maps out people's perception of the relationships between different parts of a risk, different people will have different approaches. I have found that this is healthy and creates healthy challenge and debate so that a consensus is reached that takes into account everyone's thinking, collectively.
2. Does the pervasiveness of the risk have an impact on the Bow Tie? Does it make it more complex?
David Tattam: There are definitely different levels of complexity depending on the type of risk and also the level (Board vs. Coal Face) that you are doing the analysis at. The more pervasive and widespread the risk is, the greater the potential for complexity. The key is to always make the Bow Tie fit for purpose. Where a Bow Tie becomes too complex, it is better to split the Bow Tie into 2 or more smaller Bow Ties, each of a reasonable size and complexity to facilitate easy understanding.
3. As with systems thinking, do you have to acknowledge your own biases and limits of understanding?
David Tattam: Yes. There is a large portion of "art" and subjective judgement in risk management. As with anything involving subjective judgement, it is important to understand your own, and the group's biases and heuristics when creating Bow Ties. This is to a degree overcome when you have a number of people working together to create a Bow Tie so that healthy debate and challenge is achieved.
4. I fear the comprehensive technique looks overly complicated rather than an easy communication tool.
David Tattam: This is up to the user. You can make the Bow Tie as simple or as complex as you wish.
5. The target audience for this BTA would be full time practitioners. Sorry, if you use this BTA, you will lose a Board or a committee. 20 years using the BTA tells me that this level of complexity won’t be understood by non-risk professionals. If Protecht expect to use this BTA to articulate risk on a page for executives, there will need to be a cut-down, more simplistic version.
David Tattam: This depends on how complex you make the process and the diagrams. The level of complexity is up to the user. Our experience is that the Bow Tie, with some appropriate training, is engaging and usable by a wide range of non risk practitioners.
6. Is the breach of the compliance obligation the risk event, or the intervention by a regulator the risk event?
David Tattam: On the basis that a common objective of any organisation is / should be "to comply with applicable regulatory obligations", then the breach of an obligation is a failure of an objective. This therefore makes it an impact, not a risk event. The risk event is the point at which control is lost, which could then lead to a compliance breach. For example, for breach of privacy obligations, the risk event may be "loss of control over confidential data". Intervention of a regulator is also not the main event as loss of control comes way before that. This will be a late event, between the main event and the impact.
7. Do you distinguish between preventing and mitigating controls?
David Tattam: At Protecht, our best practice methodology is to recognise Preventive, Detective (Early and Late) and Reactive / Corrective controls. Preventive and Early Detective controls will link to the left hand side of the bow tie and be primarily focused on reducing the likelihood of the main event occurring (probably what you call "preventing" controls). Late Detective and Reactive / Corrective controls link to the right hand side of the bow tie and are focused primarily on the reduction of impact from the main event having occurred (probably what you call "mitigating" controls).
8. Please can you provide advice on how to aggregate measures of control effectiveness to provide overall indicators of risk and/or vulnerability?
David Tattam: This is a complex question. Our Protecht.ERM system has the capability to determine an overall effectiveness of a group of controls over a risk based on a number of factors including whether the control is key or non-key and the control assurance rating (Effective, Partially Effective or Ineffective). We however recommend this only as a guide and judgement must still be used. Using the bow tie to help this by seeing the complete risk picture, is very useful.
9. Would failure to wear PPE not also be a root cause?
David Tattam: We view PPE as a control. Therefore failure to wear PPE is a failed control rather than the root cause of a risk.
10. Why are there controls on the Knot? I thought they had to be related to a cause?
David Tattam: Controls can be attached to any node within the Protecht.ERM Bow Tie tool. It depends on the nature of the control and the nature of the main event (knot).
11. I love Bowtie analysis as well, do you think it has any downsides to it? What are the limitations of Bow Tie Analysis?
David Tattam: There are not many downsides as a technique. If there are any downsides it would be in how Bow Ties are created. There is a big difference between a good and a bad Bow Tie!
12. How do you encourage SME in business to go through a risk bow analysis with the risk team?
David Tattam: The key is to show the value of the technique for the SME, demonstrate the simplicity of the technique and provide a simple worked example.
13. I just wonder why the ISO 31000 risk definition looks only at risk as a negative event?
David Tattam: Per the ISO 31000 Standard, Risk is "the effect of uncertainty on objectives". It goes on to say "An effect is a deviation from the expected. It can be positive (sometimes expressed as opportunities), and negative (sometimes expressed as threats), or both." As a result, the ISO standard does look at both the positive and negative effects of risk.
14. I am interested in the KRI elements of Bow tie analysis
David Tattam: We do have an online recorded training course on Key Risk Indicators that covers this. Please contact us if you are interested in this 6 hour online course.
15. How do you make the difference / how can you determine a main event versus interim ones? How does one identify which event is the core risk event rather than interim. e.g., I would think 'car fails' would be risk event.
David Tattam: The main event is the point at which you lose control of the situation. For some risks this may not be obvious and you may feel a number of events could be deemed to be this point. As a result, it is not crucial exactly which event is deemed the main event. You should look at the complete risk and consider what is the best "short name" for the risk and this will be your main event.
16. Is the Event in the middle of the Bow Tie always coming from entries from the Risk Register?
David Tattam: Where you are using Bow Ties to support risks in a risk register, the event in the middle (main event) should be the same as the risk register risk name. Where the bow tie is not connected with a risk register, there is no necessity for this.
17. On risk registers we capture impacts, but not causes, do you recommend capturing causes at this level as a separate column?
David Tattam: This depends on maturity. Where your risk management is more mature we definitely recommend that you capture your causes, as managing the causes means that your risk management becomes more proactive and preventive.
18. Which method is more effective and advisable for the organisation's use- Barrier or Comprehensive?
David Tattam: There is no one answer. The Barrier method is simpler and therefore more easily understood but it lacks a complete view of the linkages between Cause and Main Event and Main Event and Impacts. Protecht prefers the Comprehensive method because of the completeness of the risk story but you can use both on a fit for purpose basis.
19. You mentioned the Bow Tie was based on a Risk Centric approach. Can it be based on an Objective centric approach?
David Tattam: If you do an Objective Centric approach, it will not be a Bow Tie! As the objectives are the final impact of a risk, the resulting diagram will be a wedge with the point on the right side, ending in the impact on objectives, and the left side will show the various risks and risk pathways that could impact the objective.
20. How can the Bow Tie be used to quantify or use ratings within the process/method?
David Tattam: At a basic level, the bow tie can help the qualitative assessment of likelihood and impact as you can more clearly see the drivers of likelihood (left side of bow tie) and the drivers of impact (the right side of the bow tie). At a more advanced level, you can overlay such techniques as probability theory, Monte Carlo simulations and Bayesian networks over Bow Ties to give a more quantitative approach.
21. What areas do you align to risk heatmap (consequence/likelihood) to get a risk rating?
David Tattam: The "risk" typically shown and assessed on a risk heatmap should be the centre of the Bow Tie - the main event. In this way, the left side of the Bow Tie drives likelihood and the right side drives impact.
22. How does your software apply the inherent and residual rating?
David Tattam: We deem inherent risk assessment to be before controls and residual, the risk rating after controls. Our Protecht.ERM system allows assessment of both of these levels using likelihood and impact based on a subjective assessment as well as supporting a more quantitative assessment based on the effectiveness of controls.
We do have the capability to determine an overall effectiveness of a group of controls over a risk, based on a number of factors including whether the control is key or non-key and the control assurance rating (Effective, Partially Effective or Ineffective). This is only however a guide and judgement must still be used. Using the bow tie to help this by seeing the complete risk picture, is very useful.
23. Is Operational risk a subset of Compliance risk?
David Tattam: This is your decision. By default, we do view compliance risk as a subset of operational risk. This is in line with the financial services regulators.
24. Any advice on how to analyse the effect of climate change on an organisation using bow-tie analysis?
David Tattam: The Bow Tie tool can be used to understand "Climate Change" risk and we have performed this a number of times with clients. Climate change is a cause and then this can be filtered through the Bow Tie to show the risks that it creates and the resulting impacts.
25. Do you have examples for Strategic and Financial Risk?
David Tattam: We do have a series of proforma Bow Ties for typical corporate risks including Strategic and Financial, but these are part of our content which we provide to our Protecht.ERM system clients.
26. I am looking at introducing Bow Ties into the education sector. Does Protecht do anything in this space?
David Tattam: Yes we do. The education sector is one of our target markets and we have a number of clients in this space. Feel free to contact me at david.tattam@protecht.com.au and I am happy to discuss this further with you.
27. So the left of the Bow Tie is the RCA?
David Tattam: Yes - the left hand side of the Bow Tie is effectively Root Cause Analysis.
28. Can we use this in scenario analysis?
David Tattam: Yes - it works very well for scenario analysis. The Bow Tie is created on "severe but plausible" assumptions.
29. Is the bow tie method recommended for every risk? The risk assessment process in itself is time consuming. How do you incorporate the Bow-tie analysis? Is it done for each risk or only the key risks or high rated risk?
David Tattam: You can use it for any risk. The issue is effort and value and therefore you should focus on your key risks first and only apply it to less important risks as required.
30. At what level of risk maturity can Bow Tie Analysis be implemented?
David Tattam: We believe at Protecht, any maturity level. Because the technique is simple and engaging and can be carried out either as a stand alone or integrated process, it can be used at anytime. As you mature, you will be looking to integrate it with your overall risk management framework and system.
31. Based on your experience, have you seen a Bow Tie used the same way for strategic risks, financial and operational risks?
David Tattam: Yes - you can use Bow Tie for any risk and over the years I have developed hundreds for clients across strategic, financial and operational.
Poll results. What your peers think
It is encouraging to note that Bow Tie Analysis was the major technique being used by the participants as well as over half not using any specific technique. Perfect for new Bow Tie recruits!
Although Bow Tie is being used, there is generally a manual / general tool approach to documenting them. As with the new Bow Tie tool within the Protecht.ERM system, we are seeing a greater trend towards using specialist Bow tie software.
As expected, for those that use Bow Ties, the traditional barrier method is the most popular. We are seeing an increase in the use of the Comprehensive Method when a greater level of analysis and understanding is required.
The responses from participants were very encouraging. Traditionally, Bow Ties have been used for incident management to support root cause analysis. It is clear their use is widening across risk management, especially to aid understanding and analysis of risks in the risk register.
Watch the bow tie risk analysis webinar recording here.