In our recent webinar Risk Art Class - Visualize your risk with bow tie analysis, we were asked an interesting question: "How do you ensure that causes and impacts in a risk bow tie are MECE (mutually exclusive and collectively exhaustive)?"
While we answered directly during the webinar, I found the question interesting enough to delve further into its intent and elaborate on the response. While I have come across the concept of MECE during my career, I couldn't recall the source. It made me curious to investigate and identify whether there was any guidance on its use in risk management, or where it could be leveraged.
I'll provide a brief introduction to risk bow ties, define what MECE is, and then delve into whether it is a valid way to think about risks.
What is a risk bow tie?
If you aren't familiar with risk bow ties, we will go into just enough detail to frame the discussion (we suggest you download our e-book for a more detailed explanation).
We break down risks into the building blocks of cause, risk event, and impact on objectives. A risk can have multiple cause pathways and can impact multiple objectives. It is called the risk bow tie because of its shape when it is visualized.
What is MECE and where did it come from?
MECE stands for 'mutually exclusive and collectively exhaustive'. You can break it down into two parts, 'mutually exclusive' and 'collectively exhaustive', but they are also intended to be considered a single concept.
The concept was introduced by Barbara Minto, who worked at McKinsey in the 1960s-70s. It was created as a structure for thinking and problem solving, and for helping the people around her write articles or content by providing them with a consistent framework.
Mutually exclusive means that ideas, concepts or things can be categorized in a single way; they should be able to fit into only one of a given set of categories, not multiple. Collectively exhaustive means that all of the possible options available have been considered. Any idea, concept or thing should be able to fit into a category.
Should causes and impacts in a risk bow tie be mutually exclusive?
When constructing a single risk bow tie, the interconnectivity of causes, events and impacts should be carefully considered. This can result in causes (or combinations of causes) leading to multiple interim events that may result in impacts on one or more objectives.
The construction of the bow tie means that:
- One cause can be a driver for multiple interim events
- Some events may result in varying impacts across multiple dimensions
- Some of those causes, events or impacts may be correlated, including to broader environmental conditions that may not be modelled in your bow tie
When you look at your risks collectively, it is evident that the elements of a risk bow tie are not mutually exclusive across risks either. The same cause may apply to multiple risks, meaning they are not independent or mutually exclusive. The good news is that this is one of the powers of the risk bow tie; understanding common causes and drivers so that appropriate action can be taken.
Should causes and impacts in a risk bow tie be collectively exhaustive?
I interpret this side of the question to be 'How do I ensure there are no surprises?', i.e. if an incident occurred, would I be able to map it directly to my bow tie, or will people be asking why we didn't foresee it?
In an ideal world, we would have identified all the risks that could affect our objectives, and all of the ways that they could unfold (causes and types of impacts). While we should strive for as much completeness as possible, we will never capture everything. The very definition of risk includes uncertainty. That includes the 'unknown unknowns', those things we simply can't predict or that are outside of our sphere of awareness.
There are a few things we can do to move closer to capturing as much detail as practical in our risk bow ties:
- Learning from incidents
- Asking different questions
- Learning from our people
When an incident occurs it may be related to a risk that we were already aware of, but it might have occurred in a way that we didn't anticipate. There may be additional causal pathways we didn't think about, internal or external changes that created new pathways, or a combination of causes or conditions that seemed harmless individually, but together created the perfect storm.
You might also be able to apply incident data more broadly than the specific risk; you might be able to improve your risk posture by considering whether those drivers might apply to other risks as well. You can also consider incident data from outside your own enterprise, such as data from industry bodies or business partners willing to share their learnings.
When I've facilitated risk workshops, there are some questions I like to throw at the audience that aren't intended to identify new risks; they are to uncover or gain a better understanding of causes and impacts of existing risks. They include:
- Imagine the risk has already occurred. How did it happen, assuming the controls already identified are operating effectively?
- Are we only considering information that is already 'available' in our memory? i.e. Are we only considering the causal pathways we have experienced before? Could it happen another way?
- Imagine that the event has occurred, but the impact is X times larger than you expected. What would cause the impact to be that high?
Framing questions that overcome some of our inherent cognitive biases is a topic in and of itself, but we would suggest investing time in the design of risk workshops to address them as much as practical.
Something that we've seen work effectively for some customers is having a way for all employees to raise risks or issues via a centralized process. This helps align a top-down and bottom-up approach to risk management. Even when employees don't have visibility of the whole risk picture, they may have detailed insights into specific elements (such as control gaps, changing conditions, or complex interactions) that might improve understanding of the risk.
Does MECE have a place in risk management?
While writing this blog, there was one place I realized the MECE principle is commonly used in risk management even if it is never referred to in that way: the risk taxonomy.
Ideally we group elements of risk frameworks (such as risk categories, causes, and control characteristics) into mutually exclusive groups, while covering all the different types that we would expect to see. As noted above, it's hard to be truly mutually exclusive and collectively exhaustive, but that is the aim. One benefit of those taxonomies is that they can be used as a checklist during risk identification or analysis, as a 'sense check' to see if anything may have been overlooked.
Beyond that I haven't found any specific risk frameworks or guidance that require or expect 'MECE' to be applied (if there are, please let us know). Thanks for the question, we love being challenged by and engaging with the community.
If you'd like to know more about the principles of bow tie analysis, please watch our Risk Art Class - Visualize your risk with bow tie analysis on-demand webinar.