Bowties provide a graphical representation of an incident pathway connecting the causes of events to their consequences. In many instances, the bowtie can be used to perform a risk assessment to determine if there are sufficient controls in place to manage the risk.
Over the last 20 years, bowtie’s have become very popular, however in my opinion, there is a graveyard of them out there providing little value.
Typical problems include:
Large bowties with a lot of content
Incorrect allocation of causes, controls and top events
Inability to see where there are gaps in risk to information overload
The main cause of this problem starts with the purchase of a bowtie tool without deployment standards and staff training in place which focusses on the development of good structures (vs how to use the tool). Here are a few observations and recommendations:
Bowtie Intent – Is the intent of the bowtie to communicate the incident pathway OR to perform a risk assessment? It is important to understand why you are doing the bowtie and who is your audience. A communication “styled” bowtie typically will have more causes and controls, however, if the goal is to perform a risk assessment (and determine if the controls are sufficient), then standards & rules are needed.
Big Bowties – I have come across many large bowties that have over 20 causes and dozens of controls and often span several pages on paper/ pdf's or the tool being used. These bowties serve little purpose from a communication or risk perspective and need to be more focused.
No Hazard Identification Step Performed– A good safety assessment starts with a hazard identification and then moves on to a risk assessment. The hazard identification phase is a brainstorming activity using guidewords with the goal of identifying the consequences and controls in place. Common consequences are then assessed using a bowtie or other techniques. Skipping the hazard identification phase often leads to either large bowties or those that are missing key threat lines.
Management Systems vs Controls – a management system defines the processes that are in place to drive the quality of operations management. Examples include permit to work/ control of work, emergency response, competence management etc. Controls are more specific and are targeted at reducing the risk of an event. If the intent of the bowtie is communications in nature, then management systems can appear either as “controls” or “escalation/ degradation factors” depending on the preference of the organisation. If the intent of the bowtie is a risk assessment to determine the sufficiency of controls, then the management systems often affect the “control effectiveness” and do not appear directly on the bowtie, however they need to be captured in the assurance process.
A Bowtie Standard – if you are looking to start using bowties within your organisation, it is important to establish a standard on how they will be deployed and used. Without a standard, it is a slippery slope, often starting with purchasing a tool, followed by developing some bowties through workshops. Using an experienced facilitator can help kick start good practice, however, a documented standard will allow an organisation to deploy and use bowties at scale consistently.
Performing a Risk Assessment – If you are using bowties to perform a risk assessment, there are 2 options. You can either qualitatively decide on the consequence risk based on your judgement, or alternatively use “control effectiveness” for the controls to determine the likelihood of the consequence. The latter takes more time (if done properly), but the quality of the conversations tend to be higher, with more firm recommendations to improve & reduce risk.
The Tools – Not all Bowtie tools are the same. Some are desktop-based, some are cloud-based, some are hybrid, however, there is a general move towards using cloud-based tools. Some bowtie packages are integrated into an overall risk management platform which includes hazard identification, bowties and assurance toolsets. There are many options available out there, however, it is good to have a plan of what you want to achieve before selecting a tool. We use the VelocityEHS Risk Management platform in our work.
Bowties and Operations Risk Management - Often an organisation has a significant number of hazard and risk studies that are continually being generated through projects, MoC and ongoing assurance activities. Bowties are a useful tool to retain an active source of truth that an organisation can manage and then use within the business. The following diagram is an example of where bowties can fit within a operations risk management model.
Understanding Scenarios – a common cause of poor bowties, is caused by a lack of understanding of the scenario being depicted. If the scenario is too “broad-based”, then the bowtie will grow “arms and legs” and lose its value. If the bowtie is to be used as part of a risk assessment, then scenarios need to be more specific and focused.
Language and definitions – terminologies such as threats, controls, top events and consequences are common terms used in bowties however they are not always understood or defined well. There are other terms used in the safety/ risk space which have similar meanings (eg causes, barriers etc), and so it is important to agree on a terminology structure in a deployment standard.
Not everything needs a bowtie – Whilst they have value, we do not need bowties for everything (eg simple risks or complex scenarios). However, in my experience, it fits the need for many risks in the industry.
Competence - There is plenty training courses out there on how to use bowtie tools, however there is not much training on how to develop effective bowties. We have developed a course targeting this specific need and has been delivered to over 200 people globally in 2021.
If you have any other thoughts on bowties, we would love to hear from you. Feel free to download our checklist that can be used to self-assess your own bowties.