Bowtie Risk Management Methodology and Quantification
4th September, 2015
www.risk-soft.com
INTRODUCTION
BowTies are a graphical barrier-based approach to Risk Management where a clear Threat to Consequence
pathway is mapped out, providing a powerful tool to assess, control and communicate Risks of all kinds.
BowTies deal with both prevention of a Top Event (proactive Risk Management) as well as recovery from a
Top Event should it become reality (reactive Risk Management).
Risk Control with regard to BowTie Methodology involves placing Barriers between Threats and the Top
Event, as well as Recovery Measures between the Top Event and downstream Consequences. Moreover, a
further level of Risk Control can be employed between Escalation Factors and their respective Controls on
both sides of the BowTie diagram.
BowTies are traditionally thought of as a qualitative Risk Assessment technique (where Risks are merely
described); however, more effective Risk Management paradigms make use of semi-quantification, or better
still, quantification, of risk, where numerical values are added to Risk Events.
Due to the multiple-domain nature of BowTies, quantification of their associated diagrams is more involved
than the majority of Risk Assessment techniques; indeed, prior to the production of Risksoft BowTie RS
software, there was no fully quantifiable BowTie tool available on the market.
Risksoft Software Ltd has worked out a method of fully quantifying BowTie diagrams, by adding numerical
data to Threats, Controls, Escalation Factors and Consequences which manifests as a single Risk Value for
each BowTie, thereby allowing for incorporation into a Tolerability of Risk schedule, resulting in more
effective Risk Assessment, Risk Prioritisation and Risk Control.
BUSINESS NO CLASSIFICATION
Controls themselves come in many forms e.g. they can be procedures, pieces of equipment, maintenance
schedules, intelligence gathering etc. Quantification allows us to assess the risk reduction power and
reliability of each Control and therefore facilitates a method for us to work out more accurate post-control risk
values and better inform us about the addition of further control, if necessary.
Risk Quantification therefore allows us to better understand our pre and post control levels of risk,
more stringently prioritise our Risks, and importantly more accurately apply and monitor Risk
Controls. Moreover, we can use the generated Risk Value data in downstream calculations e.g.
working out the overall level of risk throughout the organisation or applying the risk value to asset
management formulae among many possibilities.
R = P x I
where R is our Risk Value,
P is 0 to 1 (1 means it will definitely happen),
and I is 1 - (determined by how relatively severe the downstream effect of the risk could
be).
This simple but useful equation assigns a value to any risk event and takes into account the probability or
likelihood that an event could occur, and what impact or severity it will impart should the event happen.
Clearly, arriving at a P value involves, in many cases, rigorous calculation or at least industry experience,
and these can be based on operational or market knowledge, manufacturers' reports, specific product data,
research and development etc.
I is largely down to your own market knowledge as only you can know how a single risk event could impact
your organisation. Of course an equally considered approach to quantifying impact is advised.
Risk Controls
Following Risk Calculation, if we decide that the level of Risk (R value) is too high, we aim to reduce the
value of R by lowering the probability or inhibiting the impact level, and this is usually achieved by the
application of Risk Controls.
Most commonly a Risk Control is put in place to reduce the probability as opposed to impact (the idea behind
that is that it makes more sense to stop an event happening in the first place, and in BowTie methodology,
we can reduce the probability of a Top Event leading to a Consequence after the Top Event has happened,
as well as reducing the probability of the Top Event happening altogether).
Risk Controls should be independent of each other, and at Risksoft, we quantify a Risk Control by two key
parameters:
Quality: how powerful, when operational, is the Risk Control at reducing the probability of a Risk
Event happening?
Failure rate: how often will the Risk Control fail when we want it to work?
C = Q - (Q x F)
where C is our single Control Value,
Q is 0 to 1 (1 means it will reduce the probability by 100% - completely stop it),
and F is 0 to 1 (1 means it will fail all the time)
Because Risk Controls are all independent, we can then take a combined Total Control Value of all C Values
added together:
CT = C1 + C2 + C3 + ... + Cn
where CT is our Total Control Value
and n is the max number of controls per risk
If our CT value is 1 or greater, it will completely stop the risk because P will become 0, so in our calculation
we limit CT to a maximum of 1.
if CT > 1 then CT = 1
In practical terms this means you have put in enough Controls to completely stop the risk.
Now all that is left to do is factor our Total Control Value into the P calculation. We use (1 - CT), the
complement of the Total Control Value, as we are reducing P by a factor.
R = (P * (1-CT)) * I
In the examples below, actual values are displayed to aid in the interpretation of this paper;
these are not normally displayed on the BowTies for aesthetic reasons.
In the example above, two Threats are defined. Their probabilities (probability of the Threat occurring) are
shown on the Threats themselves. The Top Event probability (shown in the centre of the diagram) is simply a
sum of all Threat probabilities in this case with no Controls, but in a populated BowTie, all respective
Controls are taken into account as discussed later.
In the example above, we have now added some impact values to the BowTie at the Consequence end
(shown to the left of pipe bars as 1000 and 10). Because we have worked out the probability of the Top
Event happening, we can simply use our R = P x I for each Consequence (P will be the same for each
Consequence as there are no Controls in place) and I is what you select for each Consequence from your
impact thresholds settings using BowTie RS. The number on the right side of the bars in the Consequence
box is R (110 and 1.1 respectively); the Risk Value for that Consequence. What we then do is sum up all the
Consequence Risk Values and this gives us the full BowTie Risk Value for that Top Event; this is shown in
the Top Event box on the right of the pipe bars (111.11).
Incidentally at this stage, because we know P for the BowTie and we have worked out R by
combining all the Consequence Risk Values, we can now rearrange the R = P x I formula to I = R/P to
give us the overall Impact value for the whole BowTie (1010 displayed in the centre of the BowTie).
Unsurprisingly, at this pre-control stage of the BowTie the impact level is the sum of the
Consequence impacts.
Factoring in Barriers (left hand side controls that are put in place to
reduce the probability of the Top Event occurring).
In the above example, two Barriers (Controls) have been placed in front of Threat Two (the biggest Threat).
Their Quality (Q) and Failure Rates (F) are displayed along with their resultant Control Value.
CT in this instance is 0.4995 + 0.24975 = 0.74925. Probability for this Threat is 0.1 * (1-0.74925) = 0.025075,
which when added to the uncontrolled Threat One (0.01) gives us our new Top Event Probability of 0.035075
as displayed in the centre of the BowTie.
This Top Event Probability then manifests into the Consequences resulting in an overall Risk Value of
35.42575; the addition of two Barriers has reduced risk by 75.67425 based on customised P and I values.
Also note at this stage that the overall Impact has not changed (still 1010) because we have not yet
put controls on the right hand side of the BowTie that deal with the effects of Consequences.
In the example above, we can see how adding in a Recovery Measure reduces risk for a single
Consequence and for the overall BowTie Top Event.
A Recovery Measure is put in place to reduce the probability of the Top Event leading to a Consequence. In
this case the software has worked out the Top Event probability is 0.035075 and we have put a Recovery
Measure in place with a value, worked out from its Q and F attributes, of 0.45.
Our probability for this Consequence is now 0.035075 * (1-0.45) = 0.01929125, which we multiply by the
impact value of 1000 to give us a new Risk Value for this Consequence of 19.29125.
Because we have reduced the Risk Value for this single Consequence, the overall Risk Value of the BowTie
Top Event is lowered to 19.642.
Importantly, we have now reduced the overall Impact of this BowTie Top Event because we put a
control in the Consequence side; our overall Impact is now 560.
In the example above, an Escalation Factor (EF) has been added to our main Barrier; in practical terms we
have spotted something that could render the Barrier unserviceable. Although highly unlikely in the real
world, a probability of 1 has been assigned to this EF which means this threat is always present. The effect
of the EF is that it has knocked out the associated Barrier which has increased the Risk Value throughout the
BowTie. However, because Barriers are always independent, we still have some protection from the second
Barrier, hence why the probability has not dropped to pre-control levels.
The same approach is used on Recovery Measures using exactly the same calculations.
Just like Barriers and Recovery Measures, Risksoft BowTie RS calculates Escalation Factor Control (EFC) values based on Q and F. In
the example above an EFC has been put in place with the highest possible Q value (1) and with a very low
Failure rate (0.0001). This has had the effect of virtually stopping (99.9%) the effect of the EF, therefore
allowing the associated Barrier to function and bring the Risk Value down to pre-EF levels.
The same Escalation Factor effect is shown in the figure above; this time with influence on the right hand
side of the BowTie. Knocking out the Recovery Measure with a probability of 1 has increased Risk in the
whole system and changed the overall impact value.
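The calculations walked through in this paper, as an added Python example (not Risksoft's code; all function names are hypothetical). It reproduces the figures quoted in the text from the formulas above; the `degrade` formula for Escalation Factors is an assumption, since the paper describes the effect but gives no equation for it.

```python
def control_value(q, f):
    """C = Q - (Q x F): control quality discounted by its failure rate."""
    if not (0 <= q <= 1 and 0 <= f <= 1):
        raise ValueError("Q and F must both lie in the range 0 to 1")
    return q - q * f

def total_control(values):
    """CT = C1 + C2 + ... + Cn, limited to a maximum of 1."""
    return min(1.0, sum(values))

def degrade(c, ef_prob, efc=0.0):
    """ASSUMPTION (no formula in the paper): an Escalation Factor of probability
    ef_prob, itself reduced by an EFC value, scales the control value down."""
    return c * (1 - ef_prob * (1 - efc))

def bowtie(threats, consequences):
    """threats: [(P, [barrier C values])]; consequences: [(I, [recovery C values])].
    Returns (Top Event probability, BowTie Risk Value, overall Impact = R / P)."""
    # Threat probabilities are summed as in the paper; no cap on the sum is described.
    p_top = sum(p * (1 - total_control(cs)) for p, cs in threats)
    risk = sum(p_top * (1 - total_control(cs)) * i for i, cs in consequences)
    return p_top, risk, (risk / p_top if p_top else 0.0)

def worked_examples():
    b1, b2, rm = 0.4995, 0.24975, 0.45   # control values quoted in the paper
    efc = control_value(1, 0.0001)       # EFC with Q = 1 and F = 0.0001
    plain = [(1000, []), (10, [])]       # the two Consequences, no Recovery Measures

    def threats(first_barrier):
        # Threat One (0.01) is uncontrolled; Threat Two (0.1) has two Barriers.
        return [(0.01, []), (0.1, [first_barrier, b2])]

    return {
        "no controls": bowtie([(0.01, []), (0.1, [])], plain),
        "barriers": bowtie(threats(b1), plain),
        "recovery": bowtie(threats(b1), [(1000, [rm]), (10, [])]),
        # Constructed scenarios: EF applied to the first Barrier, right side uncontrolled.
        "EF, p=1": bowtie(threats(degrade(b1, 1.0)), plain),
        "EF + EFC": bowtie(threats(degrade(b1, 1.0, efc)), plain),
    }

if __name__ == "__main__":
    for name, (p, r, i) in worked_examples().items():
        print(f"{name:12s} P={p:.6f}  R={r:.5f}  I={i:.1f}")
```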
END