Using Bowtie Risk Management in Compliance Management Systems
The ability to collect adverse events and make decisions to foster improvement is the cornerstone of any Quality Management, Environmental Health & Safety or Compliance Management system. Whether you are recording complaints, safety incidents, audit data, or nonconformances, the process of collecting data, investigating the root cause, and taking steps to correct it is consistent.
As organizations grow in size and complexity, the concept of maintaining an acceptable level of compliance becomes strained. Companies are looking for new ways to benchmark their compliance and keep up with the pace of business. Risk Management is becoming that benchmark; it is a systematic means by which companies are able to identify hazards, assess and measure the risk of those hazards, and take proportionate action based on the risk. Risk is so powerful in that it provides a common method for measuring all types of adverse events and hazards within your organization. You are able to perform risk assessments on the adverse events, and make more consistent and informed decisions based on the risk.
However, what if your organization does encounter that many adverse events, or events that warrant the level of criticality that would be considered high risk? Most Risk tools work best when you have adverse events occurring frequently, so that you are able to use historical reference to calculate where your top risks are. But what if your business has significant potential for undesired events, but little or no data to support how you would handle the risk of that event?
The Bowtie Risk Assessment Method is designed for this type of situation. What Bowtie is able to do is take a more proactive approach to risk. Instead of collecting adverse event data from undesired events, and taking steps to control the risk of those events, Bowtie looks at a potential undesired event before it happens, and puts controls in place that act as “barriers” to prevent that event from occurring.
Here’s how it works – you place an undesired event in the center of the model, and you analyze the impact of that event. You look at the potential threats that could cause that event to occur, and then put in place controls that will help you prevent that event from occurring. You are effectively building a scenario in which that event might occur and applying preventive controls to mitigate the risk of it actually happening. Similarly, you also want to look at the potential consequences if the undesired event does occur. Once you’ve identified those consequences, you would then build out recovery controls to minimize the impact of the event. This is so that, if the undesired event does occur, you can properly mitigate the risk of that event causing the consequence.
A good way to imagine this is to look at driving a car as an example. In driving, an undesired event is loss of control of the vehicle causing an accident. In this scenario, we would take this undesired event and figure out the potential threats that might be the cause. Common threats here would be:
- Rain falling/bad weather
- Poor visibility
- Driving too fast
- A tired driver
- Bad tires
How can we put controls in place to “block” those threats? We would apply preventive measures to help us operate the vehicle more safely, such as:
- Windshield Wipers
- Headlights/Fog Lights
- Enforcement of a Speed Limit
- Getting enough sleep or coffee before driving
- Regularly rotating and replacing tires
These preventive controls will help to reduce the risk of the event occurring – they are barriers that help someone operate a vehicle more safely.
But, in our driving example – what if the event breaks through all those control barriers and still occurs? What if, despite our best efforts to prevent it, we still lose control of the vehicle and cause an accident? We need to implement recovery controls to prevent the consequences from being too dire. In this case, the ultimate consequence may be:
- Injury to the driver
- Destruction of the vehicle
- Injury to other drivers
- Death of the Driver
Based on the above, we would want to put controls in place to mitigate the risk of those consequences. These would be items that wouldn’t prevent the undesired event from occurring (in our scenario it already happened), but would seek to reduce the likelihood of the consequences. So what are those?
- Anti-Lock Brakes
- Guard Rails
- Crash Barrels
These barriers are designed to help a driver recover from the loss of control of the vehicle, and hopefully reduce their risk of damaging the vehicles (or other vehicles), causing injury, or perhaps even death.
While this is a simplified example, many organizations are using this in their safety and quality management processes for events that they need to protect themselves from, but do not have a lot of data on. This model is very typical in industries where adverse events are few, but catastrophic, such as Chemical, Oil and Gas, and Airline industries. While they are mostly safe and compliant and the likelihood of a high-risk event is low, the severity of said events is too high to simply wait for the event to occur and react to it. They use Bowtie to build out the scenario and put in place proactive controls and barriers to mitigate risk of occurrence, and if they do occur, mitigate the risk of dire consequences as well.
Bowtie is just one of risk management softwares available for compliance professionals, and helps to foster more efficient processes, better decision making, and greater visibility into risks within the organization.