Is the risk still acceptable?

The three basic management system questions

The three questions will help you to understand what can affect your operations, how you have implemented a management system and how reliable your critical barriers and controls are. Find the three basic management system questions below, which are essential in 'Performanced-Based Oversight (PBO) environment' for certified organizations (ARO.GEN.200/ORO.GEN.200/ADR.OR.D.005).

Do you understand what can go wrong?

Answering this question requires you to really understand your risks. A risk is the probability of an occurrence that adversely affects the realization of the organization’s business objectives, or causes serious damage to the environment or leads to hurting people as well as damaging reputation.

Do we know the most significant risks and are they assessed and aligned with the organization’s risk attitude or appetite? Whereby risk attitude is defined as “an organization’s approach to assess and eventually pursue, retain, take or turn away from risk” (ISO 31000).

Answering this question is the first step in designing your (safety/compliance/quality/operational excellence) management system.

Do you know what your systems are to prevent this from happening?

What preventative and corrective measures do you have in place to prevent incidents from happening? Who is responsible? Which barriers or controls are more critical than others? Are you prepared for a situation when you have lost control over a critical process?

This question is about the implementation of your barriers and controls. It is a combination of utilizing applicable compliance frameworks and assessing your process in a barrier based manner, using the bowtie methodology.

Do you have information to assure they are working effectively?

Are you monitoring and measuring how well your control measures are performing? Are you using all available data to understand the availability and effectiveness of your critical barriers and controls? How well are your verification activities, such as oversight, audits, surveys and inspections carried out? Have you analyzed your incidents and what is the status of your improvement actions?

This question is about the performance of your barriers and controls.


The bowtie method

Figure 1 - A bowtie diagram showing all elements

The bowtie method is a risk assessment method that can be used to analyse and communicate how high risk scenarios develop. The essence of the bowtie consists of plausible risk scenarios around a certain hazard, and ways in which the organisation stops those scenarios from happening. The method takes its name from the shape of the diagram that you create, which looks like a men's bowtie.
The bowtie method has several goals:

  • Provide a structure to systematically analyse a hazard.
  • Help make a decision whether the current level of control is sufficient (or, for those who are familiar with the concept, whether risks are As Low As Reasonably Practicable or ALARP).
  • Help identify where and how investing resources would have the greatest impact.
  • Increase risk communication and awareness.

The next section will introduce the elements that make up a bowtie diagram. Building a bowtie happens in the same order.

Stpe One: Identify the hazards

A bowtie starts with a hazard we want to analyse. The word ‘hazard’ has a negative connotation in daily life. Let's take as an example associated to the above video, a part of a BowTie model published by the UK CAA, referred to Runway Excursion on landing.

Figure 2 - An example of a Hazard

In the bowtie method however, hazards are part of normal business and are often necessary to run a business. What makes a hazard special is that this part of the business introduces the possibility for harm to occur. Most hazards are introduced into an organisation for good reasons, otherwise they could simply be eliminated and no harm would be possible. Hazards can be operations/activities (operating rotating machinery, driving a car), substances (chemicals, hot fluids, etc.) or situations (a load suspended at height) we deal with in the normal processes of our business. As long as these hazards are under control, they will not cause harm, but they introduce the potential for harm.

Step Two: Identify Top Events

When control over a hazard is lost, it is usually possible to identify the moment when a normal situation changes to an abnormal situation. That point is called the top event in bowtie and is the centre event of the diagram.

Figure 3 - An example of a Top Event

The top event is not a catastrophe yet, but the company is now exposed to the potential harm of the hazard. It should
be possible for the organisation to bring the situation under control again. If control is regained after the top event has occurred, it will be thought of as a narrow escape that could have led to more serious unwanted events.

Step Three: Identify Threats

There are often several factors that could cause the top event. These are called threats in the bowtie.

Figure 4 - An example of a Threat

Threats lead directly to the top event and should be able to cause the top event independently.

Step Four: Identify Consequences

When a top event has occurred, it can lead to certain consequences. Consequences are unwanted scenarios that could be caused by the top event.

Figure 5 - An example of a Consequence

They should be realistic and specific. Consequences are mainly unwanted because they will lead to loss or damage.

Step Five and Six: Identify Preventive and Recovery Barriers

Risk management is about controlling risks. This is done by implementing barriers to prevent certain events form happening. A barrier (sometimes also called a control) can be any measure taken that acts against some undesirable force or intention, in order to maintain a desired state. Barriers can be hardware systems, design aspects, human behaviour and so on. Barriers are placed on both sides of the top event.

Preventive barriers on the left side of the bowtie prevent the top event from happening.

Figure 6 - An example of Preventive BarriersRemember: they are the cheapest and the most effective.

Recovery barriers on the right side of the bowtie can either prevent the top event from resulting in unwanted consequences or mitigate further consequences.

Figure 7 - An example of Recovery BarriersRemember: they are expensive and least effective.  

Step seven and eight – identify escalation factors and escalation factor barriers

Once the control measures are identified, the bowtie method takes it one step further and identifies specific
conditions or actions that make it more likely that a barrier will fail. These are called escalation factors.

Figure 8 - An example of Escalation controls. Remember: they can be either side of the BowTieXP model.

There are barriers for escalation factors as well. These barriers protect the main barrier from an escalation factor.

The software features making it possible

Who produces BowTie?

We are BowTieXP is produced by CGE Risk Management Solutions B.V., Vlietweg 17v, 2266 KA, Leidschendam, The Netherlands, Phone: +31 (0) 88 100 1350 Fax: +31 (0) 88 100 1349, Email:

Continuous Safety is an official partner and distributor of C.G.E. Risk products.

The BowTieXP methodology News

Zurich, 21st – 23rd Nov. 2017 BowTie Training (including Audit & Incidents in PBO)

Continuous Safety cordially invite you to attend our BowTie Industry Event in Zurich, at the Air Force Center in Dübendorf, on the 21st of November 2017. This event will give you the opportunity to share ideas, discuss existing BowTie risk analysis applications, specially in Performance-Based Oversight (PBO), have a look at the latest challenges within […]