Every business has legal, economical, and ethical objectives that range from mandatory safety to commercial goals to corporate citizenship. Businesses undertake a certain amount of risk to achieve these objectives. The balance between risk and reward is an ongoing challenge regardless of the activities involved. The bowtie technique can be used to visualize, assess, and manage risk.
By: David Hatch
Not all barriers are created equal, however, and appropriate attention should be given to those that pose a higher risk. Categorizing the bowtie components and then color-coding them helps prioritize risk by providing immediate impact, as shown in Figure 4.
Figure 4: Enhanced bowtie for a typical filter dryer
This displays a variety of parameters, each with a key message to help inform decision-making. In simple terms, the robustness of risk (or failure) management can be broken down as:
These can be considered in several additional ways:
In Figure 4, the barrier types are categorized as:
Colors also categorize barrier effectiveness:
Threats can be classified as:
Two colors categorize threat types:
Since prevention is better than cure, attention should focus on threats with high contribution and high frequency. A quick scan of threat types related to human factors or errors, for example, can reveal where more training is required. Other approaches could be adopted for predominately computer-related threats, as is the case in Figure 4.
At the end of the scenario, consequences might be classified by:
Consequences are categorized using the following colors:
More attention should be paid to consequences of major concern and/or those with the highest (mitigated or unmitigated) risk, since the barriers associated with these scenarios are neither actually or potentially effective in the overall risk-reduction strategy.