SOX audit software
ComplianceESGJune 04, 2019

ISO 31000 blog series – Risk evaluation with BowTieXP

Two ways to evaluate your risk

How do you evaluate risk? In this blog, we describe two functionalities that will help you to evaluate your risks and to see the strengths and weaknesses of your processes. The previous blog describes different approaches to evaluate risk, namely the qualitative way and quantitative way. In this part of the series, we will show you how to do a qualitative risk evaluation in two ways using BowTieXP.

The two ways that help you to create a clearer picture and evaluate the risks are:
1. Risk matrices
2. Consequence categories

1. Risk Matrix

The risk matrix is an effective tool to evaluate risks in a qualitative way. In BowTieXP it is possible to assess the risk on an inherent level and residual level concerning the hazard, top event and consequence. There are a couple of steps you need to go through to use the risk matrices to its full functionality.

  • Change the risk matrix to your organization’s standards. Go to case > risk matrices. Click on a risk matrix and give it a name. To add risk categories, right click under risk categories. Here you can add a new category, select a color and change the text.
Right click on columns and rows to add more or to delete. Now that you have the right axis, you can color the matrix with the risk categories. It is like painting; click on one risk category and color the boxes in the risk matrix you want in that color.
  • Now you have your risk matrix, you can start using them on the hazard, top event or consequence. Let’s say we want to use it on the consequence. Hover over the consequence and click on the pencil icon and go to the risk assessment tab. Here you can asses the inherent and the residual risk. 
  • Now you have assessed the risk of the consequence, but it does not automatically show on the diagram. Click on the eye icon to tick the box for inherent and residual. 

It is also possible to use the risk matrix on the hazard or top event. Organizations choose to do so to show the overall risk assessment of that hazard for example. The process works the same as for the consequence, but sometimes the risk assessments are shown on the top event, while you actually want to see it on the hazard. Go to the large eye icon in the toolbar.

Under hazard risk assessment, you can tick the box to show the risk matrix on the top event. If this box is not ticked, it will be shown on the hazard.
In this same overview, you also have the option to hide the unassessed risk assessments. If you do not tick this box, the unassessed risk assessments are shown as grey.

2. Consequence categories

Some organizations do not use risk matrices, but they use the consequence types or categories. For example, you can create two categories; 1. ALARP and 2. Not ALARP. Go to the lookup tables in the treeview. Right click on Consequence categories and select new consequence category.

Now you are creating a new category. Fill in a code, name, description (if required) and select a color, like in the example below.
To add one of these newly created categories to one of your consequences, click on the consequence of your choice using the pencil icon. To show the consequence category. Click on the eye-icon and choose categories.

These are just two examples of how to do a qualitative risk evaluation in BowTieXP. Which of these two ways do you prefer?

What’s next?

When you have completed this risk evaluation phase, your diagram will directly show you where you need to improve safety. But how? You’ll find out in our next blog about risk treatment.