man working on a keyboard with a data graph overlay
ComplianceESGMay 07, 2019

ISO 31000 blog series – Which factors should you consider during risk analysis?

effectiveness bowtie, analysis factors, register bowtie diagram

In our last blog, we briefly mentioned ISO 31000 guidelines on risk analysis and then introduced the bowtie methodology.

In this week’s blog, we will explore this in more detail using the bowtie methodology.

According to the ISO 31000 guideline, you should consider multiple factors during the risk analysis phase. As the International Organization of Standardization states:

“Risk analysis should consider factors such as”:

1 – The likelihood of events and consequences

Although the bowtie method is more qualitative at its core, it is also possible to add quantitative data to its different elements. Indeed, there are instances of people combining the LOPA technique with the bowtie methodology to great success.

In addition, it is also possible to display risk matrices (see figure 1) on consequences or even on the hazard or top event to capture the likelihood of certain events. Likelihood alone, however, is not enough to properly assign the risk, you will also need…

2 – The nature and magnitude of consequences

Once the likelihood has been verified, it needs to be calculated together with the severity, or magnitude of an event. In this way, the impact of the event of the consequence can be assessed, as a result prioritizing which consequence is most dangerous becomes clearer. This will make ALARP analyses easier thus allowing decision makers to make better-informed decisions.

ISO Risk evaluation, matrix
Figure 1 – A typical risk matrix, click here to view full image

3 – Complexity and connectivity

ISO 31000 states: “An event can have multiple causes and consequences and can affect multiple objectives”. The bowtie methodology lends itself well to support this part of risk analysis. As opposed to risk registers where it is often hard to understand which control, or barrier, is protecting us from which threat. As can be seen in the figure below, in the risk register it is hard to see if we have barriers for each threat/consequence line, whereas in the bowtie diagram it becomes immediately apparent.

effectiveness bowtie, analysis factors, register bowtie diagram
Figure 2 – A risk register VS a bowtie diagram. Click here to view the full image

4 – Time-related factors and volatility

The time-related factors can be considered a shortcoming of the bowtie methodology as it does not show just how much time a scenario would take to unfold. In addition, the volatility of certain events can sometimes be hard to capture in a bowtie other than by using the risk matrices.

5 – The effectiveness of existing controls

ISO explains that existing controls and their effectiveness and efficiency should also be taken into account when analyzing risk. By displaying the effectiveness of barriers through, e.g. color (see picture below), the final risk that will be assigned to a scenario in a risk matrix will be easier to understand and thus help to make decisions. For more information on defining effectiveness see our other blog: 3 pillars to define barrier effectiveness.

effectiveness bowtie, analysis factors, register bowtie diagram
Figure 3 – Barriers colored according to their effectiveness. Click here to view the full image

6 – Sensitivity and confidence levels

The bowtie methodology is incredibly effective at communicating risk to people in all layers of an organization due to its simplicity. As such, it is important to remember to add doubts and questions to your bowtie diagrams in instances of uncertainty. Simply adding a question mark or some words to the elements in a bowtie can already inform the decision makers of the uncertainty inherent in the scenario.

Join us in next week’s blog post to discover how to use BowTieXP to your advantage.

Related Insights

  • Artificial intelligence in auditing: Enhancing the audit lifecycle
    Article
    Compliance
    April 17, 2024
    Artificial intelligence in auditing: Enhancing the audit lifecycle
    Using artificial intelligence in auditing improves performance across the audit lifecycle.
    Learn More
  • Auto finance digital transformation index
    Article
    Compliance
    April 17, 2024
    Auto finance digital transformation index
    Navigate auto lending's changing landscape with our Automotive Finance Digital Transformation Index. Learn about critical digital transformation drivers and insights for thriving in the new digital era.
    Learn More
  • Common concerns of businesses that file their own UCC filings
    Article
    Compliance
    Finance
    April 17, 2024
    Common concerns of businesses that file their own UCC filings
    Variations in state laws complicate UCC filings, requiring precise adherence to jurisdiction-specific guidelines to avoid rejections.
    Learn More
  • The value of recurring search
    Article
    Compliance
    Finance
    April 17, 2024
    The value of recurring search
    Utilize recurring searches for strategic decision-making and risk mitigation. Optimize operations and ensure compliance with tailored search profiles and integrated systems through effective public records monitoring.
    Learn More
Back To Top