Building Effective Bowties for Robust Critical Risk Management

A bowtie analysis captures the scenarios, causes, and potential impacts of risk for the strategic implementation of preventative and mitigative controls.

This information is presented in a bowtie diagram that visualises the various causal pathways of a risk, the controls in place, and the consequences of a failure in those controls.

Bowtie diagrams are popular risk management tools. Renowned for their intuitive structure, bowties break down the complexities of risk into digestible components and are often used to communicate risk management strategies to stakeholders and employees.

In the field, the risk and event information contained in a well-built bowtie can be used to strengthen critical risk management practices and improve safety performance.

Here, we examine the bowtie methodology, including the process for building an effective bowtie, and explain how well-built bowties can be utilised as part of a robust approach to critical risk management.

What is the bowtie methodology?

The bowtie methodology is a globally recognised approach to barrier-based risk management. It is widely used in high-risk industries to identify critical risks and determine the steps required to mitigate and prevent material unwanted events (MUEs).

In the bowtie methodology, a critical risk and event is identified and its potential causes and effects mapped out in a diagram shaped like a bow tie. Critical controls are established to prevent the causes that can trigger the event and to mitigate the consequences should it occur.

Simple and easy to understand, bowtie diagrams can effectively demonstrate how risks are being managed to stakeholders with little or no safety expertise.

Importantly, the value of a well-executed bowtie extends beyond a graphical representation. The information it contains can facilitate the design of a robust critical risk management process that verifies the effectiveness of controls in the event of an accident.

To be actionable and ensure a strong verification process, bowties must be supported by a comprehensive risk analysis. To remain effective, bowties should be regularly reviewed to capture new scenarios or information.

How to build a bowtie

There is no standard method for building a bowtie diagram. However, bowties generally follow this basic structure:

  • At the centre is an event that can realise the identified critical risk (the bowtie’s “knot”). It defines the moment when control over the risk is lost but no consequences have occurred.
  • The left side of the bowtie lists potential causes of the event.
  • The right side of the bowtie lists potential impacts of the event.
  • Along the middle are preventative controls for the potential causes and mitigative controls for the potential impacts.

When building bowties, the design of the diagram is secondary to conducting an accurate and comprehensive risk analysis. This enables a thorough assessment of the effectiveness of existing critical controls and helps pinpoint where vital controls are missing.

To illustrate the process, here is a simple breakdown of building a bowtie for the critical risk Fall from Height.

Building a bowtie: Fall from Height

The following elements must be addressed for an actionable bowtie:

Critical risk

Identify the critical risk. A critical risk is a risk with the potential to cause serious injury, death, and other catastrophic outcomes.

  • Example Critical Risk: Fall from Height

Event

Define the moment when control is lost over the risk and the potential for harm is imminent.

  • Example Event: Loss of control resulting in a person falling from height during work activities.

Set the scene with a potential scenario.

  • Example Scenario: Incorrect use or failure of ladders and mobile platform.

Critical risks can have multiple events. It is advisable to create bowties for each event if necessary to avoid overly complex or confusing diagrams.

Causes and Impacts

Conduct a thorough risk assessment to define what can cause the event and what the potential impacts are should it occur. This includes assessing the likelihood of the risk materialising and the severity of its potential impacts.

  • Example Cause: Improperly secured ladders or use on unstable ground can cause a ladder to tip over.
  • Example Impact: Fatality or life-changing injury.

To ensure a comprehensive analysis, inherent and residual risks should be assessed. Inherent risk is the underlying level of risk in an activity or process without controls in place. Residual risk is the level of risk remaining once controls are implemented and is dependent on their effectiveness.

Critical preventative and mitigating controls

Develop critical controls that directly address root causes and mitigate potential harms.

  • Preventive and Mitigating Control: Ladders and Mobile Platforms (non motorised)

Effective controls form the core of robust critical risk management strategy. Focus on data-driven controls informed by past incidents and organisational priorities to ensure controls are relevant and effective.

Escalation factors and their controls

Identify weaknesses in systems or processes that could reduce the effectiveness of critical controls and implement escalation factor controls to manage them.

Bowties can be built manually from scratch or by using a template. It can take organisations many months or years to obtain all the information required for an effective bowtie.

Commonly, a bowtie analysis starts with brainstorming sessions to capture risks and their controls. This process can be ad hoc, and without expert knowledge or adequate coverage of stakeholder views, often relies on the personal perspectives of participants. In this approach, important causes, impacts, or controls are in danger of being missed.

Digital tools such as Risk+ offer a simpler and more comprehensive solution. Risk+ provides world-class bowties that can be used as is or to help organisations build bowties specific to the risks in their workplace. It also delivers data-driven assessments of how well risks are being managed to support compliance reporting, strategic decision making, and continuous improvement.

The comprehensive overview provided by Risk+ can not only save an organisation time and money. It also ensures that the organisation’s bowties are fit for purpose and contain all the relevant information for effective critical risk management.

How bowties strengthen critical risk management

Well-built bowties can be used to drive several key aspects of a robust critical risk management system. These also encompass a range of organisational objectives, including:

Preventing fatalities and serious injuries

In best practice critical risk management, critical controls are verified as in place and effective before work commences. Multi-level checklists are the proven method for conducting quality critical control verifications and preventing fatalities. They ensure controls are consistently implemented and any gaps in safety processes identified. A well-built bowtie provides the focus to construct questions for a thorough checklist.

Operational efficiency

Storing bowties and the vital safety data they generate in a central repository, like Risk+, streamlines processes and helps deliver quick solutions to problems as they arise. Effectively managing and reducing risk can in turn lead to increased productivity and operational efficiency. If an incident does occur, a strong risk management system is vital for ensuring business continuity, reducing downtime and loss.

Continuous improvement

A pillar of best practice critical risk management, continuous improvement relies on accurate data and clear oversight of organisational risks. Conducting a bowtie analysis enables an organisation to spot weaknesses in its safety practices and implement better controls. Risk+ streamlines the risk assessment process and monitors the effectiveness of controls to proactively identify risk hotspots and improve safety performance.

Resource allocation

The detailed risk information generated by a thorough bowtie analysis enables strategic decision making and ensures the resources for managing risk are allocated effectively.

Reporting and compliance

It is a legislative requirement for organisations to effectively communicate the risks that exist in an operation or facility and demonstrate how they are being managed. The risk information in a well-built bowtie can be used to report compliance or assess compliance maturity.

How Risk+ enhances the bowtie methodology

Risk+ embeds bowtie analyses into an operational risk management solution that takes you through each step of critical risk identification and management.

Risk+ can manage every dimension of risk in your business, including:

  • Bowtie Visualisation: Provides the tools to identify and assess critical risks, develop and implement effective controls, and analyse data to improve safety performance.
  • Control Effectiveness Tests: Ensures controls are performing as expected or designed and tracks how well risks are being managed through a data-driven scoring system.
  • Role-Specific Checklists: Bowties are linked to actionable checklists in Safety+ tailored to managers, supervisors, and operators, ensuring controls are verified at every level.
  • Proven Methodologies: Tested content addressing 20+ critical risks informed by years of industry expertise and best practices.
  • Reporting Capabilities: Extensive reporting capabilities ensure all stakeholder requirements are met.
  • Integrated Risk Management: Captures and tracks all your risks in one solution, eliminating silos and streamlining workflows.

When integrated with Critical Control Verifications in Safety+, Risk+ enables continuous improvement of fatality risk reduction.

Get in touch to learn more about the Risk+ solution and optimising your risk management.