“It’s a risk, let’s put it on the risk register”; “it’s obvious what we need to do”; “late delivery of the project is the major risk”. You’ve heard them all, but how do you pull back from the quick fix?
BOWTIE ANALYSIS
This technique, described in IEC/ISO 31010 Risk management – Risk assessment techniques, allows you to ‘open up’ a seemingly closed scenario.
The technique can be used by the risk expert alone, or preferably with the risk owner (or a group), to explore the risk area. It is most powerful where the risk is wide ranging in scope (Bird Flu hits the company), or where the boundaries of the risk are unclear or cross department boundaries. It is most useful at the start of the process, to evaluate a new risk.
WHAT TO DO?
By focusing on the event and brainstorming causes and consequences, people generate scenarios without value judgement. One cause may have a number of consequences, whilst a number of causes may give the same result. Once the various ‘radials’ of the diagram have been identified, people can work out what will need to be put in place to prevent causes or to mitigate or recover from consequences. This is a little trickier, as people automatically think about who will take accountability for a control and the likely cost, so skilled facilitation is needed here. This is the ‘close down’ part of the process.
DRAWBACKS TO THE TOOL
To be sure, there are drawbacks. The technique is not so good where there are dependencies between the pathways; it can oversimplify the situation and does not readily lend itself to quantitative analysis. Where there really is just one mitigating action to an event, this approach is counter-productive, so choose when you use it.
And finally, if you want to keep your risk spreadsheet simple, with 1 risk to 1 mitigating action, then this is not for you.
WORKED EXAMPLE
The following is one I did using the MindMap tool for decommissioning the old kit in a data centre after moving to a new data centre. The focus of this diagram is the removal of the company’s data from disks and other storage devices. There were lots of other risks, such as powering off still active servers, that were captured elsewhere.
Bio:
Rick has worked in IT for many years in Programme Management, Service Support, Service Delivery and audit and now specialises in Risk and Pharmaceutical Validation.