For a number of years I have been using a bow-tie analysis when working with organizations to evaluate risk responses. It is extremely useful in thinking through preventive as well as reactive measures to respond to risks. When an organization first looks at its potential risk responses, it must consider whether or not there is any ability to control the occurrence of the risk event, and if so, the steps that could be taken to reduce the likelihood of a risk occurring. And then alternatively, when there is little ability to control a risk, the focus shifts to the potential impacts of the risk event and what could be done to prepare. In many cases it is through this process of evaluating risks that I have seen ERM skeptics “get it” and start to appreciate the value of the ERM process. That would be reason enough to sing the praises of the bow-tie analysis; however, recently I have come to appreciate another incredibly valuable aspect of the bow-tie analysis: identifying key risk indicators that could provide an early warning of impending risk events.
Before we discuss key risk indicators, it may be helpful to describe the bow-tie analysis process (see illustration below) in more detail. It starts with the risk at the “knot” of the tie, and then moves to the left to identify and describe the events or circumstances that may cause the risk event to occur, paying particular attention to root causes. Once those causes have been identified, the analysis then identifies preventive measures that could be implemented. At this point there could be an evaluation of the actual preventive measures that the organization has in place to determine whether additional measures should be implemented. The analysis then moves to the right to look at the potential consequences that would result after the risk event happens, and the plans the organization either has or should have in place to minimize the negative effects of the risk.
Now let’s walk through an example of how this process could be used to identify key risk indicators (KRIs). A manufacturing company identifies a risk of defects in a top-selling product in its portfolio. The first step in the analysis of this risk is to determine what could cause the defects to happen. If this event had happened before, the company could look back at the root causes of those past problems. If not, the company may go through a process of brainstorming to identify potential root causes. In this case, the company identified a couple of root causes that had occurred in the past: the first was a significant amount of turnover in the personnel working on the assembly process, and the second was an increase in defective parts coming from a supplier. With respect to the first root cause, by reviewing historical data the company determined that inexperienced assembly employees were a key factor in the defects. Accordingly, the organization decided to track the number of assembly employees with less than 6 months’ experience who were scheduled on each shift. With additional analysis, the organization concluded that when more than 5% of the assembly employees had less than 6 months’ experience, there was a significant increase in the probability of defects. In implementing this KRI, the organization set the 5% level as a trigger point and developed an action plan (risk response) to be put in place when that trigger point was reached. It followed the same process with respect to the second root cause that was identified.
For any given risk event there could be multiple root causes that need to be evaluated. In practice, I have seen as many as 5 or 6 per risk. This process can be very involved at the outset in analyzing the data to find the relevant root causes and to set the appropriate “trigger” points; however, the ongoing monitoring may not require a significant amount of incremental effort. Many organizations find that the predictive data is already being compiled and reported for another purpose within the organization, or the data is readily available through existing systems.
While the use of KRIs can be most impactful in tracking root causes where the organization has some control and therefore can act to prevent the risk from occurring, KRIs can also be valuable in situations where prevention is not an option or where preventive measures are not working. In those situations, KRIs can sound an early warning for the organization to get prepared to react to the event to contain the damage and/or accelerate the recovery from the event.
The bow-tie analysis should have a place in every risk manager’s toolbox. It is a valuable way to evaluate risk responses as well as a great way to communicate key risks, degree of control over those risks, and response plans. Finally, it is a great launch point for developing key risk indicators that can provide early warnings of potential risk events.
As Executive Director of North Carolina State University’s ERM Initiative, Bonnie Hancock works closely with senior executives as they design and implement enterprise risk management (ERM) processes in organizations they serve. That hands-on advising leads to insights about techniques useful in addressing a number of practical challenges associated with ensuring ERM processes are value adding without over-burdening the process. In this article, Bonnie addresses the use of a bow-tie analysis to evaluate risk responses and develop key risk indicators.