Updated: Oct 2
In this article we take a look at the nature of risk reduction controls through the lens of barrier analysis. This is a common practice in process safety and is becoming more popular in other fields such as environmental, finance, regulatory, cybersecurity, and overall compliance risk.
At a basic level, the bow-tie diagram (simplified above) is used to visualize a risk path initiated by a threat that results in an event which, if left unmitigated, will result in harmful consequences. Each element can be expanded for analysis, either to design measures or to discover vulnerabilities in them that might leave them insufficient to completely stop harm to the people and things we care about.
Process visualization is an important tenet of LEAN and also of risk management, although there it is not as prevalent or easy to do. What is more common is for risk to be communicated using statistical attributes, which, while necessary, often fail to properly describe event chains and their contribution to harmful or hazardous events. Nancy Leveson (STAMP method) calls these hazardous processes, although other phrases have been used, including event chains, error chains, risk streams, and the like.
What barrier analysis and bow-ties do for risk is what LEAN value stream analysis does for quality. The latter helps to identify waste to eliminate or reduce in the creation of value whereas the former helps to identify uncertainty whose effects we also want to eliminate or reduce in the creation of safety.
Bow Tie Concept Handbook
While the Bow Tie and Barrier Analysis methods are commonly used in process safety, they have lacked consistent practices and vocabulary, which has hindered their utility and advancement. To address these concerns, as well as others, The Center for Chemical and Process Safety (CCPS) along with the Energy Institute (UK) in 2018 published a handbook entitled "BOW TIES IN RISK MANAGEMENT - A Concept Book for Process Safety." This handbook provides a common set of definitions, best practices and guidelines by which hazard and risk analysis may be done.
The Bow Tie handbook provides the following definitions for the basic elements of the bow tie shown previously. They are helpful when applying the method to compliance, where hazards also exist and must be contended with.
Hazard: An operation, activity or material with the potential to cause harm to people, property, the environment or business or simply, a potential source of harm.
Top Event: In bow tie risk analysis, a central event lying between a threat and a consequence corresponding to the moment when there is a loss of control or loss of containment of the hazard.
Prevention Barrier: A barrier located on the left hand side of a bow tie diagram, lying between a threat and the top event. It must have the capability on its own to completely terminate a threat sequence (other possible names: Proactive Barrier).
Mitigation Barrier: A barrier located on the right hand side of a bow tie diagram, lying between the top event and a consequence. It might only reduce a consequence, not necessarily terminate the sequence before the consequence occurs (other possible names: Reactive Barrier, Recovery Measure).
Threat: A possible initiating event that can result in a loss of control or containment of a hazard, i.e., the top event (other possible names: Cause, Initiating Event).
Consequence: The undesirable result of a loss event, usually measured in health and safety effects, environmental impacts, loss of property, and business interruption costs (other possible names: Outcome). The magnitude of the consequence may be described using a risk matrix.
For this article, I want to focus on barriers, which in other industries are called Risk Measures.
Risk Measure Validity
Barriers are the technical and human factors used to prevent threats from becoming a reality. They have specific meaning when it comes to process safety and particularly to the properties they should have. The handbook suggests that barriers must have three essential properties. They should be effective, independent, and auditable:
Effective - A prevention barrier is described as ‘effective’ if it performs the intended function when demanded and to the standard intended, and it is capable on its own of preventing a threat from developing into the top event. A mitigation barrier is described as ‘effective’ if it is capable of either completely mitigating the consequences of a top event, or significantly reducing the severity.
Independent - Barriers should be independent of the threat and of other barriers on that pathway. For example, if the threat was loss of power and a barrier requires power to operate, then that would not be a permissible barrier in that pathway.
Auditable - Barriers should be capable of being audited to check that they work. Formally, it could be that performance standards are assigned to the functionality of a barrier. For example, a performance standard for an ESD valve would ideally include ‘periodic end to end testing’, i.e., a signal is placed upon the detection device, the logic controller responds, and activates the end device, e.g., the ESD valve.
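The three properties can be checked mechanically once a threat pathway is written down as data. The following is an added example, not taken from the handbook or the original article; the `Barrier` and `Pathway` classes, their field names and the sample pathway are hypothetical, built around the loss-of-power and ESD valve illustrations above.

```python
from dataclasses import dataclass, field

@dataclass
class Barrier:
    name: str
    depends_on: set = field(default_factory=set)  # resources the barrier needs to operate
    performance_standard: str = ""                # how it is tested; empty means not auditable
    effective: bool = True                        # analyst's judgement: stops the threat on its own

@dataclass
class Pathway:
    threat: str
    threat_removes: set   # resources that are lost when the threat occurs
    barriers: list        # prevention barriers between the threat and the top event

def check_pathway(p):
    """Return (barrier, property, reason) findings for one threat pathway."""
    findings = []
    seen = {}  # dependency -> first barrier on this pathway that relies on it
    for b in p.barriers:
        if not b.effective:
            findings.append((b.name, "effective", "cannot terminate the threat on its own"))
        # Independence from the threat: a barrier must not need what the threat takes away.
        lost = b.depends_on & p.threat_removes
        if lost:
            findings.append((b.name, "independent", f"needs {sorted(lost)}, removed by the threat"))
        # Independence from other barriers: a shared dependency is a common failure point.
        for dep in sorted(b.depends_on):
            if dep in seen:
                findings.append((b.name, "independent", f"shares '{dep}' with {seen[dep]}"))
            else:
                seen[dep] = b.name
        if not b.performance_standard:
            findings.append((b.name, "auditable", "no performance standard assigned"))
    return findings

# Constructed sample pathway (illustrative values only).
SAMPLE = Pathway(
    threat="loss of power",
    threat_removes={"mains power"},
    barriers=[
        Barrier("electric backup pump", {"mains power"}, "annual function test"),
        Barrier("ESD valve", {"safety logic controller"}, "periodic end to end testing"),
        Barrier("high-level alarm", {"safety logic controller"}, ""),
    ],
)

if __name__ == "__main__":
    for finding in check_pathway(SAMPLE):
        print(finding)
```

The same structure applies to a compliance risk measure by listing what the measure depends on (a person, a system, a data feed) and how its operation is tested.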
Validity of Compliance Risk Measures
While these definitions are described for process safety they are applicable to general risk management including compliance.
Compliance uses risk measures to prevent or reduce the consequences associated with data breaches, ethical violations, non-conformance, and other "hazardous" events. They should also have essential properties to ensure they perform their intended purpose. These would include the ones for barriers: effective, independent, and auditable for similar reasons given for process safety. In fact, compliance risk measures would also benefit from the extended list of attributes defined by CCPS:
access security, and
Unfortunately, just as in process safety and perhaps more so, there is a lack of a standard set of definitions and practices with respect to risk management as a whole. We seldom see risk defined using a consistent vocabulary across organizations let alone within them.
Risk identification, even when done, tends to be focused on the "components" of an organization and seldom at the level describing how these might work together to create what in process safety is called a hazardous process. Without understanding the causal nature of risk, it is impossible to effectively prevent risk from occurring.
As a result it is no wonder that risk registers rarely contain the risks that really matter with measures that have been properly analyzed and designed to be effective at preventing or mitigating harmful outcomes.
You might say that compliance is in need of tools such as the Bow Tie and Barrier Analysis to better visualize, describe and analyze risk processes.
For those interested in learning more we have written additional articles on the topic of using bow ties in the compliance domain which can be found here.