Search Results

11 results found for "bowtie"

  • Risk Based process Safety During Disruptive Times

    You can download this monograph using this link. CCPS has also published a BowTie for Covid-19 analysis, which you can also find here. #managedsafety #covid

  • Are Your Risk Measures Valid?

    In this article we take a look at the nature of risk reduction controls through the lens of barrier analysis. This is a common practice in process safety and is becoming more popular in other fields such as environmental, finance, regulatory, cybersecurity, and overall compliance risk.

    At a basic level, the bow-tie diagram (simplified above) is used to visualize a risk path initiated by a threat that results in an event that, if left unmitigated, will result in harmful consequences. Each element can be expanded so that analysis can occur to design measures or discover vulnerabilities in them that might lead to their insufficiency to completely stop harm to the people and things we care about.

    Process visualization is an important tenet of LEAN and also for risk management, although not as prevalent or easy to do. What is more common is for risk to be communicated using statistical attributes, which, while necessary, often fail to properly describe event chains and their contribution to harmful or hazardous events. Nancy Leveson (STAMP method) calls these hazardous processes, although other phrases have been used that include event chains, error chains, risk streams, and the like.

    What barrier analysis and bow-ties do for risk is what LEAN value stream analysis does for quality. The latter helps to identify waste to eliminate or reduce in the creation of value, whereas the former helps to identify uncertainty whose effects we also want to eliminate or reduce in the creation of safety.

    Bow Tie Concept Handbook

    While the Bow Tie and Barrier Analysis methods are commonly used in process safety, they have lacked consistent practices and vocabulary, which has hindered their utility and advancement. To address these concerns, as well as others, The Center for Chemical and Process Safety (CCPS) along with the Energy Institute (UK) in 2018 published a handbook entitled, "BOW TIES IN RISK MANAGEMENT - A Concept Book for Process Safety." This handbook provides a common set of definitions, best practices and guidelines by which hazard and risk analysis may be done.

    In the Bow Tie handbook the following definitions are provided for the basic elements of the bow tie shown previously, which will be helpful for our consideration and application with respect to compliance, where hazards also exist in need of contending with.

    Hazard: An operation, activity or material with the potential to cause harm to people, property, the environment or business, or simply, a potential source of harm.

    Top Event: In bow tie risk analysis, a central event lying between a threat and a consequence corresponding to the moment when there is a loss of control or loss of containment of the hazard.

    Prevention Barrier: A barrier located on the left hand side of a bow tie diagram that lies between a threat and the top event. It must have the capability on its own to completely terminate a threat sequence (other possible names: Proactive Barrier).

    Mitigation Barrier: A barrier located on the right hand side of a bow tie diagram lying between the top event and a consequence. It might only reduce a consequence, not necessarily terminate the sequence before the consequence occurs (other possible names: Reactive Barrier, Recovery Measure).

    Threat: A possible initiating event that can result in a loss of control or containment of a hazard (i.e., the top event) (other possible names: Cause, Initiating Event).

    Consequence: The undesirable result of a loss event, usually measured in health and safety effects, environmental impacts, loss of property, and business interruption costs. Another possible name: Outcome. The magnitude of the consequence may be described using a risk matrix.

    For this article, I want to focus in on barriers, which in other industries are called Risk Measures.

    Risk Measure Validity

    Barriers are the technical and human factors used to prevent threats from becoming a reality. They have specific meaning when it comes to process safety and particularly to the properties they should have. The handbook suggests that barriers must have three essential properties. They should be effective, independent, and auditable:

    Effective - A prevention barrier is described as ‘effective’ if it performs the intended function when demanded and to the standard intended, and it is capable on its own of preventing a threat from developing into the top event. A mitigation barrier is described as ‘effective’ if it is capable of either completely mitigating the consequences of a top event, or significantly reducing the severity.

    Independent - Barriers should be independent of the threat and of other barriers on that pathway. For example, if the threat was loss of power and a barrier requires power to operate, then that would not be a permissible barrier in that pathway.

    Auditable - Barriers should be capable of being audited to check that they work. Formally, it could be that performance standards are assigned to the functionality of a barrier. For example, a performance standard for an ESD valve would ideally include ‘periodic end to end testing’, i.e., a signal is placed upon the detection device, the logic controller responds, and activates the end device, e.g., the ESD valve.

    Validity of Compliance Risk Measures

    While these definitions are described for process safety, they are applicable to general risk management including compliance. Compliance uses risk measures to prevent or reduce the consequences associated with data breaches, ethical violations, non-conformance, and other "hazardous" events. They should also have essential properties to ensure they perform their intended purpose. These would include the ones for barriers: effective, independent, and auditable, for similar reasons given for process safety. In fact, compliance risk measures would also benefit from the extended list of attributes defined by CCPS: independence, functionality, integrity, reliability, auditability, access security, and management of change.

    Unfortunately, just as in process safety and perhaps more so, there is a lack of a standard set of definitions and practices with respect to risk management as a whole. We seldom see risk defined using a consistent vocabulary across organizations, let alone within them. Risk identification, even when done, tends to be focused on the "components" of an organization and seldom at the level describing how these might work together to create what in process safety is called a hazardous process. Without understanding the causal nature of risk it is impossible to effectively prevent risk from occurring. As a result it is no wonder that risk registers rarely contain the risks that really matter, with measures that have been properly analyzed and designed to be effective at preventing or mitigating harmful outcomes.

    You might say that compliance is in need of tools such as the Bow Tie and Barrier Analysis to better visualize, describe and analyze risk processes. For those interested in learning more, we have written additional articles on the topic of using bow ties in the compliance domain which can be found here.

  • Lord of the Risks – The Two Towers: Productivity and Compliance

    The folk in the Tower of Compliance are known to use what is known as RISK MANAGEMENT and they are fond of the BowTie Analysis.

  • Bow Tie Template

    To help you achieve your outcomes we are offering a free copy of our Bow-Tie Analysis PowerPoint template. Our template incorporates smart shapes to make it easy to document your analysis. Both threats and opportunities are supported. Now you can prepare your defenses against threats and your attacks on opportunities. May it help you defeat the dragon of uncertainty! Download your template here. #BowtieAnalysis #RiskAssessment #RiskbasedThinking #ComplianceInsights

  • Bow Ties are Cool and Effective

    There might be some who read my posts who are also Doctor Who fans and get the reference to bow ties being cool. However, even if you don't watch Doctor Who, you can still appreciate the benefits from using a bow-tie analysis to help improve the certainty of achieving your goals. Risk management has changed over the years and in many ways has now become an optimization process to increase the certainty of achieving outcomes. And nothing demonstrates this more than using a bow-tie analysis.

    The first thing that people notice when using a bow-tie analysis is that it looks like an actual bow tie, particularly in its simpler form:

    This provides a great visual when considering how to address risks. However, what makes it so powerful is that it incorporates causal and consequence trees along with control analysis all in one tool.

    To illustrate how the bow-tie analysis can be used, let's consider risks associated with achieving a relatively simple objective of getting to work. We can simplify this even further by only considering a risk scenario that involves getting from the parking lot to the office building. The path has a significant hole in the pavement that developed over the winter and is now a meter wide and several meters deep. This hole is referred to as a hazard which threatens the ability to achieve the objective of getting to work. However, it should be noted that not all holes represent threats, only the ones that are in the way between us and our objective. In the words of Dr. David Hillson (The Risk Doctor), that's how you know which risks really matter.

    The goal of a bow-tie analysis is to optimize controls addressing both prevention and recovery to reduce the treated risk to below a given risk tolerance. For each cause an evaluation is made of the prevention controls' effects on the likelihood of the risk event occurring, which in our example is falling in the hole. In a similar fashion, an evaluation is made of the effects of the recovery controls to reduce the impact of not achieving the objective.

    The following list contains brief definitions for key elements of our bow-tie example:

    Objective: This is what is being aimed at or sought after (i.e. getting to work).

    Causes: These are conditions that may result in falling in the hole. In our example, three causes have been identified: walking down the path, running down the path, and walking while being distracted. Each one will have its own likelihood of falling in the hole.

    Consequences: These are the results of falling in the hole which affect whether or not we get to work. They are uncertain as they depend on whether or not a person falls in the hole. Three consequences have been identified: cuts and bruises, broken bones, and fatalities.

    Prevention: These are controls to prevent falling in the hole. Each one has its own level of effectiveness.

    Recovery: These are controls that mitigate the effects of falling in the hole should they happen. Each one has its own level of effectiveness.

    After optimizing the prevention and recovery controls to reduce residual risk below the risk tolerance, a risk plan can be developed by creating risk statements for the cross product of causes and consequences. Here I am using the risk meta-language proposed by Dr. Hillson and others:

    A bow-tie analysis is effective not only with qualitative considerations but can be (and often is) extended to include quantitative measures on both causal and prevention logic trees. In addition, by considering both prevention and recovery efficacy in isolation and in relationship with other controls, a preliminary assessment (LOPA) of the layers of defense can be obtained to gauge overall coverage.

    A bow-tie analysis can also be applied to opportunities where, instead of prevention and recovery, the focus is on enabling opportunity events and exploiting them should they materialize. By considering both threats and opportunities, a holistic approach to addressing uncertainty in the achievement of objectives is possible.

    Download our free PowerPoint Bow-Tie / ISO 31000 Template here

  • Lean Compliance A3 Format

    The A3 Format and DMAIC are structured processes used for LEAN / Six Sigma improvements and problem solving. While these have proven to be very effective for certain processes, when it comes to meeting performance and outcome based compliance obligations, you need a more proactive approach that addresses threats and opportunities. We have created the Lean Compliance A3 format which incorporates the bow-tie analysis along with measures of effectiveness, performance, and compliance to help you continually advance towards better outcomes using a PDCA cycle. Now you can document each of your obligation improvements using the A3 format. Contact us to find out more about how you can use LEAN to improve your compliance. #leanmanagement

  • The Pursuit of Opportunities in the Presence of Uncertainty

    In this article I want to discuss what is going on with the COVID-19 pandemic with respect to risk. The first risk will be what everyone is talking about; the others are only now being discussed. Before we dive in, I am not a health care expert and so will be taking the position of an observer of what is happening around me, and to some extent, others who I know.

    Here are three risks that I see:

    1. The COVID-19 pandemic and its bigger brother the COVID-19 panic,
    2. The economic shutdown created by "Flattening the curve", and
    3. The loss of rights and freedoms or commonly known as #StayAtHome

    The last two are risk measures, or controls if you prefer, implemented for the purpose of protecting life against the effects of the first. However, these measures, as important as they may be, are not without their own risks against life, as we will find out.

    Three Risks

    1. The COVID-19 pandemic and its bigger brother the COVID-19 panic

    COVID-19, which is a variant of the corona virus, has posed and continues to pose a significant threat to life. Some say that this is not a Black Swan which is a risk that could not have been predicted. However, others say that it could have been anticipated and precautions made to deal with its possibility. Whatever the case, COVID-19 is now upon us. The window of prevention has closed and now the focus is directed at mitigating its effects by slowing down its transmission by reducing the number of those infected. This has been called "flattening the curve," and its purpose is to save lives.

    You might say that the COVID-19 risk is now a reality and we are now facing the next risk, which is "COVID-19 Infection".

    The following diagram is a bow-tie analysis (not exhaustive) which we will use to demonstrate the interactions between the uncertain event of being infected by COVID-19, the causes that would bring this about, and the consequences that arise if infected.

    Preventive controls (or measures) are used to reduce the likelihood of getting infected, whereas mitigative controls are used to reduce the impact caused by the infection. Shutting down the economy to essential services is one of the measures to reduce the chance of infection and perhaps an enabler to allow as many as possible to self isolate. These measures are expected to reduce and delay the number who get infected. The forced economic shutdown, while needed, is itself a source of additional risk to life.

    2. The economic shutdown created by "Flattening the curve"

    Shutting down businesses, public spaces, transportation along with other elements of society is also a risk on life. Preventing this shutdown from happening is not possible. In fact, right now, compliance to these measures is exactly what is needed and critical to flattening the curve. However, the longer this goes on the greater the chance that many, perhaps even more than the numbers of COVID-19 deaths, will lose their business, their livelihood, their marriages, and possibly their lives. The stress associated with financial loss should not be ignored and should be managed. There is a saying that if you remove the means by which someone is paying off their debt you not only take away their livelihood, you take away their life. (Deuteronomy 25:6).

    3. The loss of rights and freedoms or commonly known as #StayAtHome

    In attempts to flatten the curve many government institutions are amending by-laws and regulations to enforce public health measures. As an example, in Burlington, Ontario it is now illegal to stand closer than 2m to someone else on public spaces. The majority of people will comply with these measures and do their part to help flatten the curve by self-isolating, shopping for food only when needed, and otherwise staying at home. However, there are some who won't and that is why governments have acted to remove freedoms.

    What has surprised me, and perhaps others as well, is how quickly freedoms have been removed. The question that is on my mind is how quickly will these rights and freedoms be restored. Will we find that governments will use emergency measures more often as a solution to not being proactive in the past? Will they see this as a way of dealing with bad governance? The removal of civil liberties is something that we should not accept lightly. We need to hold government officials accountable and to request from them plans and measures to restore all the freedoms that have been removed, livelihoods that have been lost, and how we will get back to life.

    Pursuit of Opportunities

    The pursuit of opportunities is an effective countermeasure to the negative effects of risk including those of COVID-19, although there is also uncertainty associated with opportunities as there is with threats. Therefore risk measures should also be used to improve the probability of realizing opportunities in the presence of uncertainty.

    The following diagram looks at how risks and their measures are connected:

    We will consider two of the effects, loss of business and loss of livelihood, and consider how opportunities can be used to not only mitigate their effects but recover from them.

    COVID-19 Infection (risk) --> Economic Shutdown (risk measure) --> Loss of business, Loss of livelihood (effects)

    Here we use the bow-tie once again, but this time to improve the chances of an uncertain positive event, which is the opportunities of a new business and a new livelihood. We can take measures to enable each opportunity and, should it be realized, consider how it can be exploited to maximize the positive effects or outcomes.

    NEW BUSINESS

    Causes that will bring about a new line of business: Innovation, New Product Development, Pivot

    Improving your chances of a new business: Digital transformation, Customer engagement, Accelerate launch windows of NPI

    Exploiting the opportunity to maximize positive outcomes: Promotion, Networking, CRM

    Consequences of a new line of business: Increased sales, Increased profits, Increased stakeholder value

    NEW LIVELIHOOD

    Causes that will bring about a new livelihood: Apply for new opportunities (i.e. jobs)

    Improving your chances of a new livelihood: Volunteer, Retrain, Go back to school, Network, Update CV

    Exploiting the opportunity to maximize positive outcomes: Mentorship, Networking, Volunteer, Take on new responsibilities

    Consequences of a new livelihood: Better job, Better circumstances, Better life

    Summary

    We see threats far more easily than we do opportunities, particularly when we are in the midst of a crisis. However, that doesn't mean that the opportunities don't exist. In Kahneman's book, Thinking, Fast and Slow, he helps us understand that we need to use a different part of our brain when considering things such as opportunities, whereas the fast part of the brain is great at dealing with threats, efficiencies, and getting things done.

    Risk measures can be put in place to prevent and mitigate the effects of uncertainty when they are negative and threaten what we value. However, measures can also be created to improve the probability of opportunities and increase their positive effects to protect and create new value.

    Be Safe Be Proactive. #lordoftherisks #covid

  • Integrated Risk Assessment

    In response to increasing and often overlapping requirements from standards and regulatory bodies, many companies are looking to integrated and proactive approaches to manage all their obligations, reduce risk, and increase stakeholder trust. Each management system serves as a layer of defense against unwanted events such as: loss of containment, injury, regulatory violation, non-conformance, and others. A Bow-Tie Analysis can be an effective tool to ensure that you are not over or under investing with respect to risk controls.  It also helps you identify metrics to monitor and track the effectiveness of your overall compliance program. #riskmanagement #managedsafety

  • The Proactive Certainty Challenge

    UPDATED - May 17, 2020

    Knowing how to manage in the presence of uncertainty is a skill that is in short supply, but also something you can learn. We developed The Proactive Certainty Program™ to help organizations just like yours be more proactive with their compliance in response to changes in regulations and standards towards performance and outcome-based objectives.

    Most industries have adopted Vision Zero targets such as: zero emissions, zero violations, zero harm, zero fatalities, and others. Prescriptive regulatory designs are seen as no longer enough to make progress against these targets. Instead, companies will need to develop their own approaches to advance their capabilities using risk-based and continuous improvement approaches. Effective organizations benefit from incorporating risk, lean and performance management into their risk & compliance programs to make progress against their quality, safety, security, environmental and regulatory objectives. It starts by deciding to be proactive, which is a countermeasure to reactive behaviors caused by uncertainty and made worse by a crisis such as the COVID-19 pandemic. To help you be more proactive we are offering free memberships to the Proactive Certainty Program™.

    COVID-19 Membership Package (FREE)

    The package includes membership in The Proactive Certainty Program™ where you will have access to:

    The Lord of The Risks Workshop (3 Hours) - Project Success in the Presence of Uncertainty

    To increase the probability of project and mission success we need to manage in the presence of uncertainty. This content is for project managers and PMOs who are responsible to ensure that critical projects continue and are successful:

      5 Principles of Project Success (Intro) - Video
      What is Uncertainty and Risk? - Video
      5 Immutable Principles of Project Success - Video
      How to Estimate Project Uncertainty and Implement Effective Risk Measures - Video

    The Effective Compliance Workshop (4 Hours)

    To advance performance and outcome-based obligations we need to be proactive. This content is for department managers and directors who are responsible to ensure that risk & compliance efforts including quality, safety, security, environmental, and regulatory continue to make progress against vision zero targets:

      10 Rules for Effective Compliance - Video
      Compliance at the Speed of Risk - Video
      A Framework for Effective Compliance - Video
      A Proactive Approach for Governance, Risk and Compliance (GRC) - Video

    The Systems Thinking Workshop (5 Hours)

    To improve management system outcomes you need to apply systems thinking. A curated list of videos on Systems Thinking including related blog posts and articles applying systems thinking to compliance.

    The Business Recovery Workshop (2 Hours) - Coming soon

    Transition from CRISIS to RECOVERY by learning how to create a risk-based business recovery plan. As the lifting of Covid-19 restrictions begins all around the world, companies are starting to transition to a next normal for their business. This requires an effective business recovery plan that:

      Re-imagines what normal looks like
      Safely restarts operations
      Recovers business that was lost
      Reinforces defenses against future uncertainty

    This is an opportunity for risk & compliance to be at the table to lead and coordinate efforts to improve the probability of mission success.

    In addition, you will have access to the following templates and resources. This content includes helpful templates and worksheets that are risk-based and appropriate for improving projects, systems, and processes:

      Lean A3 Obligation Template (Risk adjusted)
      Lean X-Matrix-Compass Template (based on the 10 Principles for Effective Compliance)
      Lean Bow-Tie Analysis Template
      Lean Project Charter Template
      Lean Compliance Beetle Template (risk-adjusted version of the Quality Turtle Diagrams)
      Lean A3 PDCA Template
      Lean Project Pre-mortem Canvas Template
      Lean Risk Scenario Pre-mortem Canvas Template
      Lean Compliance Poster
      Lean Compliance - Why Compliance Needs to Change - White Paper

    All of this content and these resources are available as part of joining The Proactive Certainty Program™, which we are offering for FREE to help you be more proactive.

    And that's not all! For those who are involved with achieving quality, safety, security, environmental, and regulatory objectives we are also providing a free 90 Minute Compliance Mapping Session after completing the Proactive Certainty Scorecard. This evaluation helps you identify where you are on the proactive/reactive scale and what areas to improve.

    How to get your free membership

    If you currently are a subscriber (or not) this is your time to become a member and take advantage of these free resources made available as part of the COVID-19 Membership Package. To sign up for the COVID-19 Membership Package all you need to do is register by clicking this link. After you register you will have access to 7 hours of training, valuable resources, and a free evaluation of one of your compliance programs. So take the Proactive Certainty Challenge and fight the reactive effects of uncertainty.

    Be Safe Be Proactive.

  • Compliance versus Obligation Risks

    When it comes to performance-based compliance you need to manage both compliance and obligation risk. Compliance risks are the effects of uncertainty of non-conformance. These impede outcomes. Obligation risks (i.e. opportunities) are the effects of uncertainty of conformance. These advance outcomes.

    To manage both, the following are helpful tools and systems:

    Bow-Tie Analysis - evaluate risk and controls to optimize risk buy-down and opportunity invest-up plans.

    ISO 31000 Risk Management System - provides a framework to manage risks and opportunities across their life-cycle. Don't create an opportunity for threats to penetrate your defenses or opportunities to be missed by missing a step.

    ISO 19600 Compliance Management System - provides a framework to manage all your obligations under one governance system. It does this by establishing processes to identify, implement, evaluate, and maintain all mandatory and voluntary obligations covering: quality, safety, environment, security, regulatory, and other risk-based obligations. The goal of ISO 19600 is to ensure effectiveness.

    When obligation risk is addressed ahead of time it reduces the probability of compliance risk. Not only will you protect against loss but you also advance outcomes at the same time. It pays to be proactive. #effectivecompliance #riskmanagement

© 2020 Lean Compliance™

All rights reserved.
