BUSINESS NO CLASSIFICATION

4th

September, 2015

BowTie Risk Management Methodology and Quantification

Dr Andrew Fenna, Risksoft Software Ltd. andrew.fenna@risk-soft.com

www.risk-soft.com

INTRODUCTION
BowTies are a graphical barrier-based approach to Risk Management where a clear Threat to Consequence
pathway is mapped out, providing a powerful tool to assess, control and communicate Risks of all kinds.
BowTies deal with both prevention of a Top Event (proactive Risk Management) as well as recovery from a
Top Event should it become reality (reactive Risk Management).
Risk Control with regards to BowTie Methodology involves placing Barriers between Threats and the Top
Event, as well as Recovery Measures between the Top Event and downstream Consequences. Moreover, a
further level of Risk Control can be employed between Escalation Factors and their respective Controls on
both sides of the BowTie diagram.
BowTies are traditionally thought of as a qualitative Risk Assessment technique (where Risks are merely
described), however, more effective Risk Management paradigms make use of semi-quantification, or better
still, quantification, of risk, where numerical values are added to Risk Events.
Due to the multiple-domain nature of BowTies, quantification of their associated diagrams is more involved
than the majority of Risk Assessment techniques; indeed, prior to the production of Risksoft BowTie RS
software, there was no fully quantifiable BowTie tool available on the market.
Risksoft Software Ltd has worked out a method of fully quantifying BowTie diagrams, by adding numerical
data to Threats, Controls, Escalation Factors and Consequences which manifests as a single Risk Value for
each BowTie, thereby allowing for incorporation into a Tolerability of Risk schedule, resulting in more
effective Risk Assessment, Risk Prioritisation and Risk Control.

Why Quantify Risk?

In any effective Risk Management regime, the ultimate goal is to bring all Risks present down to acceptable
levels. To do this we must firstly understand the uncontrolled level of Risk, prioritise them with respect to all
other Risks present, decide which Risks need more control/ resources by seeing where the Risk fits within
our defined Tolerability of Risk thresholds, and finally apply carefully considered Risk Controls.

1 of 10

BUSINESS NO CLASSIFICATION

4th

September, 2015

Controls themselves come in many forms e.g. they can be procedures, pieces of equipment, maintenance
schedules, intelligence gathering etc. Quantification allows us to assess the risk reduction power and
reliability of each Control and therefore facilitates a method for us to work out more accurate post-control risk
values and better inform us about the addition of further control, if necessary.
Risk Quantification therefore allows us to better understand our pre and post control levels of risk,
more stringently prioritise our Risks, and importantly more accurately apply and monitor Risk
Controls. Moreover, we can use the generated Risk Value data in downstream calculations e.g.
working out the overall level of risk throughout the organisation or applying the risk value to asset
management formulae among many possibilities.

Fundamental Risk Calculation

The basic formula for calculating any risk is: Risk = Probability x Impact

R=PxI
where R is our Risk Value,
P is 0 1 (1 means it will definitely happen),
and I is 1 - (determined by how relatively severe the downstream affect of the risk could
be).
This simple but useful equation assigns a value to any risk event and takes into account the probability or
likelihood that an event could occur, and what impact or severity it will impart should the event happen.
Clearly, arriving at a P value involves, in many cases, rigorous calculation or at least industry experience,
and these can be based on operational or market knowledge, manufacturers' reports, specific product data,
research and development etc.
I is largely down to your own market knowledge as only you can know how a single risk event could impact
your organisation. Of course an equally considered approach to quantifying impact is advised.

Risk Controls
Following Risk Calculation, if we decided that the level of Risk (R value) is too high, we aim to reduce the
value of R by lowering the probability or inhibiting the impact level, and is this is usually achieved by the
application of Risk Controls.
Most commonly a Risk Control is put in place to reduce the probability as opposed to impact (the idea behind
that is that it makes more sense to stop an event happening in the first place, and in BowTie methodology,
we can reduce the probability of a Top Event leading to a Consequence after the Top Event has happened,
as well as reducing the probability of the Top Event happening altogether).
Risk controls should be independent of eachother, and at Risksoft, we quantify a Risk Control by two key
parameters:

Quality how powerful, when operational, is the Risk Control at reducing the probability of a Risk
Event happening?

2 of 10

Failure rate how often will the Risk Control fail when we want it to work?

BUSINESS NO CLASSIFICATION

4th

September, 2015

C = Q (Q x F)
where C is our single Control Value
Q is 0 1 (1 means it will reduce the probability by 100% - completely stop it),
and F is 0 1 (1 means it will fail all the time)
Because Risk Controls are all independent, we can then take a combined Total Control Value of all C Values
added together:

CT = C1 + C2 + C3 +..........Cn
where CT is our Total Control Value
and n is the max number of controls per risk
If our CT value is 1 or greater, it will completely stop the risk because P will become 0, so in our calculation
we limit CT to a maximum of 1.

if CT > 1 ? CT = 1
In practical terms this means you have put in enough Controls to completely stop the risk.
Now all that is left to do is factor in our Total Control Value into the P calculation. We use the reciprocal of the
Total Control Value as we are reducing P by a factor.

R = (P * (1-CT)) * I

BowTie Risk Calculation

Above was described the basic methodology of calculating general risk. What is required now is to transfer
these formulae into the BowTie diagram.
To start with, we can work with a BowTie diagram where no controls are put in place, and we can see how a
Risk Value is calculated from multiple Threats and multiple Consequences.

3 of 10

BUSINESS NO CLASSIFICATION

4th

September, 2015

In the examples below, actual values are displayed to aid in the interpretation of this paper
these are not normally displayed on the BowTies for aesthetic reasons.

Calculating BowTie Top Event Probability with no Controls

In the example above, two Threats are defined. Their probabilities (probability of the Threat occurring) are
shown on the Threats themselves. The Top Event probability (shown in the centre of the diagram) is simply a
sum of all Threat probabilities in this case with no Controls, but in a populated BowTie, all respective
Controls are taken into account as discussed later.

4 of 10

BUSINESS NO CLASSIFICATION

4th

September, 2015

Calculating a BowTie Risk Value via Consequences with no Controls

In the example above, we have now added some impact values to the BowTie at the Consequence end
(shown to the left of pipe bars as 1000 and 10). Because we have worked out the probability of the Top
Event happening, we can simply use our R = P x I for each Consequence (P will be the same for each
Consequence as there are no Controls in place) and I is what you select for each Consequence from your
impact thresholds settings using BowTie RS. The number on the right side of the bars in the Consequence
box is R (110 and 1.1 respectively); the Risk Value for that Consequence. What we then do is sum up all the
Consequence Risk Values and this gives us the full BowTie Risk Value for that Top Event this is shown in
the Top Event box on the right of the pipe bars (111.11).

Incidentally at this stage, because we know P for the BowTie and we have worked out R by
combining all the Consequence Risk Values, we can now rearrange the R = P x I formula to I = R/P to
give us the overall Impact value for the whole BowTie (1010 displayed in the centre of the BowTie)
unsurprisingly at this pre-control stage of the BowTie the impact level is the sum of the
Consequence impacts.

5 of 10

BUSINESS NO CLASSIFICATION

4th

September, 2015

Factoring in Barriers (left hand side controls that are put in place to
reduce the probability of the Top Event occurring).

In the above example, two Barriers (Controls) have been placed in front of Threat Two (the biggest Threat).
Their Quality (Q) and Failure Rates (F) are displayed along with their resultant Control Value.
CT in this instance is 0.4995 + 0.24975 = 0.74925. Probability for this Threat is 0.1 * (1-0.74925) = 0.025075,
which when added to the uncontrolled Threat One (0.01) gives us our new Top Event Probability of 0.035075
as displayed in the centre of the BowTie.
This Top Event Probability then manifests into the Consequences resulting in an overall Risk Value of
35.42575 the addition of two Barriers has reduced risk by 75.67425 based on customised P and I values.
Also note at this stage that the overall Impact has not changed (still 1010) because we have not yet
put controls on the right hand side of the BowTie that deal with the effects of Consequences.

6 of 10

BUSINESS NO CLASSIFICATION

4th

September, 2015

Factoring-in Recovery Measures (right hand side of the BowTie that

inhibit the Top Event leading to a Consequence).

In the example above, we can see how adding in a Recovery Measure reduces risk for a single
Consequence and for the overall BowTie Top Event.
A Recovery Measure is put in place to reduce the probability of the Top Event leading to a Consequence. In
this case the software has worked out the Top Event probability is 0.035075 and we have a put a Recovery
Measure in place with a value, worked out from it's Q and F attributes, of 0.45.
Our probability for this Consequence is now 0.035075 * (1-0.45) = 0.01929125, which we multiply by the
impact value of 1000 to give us a new Risk Value for this Consequence of 19.29125.
Because we have reduced the Risk Value for this single Consequence, the overall Risk Value of the BowTie
Top Event is lowered to 19.642.
Importantly, we have now reduced the overall Impact of this BowTie Top Event because we put a
control in the Consequence side our overall Impact is now 560.

7 of 10

BUSINESS NO CLASSIFICATION

4th

September, 2015

Bringing in Escalation Factors (factors that inhibit upstream controls

an extra layer of protection and analysis provided by BowTie
methodology)
BowTie methodology offers you the chance to scrutinise your Risk Controls by looking at eventualities that
could inhibit them therefore reducing their effectiveness.
An Escalation Factor (EF) can be considered a Threat because it increases Risk. For this reason, Risksoft
has quantified them using probability i.e. how likely is this EF going to completely inhibit an associated
Control (a Barrier or Recovery Measure)?
We assume that when an EF is identified and comes into play, it stops the Control 100%, so in terms of
quantification, you assign a probability of how likely this is to occur.

In the example above, an Escalation Factor (EF) has been added to our main Barrier in practical terms we
have spotted something that could render the Barrier unserviceable. Although highly unlikely in the real
world, a probability of 1 has been assigned to this EF which means this threat is always present. The effect
of the EF is that it has knocked out the associated Barrier which has increased the Risk Value throughout the
BowTie. However, because Barriers are always independent, we still have some protection from the second
Barrier, hence why the probability has not dropped to pre-control levels.
The same approach is used on Recovery Measures using exactly the same calculations .

8 of 10

BUSINESS NO CLASSIFICATION

4th

September, 2015

Reducing risk through Escalation Factor Controls

Clearly when we recognise a factor that can inhibit our upstream Risk Controls, we want to put something
extra in place to prevent the negative influence it will have on our Risk Management system.
Escalation Factor Controls (EFCs) provide a belt and braces mechanism for Risk Management and
essentially represent the last line of defence for a particular Threat. The addition of EFCs makes BowTie
methodology especially powerful in barrier-based Risk Control.

Just like Barriers and Recovery Measures, Risksoft BowTie RS calculates EFC values based on Q and F. In
the example above an EFC has been put in place with the highest possible Q value (1) and with a very low
Failure rate (0.0001). This has had the effect of virtually stopping (99.9%) the effect of the EF, therefore
allowing the associated Barrier to function and bring the Risk Value down to pre-EF levels.

The same Escalation Factor effect is shown in the figure above; this time with influence on the right hand
9 of 10

BUSINESS NO CLASSIFICATION

4th

September, 2015

side of the BowTie knocking out the Recovery Measure with a probability of 1 has increased Risk in the
whole system and changed the overall impact value.

Fully quantified BowTie Diagram

In the example above, a fully quantified BowTie diagram is shown.

Carrying on from the last BowTie, two Recovery Measure Escalation Factor Controls have been added (1 of
high risk reduction power, and 1 of low risk reduction power). Combined they have reduced the risk in their
associated Consequence by reducing the negative effects of RM EF on Rec. Measure.
Our (relatively simple) BowTie is now complete and is fully quantified with a probability of 0.03508
(rounded), a risk value of 22.17174 (rounded) and an impact of 632.03375.

Take home formulae

R=PxI
C = Q (Q x F)
CT = C1 + C2 + C3 +..........Cn
R = (P * (1-CT)) * I

END

10 of 10