Tuesday, 3 June 2014


This is the third installment of a six-part series on common business challenges and the quality management system (QMS) tools that can help alleviate those challenges. We've discussed corrective action in Part 1 and document control in Part 2, and the ways in which organizations are finding value through these tools. In this article, we're going to discuss risk management and how it can help you proactively identify and mitigate risk.

The Challenge: Complexity in Organizations Makes Compliance Harder

All industries experience the need for change at some point or another. Furthermore, changes to products, processes, and regulations are not isolated—one impacts the other. Add to this an increasing oversight on compliance regulations and standards and it’s easy to see how complexity increases, whether in quality management or general compliance.

A company needs to address the effects of change on both quality and compliance as it grows; however, there is often a disconnect in how the compliance function is organized once a company expands in complexity. Whether a company is domestic or international, it faces regulations at both a local level and national level. These vary by country and region, and to complicate matters, the regulations are forever changing and shifting. Organizations need to ensure quality and compliance is met as they roll out new processes and products.

Considering all of these factors and the need to maintain compliance within an ever-changing business pace, how can a company keep up?

The Answer: An Automated Approach with the Bowtie Risk Model

Companies are looking for new ways to benchmark their compliance and keep up with the pace of business; risk management is becoming that benchmark. Risk management provides a systematic method for identifying hazards, assessing and measuring the risk of those hazards, and taking appropriate action based on the risk. Risk management provides a common method for measuring all types of adverse events and hazards within your organization so you can make consistent and informed decisions based on the level of risk.

The Bowtie risk model in particular is an effective risk tool for assessing risk in low-occurrence events. It’s called Bowtie because it’s shaped a bit like a bow tie. The knot is the undesired event with threats and preventive controls fanning out to the left, and recovery controls and consequences fanning out to the right. It’s beneficial because your company may have little data on potential critical events, but the undesired effects of these events are so catastrophic that you can’t risk not having controls in place.

The Bowtie is a proactive risk assessment tool that looks to mitigate risk before it happens. It builds out a scenario in which an adverse event might occur and puts preventive controls in place to mitigate the risk of that event actually happening. Similarly, it also builds out recovery controls to minimize the impact in case the event does occur.

Companies use the Bowtie risk model to guard themselves from events that they do not have enough historical data on, but need to make sure that they are protected from both a preventive standpoint and recovery standpoint.

The Real-World Scenario

A good way to envision the Bowtie risk model is to use driving as an example. An adverse event in driving is a loss of control of the vehicle causing an accident. In this event you would figure out what are the potential threats that might cause loss of control. Common threats could be rain, poor visibility, driving too fast, a tired driver, or bad tires. How can you put controls in place to “block” those threats? Some examples of controls could be installing new windshield wiper blades, ensuring both headlights are working and properly aligned, implementing a speed limit, giving a tired driver coffee, or replacing worn tires. These preventive controls will help to reduce the risk of the event occurring.

But what if even with these control barriers the event still occurs? You need to implement recovery controls to mitigate the risk of harm to the driver. These recovery controls could be seat belts, airbags, guard rails, or crash barrels. Although these did not prevent the undesired event—it already happened—they will mitigate the risk of injury. So the event still occurred, but you are putting barriers in place to make sure the risk is minimized as much as possible.


With risk management becoming such a major part in compliance efforts, building in risk technologies and tools such as Bowtie method is an effective way to benchmark and measure compliance to regulations.

Risk management is a universal language that is common for all levels of compliance. It provides an objective and systematic method of filtering and prioritizing adverse events, and improves the speed and quality of decision-making capabilities. The Bowtie method of risk evaluation enables you to be proactive when mitigating risk within your organization, even without an existing risk history. This approach to risk from all angles provides you with the assurance that you will be aware of any adverse events before they happen, and if they do occur, you will have controls in place to lessen the severity of the outcomes.

Sources: Tim Lozier, EtQ Inc.

No comments: