Moving from risk spreadsheets to a bowtie risk register
Conventional risk spreadsheets work well in particular contexts. They offer simplicity and ease of use, at the cost of a deeper understanding of risk. How does one take the plunge from spreadsheets to more sophisticated methods, such as bowtie risk models?
This problem is a familiar one for emerging businesses in mining, construction, energy and security. The risk register spreadsheet represents a tremendous investment for the business, but this should not be confused with tremendous value for the business.
Here we’ll be looking at how you can preserve the investment in your risk register while taking on a deeper approach to risk that produces more value.
We’ll look at two aspects: the risk assessment and the risk register. Then we’ll look at how to migrate from spreadsheets to a bowtie risk register.
The risk assessment
Risk assessments are a form of analysis that focus on the interaction between events, factors and qualities. Each risk assessment is a combination of events and factors, with a combination of qualities that give an indication of the risk’s character.
To take an example:
The risk assessment is a combination of events and factors: e.g. a worker on a construction site is struck by a moving piece of equipment.
The risk assessment is a combination of qualities: e.g. the risk is likely to happen and could have severe consequences, and the risk is therefore high enough to be of concern.
It makes perfect sense to capture this kind of linear logic using a spreadsheet. In a typical register, the columns represent the different parts of the risk:
Some spreadsheets go into more detail, for example examining the different causes of the worker being struck by a moving piece of equipment. The critical limitation here is the extent to which a row on a spreadsheet can capture complex interactions. If there are multiple causes, how are these shown on the spreadsheet? How do we map controls against different causes within a single row entry on the spreadsheet?
The bowtie risk assessment
Bowtie risk assessments take a deeper look at the interactions involved in the risk assessment. Each cause and consequence is plotted individually, with controls along each pathway for the risk. This allows the risk assessment team to analyse individual pathways and identify appropriate critical controls.
The bowtie risk assessment is not so different from the spreadsheet risk assessment. It captures interactions between events, factors and qualities. It documents and captures the knowledge of the risk for further analysis.
One of the core differences is the depth of analysis that a bowtie offers. It takes the same information that would be present in a spreadsheet, but maps it in a way that allows more opportunities to analyse the interactions. In essence, the same information is presented, but we can get better intelligence and analysis from the model.
The risk register
Risk registers are often thought of as being data in spreadsheet form, but a register is essentially just a repository of knowledge. The site risk register isn’t the spreadsheet that gets used, it’s the sum of corporate knowledge on risk that gets distilled into the rows and columns of a spreadsheet. There’s no reason why a risk register can’t take other forms.
The key is accessibility. A spreadsheet is a popular form of risk register because it is a convenient place for all the knowledge to go, and most people can access and digest information from it. If we’re going to use another format for our risk register, it needs to have the same kind of accessibility to be effective.
The bowtie risk register
Given that we’ve established that a spreadsheet and a bowtie contain the same core information, it stands to reason that bowties should be able to form a risk register. The key is for the bowtie risk register to have the accessibility factor.
The bowtie risk assessments are the risk register, and the key data from the bowties can be rendered as a spreadsheet for ease of navigation and review. This gives you a hybrid form with the best of both worlds.
The drawbacks of risk register spreadsheets
There are, of course, quite a few well-known dangers involved in using spreadsheet software to manage risk. These include:
- Inconsistencies in data across different spreadsheets
- Errors in data entry, especially when using copy/paste or hidden calculations
- No single view of risk data across different sheets, tabs and spreadsheets
Most importantly, they have a tendency to become a drain on resources as the spreadsheets get bigger and more complex.
“Spreadsheets bog down processes in many different ways that have a noticeable impact on how long it takes to get work done. They’re fast [and] easy to set up, but when they’re used in collaborative, repetitive enterprise processes, they become time wasters.” Robert Kugel, Ventana Research
Benefits of moving to a bowtie risk register
There are a few benefits that come with building a bowtie risk register. The main one is the winning combination of both breadth and depth in the risk register. Conventional risk spreadsheets are great for breadth, because they capture a wide range of risks with a fairly superficial risk assessment. Bowties provide a depth of risk assessment to back this up. With a bowtie risk register, you have the breadth of the spreadsheet with the ability to drill down into more detail.
This is where bowtie software can really help you leverage your risk knowledge. Good bowtie software gives you the ability to navigate through to bowties from the risk spreadsheet view (i.e. drill-down). The better software packages also use the bowtie risk assessments to create the aggregated risk data at the spreadsheet view level.
There are also opportunities for substantial time savings through auto-creation of bowties, but we’ll come back to that later.
How to make the move from spreadsheets to a bowtie risk register
What we’re talking about is having a tabular risk register that can link to bowtie risk assessments. The bowtie risk register has two faces (the spreadsheet and the bowties), but contains the same information.
In order to move from spreadsheets to a bowtie risk register, the same information therefore has to be present across both. The core fields present in both would be:
- Preventative controls
- Mitigative controls
- Risk rating
Don’t panic if your current risk register doesn’t encompass all of these fields. Making the change can be a gradual thing that fits into your normal risk monitoring and review processes.
Take the below example:
Here we have a good understanding of the hazard, risk and controls. What we’re lacking is any depth of understanding of how the hazard unfolds, and how the controls interact to reduce risk. The total risk reduction is not necessarily the sum of all our risk controls: for example, if all of our controls relate to one of the causes, there is no actual risk reduction working to reduce the likelihood of the other causes.
We need to add columns for causes and consequences. It should be easy to populate the consequences column, because we’ve already identified the harm we’re trying to prevent.
We can keep it simple with the causes column. Two or three causes per risk is a good starting point, and we can expand or reduce that later down the track.
It’s important to split our risk controls column into preventative and mitigative controls. It’s also important to make sure that each control is mapped against the cause or consequence it affects.
Already we’re heading towards a richer understanding of our risk exposure. Some businesses will populate the extra columns in one fell swoop. It doesn’t take long, because they’ve already got a solid understanding of the risks in the register. They just haven’t mapped the information in quite the right way.
Other businesses will take up to a year to gradually fill in the blanks, taking advantage of the normal risk review meetings to enter the data. It really doesn’t matter which path your business takes, as long as you arrive at a spreadsheet that documents the information required.
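The restructuring described above can be checked mechanically. The following is an added example, not code from the original article or from any bowtie software package: it reads a register row that already has the extra columns, attaches each control to the cause or consequence it affects, and lists the pathways left without any control. The column names, the ";" separator, the "control -> pathway" notation and the sample row are all assumptions constructed for illustration.

```python
import csv
import io

# Constructed sample register (not from the original page). Assumed layout:
# multiple values separated by ";", each control written "control -> pathway".
SAMPLE = """risk,causes,consequences,preventative_controls,mitigative_controls
Worker struck by moving equipment,Operator blind spot; Pedestrian in haul zone; Brake failure,Serious injury; Work stoppage,Spotter -> Operator blind spot; Reversing alarm -> Operator blind spot; Proximity camera -> Operator blindspot,First aid response -> Serious injury
"""

def split(cell):
    """Split a multi-value cell on ';' and drop empty entries."""
    return [part.strip() for part in cell.split(";") if part.strip()]

def map_controls(cell, pathways):
    """Attach each 'control -> pathway' entry to its pathway; collect orphans."""
    mapped = {p: [] for p in pathways}
    orphans = []
    for entry in split(cell):
        control, sep, target = (s.strip() for s in entry.partition("->"))
        if sep and target in mapped:
            mapped[target].append(control)
        else:
            orphans.append(entry)  # unmapped, or names a pathway not in the row
    return mapped, orphans

def build_bowties(text):
    """Turn each register row into one bowtie: causes and consequences with their controls."""
    bowties = []
    for row in csv.DictReader(io.StringIO(text)):
        causes, bad_prev = map_controls(row["preventative_controls"], split(row["causes"]))
        outcomes, bad_mit = map_controls(row["mitigative_controls"], split(row["consequences"]))
        bowties.append({
            "risk": row["risk"],
            "causes": causes,
            "consequences": outcomes,
            "orphan_controls": bad_prev + bad_mit,
            # Pathways with no control at all: the gap a flat controls column hides.
            "uncontrolled": [p for p, c in {**causes, **outcomes}.items() if not c],
        })
    return bowties

if __name__ == "__main__":
    for b in build_bowties(SAMPLE):
        print(b["risk"])
        print("  pathways with no control:", b["uncontrolled"])
        print("  controls needing review: ", b["orphan_controls"])
```

In the sample row, three preventative controls are listed but all target one cause, so two causes and one consequence come back uncontrolled, and a mistyped pathway name surfaces as a control needing review instead of being silently counted.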
The best option for taking the next step is to use a bowtie software package to build the bowtie risk register. Maintaining the risk register in spreadsheet and bowtie form (concurrently) in one software package usually isn’t any more expensive than using software that only supports spreadsheet-style risk registers.
In this example, we’re using RiskView to move into the bowtie risk register. Our first move is to import the existing data into the system. We need our existing risk register spreadsheets, which should now be formatted with causes, consequences, preventative controls and mitigative controls.
We can import the spreadsheet in the normal spreadsheet file format. If we had been using another software package previously, we just need to export our data from that software into a spreadsheet. We make sure that the fields on our spreadsheet match what RiskView needs, and then we upload the file into the bowtie software.
The result looks like this:
Now we have a cloud-based, deeper risk register than when we started. We could even stop at this point if we wanted more time to acclimatise to using the software.
In our example, we’re going to dive right into building the bowtie risk register. Because we formatted the existing risk register data in the format we did, we don’t need to build bowties from scratch. The bowtie software we’re using has a feature to automatically create bowtie risk assessments from the risk spreadsheet view.
This saves a lot of time and effort, and ensures consistency. RiskView allows you to skip ahead from the spreadsheet to the bowtie, without the frustrations of manually copying the bowtie elements from the spreadsheet.
With the time we saved, we now have more time to analyse the risk in detail using the bowtie risk assessment module. We can add more detail to each bowtie until we’ve reached a point where we’re happy with the residual risk levels. We can make risk decisions more confidently, because we can easily see points of weakness or pathways that have no effective controls in place. We can also be more confident that the critical controls we select are genuinely critical.
As we mentioned before, taking the bowtie risk register approach also provides us with a top-down spreadsheet view with more accurate risk intelligence. The spreadsheet supplies information based on the in-depth bowties, which means we get the benefit of the “depth” of the bowties with the “breadth” of the spreadsheet view.
The transition process from spreadsheets to a bowtie risk register can be achieved in short order if you’re prepared. If your spreadsheets already examine causes and consequences, importing the data can take a few hours, a few days or a few weeks. Starting with a more basic spreadsheet isn’t a problem; it will just mean that the transition will need to be managed carefully and may take a few weeks or more (with the added consultation required).
The bowtie risk register has a lot to offer across a range of risk domains. If bowtie modelling is something that your business would benefit from, consider making the move from spreadsheets to a bowtie risk register. The barriers to entry for bowtie risk analysis are lower than ever.