Using bowtie cost benefit analysis to make better critical control investment decisions

The value of risk analysis is the contribution it makes to good decision-making, especially when it comes to investing in risk controls. Bowtie cost benefit analysis is a great way to leverage your existing risk analysis work to make better decisions on investment. It can also be a powerful tool for building a defensible case for risk spending that can stand up to the scrutiny of corporate executives and Regulators alike.

Let’s jump right in and see how it works in practice with bowtie software.

Bowtie analysis and risk decision-making

Bowtie analysis is about understanding the dynamics of risk, which is why it is such a powerful tool. Whereas a tabular risk assessment focuses on populating all the details (e.g. a list of causes and risk controls), bowtie risk assessment looks at how causes interact with consequences and controls in the real world. Understanding the interplay of the different dimensions of risk makes for better understanding of risk (risk intelligence), which drives better decision-making.

Bowtie analysis is particularly powerful for critical control identification. Laying out the risk scenario in a diagram (like the one above) clearly shows the pathways by which causes lead to an unwanted event, which has harmful consequences. When we plot our risk controls (and their effectiveness) on the diagram, it quickly becomes clear which controls are the most important (see our full article on critical control identification here).

But why stop at assessing the effectiveness and criticality of controls? If we have a reasonable sense of the potential costs associated with the harmful consequences in our scenario, shouldn’t we be looking at our risk control options to reduce risk to an acceptable level?

This is especially important when our risk acceptance level is “as low as reasonably practicable” (ALARP), because the definition has in-built criteria that relate to the practical feasibility of risk controls. It would make sense to use our bowtie diagram to examine the investment cost and potential risk reduction effect of our controls before we choose to invest in them.

Bowtie cost benefit analysis: in practice

In order to undertake our bowtie cost-benefit analysis, there are some key inputs that we need to work with. Specifically, we need:

  • The financial and/or human cost of individual consequences of our top event;
  • The cost of implementing and maintaining our proposed risk controls, and their expected service life; and
  • Confidence in the data in our bowtie diagram (e.g. likelihood values, risk reduction effect, and so on).

The data doesn’t need to be guaranteed 100% accurate, provided that the degree of uncertainty is made clear to decision-makers when they see the outputs of the bowtie cost-benefit analysis exercise.

In this example, we’re working with the Meercat RiskView bowtie software to perform the analysis. We’re looking at the example of a 3-year government construction project, where the principal contractor is concerned about the risk of members of the public entering the site and injuring themselves.

This is an important exercise for principal contractors who are assuming responsibility for high-profile sites. The worst-case consequence from a successful break-in would be loss of life and the financial losses associated with litigation, insurances, and reputational damage.

The diagram above shows our basic bowtie risk assessment. Most of the controls are already in place. The controls that we are evaluating in our bowtie cost benefit analysis are marked with a purple tag. This indicates that we have set their status to “proposed” in RiskView, which enables us to separate out their risk reduction effect. Our cost benefit analysis will be focusing on which of the proposed controls are justifiable investments for the risk exposure.

So our proposed controls are:

  • An intrusion detection system: we are considering installing a full intrusion detection system with proximity card readers on all site access points and/or IP CCTV cameras. We have been quoted $100,000 for installation, $5,000 for maintenance, and a service life of 7 years.
  • A security guard service on site available 24/7, which we currently do not have in place. We have been quoted $350,000 per annum with no setup cost.
  • A alarm monitoring system with routine mobile patrols and security alarm response. We have been quoted $50,000 per annum for these services.

Bowtie cost benefit analysis: technical details

When we enter the data values for our controls, we need to specify the implementation cost, ongoing maintenance cost, and expected service life.

For the overall bowtie cost benefit analysis, we also need to set the life of the plant, project or process that the bowtie relates to. In this case, the project life is 3 years. We also need to define the financial and human losses that could result from the scenario.

The calculations in RiskView use an industry-validated model of gross disproportionate factoring. This model is promoted by the UK HSE (found here) to assist with cost-benefit analysis for reducing risk to ALARP.

In layman’s terms, RiskView calculates the present value of a control based on the implementation cost, ongoing maintenance cost, and expected service life. This reduces the cost to a single dollar figure. RiskView calculates the current risk exposure by adding up all the consequence costs and multiplying this by the current consequence likelihood.

RiskView also calculates the proposed risk exposure, which allows for the risk reduction effect of the controls we have set to “proposed” status.

RiskView presents a “reasonable amount to spend to achieve the exposure level”, which is essential the risk exposure multiplied by the life of the plant, project or process. This is an indicator of the potential losses that could be expected, which is a good benchmark for how much we might want to invest in risk controls.

Finally, RiskView gives us a disproportion factor, which is the proposed risk control cost (current plus proposed controls) divided by the current risk exposure level. This gives us a sense of whether it is worth investing in our proposed controls to bring down the risk exposure.

Bowtie cost benefit analysis: the results

Based on the information we input into RiskView, we can get a result of whether our proposed risk control investments are justified or not. If the cost of reducing the risk further would bring the total risk control investment over the total risk exposure cost, the investment may not be justifiable. On the other hand, we might want to spend more than our risk exposure cost if it means we prevent the loss of human life.

In our example, we have some interesting findings. We can separate out different risk control options by setting the ones we want to examine to “proposed” status. The other controls we are evaluating can be set to “rejected” for now while we look at the feasibility of one particular control option.

In this example, our bowtie cost benefit analysis is telling us that it is justifiable to invest in all three of our proposed risk control options. Our current controls are not particularly strong, and the likelihood of opportunistic or deliberate entry into a high-profile construction site is fairly high.

From this perspective, our current risk controls do not reduce the risk to as low as reasonably practicable, because it is reasonably practicable and cost-effective to implement additional controls. The actual distinction of what is justifiable and what is disproportionate needs to be determined by the organisation. The UK HSE does not endorse a particular algorithm for gross disproportion, although it does note that a good rule of thumb would be a factor of up to 3 for risks affecting workers: that is, spending up to 3 times as much as the risk reduction benefit (i.e. the risk exposure cost). It notes that high risks to public safety could justify a disproportion factor of up to 10. Preventing loss of human life may justify spending more on our critical controls if the risk exposure can be brought down.

Using the HSE rules of thumb, we can build a graph like the one below to represent how the disproportion factor changes according to the level of risk.

At a risk exposure cost of $1,000 per year, it might be justifiable to spend up to around $6,000 per annum to reduce the risk (a disproportion factor of 5.80). At a risk exposure cost of $1 million per year (e.g. fatalities), it might be justifiable to spend around $8 million to reduce the risk. The level of acceptable spending on risk exposure needs to be determined by the organisation, bearing in mind that the reasoning behind the decision may need to be defended in court.

This is where bowtie cost benefit analysis can provide some powerful leverage: with a clearer sense of the dynamics involved in risk and the potential causal pathways, it is possible to have greater confidence in making data-driven decisions on risk spending.

 

The same method of bowtie cost benefit analysis can be used in a range of risk applications. The benefit of this kind of analysis is better decision-making: not just creating savings where additional risk controls are not justified, but also engaging with opportunities to implement additional controls where the risk to human life can be reduced cost-effectively.

New and innovative control measures are an opportunity for improvement: good bowtie cost benefit analysis empowers you to engage with the opportunity, and drive improvement in your organisation’s risk approach.

If you’d like to know more about the calculation methods we use for cost-benefit analysis, you can find our knowledge base article here.

Post a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.