Risk can be a complex subject. The terminology can create confusion because, in normal conversation, a hazard, a risk and a threat can have similar meanings. In risk management, however, each of those labels has its own distinct meaning.
The first challenge for any organization is in ensuring that the terminology used is widely understood and consistently applied.
Our research has found that those not directly involved in risk management find the BowTie methodology really helpful. The diagram helps in understanding how risks are managed in general and, more importantly, in conveying individual risks and how those risks apply to them.
- The Risk is identified in the middle.
- The left side of the diagram identifies what could cause a particular Risk to happen (Threats) and highlights the barriers and controls in place to prevent the Risk from happening. For this reason the left-hand side is referred to as Prevention.
- The right side of the diagram identifies what the outcomes could be (Consequences) should the Risk actually happen and highlights the controls and barriers in place to try to minimize the severity of those consequences. For this reason the right-hand side is referred to as Recovery.
This diagram is far more capable of conveying risk, and achieving a deeper understanding of those risks and how they are to be managed, than a line item on a spreadsheet.
The BowTie representation highlights the relationships, interactions and dependencies between Hazards, Threats, Risks and Consequences. It highlights why barriers and controls have to be maintained and respected in order to prevent undesirable events from occurring or to minimize the consequences should one occur.