Category Archives: Risks & the boardroom

How a bow-tie can smarten up corporate risks

Imagine that you are worried about your infirm mother and want to make sure that you do everything to protect her. If you adopted typical corporate risk management practice, you would identify a risk that she falls over. You would then calculate the impact (maybe a broken bone) and then identify some mitigations, such as putting some cushions around her bed or installing a handrail. All sensible, but not very thorough. What if the consequence were a significant chance of her dying? Would you then want to do a more comprehensive risk analysis?

Understanding corporate and financial risks is becoming an increasingly important part of any board’s job. Most companies seem to use this same basic format. However, one of the biggest problems in traditional corporate risk analysis is the general, catch-all nature of ‘mitigations’. Anything you do to reduce the risk or ameliorate the impact is classed as a mitigation. This causes glib generalisations and sloppy thinking.

Good risk management has to be very specific and very clear. You won’t protect your mother from falling by saying that you’ll ‘keep an eye on her’. You would need to be very specific about who does what, when and why.

Typical risk analysis in an annual report

The Principal Risk section in an annual report typically has a description of the risk, its potential impact, mitigations and whether the risk is getting bigger or not. I’m not sure of the value of the trend, as it is surely more important to concentrate on the size of the absolute risk. However, it’s the catch-all mitigations that are the key, and these are usually high-level generalisations:

“Adoption of rigorous policies and processes…”

“Regular performance reviews…”

“Deployment of high quality people…”

These are real examples of ‘mitigations’ of a risk that actually brought down a multibillion pound listed company [1]. But they are also typical of most annual reports.

The bow-tie model

If you want to see best practice in risk management, look in industries where it is literally a matter of life and death, such as oil exploration, aviation, mining and maritime. They tend to use the ‘bow-tie’ model, which can also be applied to financial and corporate risks.

Hazard: The model starts by identifying a hazard. In our example, this would be your infirm mother moving around. She’s safe in bed, but the moment she gets up she opens herself up to a hazard. That hazard may lead to an event.

Event: This is the moment at which you lose control over the hazard. The hazard is her moving around, but the moment she loses control of her movement, ie she trips, it becomes an event. This is close to the typical corporate idea of a risk.

We now look at the causation of events:

Threats: These are whatever might cause the event to happen. For example, the lady might have had a few drinks, or she might slip on some water, or she might have a funny turn.

Preventative barriers: These are things that might reduce or eradicate the threat. This would include some actions that would traditionally be called mitigations. In our example, it might include hiding the sherry bottle, or getting a carer to mop the floor or altering her medication.

And there are the results of an event happening:

Consequences: These are the outcomes from an event occurring. There can never be absolute certainty that barriers will work (ie prevent a threat causing an event). You can never be sure that your mother won’t ever fall over, despite your best efforts. It is important therefore to look at the results of such a failure. In this example, your mother might slip and break a leg or be left unable to call for help. These are not the risks themselves, but are possible results of the risk occurring.

Recovery barriers: These are things that might reduce or eradicate the consequence. Again, these include traditional mitigations, but are sometimes overlooked as it is often assumed that mitigations will stop any event from happening. In this example, you could put an emergency button on your mother’s wrist or put in cushioned flooring.

And then there are escalation factors:

Escalation factors: Few barriers are perfect. There are likely to be reasons why the barrier might fail. These are called escalation factors and can weaken barriers to both threats and consequences.

This model forces a detailed thinking-through of the risks, of how to stop them from crystallising and, if they do, of how to mitigate the consequences. Think of the barriers as gates that stop bad things happening, while the escalation factors sometimes force the gates open.

An example of a corporate risk

Here is an example of a corporate risk, that of poor people management leading to resignations of key people, shown as a bow-tie model:

[Bow tie diagram]

This model shows the threats that might cause those resignations; uncompetitive remuneration, poor culture, inadequate career development and poor management practices. For each of those threats, the model shows what the company is doing to counter or prevent those threats. It also notes that there is an escalation factor, stress on people, that might exacerbate the threat of poor management, but this itself is offset by the use of in-house counselling.

If there were resignations of key people, the company could suffer the loss of key personnel, difficulty in day-to-day management, having to delay new projects, and putting more strain on remaining employees. To try to avoid or minimise these, the company will: conduct interviews to determine if a counter offer would retrieve the employee; use succession planning to identify replacement people who could be reallocated; use consultants if possible; and identify other personnel at risk who could be offered retention bonuses. The latter could be at risk of financial constraints, but the company addresses this by keeping a contingency budget ready for such an eventuality.

What emerges is a complete story of what dangers the company faces and how it is reacting to all of them. This is a much more powerful analysis than the traditional risk, impact and mitigation model.

This model can be used for any corporate risks and to build the risk register. Quantification could of course be added if required. This would be shown as the severity x likelihood of the risk happening without any barriers and then again with the barriers that are currently in force. In our example, the risk of key personnel resigning might be 80%, and this might be judged to cause £10m of damage, ie an unmitigated weighted risk of £8m. You might conclude that with the barriers in place, the residual risk would be 30% and a likely damage of £5m, giving a mitigated risk of £1.5m.
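As an added illustration that is not part of the original post, here is a small Python model of the bow-tie just described, loaded with the key-people example and its quantification. The preventative barriers against each threat, and the pairing of each recovery barrier with one consequence, are assumptions, because the post lists them without that detail.

```python
from dataclasses import dataclass, field


@dataclass
class Barrier:
    """A preventative or recovery barrier (a 'gate'), together with the escalation
    factors that might force it open and the control, if any, that offsets each."""
    name: str
    escalation_factors: dict = field(default_factory=dict)  # factor -> offsetting control or None


@dataclass
class BowTie:
    hazard: str
    event: str                                          # the knot of the bow-tie
    threats: dict = field(default_factory=dict)         # threat -> [preventative Barrier]
    consequences: dict = field(default_factory=dict)    # consequence -> [recovery Barrier]


def gaps(bt: BowTie) -> list:
    """List where the analysis is incomplete: a threat with no preventative barrier,
    a consequence with no recovery barrier, or an escalation factor nothing offsets."""
    out = []
    for threat, barriers in bt.threats.items():
        if not barriers:
            out.append(f"threat '{threat}' has no preventative barrier")
    for cons, barriers in bt.consequences.items():
        if not barriers:
            out.append(f"consequence '{cons}' has no recovery barrier")
    for barriers in list(bt.threats.values()) + list(bt.consequences.values()):
        for b in barriers:
            for factor, control in b.escalation_factors.items():
                if control is None:
                    out.append(f"escalation factor '{factor}' on '{b.name}' is not offset")
    return out


def weighted_risk(likelihood: float, impact_gbp_m: float) -> float:
    """Severity x likelihood, in £m, as the post quantifies it."""
    return round(likelihood * impact_gbp_m, 2)


def annual_report_summary(bt: BowTie, unmitigated: tuple, mitigated: tuple) -> str:
    """Condense the full model into the kind of summary that fits a Principal Risk table."""
    prev = "; ".join(b.name for bs in bt.threats.values() for b in bs)
    recov = "; ".join(b.name for bs in bt.consequences.values() for b in bs)
    return "\n".join([
        f"Risk: {bt.event} (hazard: {bt.hazard})",
        "Threats: " + "; ".join(bt.threats),
        "Preventative barriers: " + prev,
        "Consequences: " + "; ".join(bt.consequences),
        "Recovery barriers: " + recov,
        f"Weighted risk: £{weighted_risk(*unmitigated)}m unmitigated, "
        f"£{weighted_risk(*mitigated)}m with barriers in place",
    ])


# The post's corporate example. Preventative barriers and the consequence each
# recovery barrier is attached to are constructed for illustration.
KEY_PEOPLE = BowTie(
    hazard="Poor people management",
    event="Resignations of key people",
    threats={
        "Uncompetitive remuneration": [Barrier("Annual pay benchmarking")],
        "Poor culture": [Barrier("Engagement survey with follow-up actions")],
        "Inadequate career development": [Barrier("Individual development plans")],
        "Poor management practices": [Barrier(
            "Management training", {"Stress on people": "In-house counselling"})],
    },
    consequences={
        "Loss of key personnel": [Barrier("Interviews to test whether a counter-offer works")],
        "Difficulty in day-to-day management": [Barrier("Succession planning to reallocate people")],
        "Delay to new projects": [Barrier("Use of consultants where possible")],
        "Strain on remaining employees": [Barrier(
            "Retention bonuses for others at risk", {"Financial constraints": "Contingency budget"})],
    },
)

# A deliberately incomplete bow-tie, to show what gaps() flags.
INCOMPLETE = BowTie(
    hazard=KEY_PEOPLE.hazard, event=KEY_PEOPLE.event,
    threats={"Poor culture": []},
    consequences={"Strain on remaining employees": [Barrier(
        "Retention bonuses for others at risk", {"Financial constraints": None})]},
)

if __name__ == "__main__":
    print(annual_report_summary(KEY_PEOPLE, (0.8, 10), (0.3, 5)))
    print("Gaps in the incomplete model:", gaps(INCOMPLETE))
```

Running gaps() against a register before it reaches the board is the quick test that no threat, consequence or escalation factor has been left with a blank ‘mitigation’.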

Annual Report

The full model would be too big to include in an annual report, but could be summarised in this way:

[Figure: bow-tie summary for an annual report]

This format is a useful summary, but the full model is better as a management tool in visualising and explaining the stages of risk management.


Planning for risks and risk management needs to be done on a detailed and specific level. Generalisations won’t work. Too much risk work that comes to boards is rife with generalisations and bland ‘mitigations’. The bow-tie model, developed in industries that deal literally with life and death safety risks, forces a proper step-by-step plan of risks, management processes and actions that either reduce the risk or ameliorate the impact if the risk crystallises, together with an understanding of the reasons why those actions might fail. This model has a great deal to offer companies in sharpening up their understanding and presentation of corporate risk management.


Simon Laffin

[1] The risk was ‘Contract management’ and the company was Carillion plc. These quotes are from their last (2016) annual report.



Why you might want a pilot running your Risk Committee

There’s a saying in aviation: ‘Never fly in the same cockpit with someone braver than you’. Risk management for a pilot is literally a matter of life and death. Have you ever asked yourself whether you would share a boardroom table with executives braver than you are?

Company risks are often presented as long shopping lists, each item with a reassuring comment about how it’s unlikely but that it’s covered off. A typical audit committee, and now the whole board, will be faced by this list and asked to opine as to whether this is a fair summary of the risks facing the business and the mitigations. The board, or more likely the CFO, will then select a dozen of the juicier risks to list in the annual report.

Neither the non-executive director nor the annual report reader is likely ever to gain much nourishment from this exercise. However, the drive of the regulators to be seen to get action from boards on risk will be satiated for another year. Has this sort of exercise ever helped to prevent a financial failure?

It’s not a surprise to find that aviation has developed a more insightful way of looking at risk. As the great aviator Ernest K. Gann wrote: “Rule books are paper – they will not cushion a sudden meeting of stone and metal.” The director could well substitute Annual Report for rule book.

Aviation has developed a Threat and Error Management model, which includes looking at risks by their type and then applying a three-stage management process (avoid, trap and mitigate), which can equally be applied to business risks.

1. Categorising the types of risks

There are three high level categories of risks and events: unexpected external, expected external, and internal risks. We are, of course, here in the realms of Rumsfeld’s known unknowns and unknown unknowns. Rumsfeld incidentally was a naval pilot himself. An event is when a risk actually becomes a reality.

- Unexpected external risks are, by definition, the most difficult to foresee. To quote Gann again, “The emergencies you train for almost never happen. It’s the one you can’t train for that kills you.” It was, for example, the failure of confidence in AAA securities that was one of the key problems causing the recent financial crisis, yet almost no one predicted this risk could happen.

- An expected external risk might be a rise in inflation or interest rates. These are risks that might reasonably be expected to have a chance of happening. They are the most common type to appear on a risk register, as they are easy to imagine and therefore easier to plan for.

- Internal risks are those that are under your control in the business and are the ones most looked at in traditional control systems. These tend not to be so prominent in external communication of a business’s risk, as to acknowledge them implies that the control systems are not fully reliable.

2. ‘Threat and error management’

Avoid

Clearly the best outcome is to avoid a risk becoming an event. To achieve this, companies put processes and controls in place or take pre-emptive avoiding action. This is generally applicable only to expected external risks, as it is a tough task to avoid an unexpected external risk. Some expected external risks are also not avoidable. For example, a rise in general interest rates is not within a company’s control, but a campaign against, say, working practices could be avoided by pre-emptively maintaining high standards of care for employees.

Most internal risks are avoided by careful management, strong defined processes and robust control systems. For example, fraud can be deterred by visible deterrents and controls. Increasing visibility of such deterrents (eg cameras) is in fact a prime avoidance technique. However, in any company, internal risks will crystallise into events.

Trap

No matter how good the controls and avoidance techniques are, the assumption should be that there will be a breach. All humans make mistakes. No avoidance system is ever 100% foolproof. The next stage is therefore to try to trap the event. This is where information systems are crucial.

It is essential to know that the first defence (avoidance) has been breached, so there has to be an alert. Directors need to understand what systems there are to alert managers to any possible, upcoming or actual breaches.

When an event happens, management needs to (a) notice it and (b) interpret it as important. An unexpected external event is particularly tricky to pick up every time. It does not fit easily into a standard control system, as it may not even be monitored. The event may however cause a performance measure or a forecast to move, which may then trigger an alert.

Generally you hope that senior management has the ‘helicopter vision’ to spot unexpected strategic events, but at working level, it may be any employee who spots an unexpected new risk; for example a sudden bout of arson in a local community. The person who initially notices the event may well not be the same as the one who spots its significance.

How good are the communication systems so that these different people can be linked together? The simplest example here would be an employee looking at a bank statement and querying a suspect transaction. In this case there should be a system to flag and investigate unusual transactions, and an agreed procedure that follows. However, the information system on other, less structured risks may be an informal network; for example, a casual mention of something new to someone else over the coffee machine. It is easy to forget the informal information systems, but these can be very important.

In summary, the important features of trapping are noticing an event and then interpreting it as important. The methods for achieving this are both formal and informal information systems. This may also require preliminary investigation to understand the nature of the event, including cause, extent and implications. Trapping unexpected external events is particularly problematic, as, by definition, you do not know what you are looking for.

Mitigate

Having trapped the event, the task is now to mitigate its effects. This may well require in-depth investigation, in order to understand fully what happened, which controls failed and what can be done to minimise the ill effects of the breach.

The direct and indirect effects of the breach need to be identified. Indirect effects can often be missed. The event itself may be mitigated by, for example, removing an errant individual, but there may be a loss of confidence in that department that causes others to move work elsewhere or put in their own informal double checks, reducing efficiency.

The business may need to compensate and replan for the event. A rise in interest rates, for example, may cause the business to reduce costs elsewhere or conserve cash. A spate of arson is likely to cause the business to both review its insurance cover and improve fire suppressant systems.

Finally the business needs to learn from the breach to reframe processes and controls. In rare cases, it may decide that nothing could be done, particularly with unexpected external events. However, generally there will be lessons and enhanced procedures that will either reduce the chances of a future breach or will mitigate its effects. This tends to be, at least on internal risks, the province of internal audit recommendations. This feedback is often the most important part of the response, as the company has learnt how better to handle the risk and to prevent future such events.

Summary – a risk management framework

Avoid:
- Visible deterrence
- Defined processes and robust control systems

Trap:
- Information systems
- Informal and formal communication
- Interpretation and sensitivity
- Preliminary investigation

Mitigate:
- In-depth investigation
- Direct and indirect effects identified
- Event compensation
- Business replanning
- Feedback: reframe processes and controls

Applying this thorough framework could help companies and boards better understand and manage all aspects of risks. In particular, it focuses on the importance of informal and formal communication, the role of everyone in the business in spotting possible events, timely and comprehensive information systems, compensation, and feedback.

It also emphasises that every risk should be assumed to be going to become an event. This forces proper consideration of trapping and mitigating, which otherwise tend to be assumed not to need detailed thought. It’s likely, as Gann said, that it will be the risks that you never thought of, or never believed could happen, that will be the most painful. Just ask the people who used to believe in AAA bonds.

Why you wouldn’t want a CEO piloting an airliner

[Image: Finals at night]

The popular image of a pilot is of a dashing hero, who pulls off amazing feats of skill to save his aircraft from imminent disaster. However, in reality, what airlines value most in pilots is keeping to procedures and operating according to checklists, acting with defined responses to various planned and unplanned events. That’s not to deny that pilots possess considerable skills and knowledge. It’s just that these are best deployed in known routines and responses. You don’t really want a pilot inventing a new dashing way to land a jumbo jet full of passengers.

That makes a pilot different to a CEO. You want a CEO who does lead the business into new ventures and innovative ways of working. These sets of skills are rare and so we end up looking harder for the right CEO, and paying them a lot more money. We end up with the superstar CEO.

Whilst this may be the right strategy, it does have some undesirable consequences. Much of the responsibility for performance is placed solely with the CEO. If something goes wrong, the media, politicians, and often investors, are out calling for the CEO’s head.

The CEO can’t complain about this, as it’s the flip side to demanding the superstar salary. Their remuneration and incentives are, after all, based on the idea that the CEO is making a massively disproportionate contribution to company performance.

But it’s also rather convenient for others. For the media, it’s a simple age-old people story; another Icarus melts his wings and falls to earth. For investors, it can be reassuring. Perhaps they didn’t invest behind the wrong business model, the chief just let them down. Even the other board directors can deflect difficult questions about their own role by taking decisive action on the boss.

The problem with this familiar narrative is that, whilst it will have some truth, it is never the whole story. It enables others to avoid the sort of soul searching that might produce more insights and more long-term solutions.

It enables regulators to avoid proper forensic inquiries into company failures; investigations that might produce real explanations as to how all the corporate governance, rulebooks, regulation, overseers, auditors, independent non-executive directors, and well-informed investors have all failed to stop the egregious corporate failures as we have seen in the last few years.

How did the boards of Lehmans, Merrill Lynch, Royal Bank of Scotland, and others, fail to spot their looming problems? They were full of very intelligent, experienced directors, so there must have been a systemic problem. But there has been very little attempt to learn from these events, because the focus has always tended to be on blaming the individuals at the very top, not understanding the systemic issues.

I joined the board of Northern Rock in late 2007, just after it had suffered the first run on a British bank in 150 years. I then conducted an inquiry into what had happened, in order to understand if there was a case to sue either the previous management or the auditors (there wasn’t). However, I learnt a lot about why it had happened. The then UK banking regulator never once spoke to me about the inquiry, and, to my knowledge, never forensically investigated what really happened at the bank.

It’s so much easier just to shoot people, than it is to find out the real story. It’s also much less likely to expose your own failings.

The result is that we haven’t really learnt the lessons of the last few years. Well-meaning corporate governance rules have however proliferated. Regulators have begun to accept that behavioural factors are an issue. However they have responded by, for example, insisting now that companies list out their risk factors and opine about their ‘risk appetites’. You somehow doubt that an expert in human behaviour was involved in devising that remedy.

No one links new governance rules to the precise reasons for previous failures. No regulator assures us that if only companies had been applying their new rule, that failure wouldn’t have happened. There is simply no linkage between corporate failures, analysis of their causes and new regulation. That’s because regulators go straight from reacting to the public outcry about corporate failures to drafting new regulation, missing out the analysis stage completely.

So you wouldn’t want a CEO piloting your airliner, but we could certainly do with business problems being focussed less on ‘pilot error’ and more on really understanding what exactly happened and why. This must be primarily aimed at preventing failures recurring. Isn’t that more important than taking revenge on individual executives?

Why aviation is safer than the boardroom


The basic model of commercial aviation is a thin tube of highly pressurised metal being propelled at 600 miles per hour by inflammable fuel at 35,000 feet in all weathers at temperatures of -57 degrees. So have you ever wondered how aviation got to be one of the safest forms of transport, despite being inherently full of such potentially catastrophic risks?

On the other hand, the average boardroom, comfortably at 20 degrees and going nowhere in an executive suite above the ground, continues to struggle with business risks, and major business incidents and errors are showing no signs of reducing.

There are of course many reasons why aviation risk management is more advanced than the corporate equivalent. There is also one reason why it is not. It’s not because one group is cleverer or more dedicated than the other.

Most of the explanation lies in the imperative to get aviation safety right. The feedback loop on an aircraft is very fast and exceptionally forceful. If bad decisions can kill both you and hundreds of passengers at once, then you will tend to take risk management very seriously indeed. By contrast, poor board decisions usually take months, if not years, to become evident, and tend to result in financial losses that are often survivable for the executives concerned.

Business could learn a vast amount from the risk culture that aviation has developed as a result of its safety imperative. When something goes wrong in aviation, the major drive is to find out what went wrong, rather than finding culprits. The aim is to learn the lessons and then disseminate recommendations to manufacturers, pilots, operators, air traffic and anyone else, to ensure that this set of events cannot be repeated.

In business, by contrast, the focus is on naming and shaming the director held to be responsible, ensuring he doesn’t get a bonus and possibly gets fired. It’s driven by blood-lust, not analysis.

Aviation puts the emphasis on process, procedures and systems, accepting that humans will make mistakes. Moreover, the higher the stress levels, the more the mistakes that will be made. In the corporate world, the conventional assumption is that executives are too highly paid to make errors, and so if they do, the key outcome is for them to be punished.

Many will argue that this is simplistic. There are of course many other features of aviation risk management. It is often the media and politicians who personalise corporate failures. However, I haven’t heard many corporate commentators argue that the recent problems at Tesco and Morrisons, for example, shouldn’t be blamed on the outgoing CEOs, but need to be understood in the broader context of the changing market and process failures in the individual companies.

In the end the question is: which of these two models produces a better understanding of what went wrong in a particular event? Which is therefore more likely to produce a lasting improvement in risk management?

Then ask yourself, how safe would you feel in an aircraft regulated by the standards of today’s corporate governance codes?