Tag Archives: boadroom risks aviation

How a bow-tie can smarten up corporate risks

BowtieImagine that you are worried about your infirm mother and want to make sure that you do everything to protect her. If you adopted typical corporate risk management practice, you would identify a risk that she falls over. You would then calculate the impact (maybe a broken bone) and then identify some mitigations, such as putting some cushions around her bed or installing a handrail. All sensible, but not very through. What if the consequence were a significant chance of her dying? Would you then want to do a more comprehensive risk analysis?

Understanding corporate and financial risks is becoming an increasingly important part of any board’s job. Most companies seem to use this same basic format. However, one of the biggest problems in traditional corporate risk analysis is the general, catch-all nature of ‘mitigations’. Anything you do to reduce the risk or ameliorate the impact is classed as a mitigation. This causes glib generalisations and sloppy thinking.

Good risk management has to be very specific and very clear. You won’t protect your mother from falling by saying that you’ll ‘keep an eye on her’. You would need to be very specific about who does what, when and why.

Typical risk analysis in an annual report

The Principal Risk section in an annual report typically has a description of the risk, its potential impact, mitigations and whether the risk is getting bigger or not. I’m not sure of the value of the trend, as it is surely more important to concentrate on size of the absolute risk. However, it’s the catch-all mitigations that are the key and these are usually high-level generalisations;

“Adoption of rigorous policies and processes…”

“Regular performance reviews…”

“Deployment of high quality people..”

These are real examples of ‘mitigations’ of a risk that actually brought down a multibillion pound listed company1. But they are also typical of most annual reports.

The bow-tie model

If you want to see best practice in risk management, look in industries where it is literally a matter of life and death, such as oil exploration, aviation, mining and maritime. They tend to use the ‘bow-tie’ model, which can also be applied to financial and corporate risks.

Hazard: The model starts by identifying a hazard. In our example, this would be your infirm mother moving around. She’s safe in bed, but the moment she gets up she opens herself up to a hazard. That hazard may lead to an event.

Event: This is the moment at which you lose control over the hazard. The hazard is her moving around, but the moment she loses control of her movement, ie she trips, it becomes an event. This is close to the typical corporate idea of a risk.

We now look at causation of events;

Threats: These are whatever might cause the event to happen. For example, the lady might have had a few drinks, or she might slip on some water, or she might have a funny turn.

Preventative barriers: These are things that might reduce or eradicate the threat. This would include some actions that would traditionally be called mitigations. In our example, it might include hiding the sherry bottle, or getting a carer to mop the floor or altering her medication.

And there are the results of an event happening;

Consequences: These are the outcomes from an event occurring. There can never be absolute certainty that barriers will work (ie prevent a threat causing an event). You can never be sure that your mother won’t ever fall over, despite your best efforts. It is important therefore to look at the results of such a failure. In this example, your mother might slip and break a leg or be left unable to call for help. These are not the risks themselves, but are possible results of the risk occurring.

Recovery barriers:  These are things that might reduce or eradicate the consequence. Again, these include traditional mitigations, but are sometimes overlooked as it is often assumed that mitigations will stop any event from happening. In this example, you could put an emergency button on your mother’s wrist or put in cushioned flooring.

And then there are escalation factors;

Escalation factors: Few barriers are perfect. There are likely to be reasons why the barrier might fail. These are called escalation factors and can weaken barriers to both threats and consequences.

This model forces a detailed think through of the risks and how to stop these risks form crystallising and if they do, how to mitigate the consequences. Think about the barriers as gates that stop bad things happening, but the escalation factors sometimes force the gates open.

An example of a corporate risk

Here is an example of a corporate risk, that of poor people management leading to resignations of key people, shown as a bow-tie model;

Bow tie diagram

This model shows the threats that might cause those resignations; uncompetitive remuneration, poor culture, inadequate career development and poor management practices. For each of those threats, the model shows what the company is doing to counter or prevent those threats. It also notes that there is an escalation factor, stress on people, that might exacerbate the threat of poor management, but this itself is offset by the use of in-house counselling.

If there were resignations of key people, the company could suffer the loss of key personnel, difficulty in day-to-day management, having to delay new projects, and putting more strain on remaining employees. To try to avoid or minimise these, the company will: conduct interviews to determine if a counter offer would retrieve the employee; use succession planning to identify replacement people who could be reallocated; use consultants if possible; and identify other personnel at risk who could be offered retention bonuses. The latter could be at risk of financial constraints, but the company addresses this by keeping a contingency budget ready for such an eventuality.

What emerges is a complete story of what dangers the company faces and how it is reacting to all of them. This is a much more powerful analysis than the traditional risk, impact and mitigation model.

This model can be used for any corporate risks and to build the risk register. Quantification could of course be added if required. This would be shown as the severity x likelihood of the risk happening without any barriers and then again with the barriers that are currently in force. In our example, the risk of key personnel resigning might be 80%, and this might be judged to cause £10m of damage, ie an unmitigated weighted risk of £8m. You might conclude that with the barriers in place, the residual risk would be 30% and a likely damage of £5m, giving a mitigated risk of £1.5m.

Annual Report

The full model would be too big to include in an annual report, but could be summarised in this way;bowtieannreport.jpg

This format is a useful summary, but the full model is better as a management tool in visualising and explaining the stages of risk management.


Planning for risks and risk management needs to be done on a detailed and specific level. Generalisations won’t work. Too much risk work that comes to boards is rife with generalisations and bland ‘mitigations’. The bowtie model, developed in industries that deal literally with life and death safety risks forces a proper step by step plan of risks, management processes and actions that either reduce the risk and ameliorate the impact if the risk crystallises, as well as understanding reasons why those actions might fail. This model has a great deal to offer companies in sharpening up their understanding and presentation of corporate risk management.


Simon Laffin

1 The risk was ‘Contract management’ and the company was Carillion plc. These quotes are from their last (2016) annual report.




Why aviation is safer than the boardroom

Featured image

The basic model of commercial aviation is a thin tube of highly pressurised metal being propelled at 600 miles per hour by inflammable fuel at 35,000 feet in all weathers at temperatures of -57 degrees. So have you ever wondered how aviation got to be one of the safest forms of transport, despite being inherently full of such potentially catastrophic risks?

On the other hand, the average boardroom, comfortably at 20 degrees, often going nowhere, an executive suite above the ground, continues to struggle with business risks, and major business incidents and errors are showing no signs of reducing.

There are of course many reasons why aviation risk management is more advanced than the corporate equivalent. There is also one reason why it is not. It’s not because one group is cleverer or more dedicated than the other.

Most of the explanation lies in the imperative to get aviation safety right. The feedback loop on an aircraft is very fast and exceptionally forceful. If bad decisions can kill both you and hundreds of passengers at once, then you will tend to take risk management very seriously indeed. By contrast, poor board decisions usually take months, if not years, to become evident, and tend to result in financial losses that are often survivable for the executives concerned.

Business could learn a vast amount from the risk culture that aviation has developed as a result of its safety imperative. When something goes wrong in aviation, the major drive is to find out what went wrong, rather than finding culprits. The aim is to learn the lessons and then disseminate recommendations to manufacturers, pilots, operators, air traffic and anyone else, to ensure that this set of events cannot be repeated.

In business, by contrast, the focus is on naming and shaming the director held to be responsible, ensuring he doesn’t get a bonus and possibly gets fired. It’s driven by blood-lust, not analysis.

Aviation puts the emphasis on process, procedures and systems, accepting that humans will make mistakes. Moreover, the higher the stress levels, the more the mistakes that will be made. In the corporate world, the conventional assumption is that executives are too highly paid to make errors, and so if they do, the key outcome is for them to be punished.

Many will argue that this is simplistic. There are of course many other features of aviation risk management. It is often the media and politicians who personalise corporate failures. However, I haven’t heard many corporate commentators argue that the recent problems at Tesco and Morrisons, for example, shouldn’t be blamed on the outgoing CEO’s, but need to be understood in the broader context of the changing market and process failures in the individual companies.

In the end the question is; which of these two models produces a better understanding of what went wrong in a particular event? Which is therefore more likely to produce a lasting improvement in risk management?

Then ask yourself, how safe would you feel in an aircraft regulated by the standards of today’s corporate governance codes?