The 1st reason why your organization should adopt the bowtie methodology

^{Figure 1 - Safety culture ladder, click here for full image.}

Some organizations tend to be very focused on evolving on this safety culture ladder, while others are content with their current position. Where a company is located on the cultural safety ladder is often not merely a matter of choice but closely relates to aspects such as the specific industry, revenue margin, or geographical location in combination with socio-cultural standards.

Usually when organizations are interested in bowties, they tend to be (or at least strive for) the “Calculative” stage on the ladder. This does not necessarily mean that they instantly know how to approach their risks and hazards. Oftentimes this is the stage where a regulator assists to set some initial minimum thresholds that must be achieved to meet certain safety standards. In other words, the requirements from a regulator will influence the organizations within that industry and thus affect how risk management is executed, e.g. including the utilization of bowties.

Bowtie from a compliance-driven perspective

Thus, there are several companies and industries that are bound by compliance and regulations. For this scenario bowtie would be considered a tool that can help the organization to communicate risk exposure, risk assessment, or coverage and performance against certain regulations or standards.

When organizations need to show for the above-mentioned aspects, they often require a certain format and thus the need for specific reporting arises. From an “off the shelf software” developers’ perspective this is often a challenging topic to tackle, as different industries, regulatory bodies, and geographical locations set different requirements for those specific reports. However, there are common main denominators that can be considered:

• Showing which standards or regulatory requirements are met;
• Showing what the gap between the current performance and the required performance is and how the organization is going to address this.

^{Figure 2 – Compliance Framework: Inspection data linked to objectives through bowtie controls and supporting activities}

In order to address this, the “Compliance Framework” concept is part of our software solutions (BowtieXP combined with AuditXP and BowTieServer). This specific concept connects bowties to regulatory objectives and requirements. This feature could be described as a mapping exercise that allows organizations to split the regulatory standard into specific objectives. Meeting these objectives thereafter can be measured by assessing controls or activities in place on the bowtie framework that contribute to achieve the objectives. See figure 2b for an example of this framework within BowtieXP.

_{^{Figure 2b – Compliance Framework: Inspection data linked to objectives through bowtie controls and supporting activities, click here for a full version of the image}}

The BARS use case

The Basic Aviation Risk Standard, also known as “BARS” is a regulatory standard that has been translated into a concrete Compliance Framework use case. After dissecting the regulatory documentation of this standard, we managed to identify 210 substantive compliance objectives.

^{Figure 3 – BARS dissected in compliance objectives , click here for a full version of the image}

After linking these objectives to the available controls and activities within our (exemplar) aviation company ‘CGE Risk Air’, we managed to identify the gaps between the BARS and our bowtie framework and learned that not all objectives are covered by controls or supporting activities (see Figure 3). This insight allows us to address the gaps by implementing additional controls or supporting activities, or through adjusting the currently existing ones. Those objectives that are linked can be measured against the aggregated performance of all linked controls or activities. It is also possible to assign different maturity levels of all covered objectives as shown in the image below.

^{Figure 4 – Coverage of objectives against controls and supporting activities}

Bowtie from a regulatory perspective

Luckily, regulators do not only push their requirements and standards to the industry with the expectations for organizations to implement them without any help. Of course, some industries do have to deal with such situations, but we would also like to encounter the other side of the coin. There are many cases where a regulatory body shows the intention of helping and assisting the industry to achieve the minimum expected requirements. On several occasions, regulators recognize the communicative power of bowtie and adopt the methodology within their requirements as well as their support to implement it within the industry.

The Significant Seven

A prominent example of a regulatory body, which has adopted bowtie and helps the industry using bowties, is the Civil Aviation Authority in the United Kingdom. Their goal is to make the aviation industry safer by sharing their regulatory requirements through a set of standardized bowties.

^{Figure 5 – The Significant Seven bowtie framework – Source: CAA UK, click here for a full version of the image}

This standardization now allows every organization within the aviation industry to kickstart their risk management process and use these regulatory bowties as a starting point, after which every bowtie can be modified in accordance to meet individual needs. This offers many advantages for all parties involved, as it speeds up the process on the industry side and lowers the threshold to engage in decent risk management. From the regulators’ perspective it standardizes the risk communication language which allows them to review and monitor the industry in a more efficient way. More information about this initiative can be found on the website of the CAA UK.

Pros and Cons

As mentioned before, bowtie is not the only tool to address compliance-based or regulatory aspects within the organization. There are pros and cons on if and why to adopt the bowtie methodology with compliance as a driving force.

Pros

• Measuring and knowing ones own performance compared to regulatory objectives will allow the organization to be prepared for (third party) audits and other inspections.
• Demonstrating performance against objectives will make it easier to communicate with the regulatory body, especially if they are familiar with the bowtie methodology.

Cons

• Allocating too much focus on the compliance-based requirements ignites the question whether nothing else is important. And if it is, does it actually get the right amount of attention, or is the focus on compliance overshadowing other important areas that could be addressed through bowties?
• The requirement of very specific reports for different industries or geographical locations over the world might not be directly covered by the off the shelf software. Bespoke reports might be needed. In order to create more pros and battle the cons, from a developers’ point of view we are trying to deal with certain questions:
  • What are the common denominators for regions/industries which we can use to solve a problem for everyone and include this in the off the shelf software concept?
  • What movement or change can we expect in the forthcoming years from a regulatory point of view and can we anticipate on it (as something that is currently adequate might change in a couple of months)?

Let’s talk!

If you are interested in learning more about bowtie and using the compliance frameworks, or if you want to share your insights and help us take this concept to the next level, please contact us!

Keep an eye out on our website to read about the next reasons why your company should adopt the bowtie method.