Feature: Creating a Picture of Risk

by Cameron Fraser, International Association of Facilitators (IAF) Certified Professional Facilitator, RANA International

We live and work in a complex world and make decisions about risk every day. Experience is an important tool in identifying and assessing risk, but it also has distinct limitations and tends to narrow our focus to what has happened to us in the past. When making decisions about risk, there is a need for a methodical approach to risk identification and assessment in order to ensure we use, but are not limited by, our experience.

There are three keys to risk management or risk-based decision making:

  • The importance of understanding the hazards and risks faced by your organization.
  • The need to be able to scale your approach to your particular operation and situation (e.g. large vs. small operator, introducing a new type to a fleet vs. adding an additional aircraft of the same type, etc.).
  • The significance and difficulty in reducing the consequences (on lives, property, reputation, etc.) of something going wrong in aviation. Thus there is a greater return on focusing risk management efforts on reducing probability rather than consequences.

Humans find it relatively easy to identify consequences and severity; however, we have a much less intuitive grasp on cause and effect and the probability of things occurring.

At its core, risk management is about asking and answering five questions:

  • What could go wrong?
  • How could it happen?
  • How does it affect us?
  • How can we reduce the likelihood of it happening or its impact if it does?
  • What do we need to do next?

What is needed is a methodology to help identify risks, the ways they might occur, and possible outcomes. Only then can those two cornerstones of risk assessment—probability and severity—be evaluated. The bow-tie model is one such methodology. It is both powerful and easily understood. It is scalable and addresses the first three of the five questions asked above.i

Critical language
Prior to outlining the model, it is important to define some critical terms.ii

Hazard: Any real or potential condition that can cause degradation, injury, illness, death or damage to, or loss of, equipment or property.

In describing a hazard, there is a tendency to name it as an outcome, for example, “electrocution,” versus the real hazard, which may be “an exposed, energized, unprotected extension cord.” That tendency narrows the focus, thus reducing the chance that a full range of risks will be considered.

A well-defined hazard statement is one from which the risks, how they might occur and how they might affect us can easily be implied, but are not explicit. For example:

“Operation of a single-engine aircraft into an isolated and distant airport with limited alternates, navigation aids and maintenance facilities.”

This hazard statement describes a common operation in Canada but, while it does not explicitly state anything that could go wrong, the reader can undoubtedly create a healthy list of possibilities.

Risk: The possible injury, illness, death, damage or loss. (An event. Given the hazard, what could go wrong?)iii

Risk scenario: A postulated sequence of events including, as the final event in the chain, the risk. (How could it happen?)

Consequence: The possible outcome(s) should the risk occur. (How does it affect us?)

Risk level: A measurement of risk resulting from a consideration of (at leastiv) probability and severity.

The bow-tie model
Different decisions about risks require different levels of response, and scalability is a key feature of the bow-tie model. The approach chosen must consider the size and complexity of the operation, any time constraints on the decision-making process, and the impact of the decision.

At its simplest, the bow-tie model builds a timeline: the risk (event) preceded by a cause, and followed by a consequence. Thus risk is the knot of the bow tie and the cause(s) and consequence(s) are the “wings” (see Figure 1).

figure 1 - Bow-tie model (risk management)
Figure 1

It is important to realize that the way we do this work and the way we record this work is a bit at odds. Although we read the bow tie left to right as a possible timeline, we identify the risk first, and then identify causal event(s) to the left and consequence(s) to the right.

Assessing risk
Risk cannot be examined without considering both probability and severity. The mechanics of assessing severity are relatively easy. Regardless of whether you are using a simple high, medium, low scale, or a five-point scale with descriptors for each level, severity only rates the impact of the consequence.

Probability, however, is rated across the whole sequence of events. In the simple example in Figure 1 it would mean asking, “what is the probability of suffering fuel starvation, leading to an engine failure and a forced landing?” There are two commonly made mistakes around the assessment of probabilityv:

  • Rating only a single element of the scenario: “What is the probability of suffering an engine failure?” Doing so may cause an unrealistic evaluation of the level of risk. Single negative events may occur frequently, but multiple layers of defence prevent them from snowballing.
  • Assuming the cause has occurred and rating the probability of the consequence: “If we suffer fuel starvation what is the probability of an engine failure?” Doing so can cause an unrealistically high evaluation of the level of risk. In the example, if you have fuel starvation, an engine failure is no longer a risk—it’s a certainty.

While not immediately intuitive, rating probability across the whole range of cause-risk-consequence is consistent with what we know about aircraft accidents and incidents: they are not single-cause situations, and several layers of defence need to fail before things go very wrong.vi

Finally, this clarity around probability and severity is critical for identifying mitigations. The level of risk is assessed by multiplying the rating of probability by the rating of severity. The resulting risk level is the trigger that tells you the relative ranking of risks. The individual probability and severity numbers tell you what kind of mitigation is most appropriate: prevention of causes as defined by the risk scenario or recovery from consequences.

Scaling the bow-tie model: Adjusting for complexity
A risk with a single cause and single outcome is very rare, so the approach to identifying risks, causes, and consequences must be scalable. There are many tools available that can be used or adapted to help build risk bow ties. These may include the Kepner and Tregoe problem analysis process first articulated in the late 1960s,vii the Ishikawa fish bone cause and effect diagram, or fault tree and event tree analyses.

What follows in Figure 2 is one level of sophistication up from the simple bow tie. This generates more scenarios for analysis: twelve related to fuel starvation (three possible starting points x four possible outcomes).

At this level of sophistication we may classify the types of cause. Commonly used categories are natural, economic, technical and humansviii. In the example in Figure 2, there are natural, technical, and human causes and each type would be mitigated differently. In addition, identifying a type of cause helps ensure that a range of possibilities has been covered. If you have natural, economic and technical causes, but have failed to consider human causes, you might wish to expand your scenario-building efforts.

One level of complexity higher uses the fault tree and event tree analysis for the scenarios and consequences, respectively. This provides an increased level of detail on the consequence-side of the bow tie, which means many more scenarios. This approach can generate hundreds—and perhaps thousands—of possible risk scenarios. While this may accurately represent the complexity of aviation, it can become difficult to manage. What is needed is a scaled approach to fit the circumstances with a combination of the above methodologies to create the most useful approach in any given situation.

The most practical approach has generally been to use the fault tree analysis for generating scenarios while limiting the identification of consequences to a single level. This reduces the complexity and number of scenarios, while focusing efforts on elaborating the causes/probability side of the bow tie, which is where those in aviation can create the most effective mitigation.

Figure 2 - Bow-tie model (risk management)
Figure 2

Putting it into practice
When working with groups on risk assessments, identifying a large number of bow ties takes relatively little time. The larger effort comes when assessing them for probability and severity. It is recommended that you:

  • use post-it notes and a large wall;
  • involve a group with a range of expertise and experience;
  • assign someone from your organization to act as facilitator. This person does not contribute to the discussions, instead, he or she keeps the group organized and on task, and records the work;
  • start by brainstorming risks. You may wish to sort the list into high, medium and low priorities to help decide which ones you use first for building bow ties;
  • take each risk and work backwards to identify possible causes. Ask yourself “why?” five times. Why did the engine fail? Fuel starvation. Why did we have fuel starvation? Error in flight planning, etc.;
  • identify consequences once you have scenarios built. Similar to the value gained by identifying human, natural, economic and technical causes for scenarios, it can be useful to identify categories of consequences. Some common types include:

    • property,
    • health,
    • finance,
    • liability,
    • people,
    • environment,
    • stakeholder/customer/public confidence.

A last caveat: anyone working in risk-based decision making should accept that it is not possible to identify every risk and every risk scenario or consequence. With appropriate effort, you will develop a sampling that will generate a range of mitigations that, in turn, will address the identified risks and probably some you hadn’t thought of. In effect, if thinking about Reason’s elegant swiss-cheese model, you are adding several more layers of defence and closing some holes in existing defences as well.

The identification of a hazard—and the associated risks, causes and consequences in the form of the bow-tie model—lies at the very heart of risk assessment. Do this well, and you are half-way home to completing a well-thought-out and well-documented risk assessment, and are further contributing to the overall safety of your operation.

Cameron Fraser is a certified professional facilitator who has over 25 years of experience in areas such as strategic thinking, business and project planning, process improvement, decision-making, collaborative problem-solving and the delivery of training in both the public and private sectors. He can be reached at cfraser@ranaprocess.com.

Decorative line

Note that the term bow-tie model has been used in various ways by a variety of individuals. Some use it as a pure description of a risk situation; others use it to show how mitigations fit into a chain of events or consequences. Both approaches are valid and this article deals with the former approach, consistent with Transport Canada Civil Aviation’s risk management methodology, which separates the identification and mitigation of risk.

ii Some of these terms are defined differently than in other risk management processes. The author’s intention is not necessarily to have these definitions adopted by others, but rather to provide users with definitions for the information required—and to have the terms used consistently. The author has seen risk management presentations use the words “hazard” and “risk” interchangeably. He has also seen examples where terms are defined one way but used in another. Effective processes require that those who follow them focus on one type of information at a time, and the language used in the process needs to support that. In this article “hazard”, “risk”, “risk scenario”, “consequence” and “risk level” all refer to discrete pieces of information to be developed—through individual steps in a process—in order to understand and manage those things that could go wrong.

iii The failure to maintain the distinction between hazard (the condition) and risk (the possible event), and risk and risk level (or risk index—the measure of probability and severity) generally leads to confusion and frustration.

iv The “at least” is because some organizations use additional measures, such as exposure, to refine their picture of risk. That’s fine, but you cannot assess risk without both probability and severity information. Anything else is optional.

Making either of these errors will probably cause you to inflate the assessment of the risk level. The good news is that this will generally require a more conservative response, resulting in a greater margin of safety. On the other hand, it means you will be dedicating more effort than necessary to managing a particular risk. In the worst-case scenario, it will affect the credibility of the assessment (“That’s way too high. We know it’s not right so let’s ignore the assessment.”)

vi Sydney Dekker has said, “Murphy’s Law is wrong. What can go wrong usually goes right…” (see The Field Guide to Human Error Investigations). The difficulty occurs when a number of things go wrong in a short period of time.

vii See The New Rational Manager© 1981, Kepner and Tregoe Inc.

viii  Some have suggested removing human as a type of cause. The logic, as suggested by Sydney Dekker, is that “human error is not an explanation…human error demands explanation”. Others have suggested considering systemic causes as an additional category.


Now available by E-bulletin:
Advisory Circulars and Feedback magazine!

E-bulletin now gives you the opportunity to receive e-mail notifications of all newly issued Advisory Circulars and new issues of Feedback magazine.
To subscribe, please visit Transport Canada’s Civil Aviation Online Reference Centre at:
and click on "Sign up for E-bulletin!"

Date modified: