The bow-tie method is a powerful tool for visualizing and managing risks. Named after its distinctive shape, this tool is used to analyze the causes and consequences of potential risks.
At the center of the bow-tie diagram is the “top event,” which represents the risk being analyzed. On the left side of the diagram are the potential causes of the top event, while on the right side are the potential consequences. The diagram also includes barriers or controls that can be put in place to prevent or mitigate the risk.
To create a bow-tie diagram identify the “top event” representing the risk being analyzed. This is placed at the center of the diagram.
Next, you identify the potential causes of the top event and place them on the left side of the diagram. These causes can be further broken down into sub-causes if necessary.
On the right side of the diagram, you identify the potential consequences of the top event. These can also be further broken down into sub-consequences if necessary.
Once you have identified the causes and consequences of the top event, you can then add barriers or controls to the diagram. These are measures that can be put in place to prevent or mitigate the risk. Barriers can be placed between the causes and the top event to prevent it from occurring, while controls can be placed between the top event and its consequences to mitigate their impact.
The bow-tie method works by providing a clear and concise visual representation of a risk and its potential impacts. This allows stakeholders to better understand the risk and identify areas where additional controls may be needed.
This tool also works nicely with desirable consequences.
This picture showed up when I typed bow-tie on my computer. It’s relevant
I’ve recently seen a few audits that point out something along the line of “Recommendation to revise Quality Risk Management Process/Procedure to include detectability as a variable in determining Risk Priority Numbers (RPNs). The current process only includes the frequency and severity of impact in the calculation. However, ICH Q9 also recognizes the use of risk management tools which include the ability to detect harm (detectability) in the estimation of risk (refer to the section titled “Risk analysis”).”
So, first of all, that’s not what Q9 says. Q9 (R1) is actually pretty clear here, stating “Risk analysis is the estimation of the risk associated with the identified hazards. It is the qualitative or quantitative process of linking the likelihood of occurrence and severity of harms. In some risk management tools, the ability to detect the harm (detectability) also factors in the estimation of risk.”
Q9 later goes on to state “Quality risk management supports a scientific and practical approach to decision-making. It provides documented, transparent and reproducible methods to accomplish steps of the quality risk management process based on current knowledge about assessing the probability, severity and sometimes detectability of the risk.”
Q9 clearly recognizes that detectability is useful sometimes, with specific tools in specific cases. This is in alignment with risk management thinking in general, for example ISO 31000:2018 states that Risk analysis should consider factors such as:
— the likelihood of events and consequences; — the nature and magnitude of consequences; — complexity and connectivity; — time-related factors and volatility; — the effectiveness of existing controls; — sensitivity and confidence levels.
Detectability is then one of several methods to consider in risk analysis. The selection criteria for tools should take into account situations when detectability is desired and drive to use of those tools, for example, the FMEA which is built to determine how and when a failure can be detected. In other tools, detectability is usually built into the evaluation of current controls and is often captured in likelihood or somewhere else
When it comes to risk, avoid a one-size fits all. Think of what the intent is and use the right tool for the job.
Different Kinds of Unknowns, Source: Smithson (1989, p. 9); also in Bammer et al. (2008, p. 294).
An alternative way to look at uncertainty is offered by Klir, which adds discord to the mix.
Work-As-Prescribed can be a real avenue for all three of these uncertainties. But by using risk management to examine the possibilities of these uncertainties we can truly interrogate. This is one of the things we mean by risk management and knowledge management being bound at the hip as enablers.
To do this we need to make sure that:
There is the management of information quality. Management of information quality is crucial in risk management because uncertainty is prevalent. Uncertainty, as a state for which we lack information, means that uncertainty analysis should play an integral part in risk management to ensure that the uncertainty in the risk management process is kept at a feasible level.
There is explicit management of either existing knowledge that can be applied to improve the quality of the analyses or to improve the knowledge acquired in the process that can be used in the follow-up process. Knowledge management is pivotal to ensuring an effective risk management process by providing context and learning possibilities. In essence, risk management is not just about managing risks – the entire context surrounding the risks must be understood and managed effectively.
In the current world scenario, which is marked by high volatility, uncertainty, complexity, and ambiguity (VUCA), threats are increasingly unforeseen. As organizations, we are striving for this concept of Resilience.
Resilience is one of those hot words, and like many hot business terms it can mean a few different things depending on who is using it, and that can lead to confusion. I tend to see the following uses, which are similar in theme.
Where used
Meaning
Physics
The property of a material to absorb energy when deformed and not fracture nor break; in other words, the material’s elasticity.
Ecology
The capacity of an ecosystem to absorb and respond to disturbances without permanent damage to the relationships between species.
Psychology
An individual’s coping mechanisms and strategies.
Organizational and Management studies
The ability to maintain an acceptable level of service in the face of periodic or catastrophic systemic and singular faults and disruptions (e.g. natural disasters, cyber or terrorist attacks, supply chain disturbances).
For our purposes, resilience can be viewed as the ability of an organization to maintain quality over time, in the face of faults and disruptions. Given we live in a time of disruption, resilience is obviously of great interest to us.
In my post “Principles behind a good system” I lay out eight principles for good system development. Resilience is not a principle, it is an outcome. It is through applying our principles we gain resilience. However, like any outcome we need to design for it deliberately.
Knowledge management is a key enabler for quality, and should firmly be part of our standards of practice and competencies. There is a host of practices, and one tool that should be in our toolboxes as quality professionals is the Community of Practice (COP).
What is a Community of Practice?
Wenger, Trayner, and de Laat (2011) defined a Community of Practice as a “learning partnership among people who find it useful to learn from and with each other about a particular domain. They use each other’s experience of practice as a learning resource.” Etienne Wagner is the theoretical origin of the idea of a Community of Practice, as well as a great deal of the subsequent development of the concept.
Communities of practice are groups of people who share a passion for something that they know how to do, and who interact regularly in order to learn how to do it better. As such, they are a great tool for continuous improvement.
These communities can be defined by disciplines, by problems, or by situations. They can be internal or external. A group of deviation investigators who want to perform better investigations, contamination control experts sharing across sites, the list is probably endless for whenever there is a shared problem to be solved.
The idea is to enable practitioners to manage knowledge. Practitioners have a special connection with each other because they share actual experiences. They understand each other’s stories, difficulties, and insights. This allows them to learn from each other and build on each other’s expertise.
There are three fundamental characteristics of communities:
Domain: the area of knowledge that brings the community together, gives it its identity, and defines the key issues that members need to address. A community of practice is not just a personal network: it is about something. Its identity is defined not just by a task, as it would be for a team, but by an “area” of knowledge that needs to be explored and developed.
Community: the group of people for whom the domain is relevant, the quality of the relationships among members, and the definition of the boundary between the inside and the outside. A community of practice is not just a Web site or a library; it involves people who interact and who develop relationships that enable them to address problems and share knowledge.
Practice: the body of knowledge, methods, tools, stories, cases, documents, which members share and develop together. A community of practice is not merely a community of interest. It brings together practitioners who are involved in doing something. Over time, they accumulate practical knowledge in their domain, which makes a difference to their ability to act individually and collectively.
The combination of domain, community, and practice is what enables communities of practice to manage knowledge. Domain provides a common focus; community builds relationships that enable collective learning; and practice anchors the learning in what people do. Cultivating communities of practice requires paying attention to all three elements.
Communities of Practice are different than workgroups or project teams.
What’s the purpose?
Who belongs?
What holds it together?
How long does it last?
Community of Practice
To develop members’ capabilities. To build and exchange knowledge
Members who share domain and community
Commitment from the organization. Identification with the group’s expertise. Passion
As long as there is interest in maintaining the group
Formal work group
To deliver a product or service
Everyone who reports to the group’s manager
Job requirements and common goals
Until the next reorganization
Project team
To accomplish a specific task
Employee’s assigned by management
The project’s milestones and goals
Until the project has been completed
Informal network
To collect and pass on business information
Friends and business acquantainces
Mutual needs
As long as people have a reason to connect
Types of organizing blocks
Establishing a Community of Practice
Sponsorship
For a Community of Practice to thrive it is crucial for the organization to provide adequate sponsorship. Sponsorship are those leaders who sees that a community can deliver value and therefore makes sure that the community has the resources it needs to function and that its ideas and proposals find their way into the organization. While there is often one specific sponsor, it is more useful to think about the sponsorship structure that enables the communities to thrive and have an impact on the performance of the organization. This includes high-level executive sponsorship as well as the sponsorship of line managers who control the time usage of employees. The role of sponsorship includes:
Translating strategic imperatives into a knowledge-centric vision of the organization
Legitimizing the work of communities in terms of strategic priorities
Channeling appropriate resources to ensure sustained success
Giving a voice to the insights and proposals of communities so they affect the way business is conducted
Negotiating accountability between line operations and communities (e.g., who decides which “best practices” to adopt)
Support Structure
Communities of Practice need organizational support to function. This support includes:
A few explicit roles, some of which are recognized by the formal organization and resourced with dedicated time
Direct resources for the nurturing of the community infrastructure including meeting places, travel funds, and money for specific projects
Technological infrastructure that enables members to communicate regularly and to accumulate documents
It pays when you use communities of practice in a systematic way to put together a small “support team” of internal consultants who provide logistic and process advice for communities, including coaching community leaders, educational activities to raise awareness and skills, facilitation services, communication with management, and coordination across the various community of practices. But this is certainly not needed.
Process Owners and Communities of Practice go hand-in-hand. Often it is either the Process Owner in a governance or organizing role; or the community of practice is made up of process owners across the network.
Recognition Structure
Communities of Practice allows its participants to build reputation, a crucial asset in the knowledge economy. Such reputation building depends on both peer and organizational recognition.
Peer recognition: community-based feedback and acknowledgement mechanisms that celebrate community participation
Organizational recognition: rubric in performance appraisal for community contributions and career paths for people who take on community leadership
Investigations of a Dog 
