Stage 3 – Establish the vulnerability of the system and the critical controls

Once the risk profile has been established (the bow ties) it becomes possible to establish the vulnerability of the organisation to the identified hazards and the criticality of the controls. This is an important step as it ensures that the right areas are audited and measured as appropriate.

Each threat line is likely to have a number of controls on it to ensure that the causal factor does not give rise to the hazard. 

It is possible for there to be no controls: this indicates that the causal factor is not protected and is therefore potentially highly vulnerable. 

Conversely a threat line with many controls is likely to be less vulnerable, IF the controls are in place. 

Those threat lines with higher frequency causal factors and lower numbers of effective controls are more vulnerable that those without. For example, on the bow tie in the manual handling example it is clear that the correct installation of lugs is critical to preventing unintended movement of the ramp and a manual handling incident. Equally, controls which act to reduce the likelihood of a number of causal factors occurring are more critical than others with less influence. For example, the training of staff in correct manual handling appears in numerous areas as a preventative barrier. 

This forms an important consideration in stage 4, which covers the activities needed to ensure that the controls are in place and effective. A control would be classed as more critical if it appears in multiple threat lines but is also a sole control for the highest frequency causal factor.

This stage allows for an early assessment of what areas of the risk control system may need to be monitored or audited. It also shapes what areas of control will be evaluated in stage 4.

Figure 1 below provides an overview of a six stage approach to assurance. The last three stages form a management cycle once the first six steps are completed.

Six stage approach to assurance