The purpose of rating control effectiveness is to highlight areas of strength and weakness within the bowtie, potentially using this information as a basis for a matrix-based risk assessment.
The results are typically displayed according to a colour code (e.g. red for very poor through to green at the good end of the scale).
This makes the results very easy to interpret even for users with little prior exposure to the methodology.
When creating your effectiveness scale consider the usefulness of allocating “average” as a score. What does an average control tell you and how does it prioritise action areas?
Considerations for rating the effectiveness of individual controls
The two main considerations for rating control effectiveness of individual controls are adequacy and assurance:
This describes to what extent a properly functioning control will interrupt a particular scenario.
For example: a handheld fire extinguisher may be very effective for fighting small fires (such as a galley oven fire) however its effectiveness in a large fuel spill fire would be negligible.
This is the main reason why care must be taken if copy / pasting a control into a different area of the diagram or a different bowtie e.g. it could be that the effectiveness is different, because the adequacy is different in the new scenario.
Other terms sometimes used are validity or impact.
Having a satisfactory control is not enough though; it needs to actually work when required. Assurance refers to the level of certainty that the control will function as intended when it is called upon.
Other terms sometimes used are availability or reliability.
Assessing the above factors requires consideration of the escalation factors.
Before assigning an effectiveness rating to a control, you will first need to decide:
- how significant the associated escalation factors are
- how well they are being managed by the escalation factor controls
Following this process you are then able to make an informed decision as to the control effectiveness.