Make Risk Visible.

Independent review and clarification of your current risk basis, assumptions, and control effectiveness.

We examine

  • How risk is currently identified and articulated.
  • The assumptions embedded within your risk basis.
  • The link between risk scenarios and real operating conditions.
  • The effectiveness and integrity of the controls relied on.
  • The visibility of drift, degradation and emerging threats.

This work is method-agnostic and evidence-led.

Whether your organisation uses ISO 31000 principles, bowtie analysis, barrier management, HAZOP, LOPA, FMEA, quantitative risk modelling, or a hybrid approach, the objective is the same:

Test whether the current risk picture is credible, complete, and decision-useful.

Risk is not only about low-frequency high-consequence events. It includes strategic, operational, financial, environmental, and reputational exposures that affect objectives.

Manage Risk Across the Full Cycle

Most organisations have a risk framework. Fewer can see, with confidence, what truly matters, where risk sits, how it could unfold, whether controls are sufficient, and whether those controls will still hold as conditions change. The full lifecycle keeps risk work anchored to reality.

01

Establish Context

Anchor risk work to real decisions, constraints, and operating conditions.

Purpose

Clarify the consequences of failure, and the boundaries that apply.

What 'this done well' looks like

  • Legal duties relevant to the activity are explicitly recognised and scoped.
  • Recognised expectations, standards and guidance inform the context without dictating it blindly.
  • Corporate risk criteria and appetite, policy, and governance expectations are aligned to the decision at hand.
  • Assumptions are surfaced early, and operational reality is acknowledged rather than edited out.

Evolution Support

  • Clarify who is accountable, what failure would mean, and over what time horizon.
  • Surface assumptions before a method is chosen.
  • Translate unease into testable risk questions.
  • Define the system boundary around real work.

Appropriate Tools/Techniques

Stakeholder Mapping
Risk Criteria Calibration
Context Diagrams / System Boundaries
Assumptions Log / Key Uncertainties
Structured Interviews
Legal and Regulatory Duty Mapping
High-Level Scenario Framing
Delphi Technique
Business Impact Analysis
PESTLE

Common traps

  • Premature tool/technique selection
  • Use of generic risk matrices without calibrated criteria
  • Treating context-setting as administrative
  • Defaulting to familiar tools/techniques

02

Identify Risk

Surface credible unwanted events, failure modes, and uncertainty.

Purpose

Identify what could realistically go wrong, how it could unfold, and the conditions under which it becomes credible.

What 'this done well' looks like

  • Statutory hazard categories relevant to the activity are recognised and considered.
  • Regulatory and industry expectations around hazard identification are reflected.
  • Internal incident history, near misses, and operational experience are integrated.
  • Frontline reality informs the risk picture, not just workshop output.

Evolution Support

  • Challenge assumptions about “that wouldn’t happen here.”
  • Separate plausible risk from hypothetical speculation.
  • Surface weak signals, drift, and normalised deviance.
  • Ensure identification reflects how work is actually done, not how it is described.

Appropriate Tools/Techniques

HAZID / PHA
HAZOP
SWIFT
Structured Interviews
Brainstorming
FMEA
Incident & Near Miss Review
Human Reliability Analysis
Scenario Analysis
Ishikawa (Fishbone)
Bow Tie Analysis

Common traps

  • Listing hazards without understanding how harm, damage or loss could occur
  • Treating brainstorming as sufficient rigour
  • Confusing low frequency with low consequence
  • Assuming absence of evidence equals evidence of absence

03

Analyse Risk

Understand likelihood, consequence, uncertainty, and control effectiveness.

Purpose

Assess how and how often harm could occur, what the consequences would be, and how reliable existing controls actually are.

What 'this done well' looks like

  • Legal and regulatory expectations around risk assessment methodology are met.
  • Industry-accepted techniques are applied proportionately, not mechanically.
  • Corporate risk criteria are used consistently and transparently.
  • Uncertainty and data limitations are explicitly acknowledged.

Evolution Support

  • Test whether chosen methods match the decision being supported.
  • Test control strength, independence, and degradation.
  • Separate evidence from assumption in likelihood and consequence judgments.
  • Challenge false precision and unjustified confidence.

Appropriate Tools/Techniques

Calibrated Consequence/Probability Matrix
Fault Tree Analysis
Event Tree Analysis
Cause & Consequence Analysis
LOPA
Human Reliability Analysis
Sensitivity Analysis
Bow Tie Quantification
Consequence Modelling
RCM Insights
Monte Carlo Simulation
Bayesian Networks
Markov Analysis

Common traps

  • Treating numbers as truth rather than model outputs
  • Applying complex techniques without reliable input data
  • Assuming controls are fully effective without evidence
  • Ignoring uncertainty ranges in favour of single-point estimates

04

Evaluate Risk

Determine whether risk is acceptable, tolerable, or requires action.

Purpose

Compare analysed risk against agreed criteria and decide whether it is acceptable, tolerable with controls, or requires further reduction.

What 'this done well' looks like

  • Statutory duties regarding tolerability and gross disproportion are properly considered.
  • Regulatory and industry expectations on ALARP / SFAIRP are reflected where relevant.
  • Corporate risk appetite and escalation thresholds are applied consistently.
  • Decisions are documented clearly, including rationale and uncertainty.

Evolution Support

  • Clarify who decides, and the consequence of under- or over-reaction.
  • Test alignment between risk appetite statements and actual behaviour.
  • Surface implicit risk tolerance that may differ from stated policy.
  • Ensure trade-offs are explicit rather than accidental.

Appropriate Tools/Techniques

Calibrated Risk Matrix
Risk Indices
FN Curves
Cost Benefit Analysis
MCDA
Decision Tree
Decision Conferencing
Bow Tie Review
Independent Peer Review
ALARP/SFAIRP

Common traps

  • Confusing analysis with decision
  • Applying risk matrices without calibrated criteria
  • Hiding behind “corporate policy” instead of exercising accountable judgement
  • Treating ALARP as paperwork rather than reasoning

05

Treat Risk

Select and implement measures that reduce risk to a level that is justified, effective, and sustainable.

Purpose

Define and prioritise risk reduction measures that are proportionate, targeted, and capable of working in the real world.

What 'this done well' looks like

  • Statutory requirements for risk reduction and hierarchy of control are demonstrably applied.
  • Regulatory and industry expectations on critical controls and barrier integrity are reflected.
  • Corporate standards and engineering governance are followed consistently.
  • Controls are practical, resourced, and aligned with how work is actually performed.

Evolution Support

  • Clarify which controls are truly risk-critical and which are cosmetic.
  • Test whether proposed measures address causes, not just symptoms.
  • Sequence interventions so effort is focused where it shifts trajectory most.
  • Ensure accountability for implementation is explicit and realistic.

Appropriate Tools/Techniques

Hierarchy of Controls
Critical Control Identification & Performance Standards
Barrier Strategy
Bow Tie Refinement
Management of Change
Implementation Planning
Standards Alignment & Governance Integration
LOPA
Human Factors Redesign
Cost Benefit Analysis

Common traps

  • Adding controls without removing ineffective ones
  • Confusing documentation with protection
  • Over-engineering low material risks while under-addressing critical ones
  • Implementing measures that look good in policy but fail in operation

06

Monitor & Review

Ensure controls remain effective as conditions change and time passes.

Purpose

Confirm that risk controls continue to function as intended, and detect drift before failure occurs.

What 'this done well' looks like

  • Statutory inspection, testing, and review duties are clearly defined and met.
  • Regulatory and industry expectations on verification and assurance are reflected.
  • Internal audit, assurance, and governance processes are aligned to material risk.
  • Leading and lagging indicators are grounded in operational reality, not just dashboards.

Evolution Support

  • Distinguish meaningful signal from performance noise.
  • Test whether controls are working in practice, not just on paper.
  • Examine weak signals, near misses, and operational workarounds.
  • Recalibrate monitoring when the system, environment, or strategy changes.

Appropriate Tools/Techniques

Control Effectiveness Verification
Assurance Mapping
Leading & Lagging Indicators
Barrier Health Monitoring
Independent Review
Weak Signal Learning Loops
Risk Refresh Triggers
SPC for Drift Detection
Risk-Based Tactical Audits
Culture Pulse Checks

Common traps

  • Measuring activity instead of control effectiveness
  • Treating absence of incidents as evidence of safety
  • Allowing audit cycles to replace thinking
  • Ignoring weak signals because they are inconvenient

Risk is not a document. It is a moving system that must be understood, decided upon, acted on, and revisited.

Serious risk thinking starts with clarity.

If you carry accountability for risk, this is where it starts

End the unease.
Make risk visible.
Start with a focused conversation.
© 2018 - Evolution Compliance and Management Solutions Ltd
All Rights Reserved
Registered Company in England and Wales 10340721