Risk Management Tools

This section provides brief guidance on the use of a number of the most widely applicable and
commonly used techniques to support the application of the risk management process. Many other
tools are available, and mine action risk managers are encouraged to explore options, make use of
guidance found in other publications (please refer to the links in this document and the Resource
Library), and apply those techniques most suitable for the demands of their own projects and
programmes.

For example: IEC 31010:2019 Risk management – Risk assessment techniques1 provides detailed
guidance on the process of planning, implementing, verifying and validating the use of the techniques
for assessing risk in a wide range of situations. The tools are used to assist in making decisions where
there is uncertainty, to provide information about particular risks and as part of a process for managing
risk. The document provides summaries of a range of selected techniques, compares their possible
applications, benefits and limitations and gives references to other documents where the tools are
described in more detail. IEC 31010:2019 is the second edition thus cancels and replaces the 2009
published first edition entitled, ISO 31010:2009 Risk management – Risk assessment techniques.

Appendix B of IMAS 07.14, Risk Management in Mine Action describes risk management tools that are
applicable to different elements of the mine action risk management cycle as follows:

Tool Context Risk Risk Risk Risk Risk

/ scope Identificati analysis evaluation treatment Review
on
Risk Register X X X X X X
PESTLE X X
SWIFT X X X
SWOT X X X
Mine Action X
Architecture
Consequence/like X X
lihood matrix
Bow Tie Analysis X X X

This section however, elaborates on the risk register, PESTLE, SWOT and bow tie analysis in regard
to what to use them for, how to apply them, and their benefits and limitations. The aim of all such tools
is to provide a description of different risk associated factors that influence an organisation, programme
and project, and to help planners and managers identify trends, relationships and priorities within a
complex environment.

1
For more detailed information on the risk assessment techniques, please consult the abstract of IEC 31010:2019 Risk
management – Risk assessment techniques via https://www.iso.org/standard/72140.html. The document is available for
purchase.
1. Risk register
1.1 What to use the tool for
The risk register provides the primary means of recording risks that have been identified, assessments
of their significance, details of treatment measures and evidence that reviews have been conducted.
The risk register can be used at corporate, departmental, operational and the project level as well as to
share risks specific information to stakeholders, including top management, and highlight their
significance.

The information that is incorporated into a risk register is usually the output from various risk
assessment techniques such as tools for eliciting views from stakeholders and experts, for identifying
risk, for determining sources, causes and drivers of risk, techniques for analysing controls in addition
to accounts of failures.2

The risk register should be managed as a controlled document in accordance with Section 19
(Documentation) of IMAS 07.12, Quality Management in Mine Action.

1.2 How to apply the tool

Mine action managers may choose to adapt and adjust the layout of the risk register to reflect policies,
requirements and circumstances related to their own mine action organisations, but it is recommended
that any risk register include as a minimum:

• Details of the organisation, programme or project maintaining the risk register;

• Details of the person/job title responsible for ensuring effective implementation of the risk
management system;
• Date on which the risk register was last reviewed;
• For each risk:
o An identifying risk reference;
o A risk category (e.g. Political, Economic, Safety, Environmental, etc.);
o Description of the risk (e.g. road traffic accident; unplanned explosion at a munition site
(UEMS) etc.);
o An assessment of the likelihood of the risk event;
o An assessment of the severity of the consequences of the risk event;
o An assessment of the risk level;
o Risk treatment (mitigation, reduction) measures associated with the risk;
o Details of the person/job title responsible for ensuring that risk treatment measures are
effectively implemented; and
• The date when the register will next be reviewed (noting that some accidents, incidents or other
significant events may trigger a review of the risk register at an earlier date).

Although risks are usually outlined separately, the interdependencies should be highlighted. However,
IEC 31010:20193 clearly states that “in recording information about risks, the distinction between risks
(the potential effects of what might happen) and risk sources (how or why it might happen) and controls
that might fail should be explicit. It can also be useful to indicate the early warning signs that an event
might be about to occur”.

The risk register may be a simple table (in a word-processing or spreadsheet application), a dynamic
database or held within a dedicated risk management App, many of which are available through online
sources.

Note: Diaries and other ‘bring-up’ systems should be used to ensure that risk reviews are conducted at
appropriate intervals (in accordance with section 7.6 (review) of IMAS 07.14, Risk Management
in Mine Action).

2
Please refer to section B1 – B4 of IEC 31010:2019 (E/F), Risk management – Risk assessment techniques
3
IEC 31010:2019 (E/F), Risk management – Risk assessment techniques, pg. 112
1.3 Benefits and limitations
Organisations may wish to include additional detail to reflect their own general management systems,
as well as the application of other recognised risk management systems. Some organisations choose
to include detail of the level of risk before and after implementation of risk treatment measures.

The contents of the risk register should be consistent with the scope of the risk management system as
determined by the responsible mine action managers.

IEC 31010:20194 outlines the following benefits and limitations concerning the risk register:

Benefits:

• Information about risks is brought together in a form where actions required can be identified
• and tracked;
• Information about different risks is presented in a comparable format, which can be used to
indicate priorities and is relatively easy to interrogate; and
• The construction of a risk register usually involves many people and raises general
awareness of the need to manage risk.

Limitations:

• Risks captured in risk registers are typically based on events, which can make it difficult to
accurately characterise some forms of risk;
• The apparent ease of use can give misplaced confidence in the information because it can
be difficult to describe risks consistently and sources of risk, risks, and weaknesses in
controls for risk are often confused;
• There are many different ways to describe a risk and any priority allocated will depend on
the way the risk is described and the level of disaggregation of the issue;
• Considerable effort is required to keep a risk register up to date (for example, all proposed
treatments should be listed as current controls once they are implemented, new risks should
be continually added and those that no longer exist removed); and
• Risks are typically captured in risk registers individually. This can make it difficult to
consolidate information to develop an overall treatment programme.

1.4 Links to video illustrations:

Risk Identification and Risk Register:
https://www.youtube.com/watch?v=jVaK3YHW5DU

The Four Steps to Building an Inclusive Risk Register:

https://www.youtube.com/watch?v=mNQzRdWy9Ow

Risk Register in Project Management:

https://www.youtube.com/watch?v=ZdjubaG9Mz0

Using Best Practices to Build your Risk Register:

https://www.youtube.com/watch?v=Vq91ZPfSu_A

4
IEC 31010:2019 (E/F), Risk management – Risk assessment techniques, pg. 113
2. ‘PESTLE’ Analysis
Bringing a comprehensive and open approach to understanding external context is important to ensure
that potentially significant, but unfamiliar risks and sources of risk, are not missed, ignored or forgotten.

2.1 What to use the tool for

The PESTLE technique is used to help identify the external factors influencing a programme,
organisation or project and the decisions it makes about its objectives and how to achieve them. The
PESTLE headings stand for:
• Political - including, national, regional and local governmental, institutional, etc.;
• Economic - including commercial and financial;
• Social - including local communities, human resources and cultural aspects;
• Technical - including operational and technological aspects;
• Legal - including national, international, humanitarian, other laws, regulations, standards, etc.;
and
• Environmental - including the natural and built environment.

The PESTLE approach can be used as an aid memoir/check list to help identify stakeholders/interested
parties (as part of describing the context of a mine action organisation, project or programme), and as
a framework for identifying risks.

Note: PESTLE analysis is a highly useful tool in the realm of risk management. The approach is used
to assist risk decision-making and can be applied as a supporting tool for discussions; a check
list to help identify stakeholders/interested parties, and as a framework for analysing risks,
influences, interests, implications and the effects of aspects of systems on/by those stakeholders
and interested parties5. PESTLE can also be useful in support of many other management tools.

2.2 How to apply the tool

PESTLE can be used during group meetings and to support desktop studies and other analysis of risks,
systems, specific topics or issues and events.

Understanding the context/scope (check list and analysis):

• Determine the focus of the analysis (the entirety of a system, the development of a new
regulation, an individual organisation’s operations, an activity, a task, etc.);
• Decide whether it is necessary to split the analysis into different levels, such as:
o Local, regional, national and international;
o Strategic, operational, and technical; and
o Risk education, land release, PSSM, etc.
• List stakeholders/interested parties/aspects relevant to the scope of the analysis under each
PESTLE heading; and
• Consider associating additional detail with each entry such as expectations, requirements,
preferences, etc.

Identifying the risk:

• Determine the focus of the analysis (an organisational element, an activity, a piece of
equipment, etc.); and
• List risks under each of the PESTLE headings.

5
GICHD 2014, Guide to Strategic Planning in Mine Action, pg.22, https://www.gichd.org/fileadmin/GICHD-resources/rec-
documents/Guide-to_strategic-planning-in-MA-Jun2014.pdf
2.3 Benefits and limitations
PESTLE provides a widely applicable and easy-to-use way to encourage users to identify and consider
a broader spectrum of risk related issues, aspects and implications that may fall outside their normal
day-to-day experience or focus in relation to an organisation, programme and project.

PESTLE is focused on external environments/contexts and is not well adapted to analysis of factors
inside organisations. If the scope is not well defined (and the analysis stays within the scope) PESTLE
can become unwieldy with excessive information that is hard to analyse and understand.

2.4 Link to video illustration:

PESTLE & SWOT Techniques in Business Analysis Tutorial for Beginners:
https://www.youtube.com/watch?v=TBlVbPNqPoM

3. ‘SWOT‘ Analysis
3.1 What to use the tool for
The basic Strengths, Weaknesses, Opportunities and Threats (SWOT) analysis can help mine action
managers to identify and understand important risk associated aspects of both the internal and external
context within which they work.

Advanced SWOT analysis raises key questions about the relationship between the Strengths,
Weaknesses, Opportunities and Threats to help inform the planning process6 and can help develop
appropriate risk treatments.

A SWOT analysis is best conducted by a group or team including representatives of as wide a selection
of stakeholders as possible.

Note: SWOT analysis is a key tool in the strategic planning process and may be applied in a range of
other organisational, business and planning processes.

3.2 How to apply the tool

3.2.1 Basic ‘SWOT‘ for contextual analysis and risk identification
Strengths

Strengths are determined by internal factors. Questions to help identify underlying strengths can
include:

• What activities do we do well?

• What aspects of what we do make us attractive to partners, customers, donors, beneficiaries?
• What assets and resources do we have that we could not do without?
• What factors have contributed most to our successes?
• What advantages do we offer over other organisations or programmes?
• What do our stakeholders see as our strengths?
• What specialised skills, techniques, equipment or methodologies do we use?

Weaknesses

Weaknesses are also determined by internal factors. Questions relating to weaknesses can include:

6
GICHD 2014, Guide to Strategic Planning in Mine Action, pg.21, https://www.gichd.org/fileadmin/GICHD-resources/rec-
documents/Guide-to_strategic-planning-in-MA-Jun2014.pdf
 • What aspects, processes, elements need urgent improvement?
• Which factors have contributed most to our failures or problems?
• What limitations are preventing us from improving, expanding or making more of a difference?
• What factors have contributed to loss of bids, opportunities, customers, donors, etc.?

Opportunities

Opportunities reflect aspects of the external context. Questions relating to opportunities include:

• What could we be doing that we are not?

• Are there changes in the external context that create opportunities?
• Could we help address requirements that other organisations are struggling with?
• Are we fully reflecting the confidence of our external stakeholders and the needs they have?

Threats

Threats are a feature of the external context. Questions relating to threats could include:

• What external factors could stop our ability to work permanently or temporarily?
• What external factors could make it harder for us to work efficiently?
• Are there changes and trends in the security situation that may hinder or prevent our ability to
work and succeed?
• Are there changes in the political, economic or legal landscape that may impact negatively on
us?
• Are there social or cultural changes that may impact negatively on our ability to be effective
and/or efficient in achieving our objectives?

Mine action managers should identify additional questions relevant to the scope of activities and risks
for which they are responsible.

The results of the SWOT analysis are often captured in a simple matrix:

Helpful Harmful
(to achieving objectives) (to achieving objectives)
Internal
(attributes of the Strengths: Weaknesses
organisation)
External
(attributes of the context) Opportunities: Threats

3.2.2 Advanced ‘SWOT‘ analysis and risk treatment

In an advanced SWOT analysis the relationships between the four components (Strengths,
Weaknesses, Opportunities and Threats) of the analysis are considered in order to:

• Take advantage of opportunities by using strengths; and

• Reduce weaknesses that may make threats a reality.

The results of such an analysis can be captured in a similar matrix 7:

7
GICHD 2014, Guide to Strategic Planning in Mine Action, pg.21, https://www.gichd.org/fileadmin/GICHD-resources/rec-
documents/Guide-to_strategic-planning-in-MA-Jun2014.pdf
The actions that arise from the advanced SWOT constitute risk treatments. They reduce the likelihood
of negative events, they increase the likelihood of positive ones, and they reduce negative
consequences and promote positive ones.

3.3 Benefits and limitations

SWOT analysis is easy to perform and anyone who has understanding of the organisation or element
under consideration can perform the analysis. SWOT analysis helps stakeholders understand a
programme or organisation better and can feed into the development of goals and objectives to support
successful and improving operations.

SWOT analysis does not offer solutions on its own or prioritise actions, and there is a risk that it may
generate a great deal of information, not all of it helpful. SWOT needs to be part of a wider risk
management process. It may be difficult to determine how to categorise some factors.

3.4 Links to video illustrations:

PESTLE & SWOT Techniques in Business Analysis Tutorial for Beginners:
https://www.youtube.com/watch?v=TBlVbPNqPoM

SWOT Analysis - What is SWOT? Definition, Examples and How to Do a SWOT Analysis:
https://www.youtube.com/watch?v=JXXHqM6RzZQ

SWOT Analysis Explained Step by Step:

https://www.youtube.com/watch?v=Ath_K1OuPzw

Case examples:

Tesla SWOT analysis 2020:

https://www.youtube.com/watch?v=I7CT8Ox_Gcg&t=7s

Starbucks SWOT Analysis:

https://www.youtube.com/watch?v=mR9eICQJLXA
4. Bow Tie Analysis
4.1 What to use the tool for
Bow tie analysis is useful for analysing risks/events that may have more than one possible cause and
that can have a range of consequences.

A bow tie analysis can be illustrated as the following 8:

Note: Bow tie analysis supports mine action managers in the analysis, evaluation and treatment of risk
related aspects in their organisation, programme and project.

The tool can be applied to investigate in detail the causes and predominantly serious consequences of
risks that are outputs from of other risk management techniques such as the risk register (see above).
IEC 31010:20199 gives a comprehensive explanation of the usage of the bow tie analysis by stating
that “a bow tie is used when assessing controls to check that each pathway from cause to event and
event to consequence has effective controls, and that factors that could cause controls to fail (including
management systems failures) are recognized.” Therefore, the bow tie analysis is well fitted to
proactively analysis possible risks but also to investigate occurred causes and consequences of risks.

4.2 How to apply the tool

The bow tie illustrates the path from causes of an event to its consequences. IEC 31010:201910 explains
that this tool “shows the controls that modify the likelihood of the event and those that modify the
consequences if the event occurs. It can be considered as a simplified representation of a fault
tree or success tree (analysing the cause of an event) and an event tree (analysing the
consequences).”11

8
GICHD 2015, Management of Residual Explosive Remnants of War (MORE), pg. 21,
https://www.gichd.org/en/resources/publications/detail/publication/management-of-residual-explosive-remnants-of-war-more-
issue-briefs/
9
IEC 31010:2019 (E/F), Risk management – Risk assessment techniques, pg. 61
10
IEC 31010:2019 (E/F), Risk management – Risk assessment techniques, pg. 60
11
More information about the fault tree analysis, event tree analysis or LOPA can be found in IEC 31010:2019 (E/F), Risk
management – Risk assessment techniques, section B.5.7, B.5.6 and B.4.4
The bow tie diagram can be drawn direct from a brainstorming session and includes the following:

• A risk is identified for analysis and is placed at the central knot of the bow tie;
• Risk causes (hazards in a safety context) are listed and the mechanisms by which they give
rise to the risk are discussed and described;
• Lines are drawn between each cause and the risk;
• Factors which could escalate the situation can also be included on the left-hand side of the
diagram;
• Barriers which could prevent a cause leading to the central event are identified and represented
as vertical lines cutting across the relevant cause line;
• Barriers to escalation can also be included as vertical lines in the left side of the diagram;
• On the right-hand side of the diagram consequences are identified and listed, with consequence
lines leading out from the central event; and
• Barriers that prevent or mitigate consequences are shown as vertical lines cutting across the
relevant consequence lines.

4.3 Benefits and limitations

Bow tie analysis provides a simple, easy to understand diagrammatic representation of a risk, its
causes, consequences, and possible controls.

Users should be careful to ensure that the analysis does not oversimplify more complex situations.

IEC 31010:201912 outlines the following benefits and limitations concerning the bow tie analysis:

Benefits:
• It is simple to understand and gives a clear pictorial representation of an event and its
causes and consequences;
• It focuses attention on controls which are supposed to be in place and their effectiveness;
• It can be used for desirable consequences as well as undesirable ones; and
• It does not need a high level of expertise to use.

Limitations:
• A bow tie cannot depict a situation where pathways from causes to the event are not
independent (i.e. where there would be AND gates in a fault tree); and
• It can over-simplify complex situations particularly where quantification is attempted.

4.4 Links to video illustrations:

Risk bowtie: How to create and use:
https://www.youtube.com/watch?v=PHbLQWqojC8

Root Cause Analysis: the Bow Tie:

https://www.youtube.com/watch?v=EHlmqkkNrKo

Case examples:

How to read a Bowtie Analysis:

https://www.youtube.com/watch?v=dH81Fr5GhSo

12
IEC 31010:2019 (E/F), Risk management – Risk assessment techniques, pg. 62