A production manager at a petrochemical plant in Kerteh pulls out the risk register after a process release. He points to the row. Likelihood: Possible. Severity: Major. Risk Level: Medium — acceptable with controls.
“We assessed this risk,” he says. “Why did this happen?”
Because the risk matrix told you the score. It never told you whether the controls were actually in place.
What the Risk Register Doesn’t Show
The controls listed in the Kerteh register: two isolation valves, a pressure relief system, and a permit-to-work process. What the risk matrix didn’t show:
- The first isolation valve had a known seal leak that maintenance had been deferring for six weeks.
- The pressure relief system had last been tested 14 months ago — four months past its verification interval.
- The permit-to-work process had become a signing exercise — nobody was verifying the physical conditions it was supposed to confirm before work began.
All three controls existed on paper. None of them were working. The risk register showed “Medium — acceptable with controls.” The controls were not controlling anything.
The Fundamental Limitation of the Risk Matrix
A risk matrix is a scoring tool. It takes a hazard, estimates likelihood and severity, and produces a risk level. It is useful for prioritising which risks to address. It is not designed to show whether the controls assigned to a risk are functioning in the field.
The risk score reflects the assumption that controls are in place and working. It doesn’t verify that assumption. It can’t. The matrix has no mechanism for capturing a deferred maintenance item on an isolation valve, or a permit process that has drifted from a verification step into a signature ritual.
Under CIMAH 1996 (Control of Industrial Major Accident Hazards), major hazard installations in Malaysia are required to demonstrate control of their highest-consequence risks. A risk score doesn’t demonstrate control. A functioning barrier does — and demonstrating that barriers are functioning requires something the risk matrix was never designed to do.
What Bowtie Analysis Shows Instead
A Bowtie analysis maps every barrier sitting between your hazard and your worst-case consequence. It shows the barrier, its owner, and the degradation factors that could cause it to fail. It doesn’t ask “do we have controls?” It asks “are the controls holding — and what would cause them to stop?”
In a Bowtie diagram, the top event sits at the centre. On the left: the threats that could trigger it, each with barriers designed to prevent escalation. On the right: the consequences, each with barriers designed to limit harm. Every barrier is named, owned, and connected to the conditions that could degrade it.
For the Kerteh plant, a functioning Bowtie analysis would have shown the seal leak deferral as an active degradation factor on the isolation valve barrier. It would have flagged the overdue test on the pressure relief system. It would have identified the permit-to-work drift as a barrier whose function was compromised. None of that would have been visible in the risk register. All of it would have been visible in the Bowtie.
Using Bowtie Analysis to Verify Barrier Integrity
The Bowtie methodology is most powerful when used as a live management tool — not just a one-time documentation exercise. The Bowtie diagram establishes what the barriers are and what their performance standards should be. Ongoing operations verify that those standards are being met.
In practice, this means:
- Each critical barrier has a named owner — the person accountable for ensuring it is maintained and functional
- Each barrier has a defined verification interval — the frequency at which its functioning is confirmed, not just recorded
- Degradation factors are tracked — so that known threats to barrier integrity (like a deferred maintenance item) are visible at the management level, not buried in a maintenance backlog
When you can answer those questions for your highest-risk hazards, you’re doing what the risk register was never designed to do: demonstrating that control is real, not just scored.
Bowtie Analysis and CIMAH Compliance in Malaysia
Under CIMAH 1996, operators of major hazard facilities in Malaysia must produce and maintain a Safety Report that demonstrates control of major accident hazards. The safety case approach embedded in CIMAH is built around the concept of barrier effectiveness — not risk scores. Bowtie analysis is recognised by DOSH as a valid methodology for demonstrating barrier-based risk control under CIMAH.
For non-CIMAH facilities, the principle applies equally. Under the OSH (Amendment) Act 2022, employers must demonstrate they have taken reasonable steps to control workplace hazards. A Bowtie analysis that maps active barriers and tracks their performance standards is a stronger demonstration of that duty than a risk register entry that assumes controls are working.
The Diagnostic Question
Look at your highest-risk items right now. Can you name every barrier? Can you name the owner of each one? Can you state when each barrier was last verified — physically, not just documented?
If you can’t answer those questions, your risk register is showing you a score. It’s not showing you whether the risk is controlled.
Learn Bowtie Analysis in Malaysia
Bowtie analysis training in Malaysia is delivered by Asyraf Khalil — a CGE Risk certified Bowtie practitioner with 15 years of experience facilitating BowtieXP across oil and gas, manufacturing, maritime, and healthcare sectors. The programme covers barrier identification, degradation factor analysis, and the use of Bowtie as an ongoing management tool.
Learn more about Bowtie Analysis Training →
Or contact us to discuss in-house delivery for your team.