top of page
Search
  • Julian Talbot
    • May 25, 2018
    • 6 min read

Risk BowTie Method

BowTie is one of my favorite risk management tools. It supports a complex analysis but is so simple that even a five-year-old can understand it. It is also visual, which makes it a great communication tool. You'll regularly see it featured in my books, training, and webinars.

 

BowTie analysis draws its name from its shape, reminiscent of a traditional necktie. The precise origin of this method is unclear, but it seems to have evolved from cause and consequence diagrams in the 1970s. A major limitation of ‘cause-event-consequence’ diagrams is that they don’t show the full complexity of a scenario.  


The first formal use of BowTie as a documented method appeared in the 1990s when Shell Group adopted the method to show causal links between sources of risk and consequences. The oil & gas industry and many other industries have since adopted it.


Risk Bow-Tie Model

Figure 1: Risk BowTie

You can consider multiple Events if the causal links from risk Sources to the Event(s) to Consequences are credible. Still, the focal point for BowTie analysis is usually a single risk Event. At the center of the BowTie diagram is the risk Event. In this example, a fire. To the left is what might cause the event (e.g., lightning, arson, an electrical fault). On the right-hand side are the potential outcomes (e.g., death, building damage, financial loss). 

 

The left and right sides are larger than the center because many sources might lead to a single risk Event. That single Event can, in turn, lead to many Consequences. 


Risk Causation

Figure 2: Risk Causation

In reality, most sources of risk can create many events. Even a single event can cause many consequences. 

Risk Causation Example

Figure 3: Risk Causation Example

Choosing an ‘Event’ at the center of the BowTie provides a focus for analysis. 



Figure 4: Risk Bow Tie Single Event

Structure and Application

BowTie expresses likelihood and consequence management via the left and right-hand sides of the Event using similar concepts to the Swiss Cheese Model and Escalation Factors. 


Risk Controls in Bow-Tie

Figure 5: Risk Controls

BowTie diagrams depict the relationship between Sources of risk, Controls, Escalation Factors, Events, and Consequences. Some benefits include: 

  • full range of initiating causes can be shown

  • existing controls (intervening safeguards/barriers) are depicted

  • causal pathway in which these combine and escalate can be shown

  • consequence management (right) side shows post-event controls

  • multiple possible consequence outcomes can be depicted

  • causal pathway effects of controls are made explicit

In the BowTie, Controls change the likelihood or consequence of a risk but Escalation Factors are conditions that can vary the effectiveness of likelihood or consequence Controls.  Escalation Factors might include fatigue, competency, the environment, foreign exchange, drug use, human error, etc.

 

For example, controls such as fire detection and suppression systems might be more likely to fail on an oil rig than in an office building due to the corrosive saltwater environment. In this instance, Controls such as regular inspections, testing, and preventative maintenance programs might mitigate that Escalation Factor.

 

It’s important to remember that, as illustrated below, not all controls will effectively manage all sources of risk or mitigate all consequences. 


Risk Control Relationships in Bow-Tie Model

Figure 6: Control Relationships


Figure 7: BowTie Structure Example

  • Sources of risk. Threats, hazards, exposures, vulnerabilities, opportunities, or circumstances which cause a risk event.

  • Likelihood controls. Measures to reduce the likelihood of negative risk events or increase the likelihood of positive events.

  • Likelihood escalation factors. Elements that might change the effectiveness of likelihood controls.

  • Likelihood escalation controls. Resources, risk treatments, mitigations, or barriers that affect or manage escalation factors.

  • Event(s). Incident(s) or risk event(s) which may occur as a result of the sources of risk and could impact on objectives.

  • Consequence controls. Measures to support or change the consequences of the risk event(s).

  • Consequence escalation factors. Elements that through cascading or cumulative effects could lead to changes in the effect of consequence controls.

  • Consequence escalation controls. Resources, risk treatments, mitigations, or barriers that modify the effect of escalation factors.

  • Consequences. Outcome(s) of a risk event that could affect objectives. 



Risk Bow-Tie Factory Fire Example Diagram in Pretty Colors by Julian Talbot

Figure 8: Factory Fire Example

Advantages of BowTies

Bow-ties are not a universal panacea, but they have practical benefits, including many we find in only a few methodologies: 

  • Repeatable. A robust and consistent method for documenting existing controls and linking them to the risks they are treating.  

  • Integrated. A framework where risks and management procedures can be linked and compared.   

  • Causal. Highlighting causal links between risks, controls, sources, events, and potential consequences.  

  • Systems and gap analysis. Facilitates identification of deficiencies or missing risk controls.  

  • Visual. Risks are easily communicated and understood at all levels of an organization.  

  • Complementary. Aligns with and complements other methodologies such as Likelihood and Consequence Management, P2R2, Swiss Cheese, and Root Cause Analysis.  

  • Aligned with better practice methodologies to support management decision-making and evaluation of risks.  

  • Adequacy of Existing Controls. Existing Controls are identified, listed, and linked to specific threats and can be assessed by their effectiveness.  

  • Scenario-modeling. Typical scenarios and relationships can be depicted on the pre-event side (left side) of the BowTie diagram.

  • Vulnerabilities. BowTie can highlight areas where controls are poor.

  • Audit. BowTie diagrams can show auditors and managers the conceptual application of management systems.  

  • Defining. Define the meaning and relative roles of key terms.


Example of using a Bow-Tie diagram to define risk management terms (in pretty colors of course :-)

Figure 9: Example of Using Bow-Tie to Define Terms

It is important to understand there isn’t a single correct way, and BowTies can be adapted for each specific context and organization.  


Another example of using Bow-Tie diagrams to define and show relationship of risk management terms

Figure 10: Second Example of Defined Terms Illustrated by Bow-Tie

Positive Risks

BowTie can also illustrate the Sources, Controls, and risk Events that could turn an opportunity into a benefit. When managing a project or implementing a plan, for example, starting a business or choosing to start a project, the intention is to increase the positive consequences.

The following example illustrates a funds management product.


Positive Risk Bow-Tie Example using Financial Services Product Development

Figure 11: Financial Product Example

Although unusual, positive and negative consequences can be plotted in a single BowTie to illustrate the Sources (Threats and Opportunities) and Consequences (Benefits and Losses) of a single event.


Aligning postitive and negative risks on a risk Bow-Tie model

Figure 12: Threats and Opportunities

Even terrible events such as car accidents can generate both positive outcomes. Accidents are good for repair businesses, new car salespeople, and demand for enhanced safety features.


Positive and negative risks associate with car accidents using Bow-Tie model

Figure 13: Car Crash Example

Bow-Tie Tables

Although useful as a visual metaphor or illustration of risk controls, we magnify the power of the BowTie method when used in a table. This level of analysis is only worth the effort for major projects or enterprise risk assessments. 


The BowTie model moves the left to right ’Source to Consequence’ elements to a top-to-bottom format in a table. Each part in the BowTie can then be linked to specific controls. This is best done by creating a separate list of controls because many controls relate to more than one escalation factor or barrier.


Showing relationship of Bow-Tie diagram to Bow-Tie table

Figure 14: BowTie Diagram to Table

The following example highlights one approach in which a BowTie table might produce a comprehensive evaluation of a risk event.

Table 1: Example of a BowTie Table Structure


Example of a Bow-Tie Table Format

Table 2: Example of Structure of Blank BowTie Table


Bow-Tie Table Structure

Table 3: Example of Structure of Blank BowTie Controls Table


Example of a Controls Register Table

BowTie Controls Example

The Controls shown in the table below are examples only and are cross-referenced in the Bow Tie Assessment Table.


Notes:

  1. It may be appropriate to document organizational Controls before establishing the BowTie table and again when the BowTie table is complete.   

  2. The inability to list an existing control proposed in the BowTie table highlights a gap in Control systems.   

  3. Not all Controls have a reference number.   

  4. Not all Controls are documented because some are cultural, social, or physical.

  5. Controls with a physical form (e.g., handrails) should have a specific reference, such as a policy, procedure, or engineering specification.  

  6. Controls should have enough detail to be auditable or some form of evidence produced.   

  7. If a Control exists but isn’t documented, you may need to create a controlled record such as a photograph, sworn statement, archived computer log, or cultural survey.

Table 4: Example of BowTie Controls Table


Example of Truncated Bow-Tie Controls Table with Data

BowTie Table Example

 

This table demonstrates how a complex analysis can be conducted for security-related events.

 

The BowTie in the example below relates to a security risk analysis. However, the same approach will work well for safety, environment, financial, project, enterprise risk management, or any risk analysis.

 

 

Note: Reference numbers refer to controls from the above BowTie Table. Superscript text <Ref # xxx> refers to the control numbers listed in a separate Controls table.

 

Table 5: Example of Complex BowTie Table





 

How to Use BowTie Technique

The Bow-Tie method can be used in several ways, including as the focus of a facilitated group workshop or risk analysis. One of the best uses is analyzing, reporting, and communicating potential risks, actual incidents, and near-misses.


In another article, I will talk about how it can be expanded for Root Cause Analysis (RCA).


Drop me a line if you'd like to attend a full-day training course on Bow-Tie analysis (either online or in person). I will put it on again in the training program if there is enough interest.

 

This Bow-Tie article is an excerpt from a book due soon. If you'd like to know when the book and training course will be launched, subscribe or contact me to find out more.



 

If you are looking for a risk management solution, look no further. Some friends and I have built a platform to align with the ISO31000 risk management process. It also has a very cool control effectiveness rating module, threat assessment, hazard ranking, and asset criticality rating systems.



 

NEED SOME HELP?

if you'd like a one-on-one consultation to help with a particular challenge you can reach me via this link.

This free template might also help. It's a simple process that has helped me solve many problems for organizations and personally.

bottom of page