
March 18, 2026

Bowtie analysis: A visual approach to understanding risk


Claire Feeney & Marco Dyer

Risk is uncertainty. It is anything that may happen to derail progress towards corporate objectives and goals, or that may (positively or negatively) impact the outcomes of these objectives.

Tracking risks and preparing for potential risk events is essential to business operations. By analyzing potential outcomes and their possible causes, companies are better prepared to respond when risk events occur. Risk analysis is a measure of probability: how likely an event is to occur based on multiple, interconnected factors, and what its possible impacts on the organization would be.

As risks evolve, however, analysis becomes more complex. Risks may be physical or digital, internal or external, and interconnected, making them harder to track and prepare for.

Scenario planning can help improve risk analysis by quantifying causes, consequences, and controls. One popular type of visual analysis is the bowtie method. Originally used by manufacturing organizations and the oil and gas industry for process safety and risk identification, bowtie analysis has become a critical tool for any chief risk officer (CRO) managing risk of any type.

What is a bowtie analysis, and why it matters

A bowtie analysis is a visual representation of a single material risk event. Bowtie diagrams include potential risk causes (also called threats) and possible consequences (also called impacts or outcomes), and indicate which (if any) controls (also called barriers) are in place to reduce the likelihood of an event or its impact.

Here’s an overview of the model in more detail:

Diagram anatomy

A bowtie analysis has six common components:

1. Risk event

The risk event is the risk itself. In the example above, the risk event is a building fire.

The risk event sits in the center of the bowtie, with threats on the left and consequences on the right.

2. Causes

Causes are conditions that could lead to the risk event and are located on the left side of the bowtie. In our example, threats could be an electrical issue, an equipment failure in the cafeteria, or the improper use of microwaves or hot plates.

Left unchecked, these causes lead to the risk event. For example, if an electrical issue goes undetected, it may lead to an unexpected short-circuit, in turn starting a fire.

3. Consequences

Consequences are the potential outcomes of the risk event and appear on the right side of the bowtie. There may be multiple consequences tied to a single top event.

For a building fire, consequences could include property damage or injuries.

4. Preventive controls

Controls are divided into two types: preventive and mitigating.

Preventive controls limit the chance of threats leading to risk events. In our example, they could be electrical inspections or staff training to handle kitchen or breakroom fires. These barriers are placed between causes and risks in bowtie diagrams.

5. Mitigating controls

Mitigating controls are designed to limit the impact of consequences if a risk event occurs. For a building fire, they could include alarms, extinguishers, or sprinklers. They are placed between risk events and consequences in a bowtie analysis.

6. Quantification

Quantification is the process of adding data-driven values to bowtie analysis diagrams to provide real-world context. For example, assessment of electrical systems and possible fire hazards might indicate a 5% chance of electrical fires under specific conditions.

Bowtie analysis vs. other risk tools

Effective risk analysis depends on a layered approach. While bowtie analysis offers clear delineation between reactive and proactive risk management, it’s designed to analyze a specific risk event.

Other tools, such as risk matrix models and decision trees, provide additional context.

Risk matrix models

A risk matrix is a grid-based visualization that assesses risks based on likelihood and impact. Each risk is typically assigned a color that represents its overall risk rating: green for low, yellow for medium, orange for high, and red for severe.

Risk matrices are ideal for evaluating the potential likelihood and impact of multiple threats at a high level. Bowtie models are used for deeper dives into a single risk.

Decision trees

Decision trees are flowchart-like models that map all potential outcomes of a decision. They also help quantify the risks and likelihoods of each outcome.

Here’s an example of a decision tree in practice.

Company A is selecting a new software tool. This is the decision — the choice to replace current technology with an updated version. Potential outcomes include positive impacts such as increased performance and reduced error rates. They also include potential risks, such as data breaches or integration failures, that could expose financial or customer data. Each outcome is analyzed to determine its probability, providing a general sense of risk and reward that helps inform decision-making.

Decision trees are used to assess the potential consequences of a conscious organizational choice. As a result, the focus of decision trees is not mapping risk but mapping all potential outcomes. This makes them ideal for planning and strategy.

Bowtie diagrams, meanwhile, center on actions outside of company control that could lead to risk and the consequences of these actions.

Selecting the right risk model

Bowtie analysis is often the best starting point for complete risk evaluation and mitigation. This is because bowtie models help place risks within a real-world context, in turn enabling the use of risk matrix and decision tree frameworks.

Visualization of barriers

Bowtie analysis helps teams visualize barriers by placing them in context. This enables the evaluation of barrier effectiveness and identification of effective controls to reduce possible risk.

Consider the threat of a cybersecurity breach. Barriers to help prevent this breach include two-factor authentication (2FA), spam email detection, and identity and access management (IAM) tools.

Application areas

Initially, bowtie analysis was used to identify and reduce the risk of industrial workplace accidents. It makes sense — the clear delineation of threats, escalation factors, barriers, and consequences enabled safety teams to better predict and respond to possible risks.

Today, the bowtie methodology is used across organizations for risks of any kind. One prime example is cybersecurity. Given the multifaceted nature of cyber threats, bowtie diagrams offer a way to limit extraneous data and focus on key conditions.

Bowtie diagrams can also be used to map out common concerns, such as financial fraud or machine failure, along with high-impact, lower-rate risks, including natural disasters or supply chain breakdowns.

When bowtie analysis adds value (use cases & criteria)

A bowtie analysis adds the most value in two conditions: in high-impact, multi-causal risk events and as a complement to existing risk assessment tools.

High-impact, multi-causal risk use case

While it’s possible to use bowtie diagrams for any risk, businesses are often better served using these assessments for high-impact, multi-causal use cases.

As the bowtie image above shows, companies can map multiple threats (causes), consequences (impacts), and barriers (controls) to a risk event. This makes it possible to create multiple responses based on the nature of the threat and the path it takes through your organization.

Complement to existing tools

Bowtie analysis is also useful in conjunction with existing tools, such as internal risk audits, third-party risk assessments, and other risk models.

Consider a company that relies on a third-party supplier for key product components. If this supplier suffers a data breach, the consequences could be severe. While third-party risk assessments and supply chain risk scenario planning can help identify both likely and possible issues, the number of possible compromise paths can make it difficult for teams to visualize the path of a problem from start to finish.

This is where bowtie tools excel, by providing a clear delineation between threat, barriers, events, and consequences.

Limitations and constraints

It’s also worth considering the limitations and constraints of bowtie models:

The need for specialized knowledge

Specialized knowledge may be required to identify causes, consequences, and controls. You’ll need to identify the right experts and risk owners in your organization to build an effective bowtie analysis. If you don’t have this type of knowledge in-house, you may need to leverage a third-party provider.

The time required to develop meaningful models

In-depth models take time to build. While simpler models might take a few days or a week, larger models could take one, two, or more months.

The interconnected nature of controls

Controls are often interconnected. For example, cybersecurity tools such as MFA, encryption, and spam detection all exist as part of the same ecosystem. If companies experience system downtime, all these barriers fall simultaneously, exposing them to risk from multiple threats.

Failing to recognize this interconnected nature can create a false sense of security.

How to build a bowtie analysis (step by step)

It’s one thing to understand the value of bowtie analysis. It’s another thing to build one for your business. Here are five steps for building a bowtie.

1. Identify your hazard and top event

Start by identifying your model’s hazard and related top event. While the hazard can be reasonably broad, the top event should be specific and well-defined.

2. Connect threats and consequences

Link specific threats to consequences. This is accomplished using an “if... then” approach. If threat A happens, what is consequence B? Follow this process for threats B, C, and D, as needed.

3. Define preventive/mitigative barriers

Next is defining preventive and mitigative barriers. Preventive barriers should reduce the risk of threat A leading to the top event, while mitigative barriers reduce the risk of your top event leading to consequence A.

4. Pinpoint escalation factors

With threats, consequences, and barriers established, consider possible escalation factors. What could cause your barriers to become less useful or fail?

5. Implement maintenance and stakeholder validation processes

Finally, make sure to build in regular model maintenance and stakeholder validation processes. Maintenance keeps diagrams up to date with new threats, consequences, and barriers, while stakeholder validation ensures models align with current business goals and long-term strategies.
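The five steps above, and the interconnected-controls limitation discussed earlier, can be made concrete in a small model. The following Python is an added example, not part of the original article or of any Optro product: it encodes a constructed network-compromise bowtie (hazard, top event, threats, barriers, consequences), quantifies residual likelihoods, and flags escalation factors, here a shared dependency such as an identity platform, whose failure disables more than one barrier at once. All names, probabilities and effectiveness figures are illustrative assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Barrier:
    name: str
    effectiveness: float                  # probability the barrier stops the path (0..1)
    depends_on: frozenset = frozenset()   # shared systems whose outage disables the barrier

@dataclass
class Path:                               # a threat (left side) or a consequence (right side)
    name: str
    base_likelihood: float                # likelihood of this path with no barriers in place
    barriers: list

@dataclass
class Bowtie:
    hazard: str
    top_event: str
    threats: list
    consequences: list

def residual(path, failed_deps=frozenset()):
    """Likelihood the path gets through all its barriers. Barriers are treated as
    independent, except that any barrier depending on a failed system drops to zero."""
    p = path.base_likelihood
    for b in path.barriers:
        eff = 0.0 if b.depends_on & failed_deps else b.effectiveness
        p *= 1.0 - eff
    return p

def top_event_likelihood(bt, failed_deps=frozenset()):
    """P(top event) = 1 - P(no threat gets through), threats assumed independent."""
    miss = 1.0
    for t in bt.threats:
        miss *= 1.0 - residual(t, failed_deps)
    return 1.0 - miss

def consequence_likelihoods(bt, failed_deps=frozenset()):
    p_te = top_event_likelihood(bt, failed_deps)
    return {c.name: p_te * residual(c, failed_deps) for c in bt.consequences}

def shared_dependencies(bt):
    """Escalation-factor check: dependencies whose failure would knock out >1 barrier."""
    users = {}
    for path in bt.threats + bt.consequences:
        for b in path.barriers:
            for dep in b.depends_on:
                users.setdefault(dep, set()).add(b.name)
    return {d: sorted(n) for d, n in users.items() if len(n) > 1}

# Constructed sample bowtie; every figure below is an illustrative assumption.
SPAM = Barrier("spam detection", 0.8, frozenset({"email gateway"}))
MFA = Barrier("MFA", 0.9, frozenset({"identity platform"}))
IAM = Barrier("IAM policies", 0.5, frozenset({"identity platform"}))
ENC = Barrier("encryption at rest", 0.7, frozenset({"key management"}))
BACKUP = Barrier("tested backups", 0.9)
NETWORK_COMPROMISE = Bowtie(
    hazard="Externally reachable corporate network",
    top_event="Attacker gains access to the internal network",
    threats=[Path("phishing", 0.30, [SPAM, MFA]), Path("credential stuffing", 0.20, [MFA, IAM])],
    consequences=[Path("PII theft", 0.6, [ENC]), Path("service outage", 0.4, [BACKUP])])
```

Calling `top_event_likelihood(NETWORK_COMPROMISE)` gives about 1.6%, while passing `failed_deps=frozenset({"identity platform"})` raises it to about 24.8%, which is the false sense of security that `shared_dependencies` is meant to surface.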

How to embed bowtie analysis in a mature risk control program

Bowtie assessments work best as part of a mature risk program that scales in response to emerging threats. To embed bowtie frameworks, companies should do the following:

Ensure data flow from GRC/ERM

Effective models depend on accurate and relevant data. As a result, companies must ensure data flow to and from enterprise risk management (ERM) and governance, risk, and compliance (GRC) tools. It’s especially helpful to leverage existing risks, risk events, and controls within your bowtie analysis, alongside potential risk events and controls, without impacting your already established risk universe.

Integrate tooling and automation

Automation and tooling integrations streamline the creation and management of models. In practice, this may include the automatic collection of data from multiple sources or the deployment of risk management tools that provide unified platforms for complete visibility.

Leverage AI

AI is a powerful companion to bowtie analysis. AI-enabled evaluations of risk, causes, and consequences can help companies discover new connections and deploy targeted barriers that reduce overall risk.

Common pitfalls CROs face with bowtie adoption

CROs often face pitfalls with bowtie adoption and implementation, like these:

Oversimplification

While diagrams should be straightforward, they should not be simplistic. This is because oversimplification can minimize the impact presented by a possible hazard or top event.

For example, if a consequence of network compromise is simply listed as “data loss,” this doesn’t tell the full story. The type of data is relevant: if public-facing, anonymized information is stolen, the impact may be limited to the time needed to remediate the affected storage systems.

If, however, compromise leads to the theft or destruction of personally identifiable information (PII), financial data, or other assets that are governed by compliance standards, companies could face the loss of both revenue and reputation. According to IBM, data breaches now cost companies an average of $4.4 million.

Stale diagrams

Risks are not static. As a result, bowtie diagrams must be regularly updated to reflect the current risk conditions. Using stale diagrams can create a false sense of security — while businesses are focused on outdated threats, new issues may escape notice and wreak havoc on operations. Dynamic risk assessments are critical to deliver actionable insight.

Undefined barriers

Bowtie models require clearly defined barriers. If barriers are vague, it’s harder for companies to protect against threats and resolve potential recovery issues.

Consider the data loss example above. One common protective barrier is encryption. Simply labeling it as “encryption,” however, doesn’t provide enough context. What type of encryption? What data is encrypted? Where is it located? Clear definitions are key.

Tooling challenges

Making the most of bowtie models requires alignment with security tools. Many CROs, however, face challenges with legacy security tools that may be difficult to link with enterprise risk management (ERM) solutions.

To reduce the impact of these challenges, it’s critical to inventory current assets and applications and ensure they’re capable of supporting bowtie diagrams.

Key questions to ask before using bowtie analysis in your organization

Not sure if bowtie is your best bet? Start with these four questions.

What are our most material risk events?

The bigger the risk, the more useful the bowtie. Identify your biggest risks, then map their hazards, top events, threats, and consequences.

What are our standard definitions?

It’s worth creating standard definitions for threats, consequences, hazards, and top events. For example, data loss is a common consequence of a network breach. But data loss is a broad term — depending on the type and amount of data lost or stolen, companies could suffer minor inconvenience or major impacts.

As a result, it’s a good idea to build standard definitions for different types of data loss that include data type, location, value, and any associated regulatory risks. One option is a level-based framework: Level 1 data loss indicates public-facing data, Level 2 covers financial or intellectual property information, and Level 3 describes any personally identifiable information (PII) that is subject to regulatory requirements such as GDPR or CCPA.

Where does bowtie analysis fit in our organization?

As noted above, bowtie models are ideal for high-risk, multi-source events. Comprehensive risk assessments help pinpoint these events and create a framework for bowtie applications.

How much granularity is required?

While granular data generally delivers better results, over-focusing on the details can significantly increase the time required to create bowtie models, which in turn limits their usability. Find a balance between granular and general for the best results.


About the authors


Claire Feeney is a Senior Product Marketing Manager at Optro focused on ESG and RiskOversight. In her role, she helps support organizations in transforming their enterprise risk management and sustainability programs. Prior to joining Optro, Claire worked in product marketing at OneTrust, VMware, and Infor. Connect with Claire on LinkedIn.


Marco Dyer is a Staff Product Manager at Optro, where he spearheads the development of risk quantification and scenario modeling initiatives. With over 13 years of experience scaling products within high-growth software organizations, Marco is dedicated to building tools that transform complex risk data into actionable business strategy. He is passionate about empowering customers to modernize their operations and achieve measurable, data-driven outcomes.
