How to Build a Risk Bow Tie Diagram
Written by Daniel Mohammed
Updated over a week ago

Risk Bow Tie Diagrams get their name from their distinctive shape. Risk Bow Tie Diagrams have become very popular risk analysis tools in Enterprise Risk Management programs, because they allow Users to capture and display several scenarios in one intuitive diagram.

The event that the organization is concerned may occur is called the Risk Event, and is captured in the center of the diagram. This section starts out pre-populated with whatever was entered as the Risk Name. It can be edited simply by clicking on the text. After a Risk has been created, any edits to the Risk Name or Risk Event fields will be independent of each other and will not affect the other field.

The User can then capture the Root Causes that could trigger the Risk Event in the left-most column, and enter the Consequences that would result from the Risk in the far-right column. Mitigations can then be entered as either Pre-Event Mitigations or Post-Event Mitigations. Pre-Event Mitigations are steps that have already been taken to reduce the inherent risk level. Post-Event Mitigations are steps that can be taken after a Risk Event occurs, in order to lessen or shorten the final impact of Risk Events.

The existing Mitigations listed in the Bow Tie diagram are also called Controls. Note that in the typical use of a Bow Tie diagram, future planned Mitigations are not included in the Bow Tie diagram. Instead, they are created and tracked as Action Plans. Similarly, under normal practice, future planned Mitigations that have not been implemented will not typically be considered when determining overall levels of Control Effectiveness and overall Residual Risk levels, because the planned Mitigations are not functioning yet. Once Action Plans are completed, Users can then add the new Mitigations to the Bow Tie diagram and reassess the Risk scores.

To edit or enter an item into a Bow Tie Diagram, a Standard or Admin User clicks on the blue “add or create new…” link in each Bow Tie section. This will expose a dropdown list that will allow the User to select from the existing list of items. In this example, the User could click on the first highlighted item to add it to the Bow Tie.

The User can also type in the empty field to search for an existing item. If the item is not found, the User will be presented with an option to add the new item.

Note that items added to a Bow Tie Diagram are more than just text. Each item is a record on its own in the system, such that it can be attached to multiple Risks and other resources (e.g. Key Indicators, Action Plans etc.), in many-to-many connections. These items also have their own Explorer Consoles (aka Registers), allowing Users to explore many-to-many connections, perform root cause analysis, control analysis, and more.

If your organization is using the optional Portfolio feature, when Admin Users and Standard Users click the blue “add or create new…” link to activate the dropdown, they will see all of the items in the dropdown that they have access to (based on their Portfolio access permissions).

If any of the items in the list are from a different Portfolio than the current risk, their portfolio will be shown in square brackets at the end of the item name.

In the example pictured below, the Root Cause named “100 Year Flood…” is in a Portfolio called “ESG”.

If the User selects an item from a different Portfolio than the Risk, they will receive a pop up warning providing them with the options to either move or copy the item to the current Risk.

Note that items from all Portfolios are shown to Users to make them aware of other available options and to reduce confusion (e.g., if a User recalls that an item exists but does not realize it is in a different Portfolio). Also please note that this “multi-Portfolio” view will only affect Admin Users and Standard Users with access to more than one Portfolio. Presumably, these will be more frequent Users of the system (aka “Power Users”) who will not be confused by the additional options.

The Risk Bow Tie section is not mandatory and can be collapsed by a User clicking on the Arrow Icon beside the section title. The expanded / collapsed status is saved in the User’s browser cache and will be remembered through subsequent screen refreshes and logout / login cycles. The status remains until the User changes it or clears their browser cache.

Indicator Alert Icons may appear on items in the Bow Tie diagram. These icons signal to the User that the item has at least one attached Indicator in Alert Status. Being in Alert status may mean that the Indicator has exceeded its predefined tolerance limits, or that the Indicator was not updated when required. Either way, the Alert serves as a warning to the User that the context for the Risk may be changing and that further investigation may be required, including a potential reassessment of the Risk.

Each Bow Tie item with an alert on it will be included in the Alert total at the top of the Risk Details screen, as described earlier. The creation, configuration, and management of Indicators (including setting tolerance levels and managing Alerts) is described in a later section of this User Guide.

Mitigation Effectiveness Scores may appear in the left corner of Mitigations in the Bow Tie diagram. Users can click on a Mitigation to open the Mitigation Details page and set an effectiveness score for the Mitigation, as described in a later section of this User Guide. Users may also set a weighting for each Mitigation on the Mitigation Details page, if the Mitigation is deemed to be significantly more or less important to the control of the Risk.

When at least one Mitigation has been scored in a column of the Bow Tie, a weighted average will be automatically calculated and displayed at the top of the column, as shown in the upper image. Note that Users do not need to score all Mitigations, and only Mitigations that have been scored will be included in the weighted average. Weighted averages may appear in either, both, or neither of the Pre-Event and Post-Event columns.

When at least one Mitigation has been scored, the total weighted average of all Mitigations in the Bow Tie diagram will be calculated and displayed in the Risk Scoring Section at the top of the Risk Details Screen. This score may be helpful to the User when selecting the overall Control Effectiveness for the Risk.

Note that when there is a large difference between the weighted average of the individual Mitigation scores from the Bow Tie diagram and the overall Control Effectiveness for the Risk in the Risk Scoring Section, a yellow warning color may appear in the Enterprise Risk Console. This warning tells the User that the Risk Control Effectiveness may no longer be valid and should be reviewed and possibly adjusted.
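
The scoring rules described above can be reproduced outside the tool to sanity-check a Risk. The following is an added example, not code from the product or its vendor. It assumes a 0-100 score scale, a default weight of 1.0, an overall figure pooled across both columns, and a hypothetical `review_gap` threshold standing in for the "large difference" that the article does not quantify.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Mitigation:
    name: str
    column: str                    # "pre" or "post" (Pre-Event / Post-Event)
    score: Optional[float] = None  # None = not scored yet; 0-100 scale is assumed
    weight: float = 1.0            # default weight of 1.0 is assumed

def weighted_average(mitigations):
    """Weighted mean over scored Mitigations only; None when nothing is scored."""
    scored = [m for m in mitigations if m.score is not None]
    total_weight = sum(m.weight for m in scored)
    if not scored or total_weight <= 0:
        return None  # the column shows no average in this case
    return sum(m.score * m.weight for m in scored) / total_weight

def bow_tie_summary(mitigations, control_effectiveness, review_gap=20.0):
    """Per-column and overall averages, plus a flag for a large divergence.

    review_gap is a hypothetical threshold chosen for this example.
    """
    pre = weighted_average([m for m in mitigations if m.column == "pre"])
    post = weighted_average([m for m in mitigations if m.column == "post"])
    overall = weighted_average(mitigations)
    needs_review = (overall is not None
                    and abs(overall - control_effectiveness) > review_gap)
    return {"pre": pre, "post": post, "overall": overall,
            "needs_review": needs_review}

# Constructed sample data. Unscored Mitigations are skipped, not counted as 0:
# treating the unscored Pre-Event item as 0 would give 52.5 instead of 70.0.
SAMPLE = [
    Mitigation("Flood barriers", "pre", score=80, weight=2.0),
    Mitigation("Site drainage survey", "pre", score=50),
    Mitigation("Backup generator", "pre"),   # not scored
    Mitigation("Insurance policy", "post"),  # not scored
]

if __name__ == "__main__":
    print(bow_tie_summary(SAMPLE, control_effectiveness=95))
```
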

For Users and Admins who are interested, a more detailed article on completing bow tie diagrams can be found on the Tracker Networks website.
