Like Risk records, each of the items in the Bow Tie Diagram have their own explorer screens. This includes the Root Causes Explorer, the Mitigations Explorer (pictured below), and the Consequences Explorer.
These explorers can be accessed by all User types by clicking on the down arrow beside the “Risks” option in the upper gray menu bar.
The three explorer screens for Causes, Consequences, and Mitigations function in the same manner and will be described together in this section.
These explorer screens also possess many of the same features and functions as the Enterprise Risk Console. Users can search for an individual record by using the dropdown filter in the Name column. Several columns can be sorted A-Z and Z-A by clicking the column title in the column header. Individual records are opened by Users clicking on the blue record name in the leftmost Name column.
Some of these explorers show columns that are unique to the resource type. For example, the Mitigations Explorer pictured above shows a “Control” column which displays the control effectiveness value that has been set for each individual control. Note that the Control Effectiveness rating set for an individual mitigation is different from the overall Control Effectiveness value that is set at the risk level.
a. Portfolio Column (Optional Feature) & Duplicate Records in Explorers
The Portfolio column will only appear if the Portfolio feature (described in this article) has been enabled by the system administrator. Admin Users will see all Portfolios and related data in these explorer windows. Standard Users and Read Only users will only see the Portfolios and data that they have been granted access to.
Users with access to multiple Portfolios may see records in these explorer screens which have similar names and appear to be duplicates.
One reason this may occur is if the same Root Cause has been created in multiple Portfolios, as pictured in the example above.
Note that this duplication will only be visible to Users who have access to allow them to see multiple Portfolios. Standard and Read Only Users with access to only a single Portfolio will only see one of the items.
There are times, however, when duplication of records may occur within a single Portfolio. In those instances, Admin and Standard Users can use the merge feature if they want to combine the two records while preserving their relationships to risks and other records.
b. Related Risks Column, Root Cause Analysis & More
All three explorer windows include a column for “Related Risks” which shows the number of Risks that each item is connected to. Note that this column can be sorted from low-high and high-low by clicking on the Related Risks title in the column header.
The number of connected Risks is shown as a blue hyperlink that can be clicked by all User Types. When clicked, the Enterprise Risk Console will be loaded to display the specific risks that are connected to the item.
The example above shows the Risk Console filtered for the three Risks connected to the Root Cause called “Ransomware Attack”. A special custom filter appears at the top of the Risk Console screen under the screen title. Users can click the x in this filter to clear the filter and return the console to the standard view.
With these features, Users can easily explore the many-to-many connections between Risks and the various Bow Tie items, allowing for fast and easy Root Cause Analysis, Control Analysis, Consequence Analysis, and more.
c. Adding New Records
Admin and Standard Users can create new records directly from the explorer screens by clicking on the blue “Add New…” button in the top right corner of the screen.
If the Portfolio feature is enabled, the User will be given the option to assign the item to a specific Portfolio when the item is created. Alternatively, the Portfolio can be changed from the item Details screen.
Note that when a Root Cause, Mitigation, or Consequence are created from a Risk Bow Tie diagram, the items are automatically linked to the Risk. When, however, an item is created from an Explorer window, it will not be initially attached to any other records. Links to Risks and other records can be created later from the items Details screen described below.
d. Details Screens for Root Causes, Mitigations, and Consequences
Each of the records for Root Causes, Mitigations, and Consequences has a Details screen that is similar to the Mitigation Details screen pictured below.
These details screens function in a similar fashion to the Risk Details screen. This includes the inclusion of an automatic change log (accessed via the menu in the Mitigation Details screen), the ability for Admin and Standard Users to link documents and other resources through hyperlinks in the Linked Resources section, the ability for Users to add additional notes, and the ability for Users to connect Risk and Performance Indicators directly to Causes, Mitigations, and Consequences (in addition to Risks and Action Plans).
Some Details screens have extra features specific to the resource type. These include:
Control Effectiveness (Mitigation Details screen)
| This field allows Users to set the control effectiveness value for an individual Mitigation. The value set, along with the User Name and timestamp is captured in the change log and is displayed to the right of the drop down fields. The User may also set a weighting, based on the relative importance of a Mitigation to managing its associated Risk(s).
Control Effectiveness values and weights set on this details screen will be displayed in the Risk Bow Tie diagram and will be used in the weighted average calculations in the Risk Details screen.
Note that there are some cases where the effectiveness of a specific mitigation may vary depending on the Risk that it is connected to. In these cases, some Users find it helpful to create multiple copies of the Mitigation with different names (e.g. Mitigation XYZ for Scenario A and Mitigation XYZ for Scenario B). In effect, they create a naming convention in which the name of the Mitigation is a Mitigation Statement that describes its use scenario. While this may result in more Mitigation records being created, the system has been designed to easily accommodate this and Mitigations can be viewed, filtered and managed through the Explorer screen described earlier. |
Attached Action Plans (Mitigation Details screen)
| Like Risks, Mitigations can be directly connected to Action Plans. Action Plans can be a helpful way to monitor the progress of activities that need to be completed related to a specific Mitigation. |
Financial Impact (Consequence Details screen)
| This represents the potential financial impact that the organization would face if the specific Consequence were to be realized. The amount saved on this Details screen is shown in the Financial Impact column of the Consequences Explorer and is available for advanced analysis and reporting through the data export feature. |
e. Merging Duplicate Records
There are times when unnecessary duplicate Root Causes, Mitigations, and Consequences may be created by Users who inadvertently create new Bow Tie items rather than using existing ones.
Unneeded duplicates can be removed with the Delete and Merge options in the menu button in the top right corner of the Details screen.
Deleting a record deletes the record AND all of its links to other resources in the system (e.g. removing it from associated Bow Tie diagrams). Merging an item with another record deletes the item, but transfers its links to the item it is being merged into. In this way, duplicate records will be removed without removing items from Bow Tie diagrams. Note, however, that the change log history of an item that was deleted through a merge function will not be transferred and will instead be deleted with the item.
In addition, when the Portfolio feature is enabled, items can only be merged with other items that are in the same Portfolio. Note that duplication of items across Portfolios is normal and only will be visible to Amin Users and Standard Users who have access to multiple Portfolios. The delete function can be used for items regardless of their portfolio assignment.
f. Moving Items to Different Portfolios
If the Portfolio feature is enabled, Users can use the Portfolio dropdown field in the item Details screen to assign the item to a new Portfolio. As in other screens, Standard Users will only see the Portfolio options that they have been granted access to. Admin Users can always see all Portfolios.
If a User attempts to change the Portfolio of an item that is used in Bow Tie diagrams, they will receive a warning letting them know that they need to first remove the item from its related Risks (i.e. Bow Tie diagrams) before the item’s Portfolio can be changed. This rule is intended to ensure that Users with access to the connected Risk do not have the item removed from the Risk’s Bow Tie diagram. A User who wishes to change the Portfolio of an item in this scenario should first visit the Bow Tie Diagram of each attached risk to disconnect it from the risk. They may choose to replace it with a copy of the item, in order to preserve the original Bow Tie diagram.