
Bowtie Analysis

Visualize and manage risk pathways with the bowtie method. Understand how causes lead to risks, how risks lead to effects, and where your controls fit in.

Accessing the Bowtie View

To access the bowtie diagram for any risk, open the risk's detail page and click the "Bowtie" tab. This provides the full interactive diagram where you can define causes, effects, and attach measures.

Understanding the Bowtie Layout

The bowtie diagram provides a clear visual representation of risk pathways. The layout follows a left-to-right flow: Causes on the left, the Risk Event in the center, and Effects on the right. This creates the distinctive bowtie shape.

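[Diagram: bowtie layout. Left: Cause 1, Cause 2, Cause 3 ("What triggers the risk?"), with Prevention Measures on the cause-to-risk connections. Center: Risk Event. Right: Effect 1, Effect 2, Effect 3 ("What happens if risk occurs?"), with Mitigation Measures on the risk-to-effect connections.]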

Left Side: Causes

Events or conditions that could trigger the risk. Prevention measures are placed here to reduce the probability of the risk occurring.

Right Side: Effects

Consequences that could result if the risk materializes. Mitigation measures are placed here to reduce the impact of the risk.

Key Concept: Events Can Play Multiple Roles

In Risk Companion, the same event can serve as a cause for one risk and an effect for another. This reflects how risks cascade through an organization:

  • A "Server Outage" might be an effect of the "Power Failure" risk
  • The same "Server Outage" can be a cause of the "Data Loss" risk

Adding Causes and Effects

Building your bowtie starts with identifying what could trigger the risk (causes) and what could happen if the risk occurs (effects).

Adding Causes (Left Side)

  1. Click the "Add Cause" button on the left side of the bowtie diagram
  2. Search for an existing event or create a new one by entering a title
  3. The cause will appear connected to the central risk event

Tip: Causes answer the question "What could trigger this risk?"

Adding Effects (Right Side)

  1. Click the "Add Effect" button on the right side of the bowtie diagram
  2. Search for an existing event or create a new one by entering a title
  3. The effect will appear connected from the central risk event

Tip: Effects answer the question "What happens if this risk occurs?"

Example: Data Breach Risk

Causes (triggers):

  • Successful phishing attack
  • Unpatched software vulnerability
  • Insider threat / malicious employee
  • Third-party vendor compromise
  • Lost or stolen device

Effects (consequences):

  • Financial loss from regulatory fines
  • Reputational damage
  • Customer churn
  • Legal liability and lawsuits
  • Operational disruption

Attaching Measures to Connections

Measures are the controls that either prevent risks from occurring or mitigate their impact. In Risk Companion, measures attach to specific connections in the bowtie:

Prevention Measures

Attach to Cause → Risk connections. Click on the connection line between a cause and the risk, then select "Add Measure" to attach a preventive control.

Goal: Reduce the probability of the risk occurring.

Mitigation Measures

Attach to Risk → Effect connections. Click on the connection line between the risk and an effect, then select "Add Measure" to attach a mitigation control.

Goal: Reduce the impact if the risk occurs.

How to Attach a Measure

  1. Click on the connection line between a cause and the risk (for prevention) or between the risk and an effect (for mitigation)
  2. Select "Add Measure" from the context menu
  3. Fill in the measure details: title, owner, due date, status, and effectiveness rating
  4. The measure will appear as a barrier on that connection line

Measure Properties

  • Title: Name of the control or action
  • Owner: Person responsible for implementation
  • Due Date: Target completion date
  • Status: Not Started, In Progress, Complete
  • Effectiveness: How effective the measure is at reducing risk (High, Medium, Low)

Drag-and-Drop Functionality

Risk Companion supports drag-and-drop to help you reorganize your bowtie diagram. This makes it easy to reassign measures or restructure your analysis as your understanding evolves.

Moving Measures Between Connections

If you realize a measure better belongs on a different cause or effect connection:

  1. Click and hold the measure you want to move
  2. Drag it to the new connection line (cause-to-risk or risk-to-effect)
  3. Release to drop the measure in its new position

Reordering Causes and Effects

Drag causes up or down on the left side, or effects up or down on the right side, to reorder them visually. This helps you group related items or prioritize by importance.

Tips for Effective Bowtie Analysis

1. Start with the Risk Event

Define a clear, specific risk event before adding causes and effects. A well-defined risk makes it easier to identify relevant triggers and consequences. Avoid vague risks like "Something bad happens" - be specific: "Customer data breach exposes PII."

2. Brainstorm Causes Broadly, Then Prioritize

Initially, add all possible causes without filtering. Then review and prioritize based on likelihood and your ability to control them. Focus prevention measures on the most probable or impactful causes.

3. Consider Cascading Effects

Remember that an effect of one risk can be a cause for another. Use Risk Companion's ability to reuse events across multiple bowties to model these risk cascades and identify critical control points.

4. Balance Prevention and Mitigation

Don't put all your controls on one side. Even with strong prevention measures, you need mitigation in case the risk occurs. Aim for defense in depth with barriers on both sides of the bowtie.

5. Assign Clear Ownership

Every measure should have an owner responsible for its implementation and maintenance. Use the owner field to ensure accountability and enable follow-up during reviews.

6. Review and Update Regularly

Bowtie diagrams are living documents. Schedule regular reviews to update measure status, reassess effectiveness, and add new causes or effects as your risk landscape changes.

Example: Complete Bowtie with Measures

[Diagram: data breach bowtie]

Causes and their prevention measures:

  • Phishing Attack: Security Training, Email Filtering
  • Unpatched Software: Patch Management
  • Lost Device: Device Encryption, Remote Wipe

Risk: DATA BREACH

Effects and their mitigation measures:

  • Financial Loss: Incident Response
  • Reputation Damage: PR Crisis Plan
  • Legal Liability: Legal Counsel

Prevention Measures (Left Side)

  • Security awareness training - Reduces likelihood of successful phishing
  • Automated patch management - Reduces vulnerability window
  • Device encryption - Protects data on lost devices
  • Remote wipe policy - Enables rapid response to device loss

Mitigation Measures (Right Side)

  • Incident response plan - Ensures rapid, coordinated response
  • PR crisis plan - Protects reputation through communication
  • Legal counsel - Manages liability and compliance
  • Cyber insurance - Transfers financial impact
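
The checks from the tips above (cascading effects, balance between both sides, clear ownership), run over this data breach bowtie as an added example that is not part of Risk Companion or its documentation. The dictionary layout, the owner names and the function names are assumptions; the connections without measures are the causes and the effect from the earlier "Data Breach Risk" lists that the diagram leaves uncovered.

```python
from collections import defaultdict

RISKS = {"Data Breach", "Power Failure", "Data Loss"}

# Constructed sample data: (source event, target event) -> [(measure title, owner)].
# Cause -> risk connections hold prevention measures, risk -> effect connections
# hold mitigation measures. Owner values are made up; None means no owner set.
CONNECTIONS = {
    ("Phishing Attack", "Data Breach"): [("Security Training", "ciso"), ("Email Filtering", None)],
    ("Unpatched Software", "Data Breach"): [("Patch Management", "it-ops")],
    ("Lost Device", "Data Breach"): [("Device Encryption", "it-ops"), ("Remote Wipe", "it-ops")],
    ("Insider Threat", "Data Breach"): [],
    ("Third-Party Vendor Compromise", "Data Breach"): [],
    ("Data Breach", "Financial Loss"): [("Incident Response", "soc-lead")],
    ("Data Breach", "Reputation Damage"): [("PR Crisis Plan", None)],
    ("Data Breach", "Legal Liability"): [("Legal Counsel", "legal")],
    ("Data Breach", "Customer Churn"): [],
    # Cascade from "Events Can Play Multiple Roles"
    ("Power Failure", "Server Outage"): [],
    ("Server Outage", "Data Loss"): [],
}

def unguarded(risk):
    """Pathways of `risk` that have no barrier, grouped by bowtie side."""
    gaps = {"prevention": [], "mitigation": []}
    for (src, dst), measures in CONNECTIONS.items():
        if not measures and dst == risk:
            gaps["prevention"].append(src)   # cause with no preventive control
        elif not measures and src == risk:
            gaps["mitigation"].append(dst)   # effect with no mitigating control
    return gaps

def unowned():
    """Titles of measures that nobody is accountable for."""
    return sorted(t for ms in CONNECTIONS.values() for t, owner in ms if not owner)

def cascade_events():
    """Events that are an effect of one risk and a cause of another."""
    effect_of, cause_of = defaultdict(set), defaultdict(set)
    for src, dst in CONNECTIONS:
        if src in RISKS and dst not in RISKS:
            effect_of[dst].add(src)
        elif dst in RISKS and src not in RISKS:
            cause_of[src].add(dst)
    shared = effect_of.keys() & cause_of.keys()
    return {e: (sorted(effect_of[e]), sorted(cause_of[e])) for e in shared}

if __name__ == "__main__":
    print(unguarded("Data Breach"), unowned(), cascade_events(), sep="\n")
```
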

Practical Example: Supply Chain Disruption

Here is a complete bowtie analysis for a supply chain disruption risk:

[Diagram: supply chain disruption bowtie]

Causes and their prevention measures:

  • Supplier Bankruptcy: Supplier Monitoring, Multiple Sources
  • Natural Disaster: Geographic Diversity, BCP Plans
  • Quality Issues: Incoming Inspection, Supplier Audits

Risk: SUPPLY CHAIN DISRUPTION

Effects and their mitigation measures:

  • Production Delays: Safety Stock, Alt Suppliers
  • Revenue Loss: Insurance, Force Majeure
  • Reputation Damage: Recall Plan, Customer Comms

Prevention Measures in Action

  • Supplier monitoring: Early warning of financial issues
  • Multiple sources: No single point of failure
  • Geographic diversity: Protects against regional disasters
  • Incoming inspection: Catches quality issues early

Mitigation Measures in Action

  • Safety stock: Buffer against short-term disruption
  • Alternative suppliers: Quick switch capability
  • Insurance: Financial protection
  • Customer communication: Protects relationships
