About bow-tie

A bow-tie risk diagram is centred on a specific bad outcome. To its left are the risks that will result in the outcome; to the right are the consequences that will follow on. Risks are reduced by the application of countermeasures, whilst the impact of the consequences is reduced by mitigations. RiskTree uses bow-tie diagrams to extend the risks from its tree diagrams out to the consequences of the bad outcomes. This can be done because each branch of a RiskTree, from the lowest node (the risk) to the root node (usually a generic bad outcome) form the left-hand side of a bow-tie diagram.

The example above shows a simple bow-tie diagram with three risks leading to the outcome, and two consequences. The diagram illustrates the risks that lead to the loss of customer data, which is then used for identity theft. The is results in a fine from the ICO and a loss of sales. There are two countermeasures across the three risks (CM1:0 and CM1:1), and one mitigation against the consequence of ICO fine.

Bow-tie assessment

As well as being able to create bow-tie diagrams in RiskTree, the diagrams can also be quantified and assessed. Consequences have impacts assigned to them; these are the types of effect that the consequences will have, together with their severity. They can also have escalation points assigned; these are things that will reduce the effectiveness of the countermeasure. Mitigations will alter the scale of these impacts. Each outcome can then have the level of their risks and consequences calculated to give an overall score for the outcome, allowing them to be considered in a quantitative manner. Like countermeasures, mitigations can be flagged as existing or target, allowing for intrinsic, residual, and target scores to be calculated for outcomes. Like risks, the outcomes can then be prioritized, and this in turn can allow the mitigations to be compared and assessed for their relative importance in terms of the effect that each will have.

Creating a bow-tie diagram

A bow-tie diagram is created once a RiskTree report has been compiled using the Processor, using the bow-tie builder. Outcomes, consequences, and mitigations are assigned to branches of the tree. Existing items can be quickly reused where they occur on multiple branches. The bow-tie diagrams can then be viewed on the 'Bow-tie' tab in the report. The assessment is quickly made, and this generates a table of the outcomes, as well as enabling the scores to be seen both numerically and through the use of colour on the bow-tie diagrams.

Related information