December 17, 2019
By Jay Mui, PMP, MBA | Supervisor, Risk & Advisory Services
Well, if you are being literal, 17th-century Croatian mercenaries used a scarf to hold together the opening at the neck of their shirts. King Louis XIII, a great employer of these mercenaries, so enjoyed and promoted this look that it soon became quite fashionable. Eventually it evolved into the modern-day bow tie. Warren St. John of The New York Times wrote that, “The bow tie hints at intellectualism, real or feigned, and sometimes suggests technical acumen, perhaps because it is so hard to tie.”
In risk management, the Bow Tie Method uses technical acumen and (real) intellectual content to map the risk from an event such as a data breach, fraud incident or unexpected leadership departure. While the Croatian mercenaries decorated their shirt necks with a scarf, risk bow ties are used to protect the “necks” of modern-day organizations.
Why Consider the Bow Tie Method?
The bow tie method is a powerful tool that allows risk events to be visualized in an easy-to-understand picture. The simple diagram created from this method allows users to clearly outline the risks and differentiate between proactive and reactive risk management.
The following are key aspects of an effective bow tie analysis:
- Causes
- Controls
- Risk Event
- Mitigation
- Consequences
Tying all this information together creates a visual story that helps leadership address risk to the organization. To demonstrate, let’s separate the diagram into three parts: the left loop, the knot and the right loop.
Often, several elements together can kick off the risk event. In the bow tie methodology, these are called Causes and are drawn on the “left loop” of the analysis. Each cause has the potential to trigger the risk event if no action is taken to control it.
By definition, the purpose of risk management is to control risks. This is done by setting up barriers intended to prevent specific risk events from happening. Also known as Controls, these barriers are any actions taken against an adverse force or intention in order to maintain a desired state. Accordingly, controls are put in place to mitigate the effect(s) of specific risk event causes identified on the left side of the bow tie.
Unfortunately, controls cannot prevent every cause, and the result is the occurrence of a Risk Event. The risk event sits in the middle of the chart and represents “the knot.” The triggered event may not be catastrophic yet, but the threat and the potentially harmful consequences of the risk are now present.
If the organization does not prevent the risk event from occurring, or reduce its likelihood with effective internal controls, Mitigation is the next defense in its risk arsenal. Mitigations are strategies developed to minimize the effects of a risk. Subject Matter Experts (SMEs) and senior leadership should undertake a thorough process of brainstorming all possible risk effects and determine how to reduce potentially negative outcomes. Four commonly used risk mitigation techniques (recommended by Enterprise Risk Management (ERM) guidelines such as COSO and ISO 31000) are Avoid, Transfer, Mitigate, and Accept.
Like controls, mitigations are not perfect; there are still situations a mitigation cannot address. Consequences are outlined in the “right loop.” Consequences are the results of a triggered, undesired risk event negatively affecting an organization.
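As an added example (not part of the original post), the five elements just described can be put into a small model that checks the two questions a bow tie is meant to answer: which causes reach the knot with no control in front of them, and which consequences have no mitigation behind it. The data-breach sample below is constructed for illustration, as are the barrier names.

```python
from dataclasses import dataclass, field

@dataclass
class Barrier:  # a control (left loop) or a mitigation (right loop)
    name: str
    addresses: frozenset                 # the causes or consequences it covers
    treatment: str = "Mitigate"          # Avoid / Transfer / Mitigate / Accept, per the post

@dataclass
class BowTie:
    risk_event: str                                   # the knot
    causes: list                                      # left loop
    consequences: list                                # right loop
    controls: list = field(default_factory=list)      # proactive barriers
    mitigations: list = field(default_factory=list)   # reactive barriers

    @staticmethod
    def _uncovered(items, barriers):
        covered = set().union(*(b.addresses for b in barriers))
        return [i for i in items if i not in covered]

    def uncovered_causes(self):        # causes that reach the knot with nothing in the way
        return self._uncovered(self.causes, self.controls)

    def uncovered_consequences(self):  # consequences nothing softens after the knot
        return self._uncovered(self.consequences, self.mitigations)

    def render(self):                  # text form of the diagram, gaps flagged in capitals
        lines = [f"causes -> [{self.risk_event}] -> consequences"]
        for c in self.causes:
            names = [b.name for b in self.controls if c in b.addresses] or ["NO CONTROL"]
            lines.append(f"  {c} --{', '.join(names)}--> knot")
        for q in self.consequences:
            names = [f"{b.name} ({b.treatment})" for b in self.mitigations
                     if q in b.addresses] or ["NO MITIGATION"]
            lines.append(f"  knot --{', '.join(names)}--> {q}")
        return "\n".join(lines)

# Constructed sample data: a data-breach bow tie, one of the events the post names.
BREACH = BowTie(
    risk_event="Data breach",
    causes=["phishing e-mail", "unpatched server", "lost laptop"],
    consequences=["regulatory fine", "notification costs", "reputational damage"],
    controls=[Barrier("security awareness training", frozenset({"phishing e-mail"})),
              Barrier("patch management", frozenset({"unpatched server"}))],
    mitigations=[Barrier("cyber insurance", frozenset({"regulatory fine", "notification costs"}), "Transfer"),
                 Barrier("incident response plan", frozenset({"notification costs"}))],
)
```

`print(BREACH.render())` draws the diagram with the gaps marked, and `BREACH.uncovered_causes()` / `BREACH.uncovered_consequences()` return the lists a risk owner would take back to the SME session.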
The Benefits and Limitations of Bow Tie Analysis
Because risk is inherent to all industries, the bow tie methodology can be a powerful tool for businesses and nonprofits alike, offering a versatile and structured approach to risk management. Bow tie diagrams have several benefits. First, they are easy to use and produce a view that is intuitive for leadership to understand, which makes them an excellent tool for facilitating risk discussions.
Second, the structure of a bow tie diagram points to the mitigations required, based on the root causes that trigger risks and the consequences that result. Bow tie diagrams naturally bridge the gap between the proactive mitigations employed to prevent a Risk Event and the reactive mitigations that help an organization recover faster and decrease the impact.
Finally, bow tie diagrams are helpful because they provide a foundation for root cause analysis of risks and closer scrutiny of how mitigations and consequences are linked to other risks.
Ideally, the risk bow tie approach should be based on collaboration between the individual risk owners/managers and the ERM team. It is also important to note that while an organization may have a dedicated ERM team, risk and controls are the responsibility of all employees.
Although the bow tie represents an all-inclusive solution, there is no guarantee that it will protect the organization from all risk events and impacts. However, the thoughtful and systematic approach outlined in this process can significantly decrease an organization’s vulnerability. Perhaps more importantly, it forces the organization and its employees to think more holistically about risk, and about how individual actions and events can have a significant impact on the organization.
Learn More
GRF’s Risk & Advisory Services practice offers clients resources and proven best practices for effectively managing organizational risk.
Additional blog posts and recorded webinars on risk topics:
Why Associations are Implementing Enterprise Risk Management
Enterprise Risk Management for Nonprofits & Associations: Where Strategy Meets Risk
Be Prepared: Why Enterprise Risk Management is Essential for Nonprofits
Internal Audit is a Critical Investment for Nonprofit Organizations
Vulnerability Scanning and Penetration Testing Offer Tools for a Strong Security Posture
For questions or more information on risk management, contact Melissa Musser, CPA, CITP, CISA, Risk & Advisory Service Principal at mmusser@grfcpa.com.