A classic bow tie is a great fit for a stylish, formal event.
A risk bow tie is a great fit for an ERM program and can really move your enterprise risk discussions forward.
From their origins in managing hazards in the Australian energy sector, risk bow tie diagrams have really caught on as a useful tool for enterprise risk programs administered for executive teams and Boards of Directors.
And while it can take 10 steps to get a bow tie perfect on your tuxedo, a helpful risk bow tie diagram can be quickly generated in 3 easy steps.
A risk bow tie diagram gets its name from the bow tie shape that it forms. The centre of the bow tie is the “risk event” that an organization would like to avoid or lessen the impact of. Root causes and consequences are mapped on either side of the event, along with the controls the organization has in place.
The power of the bow tie diagram is its ability to model complex risks in a single intuitive diagram. Multiple scenarios can be displayed at once and causality and control effectiveness can be considered in a concise, intuitive manner. This makes risk bow tie diagrams an extremely helpful tool for executive risk workshop discussions.
Here are those three easy steps to create a risk bow tie diagram:
1) Add the risk event to the centre of the diagram
This is the event that your organization wishes to avoid or lessen the impact of. A brief description of what the event would entail will provide context for your management team.
2) Identify the root causes and consequences of the event
Root causes are the contributing factors that trigger the risk event or increase the likelihood of it happening. For example, the root cause of a serious data breach might be a cyber attack. Root causes get added to the left side of the bow tie. Consequences are the negative outcomes that would result from the risk event occurring. The consequences of a data breach may be loss of customers, reputational damage, regulatory penalties, legal expenses, etc. Consequences go on the right side of the bow tie.
3) Identify your pre-event and post-event controls or mitigations
Pre-event controls are measures that seek to reduce the likelihood of a risk event occurring. They go between root causes and the risk event on the bow tie diagram. Post-event mitigations are measures that seek to lessen the impact of risk events when they do occur. They go between the risk event and consequences on your bow tie diagram.
Once you have these pieces filled out, you can brainstorm what further controls might be used to manage the risk, identify common root causes that affect multiple risks, draw up action plans that should be implemented to manage the risk, and more.
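The three steps and the follow-up analysis can be sketched in code. This is an added example, not part of the original post or of the Essential ERM platform: it records the data breach bow tie, lists causes and consequences that have no control yet, and finds root causes shared across risks. The control names, the laptop cause and the second risk are constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass, field

@dataclass
class BowTie:
    event: str  # step 1: the risk event at the centre
    # step 2 + 3, left side: root cause -> pre-event controls in front of it
    causes: dict = field(default_factory=dict)
    # step 2 + 3, right side: consequence -> post-event mitigations behind it
    consequences: dict = field(default_factory=dict)

    def gaps(self):
        """Return (causes with no pre-event control, consequences with no mitigation)."""
        return (sorted(c for c, ctl in self.causes.items() if not ctl),
                sorted(c for c, mit in self.consequences.items() if not mit))

    def render(self):
        """Plain-text bow tie: left-side rows first, then right-side rows."""
        left = [f"{c} -> [{', '.join(ctl) or 'NO CONTROL'}] -> {self.event}"
                for c, ctl in self.causes.items()]
        right = [f"{self.event} -> [{', '.join(mit) or 'NO MITIGATION'}] -> {c}"
                 for c, mit in self.consequences.items()]
        return "\n".join(left + right)

def common_root_causes(bow_ties):
    """Map each root cause that feeds more than one risk event to those events."""
    seen = defaultdict(list)
    for bt in bow_ties:
        for cause in bt.causes:
            seen[cause].append(bt.event)
    return {c: events for c, events in seen.items() if len(events) > 1}

# Constructed sample data: the cyber attack cause and the four consequences
# come from the article; every control and the second risk are illustrative.
breach = BowTie(
    event="Serious data breach",
    causes={"Cyber attack": ["Multi-factor authentication", "Patch management"],
            "Lost or stolen laptop": []},
    consequences={"Loss of customers": ["Customer notification plan"],
                  "Reputational damage": ["Crisis communications plan"],
                  "Regulatory penalties": [],
                  "Legal expenses": ["Cyber insurance"]})
outage = BowTie(
    event="Extended service outage",
    causes={"Cyber attack": ["Network segmentation"],
            "Data centre power failure": ["Backup generator"]},
    consequences={"Loss of customers": ["Failover to secondary site"]})

if __name__ == "__main__":
    print(breach.render())
    print("Gaps:", breach.gaps())
    print("Shared root causes:", common_root_causes([breach, outage]))
```

The gap list gives a workshop its starting agenda, and a shared root cause marks where one control improvement reduces the likelihood of several risk events at once.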
And just like that, you are on your way.
We have had quite a bit of positive experience with bow ties in ERM programs and with bow tie functionality in our Essential ERM platform. If you’d like to discuss or have any questions, let us know! Also tell us if you know an easy way to do a Half-Windsor…
Miles Smit, PhD