Maximise Gain Minimise Loss Increase Value Promote Efficiency Identify Weaknesses Improve Processes Strengthen your Business

BowTie Risk Management Methodology


Despite it being arguably the most effective Risk Management paradigm around today, most organisations are not aware of the beauty, power and persuasiveness of BowTie Risk Management methodology.

Those who are aware of it are either using it or, making up the vast remainder, have heard good things about it but don't really know what it is or where to start.

In this post I'll show you what BowTie Risk Management methodology is all about.

Interest in BowTie Risk Management methodology is on the rise.

Although it has been around in many guises since (apparently) the 70s, and has become relatively widespread in the Oil, Gas and Chemical industries, this risk management methodology, which is suitable for all businesses and industries, is largely unknown.

From 2013 - 2015, 95% of our software requests were for BowTie systems and help about BowTie methodology.

What is BowTie Risk Management?

BowTie methodology is a structured, yet graphical approach to describing and analysing a cause to consequence pathway of potential events (risk events, safety events, process events etc), controlling them, and then importantly communicating them - all with the aim of minimising loss and maximising gain of any kind.

Unlike most Risk Management protocols, BowTie is interactive, graphical, user friendly, visual, collaborative and highly communicable - no more lists and spreadsheets!

There are 10 key components to a BowTie: a single Hazard, a single Top Event and an unlimited number of Threats, Consequences, Escalation Factors (2 types) and Controls (4 types), all of which are described below.

Although the first step of your BowTie analysis is always defining the Hazard and Top Event, after that the order in which you brainstorm the Risk Assessment via BowTie production is up to you. Commonly, you would define your Threats and Consequences first and work inwards from there.

Centre of the BowTie diagram


Hazard

A hazard is anything whatsoever that has the potential to cause a risk event (Top Event).

Safety example: Working at height

Enterprise example: Staff

Top Event

A Top Event is the centre of your BowTie. It is an undesired event/risk event that could happen due to the presence of the Hazard.

Safety example: Worker falls from height

Enterprise example: Staff productivity is very low

Left side of the BowTie diagram

The left hand side of the BowTie is all about working out the PROBABILITY of a Top Event happening, and preventing it.


Threats

Threats are anything that promotes the progression of the Hazard leading to the Top Event. There can be, and likely will be, several of these.

Safety example: Wind

Enterprise example: Recruitment procedure


Barriers

Barriers are a form of Risk Control. They are put in place to reduce the probability of the Threat leading to the Top Event. Just like all Risk Controls, Barriers can be anything at all - work orders, management procedures, equipment, maintenance, training etc. The key to a Barrier is that it reduces risk by reducing the probability, and it is entirely independent of other Barriers.

Safety example: Wind shields

Enterprise example: Candidates to undergo suitability check

Escalation Factors

An Escalation Factor is something that inhibits the effectiveness of the Barrier - that is, it reduces the probability reduction power of the Barrier and therefore increases risk. Escalation Factors in BowTie analysis are a fantastic way of adding further scrutiny to your Risk Management plan as they identify flaws in Risk Controls.

Safety example: Wind shield fails

Enterprise example: Suitability check ineffective

Escalation Factor Controls

An Escalation Factor Control is a form of Risk Control and is put in place to reduce the probability of a defined Escalation Factor negatively influencing a Barrier - Escalation Factor Controls reduce risk. Escalation Factor Controls in BowTie analysis can be viewed as a 'belt and braces' approach to Risk Management in that they add a further level of Risk Control to your Risk Management plan. Arguably, it is the Escalation Factor Controls that make BowTie methodology such a robust Risk Management tool - they are downstream Risk Controls put in place to aid upstream Risk Controls.

Safety example: Wind shield to be checked prior to every usage

Enterprise example: Hire an expert external consultancy to administer role-specific examinations

Right side of the BowTie diagram

The right hand side of the BowTie is all about working out and reducing the IMPACT that the Top Event could have on your organisation.


Consequences

A Consequence is something that could happen if the Top Event were to become a reality, and it is almost always something negative or undesired. A Consequence is always downstream of the Top Event, so when carrying out the right hand side of your BowTie analysis you need to assume that the Top Event has already occurred.

Safety example: Worker is severely injured as a result of falling from height

Enterprise example: Profits fall

Recovery Measures

A Recovery Measure is another form of Risk Control and it is put in place between the Top Event and Consequence in order to reduce the probability of the Top Event (after it has happened) leading to the Consequence. Recovery Measures reduce risk. Again, you have to assume that the Top Event has occurred when putting in place Recovery Measures; if you don't, it is quite easy to confuse Barriers with Recovery Measures (this is shown in the safety example below).

Safety example: Provision of a harness.
Many people would say a harness is a Barrier; however, we have stated that our Top Event is 'worker falls from height'. A harness will not stop someone falling, but it will prevent serious injury should they fall, which we have defined as our Consequence - a harness is therefore a Recovery Measure in this case. Nomenclature and context are important in BowTie analysis.

Enterprise example: Continual communication with shareholders

Recovery Measure Escalation Factors

Much like the left hand side Escalation Factors, the Recovery Measure Escalation Factors represent a further level in your Risk Management plan, and they are things that reduce the effectiveness of your Recovery Measure - they increase Risk by inhibiting the probability reducing power of your Recovery Measure.

Safety example: Harness fails

Enterprise example: Shareholders do not respond well to PR communications

Recovery Measure Escalation Factor Controls

Recovery Measure Escalation Factor Controls are a type of Risk Control that are put in place to prevent the negative effect of the Recovery Measure Escalation Factor they are attached to - they reduce risk. In fact, Recovery Measure Escalation Factor Controls represent the last line of defence in your BowTie analysis/Risk Management plan because it is here that you scrutinise, down to the lowest level, how to prevent a Consequence from occurring as a result of a Top Event coming to fruition.

Safety example: Harness to be maintained at regular intervals

Enterprise example: Financial Insurance

Together with the main diagram of this post, the text above explains the key components of a BowTie diagram and how BowTies are used for Risk Management.

This description represents a qualitative approach to BowTie Risk Management i.e. we haven't defined any values - we have simply described a chain of events.
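
The qualitative chain described above can be captured as a small data structure and checked for unaddressed elements. This is an added example, not code from the original post or from Risksoft's software; the class names and the find_gaps function are hypothetical, and the sample data is the post's safety example with the harness maintenance control deliberately left out so the check has something to report.

```python
from dataclasses import dataclass, field

@dataclass
class EscalationFactor:
    name: str
    controls: list = field(default_factory=list)  # Escalation Factor Controls

@dataclass
class Control:  # a Barrier (left side) or a Recovery Measure (right side)
    name: str
    escalation_factors: list = field(default_factory=list)

@dataclass
class Path:  # a Threat (left side) or a Consequence (right side)
    name: str
    controls: list = field(default_factory=list)

@dataclass
class BowTie:  # exactly one Hazard and one Top Event, any number of paths
    hazard: str
    top_event: str
    threats: list = field(default_factory=list)
    consequences: list = field(default_factory=list)

def find_gaps(bt):
    """Return (side, kind, name) for every element with nothing controlling it."""
    gaps = []
    for side, paths in (("left", bt.threats), ("right", bt.consequences)):
        for path in paths:
            if not path.controls:
                gaps.append((side, "uncontrolled path", path.name))
            for control in path.controls:
                for ef in control.escalation_factors:
                    if not ef.controls:
                        gaps.append((side, "uncontrolled escalation factor", ef.name))
    return gaps

# Constructed from the post's safety example; harness maintenance omitted on purpose.
safety = BowTie(
    hazard="Working at height",
    top_event="Worker falls from height",
    threats=[Path("Wind", [Control("Wind shields", [EscalationFactor(
        "Wind shield fails", ["Wind shield to be checked prior to every usage"])])])],
    consequences=[Path("Worker is severely injured as a result of falling from height",
        [Control("Provision of a harness", [EscalationFactor("Harness fails")])])],
)

if __name__ == "__main__":
    for gap in find_gaps(safety):
        print(gap)
```

Adding "Harness to be maintained at regular intervals" to the controls of the "Harness fails" escalation factor makes find_gaps return an empty list.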

In my next post, I will show you how to use BowTie Risk Methodology in a quantitative way - that is, to use BowTie Risk Management to fully quantify your Risk Management plan and add values to it - making it an extremely powerful risk tool when it comes to Risk Assessment, Risk Prioritisation, Risk Control and Risk Communication.

