The Bowtie methodology takes its name from the layout of its risk diagram, which resembles a bowtie. This type of diagram illustrates risks and events in a timeline fashion. The goal is to identify all the situations that can lead to a specific event and to ensure that adequate mitigation measures are in place to prevent the event from happening. If the event happens anyway, further mitigation measures may limit its consequences. If the analysis shows that one of the paths to the event is unmitigated while another path has multiple mitigation measures (controls) installed, this indicates that the risk mitigation strategy might not be as balanced as intended.

  • The event at issue is the circle in the center of the bowtie.
  • The left side (blue) depicts what can be done in advance to prevent the event from happening (i.e., to reduce its likelihood). An event can be mitigated by choosing mitigation measures (preventive controls) that address the likelihood of the event occurring.
  • The right side of the diagram (red) depicts what might happen if the event occurs. Mitigation measures (preventive barriers) that control the consequences of the event may be deployed.
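
The balance check described above, as an added example that is not part of the original page: a bowtie is modelled as a central event with cause paths (left) and consequence paths (right), and each side is flagged when one path has no controls while another has several. The class names, the two-control threshold for "multiple" and the sample scenario are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class Path:
    """One line through the bowtie: a cause (left) or a consequence (right)."""
    name: str
    controls: list = field(default_factory=list)


@dataclass
class Bowtie:
    event: str           # the circle in the center
    causes: list         # left side: paths that can lead to the event
    consequences: list   # right side: what might happen if the event occurs


def side_findings(paths):
    """Report paths with no controls and paths with several (assumed: >= 2)."""
    gaps = [p.name for p in paths if not p.controls]
    stacked = [p.name for p in paths if len(p.controls) >= 2]
    # Unbalanced: at least one open path next to a heavily controlled one.
    return {"unmitigated": gaps, "multiple_controls": stacked,
            "unbalanced": bool(gaps and stacked)}


def analyse(bowtie):
    return {"left": side_findings(bowtie.causes),
            "right": side_findings(bowtie.consequences)}


# Constructed sample scenario, not taken from the page.
SAMPLE = Bowtie(
    event="Unauthorised access to the admin console",
    causes=[
        Path("Phished administrator credentials",
             ["MFA", "Awareness training", "Conditional access"]),
        Path("Unpatched VPN appliance"),
        Path("Password reused from an old breach", ["MFA"]),
    ],
    consequences=[
        Path("Customer data exfiltrated", ["Egress monitoring", "Encryption at rest"]),
        Path("Ransomware deployed", ["Offline backups"]),
        Path("Audit logs tampered with"),
    ],
)

if __name__ == "__main__":
    for side, result in analyse(SAMPLE).items():
        print(side, result)
```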

Many software packages exist that can assist with the analysis; however, a brainstorming session with post-it notes on a whiteboard can do the job as well. What matters is not fancy software, but that the right people are in the room and that the room and the brainstorming session are managed well.