Bow-Tie Risk Assessment

A step-by-step guide to identifying hazards, unwanted top events, and the barriers that keep them under control.

What is a bow-tie diagram?

A bow-tie diagram visualises the relationship between the causes of an unwanted event and its consequences, with the top event at the centre. On the left side are the threats (causes) that could trigger the top event; on the right side are the consequences that follow if the top event occurs. Barriers on each side represent the controls that either prevent the top event from happening or mitigate its impact.

[Diagram: Threat 1, Threat 2, Threat 3 → prevention barriers → Top Event → mitigation barriers → Consequence 1, Consequence 2, Consequence 3]

How to perform a risk assessment

1. Define your hazards

A hazard is a source of potential harm — a physical asset, substance, system, or situation with inherent danger. It is not yet an event; it is the precondition that makes harm possible.

Examples

  • Corporate IT Infrastructure
  • Chemical process plant operating with flammable hydrocarbons
  • High-voltage electrical substation

2. Identify the top event for each hazard

The top event is the specific unwanted event at the centre of the bow-tie — the moment control of the hazard is lost. Each hazard may have one or more top events; create a separate assessment for each one.

Key principle

The top event is a pivot point, not a consequence. It describes the loss of control itself, not the damage that results from it. Keep it specific and verifiable.

Examples

  • Ransomware deployed on the ERP software suite
  • Uncontrolled release of flammable hydrocarbons
  • Unauthorised access to industrial control system

3. Create an assessment and add threats

Threats are the causes on the left side of the bow-tie. Be specific enough that a barrier can be directly linked to each threat.

Technical: equipment failure, software vulnerability, unpatched system

H: operator error, phishing, social engineering, insider threat

Organisational: process gap, missing procedure, inadequate oversight

4. Identify consequences

Consequences appear on the right side and describe the outcomes if the top event is not controlled. List all realistic consequence types so that mitigation barriers can be assigned to each.

Examples for "Ransomware on ERP"

  • ERP system unavailability — core business processes halted
  • Loss or corruption of financial and transactional data
  • Supply chain disruption — orders and deliveries cannot be processed

5. Add barriers to each path

Barriers are the controls that interrupt a threat path or reduce the impact of a consequence.

Prevention: left (threat) side; stops the top event from occurring.

Mitigation: right (consequence) side; reduces or contains the impact after the top event.

6. Evaluate barrier implementations

For each barrier used in an assessment, record how it is implemented, link to evidence, and score its effectiveness 0–100 %. This score is reflected in the bow-tie diagram colour.

7. Review and iterate

Revisit the dashboard regularly to track coverage trends, identify under-evaluated barriers, and verify that the MITRE ATT&CK categories are adequately addressed.

  • ✓ Every threat path has at least one prevention barrier
  • ✓ Every consequence path has at least one mitigation barrier
  • ✓ All barriers in use are evaluated
  • ✓ Barrier ownership and testing schedule are documented

Ready to start?

Define your first hazard, then create a bow-tie assessment for each top event.