Risk assessment lies at the heart of the joint IRM, AIRMIC and ALARM risk management standard. And one of the most powerful and increasingly popular risk assessment techniques is the ‘bow-tie’ method, so called because it describes the management of risk in the shape of a bow-tie. This method goes beyond the usual risk assessment snapshot and puts emphasis on the linkage between risk controls and the management system. It thus can help to ensure that risks are truly managed, rather than just analysed. It forces practitioners into undertaking a comprehensive and structured approach to risk assessment, and it is also an excellent means of communicating risk issues to non-specialists.
The bow-tie method provides a readily understood visualisation of the relationships between the causes of business upsets, the escalation of such events, the controls preventing the event from occurring and the preparedness measures in place to limit the business impact (Fig 1). More importantly, the preventive and mitigating measures are linked to tasks, procedures, responsible individuals and competencies. This highlights the crucial connection between risk controls (whether hardware, procedural or competence-based) and the management system necessary for assuring their ongoing