Bow-tie Analysis:
A Practical Guide to Understanding Causes, Consequences and Controls
Bow-tie analysis is a risk management tool used to show how a risk can develop, what might cause it, what consequences could follow, and what controls are in place to prevent or reduce harm.
At its simplest, bow-tie analysis asks:
What could cause the unwanted event, what could happen afterwards, what controls stop it happening, and what controls reduce the impact if it does happen?
That makes it useful for risk management, health and safety, project management, construction, property, manufacturing, healthcare, cyber security, business continuity, charity governance, public sector services and board reporting.
The Bowtie method is widely used as a visual risk analysis tool because it helps organisations understand and communicate how high-risk scenarios may develop, while highlighting the effectiveness of controls.
Used properly, bow-tie analysis helps organisations move beyond a simple risk score and understand the full pathway from cause to consequence.
What is bow-tie analysis?
Bow-tie analysis is a visual method of risk assessment.
It is called a bow-tie because the completed diagram looks like a bow-tie:
- The hazard or source of risk sits on the left or at the centre.
- The top event sits in the middle.
- The threats or causes sit on the left.
- The consequences sit on the right.
- The preventive controls sit between the threats and the top event.
- The mitigating controls sit between the top event and the consequences.
- The escalation factors show what might weaken or defeat the controls.
Public Health Wales describes the bow-tie model as a visualisation tool that can describe an incident in relation to initial causes, negative consequences and barriers that prevent or control the hazard.
In simple terms:
The left side asks: what could cause the problem?
The centre asks: what is the point where control is lost?
The right side asks: what could happen afterwards?
The controls ask: what stops it, and what reduces the damage?
This makes bow-tie analysis especially useful where a risk has several possible causes and several possible consequences.
History and development of bow-tie analysis
Bow-tie analysis developed from the wider fields of hazard analysis, fault tree analysis, event tree analysis, process safety and barrier management.
The UK Government has stated that BowTie has roots in chemical industry course notes for a University of Queensland lecture on hazard analysis in 1979, although the exact origin is unclear. It also notes that mainstream use began after the Piper Alpha disaster, with Royal Dutch Shell adopting the methodology as a company standard for analysing and managing risk.
The method became particularly associated with high-risk sectors because it allowed complex risk scenarios to be shown visually. The same UK Government source notes that BowTie has found use in oil and gas, chemical safety, mining, rail, and civilian and military aviation.
The Rail Safety and Standards Board explains that the Bowtie method has grown in popularity since the 1990s as a visual way of capturing an overview of risk management practices, first originating in oil and gas and then expanding into sectors such as aviation, mining, maritime, chemical, financial and healthcare.
Over time, bow-tie analysis has moved beyond process safety. It is now used for operational risk, enterprise risk, environmental risk, healthcare risk, business continuity, cyber security and organisational governance.
The main elements of a bow-tie analysis
1. Hazard
A hazard is a source of potential harm.
It might be:
- A dangerous activity.
- A system.
- A process.
- A material.
- A piece of equipment.
- A working environment.
- A financial dependency.
- A data system.
- A vulnerable service process.
- A project condition.
In safety settings, the hazard may be something physical, such as working at height, a chemical process, heavy machinery or medication.
In business settings, the hazard may be something broader, such as dependency on one supplier, reliance on one IT platform, exposure to cyber attack, or dependence on one major customer.
The hazard sets the scope of the analysis.
2. Top event
The top event is the point at which control over the hazard is lost.
It is not usually the final consequence. It is the central event that allows consequences to follow.
Examples include:
- Loss of containment.
- Unauthorised access to data.
- Failure of a critical supplier.
- Loss of a key employee.
- Failure of a payment system.
- Missed statutory deadline.
- Loss of site access.
- Planning delay.
- Medication error.
- System outage.
Public Health Wales defines the top event as the point chosen in time when control over the hazard is lost.
The top event is one of the most important parts of the bow-tie. If it is defined too vaguely, the rest of the analysis becomes weak.
3. Threats
Threats are the possible causes of the top event.
They sit on the left-hand side of the bow-tie.
For example, if the top event is system outage, threats may include:
- Hardware failure.
- Software bug.
- Cyber attack.
- Supplier failure.
- Power cut.
- Human error.
- Failed update.
- Poor maintenance.
- Overloaded capacity.
- Network failure.
If the top event is missed statutory deadline, threats may include:
- Client information received late.
- Staff absence.
- Poor workflow.
- Incorrect diary entry.
- Software error.
- Lack of review.
- Inadequate training.
- Poor communication.
- Unexpected technical query.
- Weak escalation process.
Threats should be credible. The aim is not to list every theoretical possibility, but to identify realistic causes that need controls.
4. Preventive controls
Preventive controls are the barriers that reduce the likelihood of the top event occurring.
They sit between threats and the top event.
Examples include:
- Staff training.
- Maintenance procedures.
- Access controls.
- Approval limits.
- Checklists.
- Supplier due diligence.
- Quality review.
- Segregation of duties.
- System monitoring.
- Fire prevention measures.
- Cyber security controls.
- Contract management.
- Diary controls.
- Safe systems of work.
- Client onboarding procedures.
Preventive controls answer the question:
What stops this threat causing the top event?
A good bow-tie does not simply list controls. It should also test whether those controls are suitable, effective, owned and maintained.
5. Consequences
Consequences are the outcomes that may happen after the top event.
They sit on the right-hand side of the bow-tie.
For example, if the top event is system outage, consequences may include:
- Service disruption.
- Lost sales.
- Customer complaints.
- Missed deadlines.
- Data loss.
- Regulatory reporting.
- Reputational damage.
- Staff downtime.
- Financial cost.
- Contract penalties.
If the top event is supplier failure, consequences may include:
- Production delay.
- Customer delivery failure.
- Increased cost.
- Need for emergency sourcing.
- Loss of customer confidence.
- Programme delay.
- Contract dispute.
- Reduced margin.
- Reputational damage.
- Cash flow pressure.
Consequences should be specific enough to support planning.
6. Mitigating controls
Mitigating controls are the barriers that reduce the impact after the top event has occurred.
They sit between the top event and the consequences.
Examples include:
- Business continuity plan.
- Disaster recovery plan.
- Insurance.
- Incident response plan.
- Emergency procedures.
- Alternative supplier arrangements.
- Communication plan.
- Backup systems.
- Contingency budget.
- Customer notification process.
- Legal support.
- Safeguarding escalation.
- Manual workaround.
- Crisis management team.
- Recovery timetable.
Mitigating controls answer the question:
If the top event happens, what reduces the damage?
This is one of the strengths of bow-tie analysis. It does not only ask how to prevent something. It also asks how to respond if prevention fails.
7. Escalation factors
Escalation factors are conditions that weaken, defeat or reduce the effectiveness of a control.
Examples include:
- Staff not trained.
- Procedure not followed.
- System not maintained.
- Key person absent.
- Supplier not audited.
- Backup not tested.
- Alarm ignored.
- Checklist outdated.
- Policy not communicated.
- Control owner unclear.
- Budget not available.
- Poor data quality.
- High workload.
- Weak supervision.
- Complacency.
Public Health Wales defines escalation factors as conditions that defeat or reduce the effectiveness of a barrier.
This is extremely important because many controls look good on paper but fail in practice.
For example, a business continuity plan is only useful if it is current, understood and tested.
8. Escalation controls
Escalation controls are measures designed to protect the main controls from failing.
For example:
- Refresher training protects the staff training control.
- Audit checks protect the procedure control.
- Backup testing protects the disaster recovery control.
- Contract review protects the supplier control.
- Supervision protects the checklist control.
- Maintenance schedules protect the equipment control.
- Internal audit protects the financial control.
- Access review protects the cyber control.
- Board reporting protects the governance control.
- Mock exercises protect the emergency response control.
This makes bow-tie analysis more than a diagram. It becomes a way of testing whether risk controls are reliable.
Why bow-tie analysis matters
Bow-tie analysis matters because many risk tools show that a risk exists, but not how it develops.
A risk register might say:
Cyber attack: high risk.
A risk matrix might score it:
Likelihood 4 x Impact 5 = 20.
That may be useful, but it does not show:
- What could cause the attack.
- Which controls reduce the likelihood.
- What would happen if the attack succeeded.
- Which controls reduce the impact.
- Which controls are weak.
- Who owns the controls.
- What escalation factors could defeat the controls.
- What improvement actions are needed.
Bow-tie analysis fills that gap.
The Health Economics Unit’s guide explains that bow-tie analysis can make sources of risk, control effectiveness, potential consequences and gaps in risk management easily visible and understandable to a wide audience.
That is the real strength of the tool. It makes risk easier to understand, discuss and manage.
When to use bow-tie analysis
Bow-tie analysis is useful when a risk is important enough to need more than a simple risk score.
Good uses include:
- High-impact risks.
- Complex risks with several causes and consequences.
- Safety-critical processes.
- Business continuity risks.
- Cyber security risks.
- Construction risks.
- Property development risks.
- Healthcare and social care risks.
- Project delivery risks.
- Supplier failure risks.
- Financial control risks.
- Reputation risks.
- Safeguarding risks.
- Environmental risks.
- Operational risks.
- Regulatory risks.
- Major change programmes.
- Board or trustee risk review.
- Incident learning.
- Control assurance.
It is especially useful when the organisation needs to understand whether controls are actually sufficient.
It is less useful for minor risks that can be managed easily through normal controls. A full bow-tie diagram takes time, so it should be used where the risk justifies the effort.
Bow-tie analysis in different industries
SMEs and owner-managed businesses
For SMEs, bow-tie analysis can help make serious risks easier to understand.
Small businesses often manage risk informally. That can work for day-to-day matters, but it can leave the business exposed to major events.
Typical SME bow-tie topics include:
- Loss of a major customer.
- Cash flow failure.
- Cyber attack.
- Key person absence.
- Supplier failure.
- Major debtor default.
- Loss of premises.
- Reputational damage.
- Serious customer complaint.
- System failure.
Example:
Hazard: Reliance on one major customer.
Top event: Major customer terminates contract.
Threats: Poor service, price dispute, customer insolvency, competitor offer, relationship breakdown.
Preventive controls: Account management, service reviews, contract monitoring, customer satisfaction checks.
Consequences: Revenue loss, cash pressure, staff underutilisation, reduced profitability.
Mitigating controls: New business pipeline, cost control plan, cash reserves, alternative customer development.
For SMEs, the aim is not a complex technical diagram. The aim is a practical view of what could happen and what controls matter most.
Manufacturing
Manufacturing businesses are well suited to bow-tie analysis because many risks involve clear causes, controls and consequences.
Typical topics include:
- Machinery breakdown.
- Product defect.
- Supplier failure.
- Health and safety incident.
- Production shutdown.
- Quality failure.
- Fire.
- Energy disruption.
- Environmental release.
- Product recall.
Example:
Hazard: Operation of critical machinery.
Top event: Machine failure during production.
Threats: Poor maintenance, operator error, component wear, overload, power instability.
Preventive controls: Planned maintenance, operator training, inspection checks, alarms, operating limits.
Consequences: Production delay, injury risk, scrap, customer late delivery, repair cost.
Mitigating controls: Emergency stop procedures, spare parts, alternative production route, customer communication, insurance.
For manufacturing, bow-tie analysis should be linked to maintenance records, health and safety data, quality reports and production planning.
Retail and ecommerce
Retail and ecommerce businesses can use bow-tie analysis for customer, technology, stock and fulfilment risks.
Typical topics include:
- Website outage.
- Payment processing failure.
- Stock shortage.
- Delivery failure.
- Major product return issue.
- Cyber attack.
- Negative review surge.
- Supplier failure.
- Marketplace suspension.
- Pricing error.
Example:
Hazard: Dependence on ecommerce platform.
Top event: Website unavailable during trading period.
Threats: Hosting failure, failed update, cyber attack, payment integration fault, traffic overload.
Preventive controls: Monitoring, change control, security updates, capacity planning, supplier service levels.
Consequences: Lost sales, customer complaints, reputational damage, support backlog.
Mitigating controls: Incident response plan, backup communication channels, customer messaging, manual order process, disaster recovery.
For ecommerce, bow-tie analysis is useful because technology failures can quickly affect revenue and reputation.
Professional services
Professional services firms can use bow-tie analysis for deadline, quality, compliance and client relationship risks.
Typical topics include:
- Missed filing deadline.
- Professional negligence claim.
- Data breach.
- Conflict of interest.
- Loss of key client.
- Scope dispute.
- Poor file review.
- Client complaint.
- Fee dispute.
- Staff capacity failure.
Example:
Hazard: Statutory compliance work for clients.
Top event: Filing deadline missed.
Threats: Client information late, staff sickness, diary error, poor workflow, technical query unresolved.
Preventive controls: Deadline tracking, client reminders, workflow review, staff cover, manager review.
Consequences: Penalties, client dissatisfaction, complaint, reputational damage, professional risk.
Mitigating controls: Immediate client communication, appeal process, insurer notification where needed, remedial review, process improvement.
For accountants, solicitors, consultants, architects and advisers, bow-tie analysis helps connect professional standards, workflow controls and client impact.
Charities and voluntary organisations
Charities can use bow-tie analysis for safeguarding, funding, service delivery and governance risks.
Typical topics include:
- Safeguarding failure.
- Loss of major funding.
- Volunteer shortage.
- Service demand exceeding capacity.
- Data protection breach.
- Reputational damage.
- Trustee vacancy.
- Poor impact reporting.
- Partner failure.
- Staff burnout.
Example:
Hazard: Delivery of services to vulnerable families or individuals.
Top event: Safeguarding concern not escalated properly.
Threats: Poor training, unclear process, staff overload, weak supervision, poor record keeping.
Preventive controls: Safeguarding policy, training, supervision, case review, clear escalation routes.
Consequences: Harm to beneficiary, regulatory concern, loss of trust, funding risk, reputational damage.
Mitigating controls: Immediate safeguarding referral, incident review, trustee notification, support for affected individuals, external advice.
For charities, bow-tie analysis should support safeguarding culture and trustee oversight. It should not replace formal safeguarding procedures or case records.
Public sector and local government
Public bodies can use bow-tie analysis for service delivery, statutory duties, cyber risk, procurement, major projects and public safety.
Typical topics include:
- Failure to meet statutory duty.
- Contractor failure.
- Service backlog.
- Cyber attack.
- Budget overspend.
- Public consultation failure.
- Legal challenge.
- Data breach.
- Major incident response.
- Poor procurement outcome.
Example:
Hazard: Dependence on external contractor for critical service.
Top event: Contractor fails to deliver service.
Threats: Contractor insolvency, poor performance, staff shortage, contract ambiguity, weak monitoring.
Preventive controls: Due diligence, contract management, performance reporting, escalation meetings, financial checks.
Consequences: Service disruption, resident dissatisfaction, legal exposure, emergency costs, reputational damage.
Mitigating controls: Step-in rights, contingency contractor, emergency communication plan, legal support, service continuity plan.
For public bodies, bow-tie analysis should be linked to governance, procurement, audit, service continuity and public accountability.
Property and construction
Property and construction projects are strong candidates for bow-tie analysis because they often involve high-value, high-impact risks.
Typical topics include:
- Planning refusal.
- Contractor insolvency.
- Health and safety incident.
- Site access failure.
- Utilities delay.
- Cost overrun.
- Flooding.
- Fire.
- Structural defect.
- Tenant disruption.
Example:
Hazard: Live construction work on occupied site.
Top event: Unsafe interaction between site works and occupiers.
Threats: Poor segregation, weak communication, contractor error, access confusion, inadequate signage.
Preventive controls: Construction phase plan, site induction, physical barriers, permit system, communication with occupiers.
Consequences: Injury, work stoppage, enforcement action, claim, reputational damage.
Mitigating controls: First aid response, incident reporting, emergency plan, insurer notification, corrective action review.
For property and construction, bow-tie analysis should sit alongside the risk register, method statements, construction phase plan, insurance, legal review and project programme.
Technology and software
Technology teams can use bow-tie analysis to understand cyber, data, system and delivery risks.
Typical topics include:
- Data breach.
- System outage.
- Failed deployment.
- Data migration failure.
- AI output error.
- User adoption failure.
- Platform dependency.
- Integration failure.
- Ransomware attack.
- Loss of critical developer knowledge.
Example:
Hazard: Sensitive customer data stored in business systems.
Top event: Unauthorised access to data.
Threats: Phishing, weak passwords, unpatched software, excessive permissions, supplier vulnerability.
Preventive controls: Multi-factor authentication, patch management, access review, staff training, supplier security checks.
Consequences: Data loss, regulatory reporting, customer concern, reputational damage, financial cost.
Mitigating controls: Incident response plan, backups, legal advice, customer communication, cyber insurance, forensic support.
For technology and cyber risk, bow-tie analysis helps show that security is not one control. It is a system of controls.
Healthcare and social care
Healthcare and social care organisations can use bow-tie analysis for patient safety, medication, safeguarding, staffing and service continuity risks.
Typical topics include:
- Medication error.
- Safeguarding concern.
- Infection control failure.
- Poor handover.
- Staff shortage.
- Equipment failure.
- Data breach.
- Missed appointment.
- Care plan error.
- Failure to escalate deterioration.
Public Health Wales notes that bow-tie analysis can be used prospectively or retrospectively and can support communication of risks and controls to relevant stakeholders.
In this sector, bow-tie analysis should support professional judgement, safeguarding, clinical governance and quality improvement. It should not replace formal incident reporting or clinical procedures.
Education and training
Education providers can use bow-tie analysis for safeguarding, learner outcomes, digital platforms, funding compliance and course delivery.
Typical topics include:
- Safeguarding concern not escalated.
- Learner dropout.
- Low attendance.
- Funding evidence failure.
- Tutor absence.
- Assessment delay.
- Platform outage.
- Poor employer placement.
- Accreditation issue.
- Data breach.
Example:
Hazard: Delivery of accredited training programme.
Top event: Required assessment evidence missing.
Threats: Poor learner record keeping, tutor absence, unclear guidance, system issue, weak quality checks.
Preventive controls: Assessment checklist, tutor training, learner tracking, internal verification, system access controls.
Consequences: Funding clawback, learner delay, quality concern, reputational damage.
Mitigating controls: Evidence recovery plan, awarding body communication, learner support, internal review, corrective action.
For education, bow-tie analysis should connect to safeguarding, quality assurance, learner outcomes and funding compliance.
How to carry out bow-tie analysis properly
1. Define the purpose
Start with a clear reason for doing the analysis.
For example:
- To understand a high-scoring risk.
- To review control effectiveness.
- To support board risk reporting.
- To investigate an incident.
- To support a project risk review.
- To improve safety culture.
- To test business continuity arrangements.
- To explain a complex risk to stakeholders.
Without a clear purpose, the bow-tie can become too broad.
2. Define the scope
Decide what the bow-tie will cover.
A bow-tie should usually focus on one main top event.
For example:
- Data breach.
- Loss of major customer.
- Contractor failure.
- Medication error.
- Serious injury on site.
- Failure to meet statutory deadline.
- Service outage.
- Grant funding withdrawal.
If the scope is too wide, the diagram becomes confusing. If it is too narrow, it may miss important causes and consequences.
3. Identify the hazard
Define the hazard clearly.
Ask:
- What is the source of potential harm?
- What activity, process, system or condition creates exposure?
- What are we trying to keep under control?
- What could become dangerous if control is lost?
The hazard should be broad enough to explain the source of risk, but specific enough to guide the analysis.
4. Define the top event
The top event is the centre of the diagram.
Ask:
- What is the moment control is lost?
- What event links the causes and consequences?
- Is this a cause, or is it the central event?
- Is this a consequence, or does it happen before consequences unfold?
- Can the top event be described in one clear sentence?
A weak top event leads to a weak bow-tie.
For example:
Weak:
Cyber risk.
Stronger:
Unauthorised access to customer data.
5. Identify threats
List the credible causes that could lead to the top event.
Ask:
- What could cause the top event?
- What has caused similar events before?
- What are staff worried about?
- What do incident records show?
- What do audits show?
- What external threats exist?
- What assumptions are being made?
- What dependencies could fail?
Keep the list focused. A bow-tie should show credible threats, not every imaginable possibility.
6. Identify preventive controls
For each threat, identify controls that reduce the likelihood of the top event.
Ask:
- What stops this threat?
- Is the control already in place?
- Who owns it?
- Is it documented?
- Is it working?
- How do we know?
- When was it last tested?
- What evidence exists?
This is where bow-tie analysis starts to add real value.
It shows whether controls are real or assumed.
7. Identify consequences
List the credible consequences if the top event occurs.
Ask:
- What could happen next?
- Who would be affected?
- What would the financial impact be?
- What would the operational impact be?
- What would the safety impact be?
- What would the legal or regulatory impact be?
- What would the reputational impact be?
- What would happen to customers, service users or beneficiaries?
Consequences should be realistic and useful for planning.
8. Identify mitigating controls
For each consequence, identify controls that reduce impact.
Ask:
- What limits the damage?
- What response plan exists?
- Who activates it?
- Has it been tested?
- What resources are needed?
- What communication is required?
- What external support is needed?
- What evidence shows the control would work?
This helps separate prevention from response.
Both matter.
9. Identify escalation factors
For each important control, ask what could make it fail.
For example:
- Training not refreshed.
- Procedure not followed.
- System not tested.
- Owner unclear.
- Supplier not monitored.
- Data inaccurate.
- Staff under pressure.
- Alarm ignored.
- Policy out of date.
- No budget for maintenance.
Escalation factors are often where the most useful improvement actions appear.
10. Agree actions, owners and review
A bow-tie should lead to action.
Record:
- Control gaps.
- Weak controls.
- Missing evidence.
- Escalation factors.
- Required improvements.
- Risk owner.
- Control owner.
- Action owner.
- Deadline.
- Review date.
Without this step, the bow-tie is only a diagram.
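A bow-tie held as data rather than only as a diagram can be checked mechanically for the gaps that steps 6 to 10 ask about. The Python sketch below is an added example, not part of the original guide. It encodes the guide's "Unauthorised access to data" bow-tie. The threat-to-control mapping, owners, test dates, evidence, the 365-day test window and all class and function names are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import NamedTuple, Optional

REVIEW_DATE = date(2025, 6, 1)  # constructed "today" for the sample review


@dataclass
class Control:
    name: str
    owner: Optional[str] = None
    last_tested: Optional[date] = None
    evidence: Optional[str] = None
    implemented: bool = True  # False = planned only: an action, not a control
    # escalation factor -> escalation control guarding it (None = unguarded)
    escalation: dict = field(default_factory=dict)


@dataclass
class BowTie:
    hazard: str
    top_event: str
    threats: dict       # threat -> list of preventive Controls
    consequences: dict  # consequence -> list of mitigating Controls


class Gap(NamedTuple):
    side: str     # "preventive" (left of top event) or "mitigating" (right)
    pathway: str  # the threat or consequence the control sits on
    control: str  # control name, or "" when the pathway has no live control
    issue: str


def find_gaps(bt, today, max_test_age_days=365):
    """List control gaps. The 365-day test window is an assumed policy."""
    gaps = []
    sides = (("preventive", bt.threats), ("mitigating", bt.consequences))
    for side, pathways in sides:
        for pathway, controls in pathways.items():
            if not any(c.implemented for c in controls):
                gaps.append(Gap(side, pathway, "", "NO_IMPLEMENTED_CONTROL"))
            for c in controls:
                if not c.implemented:
                    gaps.append(Gap(side, pathway, c.name, "PLANNED_NOT_CURRENT"))
                    continue
                if not c.owner:
                    gaps.append(Gap(side, pathway, c.name, "NO_OWNER"))
                stale = (c.last_tested is None
                         or (today - c.last_tested).days > max_test_age_days)
                if stale:
                    gaps.append(Gap(side, pathway, c.name, "TEST_MISSING_OR_STALE"))
                if not c.evidence:
                    gaps.append(Gap(side, pathway, c.name, "NO_EVIDENCE"))
                for factor, guard in c.escalation.items():
                    if not guard:
                        gaps.append(Gap(side, pathway, c.name,
                                        "UNGUARDED_ESCALATION: " + factor))
    return gaps


def build_example():
    """The guide's data-breach bow-tie; all control metadata is constructed."""
    mfa = Control("Multi-factor authentication", "IT manager",
                  date(2025, 3, 1), "sign-in policy export")
    training = Control("Staff training", "HR lead", date(2023, 11, 1),
                       "attendance log",
                       escalation={"Training not refreshed": None})
    patching = Control("Patch management", "IT manager",
                       date(2025, 5, 1), "monthly patch report")
    access_review = Control("Access review", None,
                            date(2025, 1, 15), "review minutes")
    supplier = Control("Supplier security checks", implemented=False)
    backups = Control("Backups", "IT manager", date(2025, 4, 1), "restore log",
                      escalation={"Backup not tested": "Backup testing"})
    ir_plan = Control("Incident response plan", "Operations director")
    return BowTie(
        hazard="Sensitive customer data stored in business systems",
        top_event="Unauthorised access to data",
        threats={
            "Phishing": [training, mfa],
            "Weak passwords": [mfa],
            "Unpatched software": [patching],
            "Excessive permissions": [access_review],
            "Supplier vulnerability": [supplier],
        },
        consequences={
            "Data loss": [backups],
            "Regulatory reporting": [ir_plan],
        },
    )


if __name__ == "__main__":
    for gap in find_gaps(build_example(), REVIEW_DATE):
        print(gap.side, gap.pathway, gap.control or "-", gap.issue, sep=" | ")
```

Each returned gap corresponds to an entry to record under step 10: a control gap, missing evidence or an unguarded escalation factor that needs an action owner and a deadline.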
Common mistakes in bow-tie analysis
Mistake 1: Choosing a vague top event
If the top event is unclear, the whole analysis becomes confused.
Terms such as “financial risk”, “staff risk” or “cyber risk” are too broad.
Mistake 2: Mixing causes and consequences
Threats belong on the left.
Consequences belong on the right.
The top event sits in the middle.
Mixing them weakens the logic.
Mistake 3: Listing controls that do not really exist
A control should not be included just because it ought to exist.
If it is not actually implemented, it is an action, not a current control.
Mistake 4: Ignoring control effectiveness
A control may exist but be weak.
For example, a policy that nobody reads is not a strong control.
Mistake 5: Ignoring escalation factors
Controls fail for reasons.
Escalation factors help identify those reasons.
Ignoring them creates false confidence.
Mistake 6: Making the diagram too complicated
A bow-tie should clarify risk.
If it becomes too crowded, it may need to be split into several diagrams.
Mistake 7: Using it only after incidents
Bow-tie analysis can be retrospective, but it is also useful prospectively.
It should help prevent problems, not only explain them afterwards.
Mistake 8: No ownership
Controls need owners.
Actions need owners.
A bow-tie without ownership is weak.
Mistake 9: Treating the bow-tie as a one-off exercise
Risks, controls and circumstances change.
Bow-ties should be reviewed.
Mistake 10: Not linking to the risk register
A bow-tie should support the risk register, not sit separately from it.
Control gaps and actions should feed into live risk management.
Limitations and weaknesses of bow-tie analysis
Bow-tie analysis is useful, but it has limits.
It can oversimplify complex systems
A bow-tie is a simplified model.
Real events may involve feedback loops, human behaviour, culture, system interactions and changing conditions.
It depends on good judgement
The quality of the bow-tie depends on the people creating it.
If threats, controls or consequences are missed, the diagram may be misleading.
It can create false confidence
A neat bow-tie can make controls look stronger than they are.
Evidence is essential.
It can become too detailed
A very large bow-tie can become difficult to read.
Complex risks may need several linked diagrams.
It may not quantify risk
Bow-tie analysis is often qualitative.
It shows pathways and controls, but it may not give a precise probability or financial value.
It can underplay cultural factors
Culture, leadership, workload and incentives can affect many controls.
These factors can be difficult to show clearly in a simple diagram.
It must be maintained
Controls change.
People change.
Systems change.
Suppliers change.
A bow-tie that is not reviewed becomes stale.
It does not replace specialist analysis
Bow-tie analysis does not replace engineering analysis, clinical review, legal advice, cyber testing, financial modelling, health and safety assessment or professional judgement.
It is a tool for understanding and communicating risk pathways.
Bow-tie analysis compared with other strategic and management tools
Bow-tie analysis and risk register
A risk register records risks, controls, owners, actions and review dates.
Bow-tie analysis explains how a risk develops and how controls work.
Use the risk register to manage the overall risk process.
Use bow-tie analysis to understand important risks in more depth.
Bow-tie analysis and risk matrix
A risk matrix scores risks by likelihood and impact.
Bow-tie analysis shows the pathway from causes to consequences.
Use the risk matrix to prioritise.
Use bow-tie analysis to understand and improve controls.
Bow-tie analysis and issue log
An issue log records problems that have already happened.
Bow-tie analysis can be used retrospectively to understand how an issue occurred and what controls failed.
It can also be used prospectively to prevent similar issues in future.
Bow-tie analysis and assumptions log
Assumptions logs record what the plan is relying on.
Some assumptions may become threats in a bow-tie.
For example, the assumption that a supplier will deliver on time may link to a supplier failure top event.
Bow-tie analysis and root cause analysis
Root cause analysis looks backwards to understand why something happened.
Bow-tie analysis can look backwards or forwards.
Use root cause analysis after an incident.
Use bow-tie analysis to map causes, controls and consequences before or after an event.
Bow-tie analysis and business continuity planning
Business continuity planning explains how the organisation continues after disruption.
Bow-tie analysis helps show what could cause disruption, what controls prevent it, and what mitigating controls reduce the consequences.
Bow-tie analysis and internal audit
Internal audit tests whether controls are designed and operating effectively.
Bow-tie analysis helps identify which controls matter most and where assurance may be needed.
Bow-tie analysis and scenario planning
Scenario planning explores different possible futures.
Bow-tie analysis examines a specific risk event in detail.
Use scenario planning for broad uncertainty.
Use bow-tie analysis for defined risk pathways.
Bow-tie analysis and risk appetite
Risk appetite defines how much risk the organisation is willing to accept.
Bow-tie analysis helps show whether current controls reduce risk to an acceptable level.
Alternatives and complementary frameworks
Risk register
Use a risk register to record and manage risks across the organisation or project.
Bow-tie analysis can feed into it.
Risk matrix
Use a risk matrix to prioritise risks by likelihood and impact.
Bow-tie analysis is useful for the risks that need deeper review.
Root cause analysis
Use root cause analysis after an incident to understand why it happened.
Bow-tie analysis can then help design better controls.
Fault tree analysis
Fault tree analysis examines the causes of a failure in more technical detail.
Use it for complex technical systems where detailed causal logic is needed.
Event tree analysis
Event tree analysis examines possible outcomes after an initiating event.
Bow-tie analysis combines fault tree style thinking on the left with event tree style thinking on the right, but in a more accessible visual format.
Failure Mode and Effects Analysis
Use Failure Mode and Effects Analysis for product, process, engineering and quality risks.
It is useful where each failure mode needs structured assessment.
Business continuity plan
Use a business continuity plan to prepare the response to disruption.
Bow-tie analysis can identify where continuity planning is needed.
Control assurance framework
Use a control assurance framework to test whether controls are designed, implemented and operating effectively.
Bow-tie analysis helps identify the controls that need assurance.
A practical bow-tie analysis template
A useful bow-tie analysis template should include:
- Bow-tie reference.
- Date created.
- Risk owner.
- Hazard.
- Top event.
- Threats.
- Preventive controls.
- Control owners.
- Escalation factors.
- Escalation controls.
- Consequences.
- Mitigating controls.
- Control effectiveness.
- Evidence of control operation.
- Gaps identified.
- Actions required.
- Action owners.
- Deadlines.
- Linked risk register reference.
- Review date.
Example:
Hazard: Dependence on key IT system.
Top event: System unavailable during business hours.
Threats: Cyber attack, supplier outage, failed update, power failure, capacity overload.
Preventive controls: Cyber controls, change control, supplier service levels, monitoring, capacity planning.
Consequences: Service disruption, customer complaints, lost income, staff downtime, reputational damage.
Mitigating controls: Disaster recovery plan, manual workaround, customer communication plan, backup access, incident response process.
Escalation factors: Backups not tested, supplier contact outdated, staff unaware of manual process, recovery plan not rehearsed.
Actions: Test backups, update supplier escalation contacts, run recovery exercise, train staff on manual workaround.
Owner: Operations Director.
Review date: Quarterly.
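The template and example above can be kept as structured data so that the "Gaps identified" field is filled mechanically rather than by eye. The following is an added sketch, not part of the original guide: the item names come from the example, while the Control class, the find_gaps function, the control-to-item mapping, the owners and the evidence strings are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass
class Control:
    name: str
    side: str            # "preventive", "mitigating" or "escalation"
    covers: tuple        # threats, consequences or escalation factors addressed
    owner: str = ""      # template field "Control owners"
    evidence: str = ""   # template field "Evidence of control operation"

# Which kind of control answers which list in the template.
SIDE_FOR = {"threats": "preventive", "consequences": "mitigating",
            "escalation_factors": "escalation"}

def find_gaps(bowtie, controls):
    """Return sorted (problem, item) pairs for the 'Gaps identified' field."""
    gaps = []
    for key, side in SIDE_FOR.items():
        covered = {item for c in controls if c.side == side for item in c.covers}
        gaps += [(f"no {side} control", item)
                 for item in bowtie[key] if item not in covered]
    for c in controls:
        if not c.owner:
            gaps.append(("no control owner", c.name))
        if not c.evidence:
            gaps.append(("no evidence of operation", c.name))
    return sorted(gaps)

# Items are a subset of the page's example; the mapping of controls to
# items, the owners and the evidence strings are constructed.
BOWTIE = {
    "threats": ["Cyber attack", "Supplier outage", "Failed update",
                "Power failure", "Capacity overload"],
    "consequences": ["Service disruption", "Lost income"],
    "escalation_factors": ["Backups not tested", "Recovery plan not rehearsed"],
}
OD = "Operations Director"
CONTROLS = [
    Control("Cyber controls", "preventive", ("Cyber attack",), OD, "test report"),
    Control("Change control", "preventive", ("Failed update",), OD, "change log"),
    Control("Supplier service levels", "preventive", ("Supplier outage",), OD, "SLA review"),
    Control("Capacity planning", "preventive", ("Capacity overload",), OD, "capacity report"),
    Control("Disaster recovery plan", "mitigating", ("Service disruption", "Lost income"), OD),
    Control("Backup restore test", "escalation", ("Backups not tested",), OD, "restore log"),
]

if __name__ == "__main__":
    for problem, item in find_gaps(BOWTIE, CONTROLS):
        print(f"{problem}: {item}")
```

With this constructed mapping the check reports an uncovered threat, an escalation factor with nothing protecting the control, and a control with no evidence that it operates, which are the entries that would go into the template's gaps and actions fields.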
Questions to ask during bow-tie analysis
Hazard questions
- What is the source of potential harm?
- What activity, process or system creates the exposure?
- What are we trying to keep under control?
- Who or what could be affected?
- Is the hazard clearly defined?
- Is the scope too broad?
- Is the scope too narrow?
- Is this risk important enough for bow-tie analysis?
- What objective could be affected?
- Who should be involved in the analysis?
Top event questions
- What is the point where control is lost?
- Is this a specific event?
- Is it too vague?
- Is it really a cause?
- Is it really a consequence?
- Can it be written clearly?
- Does it link causes and consequences?
- Has this happened before?
- Could it happen in several ways?
- Is one bow-tie enough, or are several needed?
Threat questions
- What could cause the top event?
- What has caused similar events before?
- What do incidents and near misses show?
- What do audits show?
- What do staff say?
- What external threats exist?
- What supplier risks exist?
- What human factors matter?
- What system weaknesses matter?
- Which threats are credible?
Preventive control questions
- What stops each threat?
- Is the control real?
- Is the control documented?
- Who owns it?
- Is it effective?
- How do we know it works?
- When was it last tested?
- Is there evidence?
- Are there gaps?
- Is further action needed?
Consequence questions
- What could happen after the top event?
- Who would be affected?
- What would the financial impact be?
- What would the safety impact be?
- What would the customer impact be?
- What would the legal impact be?
- What would the reputational impact be?
- What would the operational impact be?
- What would the strategic impact be?
- Which consequences matter most?
Mitigating control questions
- What reduces the impact?
- What response plan exists?
- Who activates it?
- Is the response tested?
- Are resources available?
- Is communication planned?
- Is external support needed?
- Is insurance relevant?
- Is the control effective?
- What gaps remain?
Escalation factor questions
- What could make this control fail?
- Could staff forget or ignore the control?
- Could workload weaken it?
- Could systems fail?
- Could training be out of date?
- Could ownership be unclear?
- Could maintenance be missed?
- Could suppliers fail?
- Could poor culture weaken the control?
- What protects the control itself?
Governance questions
- Who owns the bow-tie?
- Who owns each control?
- Who reviews control effectiveness?
- How often is it reviewed?
- How does it link to the risk register?
- How are actions tracked?
- Which issues need escalation?
- What assurance is required?
- What should be reported to the board or trustees?
- What lessons have been learned?
The best way to think about bow-tie analysis
Bow-tie analysis is not just a diagram.
It is a way of understanding how risk develops and how controls protect the organisation.
A good bow-tie analysis should be:
- Clear.
- Specific.
- Visual.
- Evidence-based.
- Focused on controls.
- Honest about weaknesses.
- Linked to ownership.
- Linked to action.
- Reviewed regularly.
- Connected to the risk register.
A weak bow-tie says:
“Here is a diagram of the risk.”
A strong bow-tie asks:
“What causes this risk, what could happen, which controls matter, how could those controls fail, and what action is needed?”
The key question is not simply:
What does the bow-tie look like?
The better question is:
Does this analysis help us understand and improve control of the risk?
Conclusion: bow-tie analysis turns risk pathways into practical control thinking
Bow-tie analysis remains useful because many risks are not single events.
They are pathways.
A serious incident, service failure, cyber breach, missed deadline, construction delay or safeguarding concern may have several causes, several controls, several consequences and several opportunities for intervention.
Used badly, bow-tie analysis becomes a neat visual diagram that gives false reassurance.
Used properly, it becomes a practical risk management tool. It helps organisations understand causes, consequences, preventive controls, mitigating controls, escalation factors and control weaknesses.
The real value is not in drawing the bow-tie.
The real value is in the discussion, challenge and action it creates.
A strong bow-tie analysis helps an organisation move from saying, “This is a high risk,” to asking, “How exactly could this happen, what stops it, what reduces the impact, and are those controls good enough?”
