Bow tie analysis: mapping your key risk drivers

From incident analysis to systematic improvement

Original content provided by 

Bow tie analysis is a way to identify the direct and indirect causes, as well as the consequences, of an incident, a risk event, or even a specific achievement. It can be effective for recognising patterns of operational failure in an organisation, as well as recurrent causes of success.

A bow tie analysis can help you get a complete picture of your risk events: not only what has happened but why, and what resulted from it. By visually mapping the ramifications of causes and impacts, this powerful technique helps you move beyond a single incident response to create truly systematic improvement.

Read on to learn how a bow tie analysis can transform your understanding of risk drivers and help you build a more resilient organisation. 

The key concepts of a bow tie analysis framework

The bow tie tool is an advanced form of root cause analysis focused on identifying your risk drivers. Whether you call them causal factors, risk factors, or risk drivers, these elements represent what causes incidents or increases the likelihood of adverse consequences. 

The name “Bow Tie” comes from the distinctive shape created when you expand the traditional cause-event-impact sequence into a comprehensive visual representation. At the centre lies your risk event, the incident that happened or could potentially occur. To the left, you map the various causes by repeatedly asking yourself why this event, its causes, and even the causes of its causes, occurred. Do this until you reach causes that lie outside your organisation's sphere of influence. To the right, you document both direct and indirect impacts, along with the actions taken to manage these consequences. This side of the analysis highlights both detective (how quickly you identified the problem) and corrective controls (how effectively you managed the consequences). 

Here is a practical example to illustrate this framework: imagine your organisation sent contracts to customers without specifying the interest rates. At the centre of your bow tie would be the incident: “contracts sent without interest rates.” 

Understanding causes - example bow tie analysis

Moving to the left, you ask: 

  • “Why did this happen?” Perhaps the program didn't work correctly. 
  • “Why didn't the program work?” There was a coding error.  
  • “Why was there a coding error?” A testing script was missing.  

This questioning continues until you have identified the various causes of the incident, including failing or missing preventative controls.

On the right-hand side of the bow tie lie the post-incident details: detection, direct impacts and indirect consequences of the event. How was the issue detected? Was it through customer complaints, regulatory scrutiny, or internal monitoring? What were the direct consequences, such as financial loss or a compliance breach? Did it lead to further indirect impacts, such as customer compensation, reputation damage, or regulatory penalties?

From this simple graphical tool, risk managers can gather a wealth of information. Comprehensive bow tie analyses require the collaboration of all the stakeholders who were involved either in the causes or consequences of an incident.  

Benefits of bow tie analyses: finding patterns across incidents

The most obvious benefit of the bow tie analysis is the deep understanding of individual mishaps. However, its true power emerges when you analyse multiple incidents to identify patterns. Every time your organisation experiences a significant operational incident or near miss, conducting a bow tie analysis creates an opportunity not just for specific improvement but for systematic learning. 

The key insight comes from comparing these analyses to identify so-called “patterns of failures”: recurrent causes appearing across multiple incidents, or specific controls that fail repeatedly (e.g. weak segregation of duties, or ineffective four-eyes validation). Likewise, features can emerge from the impact analyses of multiple incidents, such as long (or short) detection time, customer impacts and complaints (or effective apologies and no attrition). These patterns provide the most valuable insights for remedying an organisation’s systemic weaknesses and preventing numerous future incidents.

For example, if you notice that “inadequate testing” appears as a cause in multiple incidents in IT software rollouts, this may suggest a systemic weakness in the testing process, rather than an isolated issue. Similarly, if delayed detection consistently appears on the impact side, this points to a broader weakness in your detective controls.

Patterns of failures – and of success – are linked to an organisation’s way of operating and to its corporate culture. Keeping the strengths whilst specifically addressing the weak points through thematic action plans is a core aspect of valuable risk management.

By identifying patterns, you can implement targeted improvements that address root structural issues rather than symptoms.

Bow tie analysis and pattern identification for a European credit card company

Connecting analysis to Key Risk Indicators

Another powerful application of bow tie analysis is its role in developing leading Key Risk Indicators (KRIs). While we talk in-depth about KRIs in our next article, you should know that this type of analysis provides the foundation for effective risk monitoring. 

Leading KRIs are quantifiable proxies of your risk drivers. You can use both sides of the bow tie diagram to highlight different types of KRIs: 

  1. Cause-based KRIs: these leading indicators measure the fundamental risk drivers. For example, if employee fatigue is a cause, you might track continuous working hours or team vacancy rates. 
  2. Failed preventative control KRIs: when your analysis reveals weaknesses in preventative controls, monitoring these becomes a leading indicator. For instance, if segregation of duties is repeatedly compromised, tracking these weaknesses becomes a valuable KRI.
  3. Detection time as a KRI: how quickly you identify issues directly impacts their severity, especially for quickly developing events. Detection time is particularly crucial in cyber attacks, data leakage, or programme trading errors. 
  4. Corrective control KRIs: good incident management is critical to reduce the severity of impacts, especially in a crisis. KRIs around your corrective controls help you understand the quality of your incident management and improve your resilience. These KRIs could be about back-ups, recovery sites, emergency processes or communication to affected parties.

By deriving your KRIs directly from bow tie analyses, you ensure they measure what truly matters – the specific factors driving your organisation’s specific vulnerabilities to risk events. 
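The pattern search across incidents and the detection-time KRI described above can be run over a simple incident register. The following is an added example, not part of the original article: the record layout, function names, control labels, timestamps and the 24-hour threshold are assumptions, and only the first incident is taken from the article's contract example.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime
from statistics import median

@dataclass
class BowTie:
    event: str              # centre of the bow tie: the risk event
    causes: list            # left side: answers to the repeated "why?"
    failed_controls: list   # left side: preventative controls that failed or were missing
    occurred: datetime
    detected: datetime      # right side: when the event was identified

    def detection_hours(self):
        return (self.detected - self.occurred).total_seconds() / 3600

def recurring(incidents, attr, min_incidents=2):
    """Items that appear in at least min_incidents separate bow ties."""
    counts = Counter(i for bt in incidents for i in set(getattr(bt, attr)))
    return {item: n for item, n in counts.items() if n >= min_incidents}

def kri_report(incidents, slow_after_hours=24.0):
    """Patterns of failure plus a detection-time KRI (threshold is an assumption)."""
    hours = [bt.detection_hours() for bt in incidents]
    return {
        "cause_patterns": recurring(incidents, "causes"),
        "control_patterns": recurring(incidents, "failed_controls"),
        "median_detection_hours": median(hours),
        "slow_detections": [bt.event for bt in incidents
                            if bt.detection_hours() > slow_after_hours],
    }

# Constructed sample register; dates and the last two incidents are illustrative.
INCIDENTS = [
    BowTie("contracts sent without interest rates",
           ["program did not work correctly", "coding error", "missing testing script"],
           ["pre-release testing"],
           datetime(2024, 3, 1, 9), datetime(2024, 3, 4, 9)),
    BowTie("duplicate payment batch released",
           ["coding error", "missing testing script"],
           ["pre-release testing", "four-eyes validation"],
           datetime(2024, 5, 10, 8), datetime(2024, 5, 10, 20)),
    BowTie("customer data emailed to wrong recipient",
           ["manual address entry"],
           ["four-eyes validation"],
           datetime(2024, 6, 2, 10), datetime(2024, 6, 4, 10)),
]

if __name__ == "__main__":
    for name, value in kri_report(INCIDENTS).items():
        print(f"{name}: {value}")
```

Counting each cause once per incident keeps one long causal chain from looking like a pattern on its own; only items shared by separate bow ties are reported.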

Bow tie tool for KRI identification

Learning from success: positive bow tie analysis

While traditional risk management focuses on learning from failures, we often overlook an equally valuable source of insight: our successes. Positive risk management represents a powerful complement to traditional approaches. 

Psychology tells us that negative experiences tend to leave a bigger impression than positive ones – a phenomenon known as “negativity bias.” We are naturally more attuned to what hurts us than what helps us. However, this bias is precisely why we should deliberately focus more attention on analysing our successes. 

So why not apply a bow tie analysis to situations where things went extraordinarily well: 

  • projects with extremely tight deadlines that were nevertheless completed on time 
  • system disruptions that were managed without any customer complaints 
  • complex IT transitions executed flawlessly 

When everything works seamlessly in risk management, it often goes unnoticed. The key insight is to deliberately notice these successes and analyse them with the same rigor you would apply to failures. 

From personal experience with complex projects, three lessons consistently emerge from success analysis: 

  1. Have a plan and a backup plan: a plan B helps you execute your primary plan more effectively. Knowing you have fallback options reduces your anxiety about your original plan and improves your performance.
  2. Seek advice and support: complex challenges rarely have solo solutions. With professional advice or personal support, you have access to diverse perspectives and resources.
  3. Remain vigilant and flexible: good risk management requires continuous observation and rapid adaptation. Be willing to adjust your objectives, approaches or timelines based on changing circumstances. 

This positive approach to risk analysis doesn't replace traditional methods. It complements them, creating a more balanced, more inspiring risk management system. 

Bow tie analysis: root cause analysis of a success

Bow tie analysis represents one of the most powerful tools in risk management, offering insights that go far beyond simple incident documentation. By systematically mapping the causes and impacts of your risk events, you gain a deep understanding of what drives vulnerabilities in your organisation and how effectively your controls are functioning.

The true value emerges when you look beyond individual incidents to identify patterns, develop leading indicators, and learn from both failures and successes. This comprehensive approach transforms risk management from a reactive discipline focused on compliance to a strategic capability that drives resilience and sustainable performance.

In our next article, we will build on these concepts to explore Key Risk Indicators in greater depth, showing how the insights from bow tie analysis can be transformed into an effective monitoring system that provides early warnings of emerging risks.
