How to Run a Risk Voting Workshop
Risk voting is an easy and powerful way to increase executive engagement in your ERM program and generate more value
A step-by-step guide on building risk bow ties for enterprise risk management including tools and templates to get you started.
A risk bow tie is a diagram that helps to visualize a risk event, along with its root causes, consequences and risk mitigations. Risk bow ties get their name from the shape that is created by their diagrams (see Figure 1 below). Risk bow ties started in the hazard management sector but have gained strong popularity in recent years in ERM programs. Executives and managers find them helpful because they communicate risk information in a single easy-to-understand picture. Bow tie diagrams easily display multiple scenarios together and help highlight the difference between proactive and reactive risk management steps.
Risk bow ties are intuitive and the easiest way to explain how they work is to walk through a simple example. The image below is taken from our Essential ERM software system. We will use it for our example going forward but note you do not need software to get started with bow tie diagrams (see bow tie templates at the bottom of this article).
Figure 1. Excerpt from the Risk Details screen in the Essential ERM software system showing a sample bow tie diagram. The bow tie diagram gets its name from the bow tie shape that is created by the 5 columns within it.
For our example, we will walk through a sample operational risk called “Data Center Outage Greater than 24 Hours.” If this risk event were to come to pass, the company’s systems would not be available for a prolonged period, causing serious disruptions for the company and its customers.
We will start with the initial traditional risk assessment process before getting into the bow tie diagram. As shown in Figure 2, the company’s subject matter experts (SMEs) for this risk have initially assessed the likelihood of this risk as “4 Likely” and the impact as “5 Extreme”, multiplied together to generate an inherent risk score of 20. The SMEs have not assessed or considered control effectiveness at this point, so the residual risk is currently the same as the inherent risk. Note that the resulting residual risk score of 20 is higher than the upper risk threshold that was set by the company’s board of directors through their risk appetite framework.
Figure 2. Initial risk scoring of the sample risk “Data Center Outage Greater than 24 hours”.
Now it is time to review the bow tie diagram in more detail. As shown in Figure 3, The bow tie has 5 columns. At the center is the Risk Event. The risk event is the event that we are hoping to prevent – the event that would occur if the risk were to materialize. The root causes that could trigger or contribute to the Risk Event are shown in the far-left column and the consequences that would be realized if the Risk Event occurs are shown on the far-right. Risk mitigations (controls) are shown as either being “pre-event” (trying to stop it from happening) or “post-event” (seeking to minimize impacts).
Figure 3. Blow up view of the 5-column bow tie diagram, showing the Risk Event at the center, the Root Causes in the far left column, the Consequences in the far right column, and the Pre-Event and Post-Event Mitigations in between.
To build a bow tie diagram, the SMEs start by adding in a short description of the risk event. They then consider and document the various root causes that could trigger the event. For example, a cyber attack or a terrorist attack could take down the data center. So could a fire or a flood, especially considering that the data center is located beside a large river. The subway construction ongoing in the area and the possibility of a local power failure. The SMEs can also recall the widespread power outage of 2002 and want to consider that in their assessment as well.
Once primary root causes have been identified, the SMEs go through a similar exercise to identify the consequences that would result from the datacenter outage.
As a final step, risk mitigations are added in either the pre-event or post-event column. Looking at the example, you can see immediately how root causes and consequences both point to the types of mitigations that are required. It is also easy to trace many different scenarios through diagram and to brainstorm about additional ways that mitigations could fail. For example, what if the redundant ISPs (internet service providers) were also knocked offline by a system-wide power failure?
Figure 4. Initial risk scoring of the sample risk “Data Center Outage Greater than 24 hours”. The rating of “Mostly Effective” for Control Effectiveness has lowered the Residual Risk to a score of 6, which falls within the organization’s risk appetite thresholds for this risk.
Once the bow tie diagram is complete, the SMEs can finish their risk rating. As shown by Figure 4 above, the SMEs have taken their current mitigations into account and rated the organization’s overall control effectiveness for this risk as “Mostly Effective.” Based on the organization’s framework, this has lowered the residual likelihood and impact of the risk event, resulting in a residual risk score of 6. Note that this score now falls within the organization’s desired risk appetite thresholds.
Figure 5. Four sample action plans created in response to review of bow tie diagram.
Finally, a review of the bow tie diagram may cause the SMEs to initiate additional Action Plans, either to further lower levels of residual risk or to assess and validate existing controls. In this case, the SMEs have decided to do a business continuity test in the near term while they work through other longer-term plans.
There are several benefits of bow tie diagrams. First, they are easy to use and generate a scenario-based view that is intuitive for business users to understand. Multiple scenarios and a great deal of information can be displayed in one simple diagram. Executives and business users tend to respond well to these diagrams and, when projected on a wall, they are an excellent tool to facilitate risk workshop discussions.
Second, the scenario-based structure of bow tie diagrams helps to point to required mitigations, based on the root causes that trigger risks and the consequences that result. Often risk mitigations are employed over long periods of time without reconsideration of whether they are still necessary or are the most effective option. Related to this, bow tie diagrams naturally bring attention to both the proactive mitigations that can be employed to prevent a Risk Event and the reactive mitigations that can help an organization recover faster and otherwise reduce the harmful impacts.
Finally, bow tie diagrams are helpful because they provide a foundation for root cause analysis and an examination of the links between mitigations and consequences with other risks. Identifying root causes that affect the most risks and the greatest consequences can be helpful in prioritizing mitigation resources. Understanding how mitigations can be shared between risks and root causes can often identify opportunities to pool efforts and reduce mitigation costs.
This form of dependency analysis is made easy with ERM software that can automatically track these relationships and provide real-time drill downs on root cases etc. Even if you do not have ERM software that supports the bow tie model, starting to build bow tie diagrams now will allow you to build up the foundational data for later analysis.
Risk bow ties are easy to build and maintain if you use an enterprise risk management (ERM) software tool that provides native bow tie diagram support. If you would like to experiment with bow tie diagrams, try our Essential ERM system.