On October 10, 2024, Pemex’s Deer Park, Texas, refinery released approximately 27,000 pounds of hydrogen sulfide, killing two contract workers.
The US Chemical Safety Board’s Volume 4 of Chemical Incident Reports, released in 2026, documents 13 major incidents across seven states with two fatalities and more than $1 billion in property damage.
Each one was a barrier failure that a credible Bow-Tie Risk Analysis would have surfaced months earlier.
Bow-Tie Risk Analysis is the visual technique that maps every threat that could trigger a top event, every consequence if the event lands, and every barrier on every pathway. The hazard sits at the center of the knot.
Threats fan left. Consequences fan right. Preventive and mitigative barriers stand on each pathway like checkposts.
The technique is recognized by IEC/ISO 31010:2019 and aligned to ISO 31000:2018.
It is the working language of barrier-based risk management for US enterprises in 2026, particularly in oil and gas, FAA-overseen aviation safety, chemical manufacturing, and increasingly healthcare and cyber.

Figure 1. The Bow-Tie Risk Analysis structure on one page.
What a Bow-Tie Risk Analysis Actually Maps
A Bow-Tie Risk Analysis is a visual risk-assessment method. It maps the cause-event-consequence chain of a single hazard onto one diagram and calls out every barrier by name. The left side is a simplified fault tree. The right side is a simplified event tree. Both join at the top event in the middle, and the structure mirrors the cause-event-consequence definition of risk in ISO 31000.
The technique works because it forces specificity. A risk register entry that says ‘cyber breach’ becomes a Bow-Tie Risk Analysis with named threats (phishing, unpatched CVE, insider, sub-processor compromise), named consequences (PII exfiltration, regulator notification, customer churn), and named barriers (MFA, patch SLA, DLP, SOC monitoring).
The CGE Risk Bowtie methodology overview remains the canonical practitioner reference.
The Six Components of a Bow-Tie Risk Analysis
| Component | Definition | Worked example (chemical plant) |
| Hazard | Source or condition with potential to cause harm; a normal part of operations | Storage of flammable liquids on site |
| Top event | The moment control over the hazard is lost; no damage yet, but imminent | Uncontrolled release of flammable liquid |
| Threats | Specific causes that could trigger the top event | Tank-wall corrosion; operator transfer error; external impact; overpressure |
| Consequences | Specific outcomes if the top event occurs | Pool fire; toxic vapor cloud; environmental contamination; employee injury |
| Preventive barriers | Controls that stop a threat from reaching the top event (left side) | Corrosion inspection; transfer procedures; bollard protection; SIL-rated interlocks |
| Mitigative barriers | Controls that reduce consequence severity after the top event (right side) | Fire suppression; emergency shutdown; spill containment; evacuation alarm |
On top of those six, escalation factors capture conditions that degrade or defeat a barrier. If the corrosion inspection program is the preventive barrier, an escalation factor might be inspector shortages or a delayed budget cycle.
The Bow-Tie Risk Analysis files that survive a regulator review always identify escalation factors for the critical barriers. A barrier that looks good on paper but fails under stress is worse than no barrier at all.
How to Build a Bow-Tie Risk Analysis: The Seven-Step Workshop
A Bow-Tie Risk Analysis is built in a workshop, not at a desk. The value comes from putting operations, safety, compliance, maintenance, and management in the same room for four hours and forcing the conversation onto a single page. The seven-step sequence below is what works for US enterprise programs in 2026.
Seven Steps of a Bow-Tie Risk Analysis Workshop
| Step | Action | Inputs | Outputs |
| 1 | Identify the hazard | HAZID, HAZOP, risk register top entries | Hazard statement (source of energy or harm, not the event itself) |
| 2 | Define the top event | Process knowledge + workshop facilitation | Single-sentence top event: the moment control is lost |
| 3 | Identify threats (left side) | Failure data, near-miss log, peer-incident review | Specific threat list per pathway |
| 4 | Identify consequences (right side) | Impact categories: safety, environmental, financial, reputation, regulatory | Specific consequence list per pathway |
| 5 | Place preventive barriers | Existing engineering, procedural, human controls | One or more named barriers per threat pathway |
| 6 | Place mitigative barriers | Emergency response, containment, recovery plans | One or more named barriers per consequence pathway |
| 7 | Assess effectiveness and escalation factors | Barrier reliability data, audit findings, incident history | Effectiveness rating + escalation factors + KRI links |
Two design rules carry the workshop. First, every barrier must be specific and verifiable. ‘Permit-to-work system tested quarterly’ is a barrier. ‘Safety culture’ is not. Second, every critical barrier needs an owner and a KRI.
The barrier owner stays accountable for the barrier’s health. The KRI is the leading metric that signals whether the barrier is healthy. Without both, the diagram is decoration.
Barrier Types and Effectiveness in a Bow-Tie Risk Analysis
Barrier effectiveness varies sharply by type. Engineering and hardware barriers (interlocks, bunds, pressure-relief valves) carry the highest reliability. They do not depend on a person remembering to act.
Procedural barriers (permits, checklists, dual-authorization) carry medium reliability. They depend on consistent execution under time pressure.
Human and behavioral barriers (training, awareness, observation) carry the lowest reliability and should never stand alone on a Bow-Tie Risk Analysis pathway.

Figure 2. Barrier types ranked on median effectiveness in a Bow-Tie Risk Analysis.
Barrier Type Comparison for a Bow-Tie Risk Analysis
| Barrier type | Examples | Median effectiveness | Common failure modes | How to strengthen |
| Engineering / hardware | Interlocks, PSVs, bunds, gas detection, MFA enforcement | ~85% | Maintenance backlog, set-point drift, calibration loss | Test cadence + competent-person sign-off + condition KRI |
| Procedural | Permit-to-work, dual approval, change control, runbooks | ~60% | Procedure not followed under time pressure | Audit sample + supervisor sign-off + completion KRI |
| Human / behavioral | Training, observation, awareness, situational judgment | ~35% | Decay over months; ineffective in stress events | Pair with engineering or procedural barrier; never sole barrier |
| Layered (defense-in-depth) | Engineering + procedural + human across multiple pathways | ~95% | Common-cause failure across layers | Independence test; common-cause review every 12 months |
Where Bow-Tie Risk Analysis Is Already Standard in the US
Bow-Tie Risk Analysis is now the default barrier-based risk method in oil and gas, aviation, chemical manufacturing, mining, and increasingly healthcare and cybersecurity.
The US Bureau of Safety and Environmental Enforcement (BSEE) references barrier-based risk management in its offshore oversight. The US Chemical Safety Board uses barrier logic in its incident reports.
The healthcare sector is following, particularly for medication safety after the 2024-2025 ISMP best-practices update.

Figure 3. Bow-Tie Risk Analysis adoption across US industries in 2025.
Bow-Tie Risk Analysis Examples by US Industry
Worked examples are the fastest way to read a Bow-Tie Risk Analysis. The three production-grade examples below cover oil and gas, healthcare, and cybersecurity. Each one follows the seven-step workshop output and would survive a regulator review.
Bow-Tie Risk Analysis Example 1: Oil and Gas Process Safety
| Element | Detail |
| Hazard | Pressurized hydrocarbon inventory in production piping |
| Top event | Loss of containment (hydrocarbon release) |
| Threats | Corrosion or erosion of piping; mechanical seal failure on pump; third-party damage during construction; process overpressure from control-valve failure; vibration-induced fatigue cracking |
| Preventive barriers | Corrosion-monitoring program (UT inspection); pressure safety valves tested annually; mechanical-integrity program; permit-to-work system; SIL-rated process control interlocks |
| Consequences | Jet fire; vapor cloud explosion; fatality or injury; environmental contamination; regulatory enforcement; production shutdown |
| Mitigative barriers | Gas detection with auto-shutdown; fire and gas suppression; emergency shutdown system (ESD); evacuation alarm; oil-spill response plan; mutual-aid agreement |
| Escalation factors | Inspection backlog; PSV set-point drift; simultaneous operations; extreme weather degrading detection |
Bow-Tie Risk Analysis Example 2: Healthcare Patient Safety
| Element | Detail |
| Hazard | Administration of high-alert medications to hospital inpatients |
| Top event | Wrong medication or wrong dose administered to a patient |
| Threats | Physician prescribing error; pharmacy dispensing error; nurse transcription / administration error; look-alike sound-alike confusion; patient misidentification |
| Preventive barriers | Computerized physician order entry (CPOE); clinical decision support alerts; pharmacist order verification; barcode medication administration (BCMA); two-identifier verification |
| Consequences | Adverse drug reaction; patient harm; extended stay; malpractice litigation; CMS or Joint Commission citation; reputational damage |
| Mitigative barriers | Post-administration monitoring; rapid-response team activation; antidote availability; near-miss capture; root-cause analysis; patient communication and disclosure |
| Escalation factors | CPOE downtime; alert fatigue; staffing pressure; new clinical protocol not yet trained |
Healthcare medication safety is a fast-rising application. The ISMP 2024-2025 Targeted Medication Safety Best Practices for Hospitals reflects the same barrier logic, and the Joint Commission National Performance Goal 14 on managing medications treats it as a board-level expectation. The bow-tie is what makes the program visible to non-clinical leadership.
Bow-Tie Risk Analysis Example 3: Cybersecurity Data Breach
| Element | Detail |
| Hazard | Storage and processing of personally identifiable information (PII) in production systems |
| Top event | Unauthorized access to PII database |
| Threats | Phishing-driven credential compromise; unpatched CVE exploited; insider threat; misconfigured cloud storage; third-party vendor compromise |
| Preventive barriers | Multi-factor authentication; patch management with 72-hour critical SLA; privileged access management; security awareness training; vendor risk assessment; network segmentation |
| Consequences | Mass exfiltration; state breach-notification fines; HIPAA or CCPA penalties; class-action litigation; customer churn; operational disruption |
| Mitigative barriers | Data loss prevention (DLP); SIEM/SOC monitoring; tested incident response plan; breach notification procedure; cyber insurance; forensic retainer; customer communication protocol |
| Escalation factors | MFA exception list growing; patch backlog; SOC analyst attrition; vendor SOC 2 expired |
Cyber teams running this Bow-Tie Risk Analysis layer it on top of the NIST Cybersecurity Framework 2.0 and feed the barrier list into a cyber security KRI program. The diagram is what lets the CISO and the board see the same picture.
How a Bow-Tie Risk Analysis Connects to Your ERM Framework
A Bow-Tie Risk Analysis is not a standalone tool. It works best as the visualization layer for a working enterprise risk management program.
Each bow-tie corresponds to a registered risk. Each barrier becomes a control to test. Each barrier needs at least one KRI. Incidents turn into barrier-improvement exercises rather than blame assignments.
Boards see one diagram per top-five risk instead of pages of register text.
Bow-Tie Risk Analysis Connections Across the ERM Framework
| ERM component | How the Bow-Tie Risk Analysis connects |
| Risk register | Top event maps to risk-event description; threats map to causes; consequences map to impacts. See the risk register template and guide. |
| Control assurance | Barriers become the controls internal audit tests. Critical-barrier audit plan replaces generic test sampling. |
| KRI program | Every critical barrier carries at least one KRI. Pair with the KRI dashboard guide. |
| Incident investigation | Bow-tie shows which barriers were in place, which failed, and why. RCA outputs feed back into the diagram. |
| Board reporting | One bow-tie per top-five risk in the board pack replaces dense register text. Barrier-health RAG tells the story. |
| Frameworks | Anchored to ISO 31000 and COSO ERM; recognized in IEC/ISO 31010. |
Bow-Tie Risk Analysis vs Other Risk Assessment Techniques
IEC/ISO 31010:2019 lists about 30 risk assessment techniques. Bow-Tie Risk Analysis sits in the cause-consequence family alongside fault tree analysis (FTA), event tree analysis (ETA), HAZOP, and LOPA.
Each has its own purpose. The bow-tie’s strength is communication. Its limit is that it does not natively calculate probabilities.
Bow-Tie Risk Analysis Compared to Adjacent Techniques
| Technique | What it does | Relationship to Bow-Tie Risk Analysis |
| Fault Tree Analysis (FTA) | Deductive, quantitative, Boolean-logic causes leading to an event | Left side of the bow-tie is a simplified fault tree |
| Event Tree Analysis (ETA) | Forward, quantitative analysis of consequences from an initiating event | Right side of the bow-tie is a simplified event tree |
| HAZOP | Systematic study of process deviations using guidewords | HAZOP outputs feed bow-tie threat and consequence lists |
| FMEA / FMECA | Bottom-up analysis of component failure modes | FMEA failure modes become bow-tie threats |
| LOPA | Semi-quantitative; tests whether protection layers reduce risk to ALARP | LOPA evaluates whether bow-tie barriers are sufficient |
| Scenario analysis | Multiple plausible future states with interconnected variables | Scenarios define common-cause conditions across bow-tie barriers |
Pair the bow-tie with LOPA or FTA for quantitative rigor. Pair it with scenario analysis for strategic breadth. The Bow-Tie Risk Analysis ends up as the layer that ties the rest of the toolkit together.
The HSE risk-assessment library gives the cleanest UK reference; the UpGuard ISO 31010 summary gives a US-language version.
Bow-Tie Risk Analysis Template Structure
A Bow-Tie Risk Analysis can run inside dedicated software, but most US programs start with a workbook template that gets the same job done for the first 10 to 20 hazards.
The template structure below plugs straight into a project risk register and a KRI dashboard.
Bow-Tie Risk Analysis Template Tabs and Contents
| Tab | Contents |
| 1. Overview | Hazard description, top event, risk owner, last review date, linked risk-register reference |
| 2. Threats and preventive barriers | Threat description; preventive barrier(s); barrier owner; barrier type (engineering / procedural / human); effectiveness rating 1-5; escalation factors; linked KRI |
| 3. Consequences and mitigative barriers | Same structure as Tab 2 but for consequence side |
| 4. Barrier health dashboard | Conditional-formatted RAG view of barrier effectiveness; flags overdue tests / inspections; links to KRI feeds |
| 5. Visual diagram | PowerPoint or Visio bow-tie embedded; export-ready for board pack |
| 6. Lessons learned log | Incident or near-miss tied to specific barriers; barrier strength updates |
Frequently Asked Questions About Bow-Tie Risk Analysis
What is a Bow-Tie Risk Analysis in plain language?
A Bow-Tie Risk Analysis is a single-page diagram. It shows how a top event could be triggered (threats on the left), what could happen if it lands (consequences on the right), and which barriers stand in the way of each pathway.
Imperial Chemical Industries developed it in the late 1970s. Royal Dutch Shell refined it in the 1990s. IEC/ISO 31010:2019 recognizes it as a standard risk assessment technique.
What are the six components of a Bow-Tie Risk Analysis?
The six components of a Bow-Tie Risk Analysis are the hazard, the top event, threats, consequences, preventive barriers, and mitigative barriers. Escalation factors sit on top of any critical barrier.
The hazard is the source of harm. The top event is the moment control is lost. Threats are specific causes that could trigger the top event. Consequences are specific outcomes if it lands. Barriers are the controls that stop or reduce each pathway.
What is the difference between preventive and mitigative barriers in a Bow-Tie Risk Analysis?
Preventive barriers stop a threat from reaching the top event. They sit on the left side of the Bow-Tie Risk Analysis. Mitigative barriers reduce consequence severity after the top event has occurred. They sit on the right side.
Both are needed. A program with only preventive barriers cannot recover when prevention fails. A program with only mitigative barriers accepts that the top event will happen.
Who should run a Bow-Tie Risk Analysis workshop?
A Bow-Tie Risk Analysis workshop runs with five roles in the room: a frontline operator or supervisor who knows the hazard, a safety or risk professional who facilitates, a maintenance lead, a compliance officer, and a senior manager with authority to fund control changes.
The facilitator owns the methodology. Operations owns the content. Compliance owns the regulatory mapping. Without the operator in the room, the diagram stays theory.
How often should a Bow-Tie Risk Analysis be refreshed?
A Bow-Tie Risk Analysis refreshes per event, not per calendar quarter.
Trigger conditions include any incident on the diagram, any near-miss that exposed a barrier weakness, any change to the underlying process or control, any new regulatory guidance, and any significant change in operating context.
On top of triggers, a calendar-driven annual review keeps the diagrams aligned to the wider risk-assessment cycle.
How does a Bow-Tie Risk Analysis link to ISO 31000 and IEC/ISO 31010?
ISO 31000:2018 sets the framework principles. IEC/ISO 31010:2019 lists the techniques. Bow-Tie Risk Analysis is one of the named techniques in the 31010 list.
It implements the cause-event-consequence definition of risk in 31000 and supports the identify-analyze-evaluate-treat-monitor lifecycle.
Mature US programs use the bow-tie as the visualization layer for the rest of the framework.
Where does Bow-Tie Risk Analysis fall short?
Bow-Tie Risk Analysis does not natively calculate probabilities. For quantitative rigor, pair it with LOPA or FTA.
It also does not handle simultaneous failures across multiple bow-ties. Common-cause analysis needs scenario-based work alongside.
And the diagram is only as good as the workshop that built it. A bow-tie produced by one analyst in isolation carries the same blind spots as the analyst.
What software do I need for a Bow-Tie Risk Analysis?
None to start. PowerPoint, Visio, or Excel are enough for the first 10 to 20 hazards. Once the program scales, dedicated tools like BowTieXP, Presight OpenRisk, or integrated GRC platforms add value through version control, barrier-health tracking, and integration with the risk register. Start with the workbook. Move to the platform once you can list the next 50 hazards by name.
Common Pitfalls in Bow-Tie Risk Analysis Programs
Most stalled US Bow-Tie Risk Analysis programs fail in predictable ways.
The list below covers the seven traps that come up most often during incident reviews and program assessments. Use it as a self-audit before the next regulator inspection or board risk committee.
| Pitfall | Root cause | Remedy |
| Hazard confused with top event | ‘Pressurized pipeline’ written as the top event instead of ‘gas release’ | Hazard = source; top event = moment control is lost |
| Threats and consequences too generic | ‘Human error’ or ‘financial loss’ in place of specifics | Force a noun-verb-object format per threat; force a quantitative consequence per pathway |
| Training and culture listed as barriers | Aspirations dressed up as controls | A barrier must be independently capable of stopping the pathway; training and culture support a barrier but never replace it |
| No escalation factors | Optimistic picture; barriers assumed to always work | Identify at least two escalation factors per critical barrier |
| No KRI per critical barrier | Diagram and dashboard run on parallel tracks | Every critical barrier carries one KRI feeding the live dashboard |
| One-time exercise, never refreshed | Diagram filed after workshop | Trigger-based refresh + annual review tied to risk-assessment cycle |
| Single-analyst diagram | Built in isolation, not in a workshop | Mandate cross-functional workshop with operations, safety, maintenance, compliance, leadership |
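Several of these pitfalls can be checked mechanically once a bow-tie is held as data rather than as a drawing. The block below is an added example, not part of the original article or of any bow-tie product: it audits a constructed version of the cybersecurity bow-tie from Example 3 against the rules stated on this page (no generic threats, no human barrier standing alone, and an owner, a KRI and at least two escalation factors for every critical barrier). The threat-to-barrier mapping, owners, KRI names and criticality flags are assumptions.

```python
from dataclasses import dataclass, field

BARRIER_TYPES = {"engineering", "procedural", "human"}  # template Tab 2 values
GENERIC_LABELS = {"human error", "financial loss"}      # the page's too-generic examples

@dataclass
class Barrier:
    name: str
    kind: str                  # one of BARRIER_TYPES
    critical: bool = False
    owner: str = ""            # accountable barrier owner
    kri: str = ""              # leading indicator of barrier health
    escalation: list = field(default_factory=list)

@dataclass
class Pathway:
    side: str                  # "threat" (left) or "consequence" (right)
    label: str
    barriers: list = field(default_factory=list)

def audit(pathways):
    """Return (pathway label, finding) tuples for each rule the bow-tie breaks."""
    findings = []
    for p in pathways:
        if p.label.strip().lower() in GENERIC_LABELS:
            findings.append((p.label, f"{p.side} is too generic"))
        if not p.barriers:
            findings.append((p.label, "no barrier on pathway"))
        elif all(b.kind == "human" for b in p.barriers):
            findings.append((p.label, "human barrier stands alone"))
        for b in p.barriers:
            if b.kind not in BARRIER_TYPES:
                findings.append((p.label, f"{b.name}: unknown barrier type"))
            if not b.critical:
                continue  # owner, KRI and escalation rules apply to critical barriers
            if not b.owner:
                findings.append((p.label, f"{b.name}: critical barrier has no owner"))
            if not b.kri:
                findings.append((p.label, f"{b.name}: critical barrier has no KRI"))
            if len(b.escalation) < 2:
                findings.append((p.label, f"{b.name}: fewer than two escalation factors"))
    return findings

# Constructed sample based on Example 3. Owners, KRI names, criticality flags and
# the escalation factors "Change freeze" and "Log source outage" are assumptions.
CYBER_BOWTIE = [
    Pathway("threat", "Phishing-driven credential compromise", [
        Barrier("Multi-factor authentication", "engineering", True, "IAM lead",
                "MFA exception count", ["MFA exception list growing"]),
        Barrier("Security awareness training", "human"),
    ]),
    Pathway("threat", "Unpatched CVE exploited", [
        Barrier("Patch management with 72-hour critical SLA", "procedural", True,
                "Infrastructure lead", "", ["Patch backlog", "Change freeze"]),
    ]),
    Pathway("threat", "Insider threat", [
        Barrier("Security awareness training", "human"),
    ]),
    Pathway("consequence", "Mass exfiltration", [
        Barrier("Data loss prevention (DLP)", "engineering"),
        Barrier("SIEM/SOC monitoring", "procedural", True, "SOC manager",
                "Mean time to triage", ["SOC analyst attrition", "Log source outage"]),
    ]),
]

if __name__ == "__main__":
    for label, finding in audit(CYBER_BOWTIE):
        print(f"{label}: {finding}")
```

Run against the sample, the audit flags the MFA barrier for listing only one escalation factor, the patch-management barrier for lacking a KRI, and the insider-threat pathway for relying on training alone.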
Where Bow-Tie Risk Analysis Is Heading: 2026-2028
The Bow-Tie Risk Analysis discipline is mid-shift. Three shifts will shape the next 24 months for US programs: dynamic bow-ties pulling live data from the operating environment, AI-assisted barrier-failure prediction, and tighter regulator referencing of barrier-based risk management in CSB, BSEE, FAA, and FDA enforcement.
Dynamic bow-ties are moving from pilot to production. Static workshop diagrams give way to bow-ties wired into the SCADA, the maintenance system, the SOC, and the audit findings database. Barrier-effectiveness ratings update in near-real time.
The CGE Risk BowTieXP roadmap already shows the direction; in-house GRC platforms are catching up fast.
AI-assisted barrier-failure prediction will move from research to operational use. Expect models that ingest incident history, near-miss reports, KRI feeds, and audit findings to forecast which barriers are degrading before they fail.
The CISA cybersecurity advisories archive already feeds cyber bow-ties. The same pattern will reach physical-safety bow-ties within 24 months, with OSHA enforcement data and FDA medical-device adverse events likely to feed those models first.
Regulators are tightening their referencing of barrier-based risk management. CSB incident reports use barrier logic more openly with each volume.
BSEE has been moving in the same direction for offshore safety cases. FDA is following for medical-device and pharma quality systems.
A US enterprise running its top risks without a Bow-Tie Risk Analysis program in 2026 is now behind on regulator expectation.

Chris Ekai is a Risk Management expert with over 10 years of experience in the field. He has a Master’s (MSc) degree in Risk Management from the University of Portsmouth and is a CPA and Finance professional. He currently works as a Content Manager at Risk Publishing, writing about Enterprise Risk Management, Business Continuity Management and Project Management.