Every risk has a story. Something causes it. Something makes it worse. Something could have prevented it. The bow-tie diagram tells that entire story in a single visual, and it does so with a clarity that most risk assessment tools cannot match.

If you have ever tried to explain a complex operational risk to a room full of executives, plant managers, or compliance officers, you know the struggle. Risk registers are dense. Heat maps are abstract. Fault trees require a statistics degree to interpret.

The bow-tie method cuts through all of that. It shows the hazard at the center, the threats on the left, the consequences on the right, and the barriers (controls) that stand between them. One picture. Full story.

Originally developed in the late 1970s by Imperial Chemical Industries (ICI) in the UK and later adopted and refined by Royal Dutch Shell in the 1990s, the bow-tie method has become a standard risk assessment technique recognized by IEC/ISO 31010, the international standard for risk assessment techniques that supports the broader ISO 31000 risk management framework.

Today, it is used across oil and gas, aviation, healthcare, cybersecurity, mining, financial services, and virtually any industry where operational risk management matters.

This guide walks you through everything you need to build effective bow-tie diagrams: the components, a step-by-step methodology, real-world examples across multiple US industries, common mistakes to avoid, and a downloadable template you can use immediately. For a broader look at the risk assessment process, see our guide on the Five Steps of the Risk Management Process.

What Is Bow-Tie Risk Analysis?

A bow-tie risk analysis is a visual risk assessment method that maps out the relationship between the causes of a risk event, the event itself, and its potential consequences, along with the preventive and mitigative controls (barriers) that manage each pathway.

The resulting diagram looks like a bow-tie: threats fan out on the left, consequences fan out on the right, and the top event sits at the center knot.

The method combines two well-established analytical techniques into one unified view. The left side of the bow-tie is essentially a simplified fault tree, identifying the causal pathways that could lead to the top event.

The right side functions as an event tree, tracing the potential consequences if the top event occurs. What makes the bow-tie distinctive is the barrier layer: specific controls placed along each pathway to either prevent the event from happening (preventive barriers) or reduce the severity of consequences if it does (mitigative barriers).

This approach aligns directly with the cause-event-consequence structure that ISO 31000 uses to define risk. If you are familiar with the COSO ERM or ISO 31000 frameworks, you will recognize the bow-tie as a practical implementation tool that brings those abstract principles to life on a single page.

The Six Components of a Bow-Tie Diagram

Every bow-tie diagram is built from six core elements. Understanding each one is essential before you start drawing.

| Component | Definition | Example (Chemical Plant) |
| --- | --- | --- |
| 1. Hazard | A source or condition with the potential to cause harm. A normal part of operations. | Storage of flammable liquids |
| 2. Top Event | The moment control over the hazard is lost. No damage yet, but it is imminent. | Uncontrolled release of flammable liquid |
| 3. Threats | Specific causes or initiating events that could trigger the top event. | Corrosion of tank wall, operator error during transfer, external impact |
| 4. Consequences | Specific outcomes that result if the top event occurs. | Pool fire, toxic vapor cloud, environmental contamination, employee injury |
| 5. Preventive Barriers | Controls that stop a threat from reaching the top event. Placed on the left side. | Corrosion inspection program, transfer procedures, bollard protection |
| 6. Mitigative Barriers | Controls that reduce the severity of consequences after the top event. Placed on the right side. | Fire suppression system, emergency shutdown, spill containment bund, evacuation plan |

A critical addition: escalation factors. These are conditions that can degrade or defeat a barrier. For example, if your preventive barrier is a corrosion inspection program, an escalation factor might be inspector shortages, outdated procedures, or budget cuts that reduce inspection frequency.

Experienced practitioners always identify escalation factors for their most critical barriers, because a barrier that looks good on paper but fails under stress is worse than no barrier at all.

How to Build a Bow-Tie Diagram: Step-by-Step

Building a bow-tie is not something you do alone at your desk. The real value comes from running a cross-functional workshop where operations, safety, compliance, maintenance, and management professionals collaborate. Here is the process.

Step 1: Identify the Hazard

Start with a hazard identification exercise (HAZID, HAZOP, or simply reviewing your risk register). Select hazards with high consequence potential. You do not need a bow-tie for every risk in your register. Focus on your top 5 to 10 major accident hazards or critical operational risks.

Formulate the hazard as a normal aspect of your operations that has the potential to cause harm. “Flammable liquids in storage” is a hazard. “Explosion” is not. The hazard should describe the source of energy or harm, not the event itself.

Step 2: Define the Top Event

The top event is the pivotal moment when control over the hazard is lost, but before damage has actually occurred. This is a judgment call, and it often gets refined during the workshop. A useful test: if you can still prevent consequences after this point, you have probably defined the top event correctly.

Good examples: “Loss of containment from storage tank.” “Unauthorized access to patient records.” “Uncontrolled descent of lifting load.” Avoid vague formulations like “something goes wrong” or overly broad statements like “major accident.”

Step 3: Identify Threats (Left Side)

Work through every credible pathway that could lead to the top event. Be specific. “Equipment failure” is too generic. “Seal failure on transfer pump” gives your team something concrete to assess and control.

Common threat categories include equipment/mechanical failure, human error, external events (weather, third-party impacts), process deviations, and management system failures. For each threat, draw a line from the threat to the top event.

Step 4: Identify Consequences (Right Side)

For each pathway from the top event, trace specific consequences. Again, be concrete. “Environmental damage” is a category, not a consequence. “Hydrocarbon spill into storm drain reaching waterway” is a consequence you can plan against.

Think about consequences across multiple impact dimensions: safety (injury, fatality), environmental, financial, reputational, regulatory, and operational continuity.

This aligns with the impact categories you would use in a business impact analysis. For more on this process, see our guide, How to Perform a Business Impact Analysis.

Step 5: Place Preventive Barriers (Left Side)

For every threat-to-event pathway, identify the controls that prevent the threat from reaching the top event. Each barrier should be a specific, verifiable control, not a vague aspiration.

Strong barriers: “Automated pressure relief valve (tested quarterly).” “Permit-to-work system for hot work.” “Dual authorization for system access.”

Weak barriers: “Good training.” “Safety culture.” “Awareness.” These are enablers, not barriers. A barrier must be independently capable of stopping the threat pathway.

Step 6: Place Mitigative Barriers (Right Side)

For every event-to-consequence pathway, identify the controls that reduce the severity of the consequence. These include emergency response procedures, containment systems, backup systems, insurance, communication protocols, and recovery plans.

Step 7: Assess Barrier Effectiveness and Identify Escalation Factors

This is where many bow-tie exercises fall short. For each critical barrier, ask: what could cause this barrier to fail or degrade? Document these escalation factors and, where possible, identify escalation factor barriers, which are controls that maintain the integrity of your primary barriers.

For example, if your barrier is a fire suppression system, escalation factors might include: system not tested, water supply interrupted, detection system miscalibrated. Each of these needs its own control. This layered thinking is what separates a compliance-grade bow-tie from one that actually prevents incidents.

Bow-Tie Diagram Examples by Industry

The best way to understand how bow-ties work in practice is to see them applied to real operational risks across different industries.

The examples below are simplified for readability, but each follows the full structure described above.

Example 1: Oil and Gas (Process Safety)

| Element | Detail |
| --- | --- |
| Hazard | Pressurized hydrocarbon inventory in production piping |
| Top Event | Loss of containment (hydrocarbon release) |
| Threats | Corrosion/erosion of piping; mechanical seal failure on pump; third-party damage during construction; process overpressure due to control valve failure; vibration-induced fatigue cracking |
| Preventive Barriers | Corrosion monitoring program (ultrasonic testing); pressure safety valves (tested annually); mechanical integrity inspection program; permit-to-work system; process control interlocks (SIL-rated) |
| Consequences | Jet fire causing equipment damage; vapor cloud explosion; personnel injury/fatality; environmental contamination; regulatory enforcement action; production shutdown |
| Mitigative Barriers | Gas detection system with automatic shutdown; fire and gas suppression; emergency shutdown system (ESD); evacuation alarm and muster; oil spill response plan; mutual aid agreement with adjacent facilities |
| Escalation Factors | Overdue inspection backlog; safety valve set-point drift; simultaneous operations reducing available response resources; extreme weather conditions degrading detection equipment |

Oil and gas is where the bow-tie method gained its strongest foothold. Shell popularized the approach in the 1990s for safety case development, and it has since become industry standard for managing major accident hazards (MAHs).

The Bureau of Safety and Environmental Enforcement (BSEE) in the US has increasingly referenced barrier-based risk management in its oversight of offshore operations.

Example 2: Healthcare (Patient Safety)

| Element | Detail |
| --- | --- |
| Hazard | Administration of medications to hospital inpatients |
| Top Event | Wrong medication or wrong dose administered to patient |
| Threats | Physician prescribing error; pharmacy dispensing error; nurse transcription/administration error; look-alike/sound-alike drug confusion; patient misidentification |
| Preventive Barriers | Computerized physician order entry (CPOE); clinical decision support alerts; pharmacist order verification; barcode medication administration (BCMA) scanning; two-patient-identifier verification protocol |
| Consequences | Adverse drug reaction; patient harm/injury; extended hospital stay; malpractice litigation; regulatory citation (CMS/Joint Commission); reputational damage |
| Mitigative Barriers | Post-administration monitoring protocols; rapid response team activation; antidote/reversal agent availability; incident reporting system (near-miss capture); root cause analysis process; patient communication and disclosure protocol |

Healthcare organizations in the US are increasingly adopting bow-tie analysis for patient safety events, particularly medication errors and surgical complications.

The visual format is especially powerful for multidisciplinary teams (physicians, nurses, pharmacists, quality staff) who need a shared understanding of where controls exist and where gaps remain.

Example 3: Cybersecurity (Data Breach)

| Element | Detail |
| --- | --- |
| Hazard | Storage and processing of personally identifiable information (PII) |
| Top Event | Unauthorized access to PII database |
| Threats | Phishing attack compromising credentials; unpatched vulnerability exploited; insider threat (disgruntled employee); misconfigured cloud storage; third-party vendor compromise |
| Preventive Barriers | Multi-factor authentication (MFA); patch management program (SLA: critical patches within 72 hours); privileged access management; security awareness training; vendor risk assessment program; network segmentation |
| Consequences | Mass data exfiltration; regulatory fines (state breach notification laws, HIPAA, CCPA); class action litigation; customer churn; reputational damage; operational disruption |
| Mitigative Barriers | Data loss prevention (DLP) tools; SIEM/SOC monitoring and alerting; incident response plan (tested annually); breach notification procedures; cyber insurance; forensic investigation retainer; customer communication protocol |

Cybersecurity is one of the fastest-growing application areas for bow-tie analysis. The method is particularly well-suited to mapping threat vectors against the layered defense model that most security architectures follow.

For organizations building their cybersecurity KRI program, the bow-tie provides a natural structure for identifying which indicators to monitor. See our article on Cyber Security Key Risk Indicators Examples for more on this topic.

How Bow-Tie Analysis Fits Into Your ERM Framework

The bow-tie method is not a standalone tool. It works best when integrated into a broader enterprise risk management (ERM) program. Here is how it connects to the major components of a functioning ERM framework.

Risk Register. Each bow-tie corresponds to a risk in your register. The top event maps to the risk event description, the threats map to causes, and consequences map to impacts. Bow-ties give your register entries depth and visual clarity.

Control Assurance. The barriers in your bow-tie become the controls you need to test, monitor, and report on. Internal audit can use the bow-tie to plan control testing by focusing on the barriers that matter most to your critical risks.

Key Risk Indicators (KRIs). Every barrier should have at least one measurable indicator of its health. If your preventive barrier is a “quarterly corrosion inspection,” your KRI might be “percentage of inspections completed on schedule.”

If it is an “MFA policy,” your KRI might be “percentage of accounts with MFA enabled.” This connection between bow-ties and KRIs is where the method becomes operationally powerful. See our detailed guide on Enterprise Risk Management Key Risk Indicators.

Incident Investigation. When an incident occurs, the bow-tie provides a ready-made framework for root cause analysis.

You trace the actual pathway from threat to top event to consequence and ask: which barriers were in place? Which ones failed? Why did they fail? This turns incident investigations into barrier improvement exercises rather than blame assignments.

Board Reporting. Bow-ties are among the most board-friendly risk visualization tools available.

A single diagram communicates more about a critical risk than pages of register text. Many organizations use simplified bow-ties in their board risk packs to illustrate barrier health for their top 5 to 10 risks.

Common Mistakes to Avoid

Confusing the hazard with the top event. This is the most common error. The hazard is the source of potential harm (a normal part of your operations).

The top event is the moment you lose control. “Pressurized gas pipeline” is a hazard. “Gas release from pipeline” is the top event. Getting this wrong throws off the entire diagram.

Being too generic with threats and consequences. “Human error” tells you nothing actionable. “Operator bypasses lockout/tagout procedure during maintenance” tells you exactly where to focus your training, supervision, and procedural controls.

The same principle applies to consequences: “financial loss” is a category, not a consequence.

Listing “training” or “culture” as barriers. A barrier must be independently capable of stopping a threat pathway or reducing a consequence. Training supports barrier effectiveness, but it is not a barrier itself.

A barrier is something you can point to and say: this specific control would stop this specific pathway. Permit-to-work systems, interlocks, physical containment, automated alerts: those are barriers.

Ignoring escalation factors. A bow-tie without escalation factors paints an unrealistically optimistic picture. Every barrier can fail, and understanding the conditions under which it would fail is essential for realistic risk management.

Creating the bow-tie once and filing it away. Bow-ties are living documents. They should be updated when incidents occur, when controls change, when new threats emerge, or during periodic risk reviews. Tie them to your annual risk assessment cycle and your management review process.

Bow-Tie Analysis vs Other Risk Assessment Techniques

IEC/ISO 31010 lists approximately 30 risk assessment techniques, several of which overlap with or complement the bow-tie method. Understanding how they relate helps you pick the right tool for each situation.

| Technique | What It Does | Relationship to Bow-Tie |
| --- | --- | --- |
| Fault Tree Analysis (FTA) | Deductive analysis of causes leading to an event using Boolean logic gates. Quantitative. | The left side of the bow-tie is a simplified fault tree. FTA goes deeper with probability calculations. |
| Event Tree Analysis (ETA) | Forward analysis of event sequences and outcomes from an initiating event. Quantitative. | The right side of the bow-tie is a simplified event tree. ETA adds branching probability calculations. |
| HAZOP | Systematic study of process deviations using guidewords. Identifies causes and consequences. | HAZOP outputs feed directly into bow-tie threat and consequence identification. |
| FMEA/FMECA | Bottom-up analysis of component failure modes and their effects. | FMEA identifies specific failure modes that become threats in the bow-tie. |
| Scenario Analysis | Explores multiple plausible future states with interconnected variables. | Scenarios can define the conditions under which bow-tie barriers might simultaneously fail. |
| LOPA | Semi-quantitative assessment of whether existing protection layers reduce risk to tolerable levels. | LOPA evaluates whether the barrier layers shown in a bow-tie are sufficient for ALARP. |

The bow-tie’s strength is accessibility. It communicates risk structure to non-specialists in a way that fault trees and event trees cannot. Its limitation is that it does not natively calculate probabilities.

For quantitative rigor, pair the bow-tie with LOPA or FTA. For strategic breadth, pair it with scenario-based risk assessment. The bow-tie becomes your communication and integration layer.

Downloadable Bow-Tie Template: How to Use It

You do not need specialized software to get started with bow-tie analysis. A well-structured Excel or PowerPoint template works for most organizations, especially during initial workshops.

Dedicated software like BowTieXP (by CGE Risk Management Solutions) or Presight OpenRisk adds value when you need version control, barrier performance tracking, and integration with risk registers at scale.

Here is the structure for a practical Excel-based bow-tie template you can build or download:

Template Structure (Excel Workbook)

| Tab Name | Contents |
| --- | --- |
| 1. Bow-Tie Overview | Hazard description, top event, risk owner, date of last review, linked risk register reference |
| 2. Threats & Preventive Barriers | Column A: Threat description. Column B: Preventive barrier(s) for each threat. Column C: Barrier owner. Column D: Barrier type (engineering, procedural, human). Column E: Effectiveness rating (1-5). Column F: Escalation factors. Column G: KRI linked to barrier. |
| 3. Consequences & Mitigative Barriers | Same structure as Tab 2 but for the right side: consequence descriptions, mitigative barriers, owners, types, effectiveness, escalation factors, and linked KRIs. |
| 4. Barrier Health Dashboard | Summary view with conditional formatting (Red/Amber/Green) showing barrier effectiveness status. Links to KRI data feeds where available. Flags overdue inspections/tests. |
| 5. Visual Diagram | PowerPoint-style visual bow-tie using shapes and connectors. Can also be built directly in PowerPoint or Visio and embedded. |

Tip: Link the barrier effectiveness ratings and KRI columns to your organization’s KRI dashboard so that bow-tie data feeds directly into ongoing risk monitoring rather than sitting in a static file.

Practical Tips for Effective Bow-Tie Workshops

Run workshops with the right people. You need operational people who understand the actual hazards, not just risk analysts who understand the methodology.

The best bow-ties are built by mixed teams: a frontline supervisor, a safety professional, a maintenance lead, a compliance officer, and a risk manager facilitating.

Start with 5 to 10 hazards, not 50. Bow-ties require depth. A well-constructed bow-tie for your single most critical risk is worth more than 50 surface-level diagrams. Begin with the risks that keep your leadership awake at night and expand from there.

Use the “what if” test for barriers. For every barrier, ask: if this barrier were completely removed tomorrow, would the threat reach the top event (or the top event reach the consequence)? If the answer is no because another barrier would still stop it, that is fine: it means you have defense-in-depth. If the answer is yes and there is only one barrier on a pathway, you have a single point of failure.

Distinguish between hardware, software, and human barriers. Engineering barriers (interlocks, physical containment) are generally more reliable than procedural barriers (checklists, approvals), which are more reliable than purely human barriers (training, awareness). Knowing the barrier types on each pathway helps you assess overall defense-in-depth quality.

Review and update annually. Tie bow-tie reviews to your annual risk assessment cycle. After any incident or significant near-miss, revisit the relevant bow-tie immediately. Did a barrier fail? Was a threat not previously identified? Update the diagram and the associated controls.
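The “what if” test and the Tab 2 template columns can be checked mechanically. The Python sketch below is an added example, not part of the original article or its template: it takes the threats and preventive barriers from the cybersecurity example, flags enablers listed as barriers, single points of failure and barriers with no KRI, and returns a Red/Amber/Green status per pathway. The barrier-to-threat mapping, the ratings, the escalation factors, the KRIs other than the MFA one, and the status thresholds are all assumptions made for illustration.

```python
from dataclasses import dataclass, field

# The article treats these as enablers that support barriers, not barriers.
ENABLER_WORDS = ("training", "culture", "awareness")

@dataclass
class Barrier:
    name: str
    kind: str            # Column D: engineering, procedural or human
    effectiveness: int   # Column E: 1 (weak) to 5 (strong)
    kri: str = ""        # Column G: empty when no indicator is linked
    escalation_factors: list = field(default_factory=list)  # Column F

    def is_enabler(self) -> bool:
        return any(word in self.name.lower() for word in ENABLER_WORDS)

def assess_pathway(barriers, min_effective=3):
    """Apply the "what if" test to one threat-to-top-event pathway.

    Returns (status, findings). min_effective and the Red/Amber/Green
    cut-offs are assumptions of this example, not values from the article.
    """
    findings = [f"enabler listed as barrier: {b.name}"
                for b in barriers if b.is_enabler()]
    real = [b for b in barriers if not b.is_enabler()]
    working = [b for b in real if b.effectiveness >= min_effective]
    for b in real:
        if b.effectiveness < min_effective:
            findings.append(f"degraded barrier: {b.name}")
        if not b.kri:
            findings.append(f"no KRI linked: {b.name}")
    if not working:
        return "RED", findings + ["no effective barrier on pathway"]
    if len(working) == 1:
        sole = working[0]
        findings.append(f"single point of failure ({sole.kind}): {sole.name}")
        if not sole.escalation_factors:
            findings.append(f"no escalation factors documented: {sole.name}")
        return "AMBER", findings
    return "GREEN", findings

def assess_bowtie(pathways):
    """Return {threat: (status, findings)} for the left side of a bow-tie."""
    return {threat: assess_pathway(b) for threat, b in pathways.items()}

# Constructed sample. Threat and barrier names come from the cybersecurity
# example above; which barrier sits on which pathway, the ratings, the
# escalation factors and all KRIs except the MFA one are made up here.
SEGMENTATION = Barrier("Network segmentation", "engineering", 4,
                       "percentage of PII hosts in isolated segments",
                       ["temporary firewall exceptions left in place"])
SAMPLE_PATHWAYS = {
    "Phishing attack compromising credentials": [
        Barrier("Multi-factor authentication (MFA)", "engineering", 4,
                "percentage of accounts with MFA enabled",
                ["service accounts exempt from MFA"]),
        Barrier("Security awareness training", "human", 3)],
    "Unpatched vulnerability exploited": [
        Barrier("Patch management program", "procedural", 2,
                "percentage of critical patches applied within 72 hours"),
        SEGMENTATION],
    "Insider threat (disgruntled employee)": [
        Barrier("Privileged access management", "engineering", 4)],
    "Misconfigured cloud storage": [],
    "Third-party vendor compromise": [
        Barrier("Vendor risk assessment program", "procedural", 3,
                "percentage of vendors assessed in the last 12 months"),
        SEGMENTATION],
}

if __name__ == "__main__":
    for threat, (status, findings) in assess_bowtie(SAMPLE_PATHWAYS).items():
        print(f"[{status}] {threat}", *findings, sep="\n    - ")
```

The same function works for Tab 3 if each consequence is mapped to its mitigative barriers.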

Bringing It All Together

The bow-tie method succeeds where many risk assessment techniques struggle: it makes risk visible to everyone. Executives see the barriers protecting the organization from its most critical hazards.

Operators see exactly which controls they own and why those controls matter. Auditors see where to focus testing. And when something goes wrong, the bow-tie provides the framework for understanding why.

For US organizations operating in high-hazard industries, including oil and gas, chemical manufacturing, healthcare, aviation, construction, and increasingly cybersecurity, the bow-tie has moved from a “nice to have” to a core component of operational risk management.

Its recognition in IEC/ISO 31010 gives it international credibility, and its simplicity gives it practical reach that few other techniques can match.

Start with your top risk. Build one bow-tie. Get the right people in the room. Identify the barriers that matter. Assign owners. Link KRIs. Monitor. Review. That single exercise will tell you more about your risk posture than a dozen static risk register entries ever could.

For more on building a comprehensive risk management program that incorporates bow-tie analysis alongside other assessment techniques, explore our overview of What Is Enterprise Risk Management.

