On November 15, 2013, attackers broke into Target Corporation’s network using credentials stolen from Fazio Mechanical Services, a small HVAC vendor in Sharpsburg, Pennsylvania.
The phishing campaign that captured those credentials had run for at least two months prior. By December 15, BlackPOS malware on Target’s point-of-sale systems had exfiltrated payment data from 40 million card transactions plus 70 million PII records across 1,797 US stores. The $292 million multi-state settlement landed in May 2017. CEO Gregg Steinhafel resigned on May 5, 2014. CIO Beth Jacob resigned two months earlier, on March 5, 2014, becoming one of the first US executives to lose her job over a cyber breach.
| The Practitioner Cheat Sheet on Bow-Tie Risk Analysis |
| --- |
| A bow-tie risk analysis is a single-page diagram that shows how a hazard turns into a loss event and what controls sit on either side of that event. The left side shows threats and preventive controls; the center shows the loss-of-control moment (the top event); the right side shows recovery controls and consequences. The shape of the diagram looks like a bow-tie. |
| Target’s 2013 breach is the cleanest non-engineering example available. Attackers stole credentials from Fazio Mechanical, a small HVAC vendor, on November 15, 2013, then moved laterally to Target’s point-of-sale systems. From November 27 to December 15, BlackPOS malware captured payment data from 40 million card transactions across 1,797 stores. The $292 million settlement with 47 state attorneys general landed in May 2017. |
| Bow-tie risk analysis is a recognized risk-assessment technique under ISO/IEC 31010:2019, the international standard that catalogs risk-assessment methods supporting ISO 31000. The method originated at Imperial Chemical Industries in the late 1970s and Royal Dutch Shell formalized it in the 1990s after the 1988 Piper Alpha disaster. |
| A complete bow-tie risk analysis carries six parts: hazard, threats, preventive controls, top event, recovery controls, and consequences. Each control gets a named owner and an effectiveness rating, and each branch can carry escalation factors that explain how a control might fail. |
| The method is now used outside process safety — at US banks (cyber risk, third-party risk), at hospitals (patient safety), at airlines (operational risk), and at SaaS companies (service availability). Bow-tie risk analysis works anywhere the analyst needs to show a board both prevention and recovery in a single visual. |
| Build a bow-tie risk analysis in six steps: pick the hazard, name the top event, list threats on the left, list consequences on the right, fill in preventive and recovery controls between, then validate with a tabletop. One bow-tie typically covers one top event; a mature risk register links dozens of bow-ties to top-level enterprise risks. |
| The diagram is the artifact, not the goal. The goal is a conversation between operations, risk, audit, and the board about which barriers actually work. A bow-tie that ships every control as Yes without evidence is decorative; a bow-tie that names two failing barriers per top event is the one that drives change. |
Target became the textbook business school case in cyber risk management. Cyber-risk governance modules at executive education programs across the US now use some version of the Target story as the lead example. It is also the cleanest single illustration of how bow-tie thinking would have changed the outcome, and one that any non-engineer can follow. This walkthrough explains the bow-tie diagram, names each of its six parts, maps the Target breach onto it, and shows how to build one yourself. No process-safety background is required. Our cybersecurity risk management page anchors the broader cyber risk frame.
What a Bow-Tie Risk Analysis Actually Shows (No Engineering Background Required)
A bow-tie risk analysis is a single-page picture showing one hazard, one loss-of-control moment, and the controls that either prevent the loss or limit the damage after it happens.
The picture looks like a bow-tie because the left side fans out into threats while the right side fans out into consequences, meeting at a narrow center where the top event sits.
The bow-tie risk analysis is qualitative by default. It does not require math, probability distributions, or fault trees. A non-engineer can read one in five minutes and pick out which controls are weak. The output usually fits on a single page, which is why audit committees ask for them.
A Bow-Tie Risk Analysis at a Plain-English Glance
On the left side of any bow-tie risk analysis sits a list of threats that could push the institution toward a loss event. In the center sits the top event itself. On the right sits a list of consequences that follow if the top event happens.
Between the threats and the top event are preventive controls. Between the top event and the consequences are recovery controls. The diagram fits on one page, which is what makes the format work for board-level conversations.
Where Bow-Tie Risk Analysis Came From (Process Safety to Cyber)
The bow-tie risk analysis method originated at Imperial Chemical Industries in the late 1970s. It took off in process safety after the 1988 Piper Alpha disaster killed 167 workers on a North Sea oil platform.
The Cullen Inquiry recommended visual control mapping; Royal Dutch Shell developed bow-tie software in the 1990s. Cyber, healthcare, and SaaS picked the method up after 2010.
Figure 1. The generic anatomy of a bow-tie risk analysis. Threats fan in from the left, consequences fan out to the right, with the top event in the center.
Bow-Tie Risk Analysis Anatomy: The Five Parts Every Diagram Has
Five parts make every bow-tie risk analysis diagram readable. Each part has a defined role and a defined position.
The labels vary slightly across CCPS, ISO 31010, and corporate practice, but the structure is consistent enough that an audit committee can read any bow-tie regardless of which template the team used.
Left Side of the Bow-Tie: Threats and Preventive Controls
Threats sit on the far left of every bow-tie risk analysis as labeled boxes, one threat per box. Between each threat and the top event sit one or more preventive controls drawn as vertical bars.
Each bar is one barrier between the threat and the loss event. The bow-tie shows the chain visually: threat to control to control to top event.
Center of the Bow-Tie: The Top Event
The top event sits in the middle of the bow-tie risk analysis as the loss-of-control moment. Picking the right top event is the hardest part of building the diagram.
The top event should be the moment after which damage has already begun: the malware is on the POS, the oil is in the water, the wrong drug has been administered.
Set the top event too early and the diagram is pointless. Set it too late and the preventive side becomes empty. The discipline of naming the loss-of-control moment precisely is the single biggest determinant of a useful bow-tie.
Right Side of the Bow-Tie: Consequences and Recovery Controls
Consequences sit on the far right as labeled boxes, one consequence per box. Between the top event and each consequence sit recovery controls drawn as vertical bars.
These barriers limit damage after the loss has begun. In a cyber bow-tie risk analysis the recovery controls are the IR plan, customer notification, cyber insurance, and forensic counsel. Our essential steps of incident response page walks the response side.
Escalation Factors on Every Bow-Tie Branch
Each control bar in a bow-tie risk analysis can carry escalation factors, the conditions that cause the control to fail. A vendor MFA control might fail when SMS-based codes are intercepted.
A network segmentation control might fail when admin paths bypass the segmentation. Escalation factors hang below the relevant control bar as smaller boxes and force the analyst to name the failure modes explicitly.
Simple Example: Bow-Tie Risk Analysis for a Corporate Data Breach
The Target 2013 breach is the case to learn from. The full bow-tie risk analysis fits on a single page. Each box and bar in the diagram maps to a specific element of the actual breach.
The diagram makes visible what every postmortem report concluded: the controls that should have stopped the breach existed but were not working.
Figure 2. The Target 2013 breach mapped onto a bow-tie risk analysis. Each of the three failed preventive controls is one of the named gaps in the Verizon and Krebs postmortems.
Setting the Hazard for a Corporate Data Breach Bow-Tie
The hazard at Target was the customer payment card data flowing through 1,797 store point-of-sale systems. The hazard is not the breach; the hazard is the thing the institution wants to keep under control. Identifying the hazard correctly is step one in any bow-tie risk analysis.
Naming the Top Event for the Target Bow-Tie
The top event at Target was BlackPOS malware running on the POS systems. That is the loss-of-control moment. Before BlackPOS ran on the POS, the breach had not yet caused customer harm.
After BlackPOS ran, customer data was being captured continuously. The top event starts the clock that the recovery controls race against. Every minute past the top event added more cards to the loss.
Listing Threats Across the Bow-Tie Left Side
Three threats sat on the left side of the Target bow-tie risk analysis: phishing of the HVAC vendor (Fazio Mechanical) that yielded the initial credentials; weak network segmentation that let those credentials reach the POS environment; and no anomaly detection on POS traffic that would have flagged the BlackPOS command-and-control callbacks.
All three threats existed at the time of the breach. All three preventive barriers also existed, at least on paper. The diagram makes visible what the postmortem confirmed: none of the three barriers was operating effectively.
Listing Consequences Across the Bow-Tie Right Side
Three consequences sat on the right side of the Target bow-tie: the data loss itself (40 million payment cards plus 70 million PII records); the financial loss (the $292 million multi-state settlement plus an estimated $300 million in direct breach costs); and the leadership loss (CEO Gregg Steinhafel and CIO Beth Jacob both resigned in 2014).
Filling in Preventive and Recovery Controls on the Bow-Tie
The preventive controls between threats and top event on the Target bow-tie should have been vendor MFA plus phishing training, zero-trust network segmentation, and EDR on POS combined with a working SIEM.
The recovery controls between top event and consequences should have been an IR plan with a kill switch, 24-hour customer notification, and pre-arranged cyber insurance and IR counsel. The bow-tie names which barriers were absent and which were present but failing.
How to Read a Bow-Tie Risk Analysis Diagram in Five Minutes
An audit committee member with no risk background can read a bow-tie risk analysis in five minutes by following a fixed scan order.
The scan moves from the top event outward, then from threats to consequences. After five minutes the reader should be able to name which controls are strongest and which are absent.
| Step | What to Look At |
| --- | --- |
| 1. Read the top event | Find the box in the middle. Confirm the loss-of-control event makes sense for the hazard named on the diagram. |
| 2. Scan threats | Read the boxes on the left. Confirm the threats list is plausible and complete. Note any obvious threat that is missing. |
| 3. Inspect preventive controls | Look at the vertical bars between threats and top event. Each bar should be a named, owned, testable barrier — not a wish. |
| 4. Scan consequences | Read the boxes on the right. Confirm the consequences are stated in dollars, people affected, or regulator action — not in vague language. |
| 5. Inspect recovery controls | Look at the vertical bars between top event and consequences. Note any consequence that does not have at least one recovery barrier. |
How to Build a Bow-Tie Risk Analysis in Six Steps
Building one bow-tie risk analysis is a half-day workshop for a non-engineer team. The output is a single-page diagram plus a one-page narrative.
Six steps run in order, and none of them requires a process-safety background. Our approaches and tools for risk identification page pairs with the bow-tie method for upstream identification work.
The bow-tie is most effective when the risk has already been identified and the question is which controls stand between the threat and the loss.
Step 1: Pick the Hazard for the Bow-Tie Risk Analysis
Pick one hazard the bow-tie will protect: customer payment data, patient safety, plant uptime, fund liquidity, a critical API. The hazard is the thing the institution will lose control of if nothing else works.
Write it down at the top of the page. One bow-tie covers one hazard, not five. Bundling hazards is the most common reason a first bow-tie ends up unreadable.
Step 2: Define the Top Event in the Bow-Tie
Name the loss-of-control moment for this hazard. The top event is the precise point at which the institution has begun losing the hazard. Specificity is the discipline here.
For Target it was BlackPOS running on the POS. For a hospital it might be wrong-patient drug administration. For an airline it might be wing fuel leak on a moving aircraft. The verb and the object both matter, and vague top events produce vague bow-ties.
Step 3: Map Threats Onto the Bow-Tie Left Side
List three to seven threats that could cause the top event. Each threat is one distinct path to loss of control. The threats should be specific enough that an outsider could read them and ask which one happened in any postmortem.
Phishing is a threat. Insider misuse is a threat. Bad luck is not a threat, and neither is operational risk written at that level of abstraction. The vagueness test catches lazy threat naming early.
Step 4: Map Consequences Onto the Bow-Tie Right Side
List three to seven consequences that follow if recovery controls also fail. Each consequence is one type of damage. State each consequence in concrete terms: dollars, people affected, regulator actions, public disclosures. Vague consequences hide poor analysis.
Step 5: Add Preventive and Recovery Controls
Between each threat and the top event, name the preventive controls. Between the top event and each consequence, name the recovery controls.
Each control gets an owner and an effectiveness rating. Controls without owners are decoration. Controls without effectiveness ratings are aspiration. Our how to mitigate risk page covers the upstream classification work that feeds this step.
Step 6: Validate the Bow-Tie With a Tabletop
Run a tabletop exercise against the bow-tie. Pick one threat. Walk it through every preventive control and ask what fails. Walk the top event into recovery controls and ask which works.
The tabletop tests the diagram against operational reality. Bow-ties that survive one tabletop become the basis for board reporting. Our RCSA risk management page carries the self-assessment cadence.
Standards Behind Bow-Tie Risk Analysis (ISO 31010, CCPS)
Bow-tie risk analysis is a recognized risk-assessment technique inside the international standards. The method has institutional weight beyond consultant preference. Three standards bodies and one industry association anchor the practice.
ISO 31010:2019 and the Bow-Tie Risk Analysis Method
ISO/IEC 31010:2019, the international standard for risk assessment techniques, lists bow-tie analysis among the named methods supporting ISO 31000.
The standard describes the bow-tie as a graphical way to depict pathways from threats through events to consequences, with barriers between them. Auditors who reference ISO 31000 know what a bow-tie is.
CCPS and the American Petroleum Institute Using Bow-Tie
The Center for Chemical Process Safety, part of the American Institute of Chemical Engineers, published Bow Ties in Risk Management in 2018 with the Energy Institute.
The book formalized bow-tie practice for process industries. The American Petroleum Institute and the UK Health and Safety Executive use the same conventions.
Figure 3. How bow-tie risk analysis compares to FMEA, HAZOP, fault tree analysis, the risk register, and the 5×5 heat map across seven practical dimensions.
Common Bow-Tie Risk Analysis Mistakes (Pitfalls Table)
Seven patterns surface repeatedly when bow-tie risk analysis workshops go wrong. The table captures the recurring miss, the root cause, and the remedy that closes the gap. None of the patterns are unique to one industry; cyber, healthcare, and process safety all run into the same problems.
| Pitfall | Root Cause | Remedy |
| --- | --- | --- |
| Top event set too early or too late | Workshop confused the top event with a threat or a consequence | Top event must be the loss-of-control moment. Walk a real or hypothetical incident chronologically; the top event is the point where damage has begun |
| Preventive controls listed without owners | Workshop produced a wish list rather than a control inventory | Every control bar names a person and a system. Controls without owners get removed or marked as gaps |
| Consequences stated vaguely (reputational damage, regulatory action) | Workshop avoided putting numbers on outcomes | Every consequence states dollars, people affected, days of downtime, regulator name, or specific public disclosure |
| Bow-tie drawn but never tabletopped | Diagram completed in a workshop without follow-up testing | Schedule one tabletop per bow-tie within 30 days of creation; capture which controls failed in the exercise |
| Escalation factors ignored | Team treated controls as binary working / not working | Each critical control gets at least one named escalation factor explaining how it could fail |
| Bow-tie never linked to the risk register | Diagram lives in a workshop deck, not the GRC platform | Each register entry for a top-priority risk links to its bow-tie; bow-ties update on the same cadence |
| Diagram too crowded to read in five minutes | Workshop tried to fit a department-wide risk inventory on one bow-tie | One bow-tie covers one top event. Multiple bow-ties cover multiple events. Resist the urge to combine |
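The Target mapping, the six build steps, the five-minute scan, and the pitfalls table above all describe the same artifact from different angles, so one small model serves them all. The following is an added example, not tooling from this page or from Risk Publishing: a bow-tie data model and a lint that applies the page's own checks (3 to 7 threats and consequences, an owner and a rating on every control, a number in every consequence, an escalation factor on every critical control, a recovery barrier behind every consequence, and a tabletop within 30 days). The effectiveness scale, the owner strings, the created date, and the fourth "Reputational damage" consequence are constructed assumptions added to exercise the checks; the hazard, top event, threats, controls, and the first three consequences are the ones the page names for Target.

```python
# Added example: a bow-tie data model plus a lint applying the page's checks.
# Not tooling from the page or from Risk Publishing; see the lead-in for assumptions.
from dataclasses import dataclass, field
from datetime import date, timedelta

RATINGS = {"effective", "partial", "failing", "absent"}   # assumed rating scale
# Wording the page rejects as too vague for a threat or consequence box.
VAGUE_TERMS = ("reputational damage", "regulatory action", "operational risk", "bad luck")
TABLETOP_DEADLINE = timedelta(days=30)   # "one tabletop per bow-tie within 30 days"


@dataclass
class Control:
    name: str
    owner: str = ""                  # a person and a system; "" means unowned
    effectiveness: str = ""          # one of RATINGS; "" means never rated
    escalation_factors: list = field(default_factory=list)
    critical: bool = False

@dataclass
class Threat:
    name: str
    preventive_controls: list        # Control objects, left side of the diagram

@dataclass
class Consequence:
    name: str
    recovery_controls: list          # Control objects, right side of the diagram

@dataclass
class BowTie:
    hazard: str
    top_event: str
    threats: list
    consequences: list
    created: date
    last_tabletop: date = None


def all_controls(bt):
    """Every barrier on the diagram, preventive side first."""
    for th in bt.threats:
        yield from th.preventive_controls
    for c in bt.consequences:
        yield from c.recovery_controls

def _is_vague(text):
    return any(term in text.lower() for term in VAGUE_TERMS)

def lint(bt, today):
    """Return (code, detail) pairs, one per pitfall the diagram exhibits."""
    findings = []
    if not 3 <= len(bt.threats) <= 7:
        findings.append(("THREAT_COUNT", f"{len(bt.threats)} threats, expected 3-7"))
    if not 3 <= len(bt.consequences) <= 7:
        findings.append(("CONSEQUENCE_COUNT", f"{len(bt.consequences)} consequences, expected 3-7"))
    for th in bt.threats:
        if _is_vague(th.name):
            findings.append(("VAGUE_THREAT", th.name))
        if not th.preventive_controls:
            findings.append(("NO_PREVENTIVE_CONTROL", th.name))
    for c in bt.consequences:
        # A concrete consequence carries a number: dollars, people, days, or a year.
        if _is_vague(c.name) or not any(ch.isdigit() for ch in c.name):
            findings.append(("VAGUE_CONSEQUENCE", c.name))
        if not c.recovery_controls:
            findings.append(("NO_RECOVERY_CONTROL", c.name))
    for ctrl in all_controls(bt):
        if not ctrl.owner:
            findings.append(("NO_OWNER", ctrl.name))
        if ctrl.effectiveness not in RATINGS:
            findings.append(("NO_RATING", ctrl.name))
        if ctrl.critical and not ctrl.escalation_factors:
            findings.append(("NO_ESCALATION_FACTOR", ctrl.name))
    if bt.last_tabletop is None and today - bt.created > TABLETOP_DEADLINE:
        findings.append(("NO_TABLETOP", f"created {bt.created}, none run by {today}"))
    return findings

def failing_barriers(bt):
    """Controls rated failing or absent: the ones that drive change."""
    return [c.name for c in all_controls(bt) if c.effectiveness in ("failing", "absent")]

def target_2013():
    """The Target breach as the page maps it. Owners and dates are constructed."""
    return BowTie(
        hazard="Customer payment card data flowing through 1,797 store POS systems",
        top_event="BlackPOS malware running on the POS systems",
        threats=[
            Threat("Phishing of HVAC vendor (Fazio Mechanical) yields credentials",
                   [Control("Vendor MFA plus phishing training", "Vendor risk lead / IdP",
                            "failing", ["SMS-based codes intercepted"], critical=True)]),
            Threat("Weak network segmentation lets vendor credentials reach POS",
                   [Control("Zero-trust network segmentation", "Network team / firewalls",
                            "failing", ["Admin paths bypass the segmentation"], critical=True)]),
            Threat("No anomaly detection on POS traffic",
                   [Control("EDR on POS plus working SIEM", "SOC / SIEM",
                            "absent", critical=True)]),       # no escalation factor named
        ],
        consequences=[
            Consequence("Data loss: 40 million cards plus 70 million PII records",
                        [Control("IR plan with kill switch", "CISO / IR runbook", "partial")]),
            Consequence("Financial loss: $292 million settlement plus ~$300 million direct costs",
                        [Control("Pre-arranged cyber insurance and IR counsel",
                                 "General counsel / insurer", "absent")]),
            Consequence("Leadership loss: CEO and CIO both resigned in 2014",
                        [Control("24-hour customer notification")]),   # unowned, unrated
            Consequence("Reputational damage", []),   # constructed vague box, to show the check
        ],
        created=date(2013, 10, 1),   # constructed
    )
```

Running `lint(target_2013(), date(2013, 12, 16))` yields one finding per pitfall the diagram exhibits (the vague consequence with no recovery barrier, the critical EDR control with no escalation factor, the unowned and unrated notification control, and the missing tabletop), while `failing_barriers` returns the three preventive controls the postmortems named plus the absent insurance arrangement. The lint deliberately treats any control outside the rating scale as unrated rather than guessing, which is the "decoration versus evidence" distinction the page draws.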
Looking Ahead: Bow-Tie Risk Analysis in 2026-2027
Three forces will shape bow-tie risk analysis at US enterprises between 2026 and 2027.
The first is cyber risk adoption. CISOs at US banks, healthcare systems, and SaaS firms now use bow-tie diagrams in board reporting because the format communicates faster than a heat map. Our cyber security risk management framework page anchors the cyber side.
The second force is GRC platform integration. Tools like Archer, OneTrust, ServiceNow GRC, and Resolver now embed bow-tie templates that auto-populate from the risk register and control inventory. The diagram is no longer drawn from scratch in each workshop; the team edits a generated bow-tie. Time to first publishable diagram has dropped from days to hours.
The third force is regulatory expectation. The SEC’s December 2023 cybersecurity 8-K rule, the FDA’s 2024 quality system regulation update, and the FRB’s stress-test guidance all favor visual control mapping in board materials. Bow-tie diagrams are increasingly the visual that examiners reach for. Our guide to audit risk assessment pairs with the bow-tie for the audit-committee conversation.
The US institution that adopts bow-tie risk analysis for its top 10 enterprise risks in 2026, links each diagram to the risk register, and tabletops each one within 30 days of publication is the institution that absorbs all three forces with the smallest GRC rewrite. The diagram is the visible output. The discipline behind it (named owners, dated tabletops, evidence-backed control effectiveness) carries the program forward.
Infographic: The Six Parts of a Bow-Tie Risk Analysis
Figure 4. The six parts of a bow-tie risk analysis explained for non-engineers — hazard, threats, preventive controls, top event, recovery controls, and consequences.
Next Steps With Your Bow-Tie Risk Analysis
Risk Publishing helps US enterprises run bow-tie risk analysis workshops on cyber, third-party, and operational top events, then link the output to the enterprise risk register the audit committee reads quarterly. Review the advisory services page to see how the engagement runs, and contact the practice when bow-tie analysis is the next item on the GRC roadmap.

Chris Ekai is a Risk Management expert with over 10 years of experience in the field. He has a Master’s (MSc) degree in Risk Management from the University of Portsmouth and is a CPA and Finance professional. He currently works as a Content Manager at Risk Publishing, writing about Enterprise Risk Management, Business Continuity Management and Project Management.