Why most risk assessments don't work

Before we get to bowtie diagrams, it's worth asking why so many risk assessments end up gathering dust.

The answer is usually one of two things: they're either too complicated (rows of numbers in a spreadsheet that only the person who built them can interpret) or too vague (a list of risks with no structure around what causes them or what happens if they occur).

Either way, the result is the same. Nobody reads them, nobody acts on them, and when something goes wrong, the assessment was no help at all.

Bowtie diagrams solve both problems.


What is a bowtie diagram?

A bowtie diagram is a visual tool that maps out a risk from its causes to its consequences, with your controls shown in between.

The name comes from its shape. Picture a bowtie:

[Diagram: a generic bowtie, read left to right. THREATS (Threat 1, Threat 2, Threat 3) -> PREVENTION (Control A, Control B, Control C) -> RISK EVENT -> MITIGATION (Control D, Control E, Control F) -> CONSEQUENCES (Impact 1, Impact 2, Impact 3)]

In one diagram, you can see the full picture of a risk: what triggers it, what stops it, and what you'd be dealing with if it happened anyway.

The knot in the centre is the risk event: the specific thing you're trying to prevent. The left side shows the threats that could cause it. The right side shows the consequences if it occurs. The barriers on each side are your controls.


A simple real-world example

Let's say you're a small business owner and one of your risks is losing customer data.

Example: Customer data breach

[Diagram: bowtie for a customer data breach]
  THREATS (left):       Phishing email clicked by staff; Weak passwords / reused credentials; Unpatched software vulnerability
  PREVENTION controls:  Awareness training; 2FA; Software updates
  RISK EVENT (knot):    Unauthorised access to customer data
  MITIGATION controls:  Incident response; Legal team; Cyber insurance
  CONSEQUENCES (right): Customer data exposed; Regulatory fine (GDPR); Reputational damage

Now you have a complete picture of one risk on a single page. Your board can understand it. Your team can act on it. And you can immediately see the gaps: if you have no controls on the consequence side, you're prepared to prevent the breach but completely unprepared for when it happens anyway.


What makes bowtie diagrams effective

It communicates instantly

Most risk documentation is built for the person who wrote it. A bowtie diagram is built for everyone else. The structure is intuitive: threats flow in from the left, consequences flow out to the right, and controls sit visibly in between. A CEO and a site worker can look at the same diagram and reach the same understanding. That shared clarity is rare in risk management, and genuinely valuable.

It shows the whole story, not just a rating

A risk score tells you how worried to be. A bowtie diagram tells you why, and what you're doing about it. By capturing causes and consequences together, teams move from abstract ratings to a concrete picture of how a risk actually unfolds. That shift from passive awareness to active understanding is where real risk management happens.

It makes control gaps impossible to hide

When controls are listed in a spreadsheet, gaps are easy to overlook. When they're mapped visually between threats and consequences, a missing barrier is immediately obvious: an unprotected line staring back at you. The bowtie format turns a theoretical exercise into a practical audit of whether your defences are actually in place.
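The customer-data-breach bowtie from the example above, held as data with the gap check this section describes (an added illustration, not code from the original article). The class and function names are my own, and pairing each control with a single threat or consequence line is an assumption made for the example; the diagram itself does not state the pairing.

```python
from dataclasses import dataclass
from typing import Dict, List

@dataclass
class Line:
    """One threat (left side) or consequence (right side) and the barriers on its line."""
    name: str
    barriers: List[str]

@dataclass
class Bowtie:
    risk_event: str            # the knot in the centre
    threats: List[Line]        # causes, each with its preventive controls
    consequences: List[Line]   # impacts, each with its mitigating controls

    def unbarriered(self) -> Dict[str, List[str]]:
        """Gap check: every line with no control on it, grouped by side of the bowtie."""
        return {
            "prevention": [t.name for t in self.threats if not t.barriers],
            "mitigation": [c.name for c in self.consequences if not c.barriers],
        }

    def render(self) -> str:
        """Plain-text bowtie: threat -> [barriers] -> event -> [barriers] -> consequence."""
        rows = [f"RISK EVENT: {self.risk_event}"]
        for t in self.threats:
            rows.append(f"  {t.name} -> [{' | '.join(t.barriers) or 'NO CONTROL'}] -> event")
        for c in self.consequences:
            rows.append(f"  event -> [{' | '.join(c.barriers) or 'NO CONTROL'}] -> {c.name}")
        return "\n".join(rows)

# The article's customer-data-breach bowtie as data (control-to-line pairing is assumed).
breach = Bowtie(
    risk_event="Unauthorised access to customer data",
    threats=[
        Line("Phishing email clicked by staff", ["Awareness training"]),
        Line("Weak passwords / reused credentials", ["2FA"]),
        Line("Unpatched software vulnerability", ["Software updates"]),
    ],
    consequences=[
        Line("Customer data exposed", ["Incident response"]),
        Line("Regulatory fine (GDPR)", ["Legal team"]),
        Line("Reputational damage", ["Cyber insurance"]),
    ],
)

# Constructed variant: prevention in place, nothing on the mitigation side.
prevention_only = Bowtie(breach.risk_event, breach.threats,
                         [Line(c.name, []) for c in breach.consequences])
```

Printing `prevention_only.render()` shows all three right-hand lines marked NO CONTROL, and `prevention_only.unbarriered()` lists them under "mitigation", which is the "prepared to prevent, unprepared for when it happens anyway" gap the example section warns about.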

It works across any risk, any sector

The bowtie structure is content-agnostic. The same diagram format that maps a fire risk on a construction site maps a data breach in a financial institution or a medication error in a hospital. Organisations that operate across multiple risk domains (or need a consistent framework across teams) find the bowtie model naturally adaptable without losing rigour.

It stands up to regulatory scrutiny

Boards, auditors and regulators don't just want to know that risks have been identified; they want evidence of structured thinking about causes, consequences and controls. The bowtie format produces exactly that. It demonstrates that risk management is methodical and defensible, not just a list of things that could go wrong.

Common questions

Is a bowtie diagram the same as a risk matrix?

No. They're complementary tools. A risk matrix rates risks by likelihood and severity. A bowtie diagram explains the structure of a single risk in detail. Many organisations use both: the matrix to prioritise which risks to focus on, and bowtie diagrams to analyse the high-priority ones in depth.

Do I need to be a risk professional to use bowtie diagrams?

No. Bowtie diagrams were designed to make complex risk analysis accessible to everyone. The structure itself guides you through the thinking. Most people complete their first bowtie in under 30 minutes.

How many bowtie diagrams do I need?

Start with your top three to five risks: the ones that would cause the most damage if they occurred. You don't need a bowtie for every risk on your register, just the ones that warrant a deeper look.

Are bowtie diagrams compliant with risk standards?

Yes. Bowtie methodology is recognised within ISO 31000 (risk management), IEC 61511 (functional safety), and other major risk frameworks, and bowtie diagrams are widely accepted for regulatory, governance and audit purposes.

Can I build a bowtie diagram for free?

Yes. A basic bowtie diagram can be drawn by hand, in a presentation tool, or using dedicated bowtie software. Most dedicated tools offer a free tier that covers the full diagram structure (threats, controls, risk event, and consequences) with export options for sharing or reporting.


Summary

A bowtie diagram is a structured way to think through a risk completely: from what causes it, to what stops it, to what happens if those controls fail. That structure is what makes it more useful than a risk rating or a spreadsheet row: it captures the logic of a risk, not just its label.

The method is well-established, works across any industry, and is accessible to anyone willing to think carefully about a single risk event. Start with your most significant risk, map it out, and see what the diagram reveals.