
If you can't draw your top 5 risks as bow-ties, you don't know your risks

Norrsent Editor · 6 min read

Your risk register arrives as a spreadsheet. Twenty rows, three columns: risk title, inherent score, residual score. Everything is red or amber. The narrative says controls are "in place". You approve it. You have no idea what you just approved.

A heatmap is a list with traffic lights. Bow-tie analysis is a risk model. It shows the causal chain from threat to consequence, with every control positioned where it acts. Oil and gas uses it. Aviation uses it. Pharma uses it. The rest of the regulated economy mostly does not. That gap explains why so many firms cannot answer the first question a regulator asks after an incident: what was supposed to stop this?

The shape of the thing

A bow-tie diagram has one central event: the thing you do not want to happen. On the left, the threats. On the right, the consequences. Between threat and event sit preventive controls. Between event and consequence sit mitigative controls.

The diagram looks like a bow-tie laid flat. Threats funnel in from the left. Consequences fan out to the right. Controls sit on the lines, blocking or reducing the path.

Example: the central event is "loss of primary containment at offshore hydrogen production platform". Threats on the left include corrosion under insulation, overpressure from process upset, dropped object impact during crane operations, subsea pipeline integrity failure, or simultaneous operations creating ignition source. Preventive controls include ultrasonic thickness monitoring, pressure relief valve testing, lift plan approval process, in-line inspection pig runs, or permit-to-work system. If the event happens anyway, consequences include fatalities, environmental discharge, production shutdown, regulatory enforcement, or loss of offtake contract. Mitigative controls include gas detection and ESD system, mustering and evacuation procedure, oil spill response contractor, incident investigation protocol, or business interruption insurance.

Every control has a place. If you cannot say which threat a control prevents or which consequence it reduces, the control does not belong in the model. If a control appears twice, you are double-counting. If a threat has no control, you see the gap immediately.

That clarity is why safety-critical industries adopted bow-tie decades ago. A heatmap can hide a missing control behind a residual score. A bow-tie cannot.

Why the rest of the economy resists it

The standard objection is that operational risks in most sectors are not process-safety risks. True enough. But NIS2 for energy operators is a safety discipline. So is third-party risk under the EU Critical Entities Resilience Directive. Any scenario where a single failure can cascade into systemic harm is a safety discipline.

The real reason is inertia. Risk teams learned heatmaps in the 2000s. Heatmaps fit in PowerPoint. Bow-tie requires a different conversation. You must say what stops this from happening and whether it works.

That conversation is harder because it exposes assumptions. A heatmap lets you say "cyber risk is high, we have controls". A bow-tie forces you to say "OT ransomware is a threat, network segmentation is the control, segmentation is implemented on 14 of 19 substations, the gap is these legacy SCADA systems". One of those statements can be audited. The other cannot.

Two examples

Take a transmission system operator under Ofgem's operational resilience framework. The top risk on the register is "failure of critical IT systems leading to grid instability". Inherent: red. Residual: amber. Controls: "IT resilience programme, backup systems, incident response". What does that tell the board? Nothing.

Redraw it as a bow-tie. Central event: loss of SCADA visibility across the transmission network for more than 15 minutes. Threats: ransomware via phishing at control centre, hardware failure in primary historian, software bug in dispatch optimisation algorithm, DDoS attack on external API used by balancing mechanism, or insider error during system upgrade. Preventive controls: email filtering with USB lockdown, redundant historian with hot standby, pre-production testing environment, rate limiting with IP allowlist on API, or change freeze during peak demand periods. Consequences: inability to balance supply with demand, cascade tripping of generators, voltage excursion damaging industrial customers, regulatory breach under Grid Code, or political scrutiny from DESNZ. Mitigative controls: fallback to phone dispatch, manual load shedding procedure, customer communication protocol, incident log for Ofgem, or media handling plan.
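The rules in "The shape of the thing" (a threat or consequence with no control on its line is a gap, a control on two lines is double-counted, a control that cannot be placed on any line does not belong) are checks that can be run mechanically once the bow-tie is written down as data rather than drawn in PowerPoint. The following is an added example, not the article's or Norrsent's own code: the SCADA bow-tie above encoded as a Python structure, with the three labels from the original register row ("IT resilience programme, backup systems, incident response") left unplaced so the validator flags them; the class and function names are my own.

```python
from collections import Counter
from dataclasses import dataclass, field

@dataclass
class BowTie:
    central_event: str
    threats: dict[str, list[str]]       # threat -> preventive controls on its line
    consequences: dict[str, list[str]]  # consequence -> mitigative controls on its line
    unplaced_controls: list[str] = field(default_factory=list)  # named, but on no line

def validate(model: BowTie) -> list[tuple[str, str]]:
    """Rules from the text: a line with no control is a GAP, a control on two
    lines is DOUBLE_COUNT, a control that cannot be placed is UNPLACED."""
    findings = []
    for threat, controls in model.threats.items():
        if not controls:
            findings.append(("GAP", f"no preventive control for threat: {threat}"))
    for consequence, controls in model.consequences.items():
        if not controls:
            findings.append(("GAP", f"no mitigative control for consequence: {consequence}"))
    lines = (*model.threats.values(), *model.consequences.values())
    for control, n in Counter(c for line in lines for c in line).items():
        if n > 1:
            findings.append(("DOUBLE_COUNT", f"{control} sits on {n} lines"))
    for control in model.unplaced_controls:
        findings.append(("UNPLACED", f"{control} is tied to no threat or consequence"))
    return findings

# Constructed sample: the transmission operator's SCADA bow-tie from the text,
# with the register's three one-line "controls" left unplaced.
SCADA_BOWTIE = BowTie(
    central_event="loss of SCADA visibility for more than 15 minutes",
    threats={
        "ransomware via phishing at control centre": ["email filtering with USB lockdown"],
        "hardware failure in primary historian": ["redundant historian with hot standby"],
        "software bug in dispatch optimisation algorithm": ["pre-production testing environment"],
        "DDoS attack on external API used by balancing mechanism": ["rate limiting with IP allowlist"],
        "insider error during system upgrade": ["change freeze during peak demand periods"],
    },
    consequences={
        "inability to balance supply with demand": ["fallback to phone dispatch"],
        "cascade tripping of generators": ["manual load shedding procedure"],
        "voltage excursion damaging industrial customers": ["customer communication protocol"],
        "regulatory breach under Grid Code": ["incident log for Ofgem"],
        "political scrutiny from DESNZ": ["media handling plan"],
    },
    unplaced_controls=["IT resilience programme", "backup systems", "incident response"],
)
```

Running `validate(SCADA_BOWTIE)` yields three UNPLACED findings and nothing else: every threat and consequence in the redrawn model has a control, and each control sits on exactly one line, while the register's labels cannot be placed anywhere.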

Now the board can ask: what is the failover time for the historian? Has the manual procedure been tested in the last 12 months? Who approves changes during winter? Those are the questions that matter. A heatmap never surfaces them.

Second example: an integrated oil major operating in the North Sea under OPRED regulations. Top risk: "major accident event at offshore installation". Inherent: red. Residual: amber. Controls: "safety management system, competence assurance, asset integrity programme". Again, nothing actionable.

Bow-tie version. Central event: hydrocarbon release leading to fire or explosion. Threats: corrosion of topsides pipework, human error during manual valve operation, loss of power to ESD system, simultaneous operations creating ignition source, or fatigue crack in pressure vessel. Preventive controls: risk-based inspection programme using thickness data, valve status indication in control room, UPS with backup generator for safety-critical systems, permit-to-work with ignition risk assessment, or fitness-for-service assessment using fracture mechanics. Consequences: fatalities, asset total loss, environmental discharge breaching OSPAR limits, HSE enforcement including potential corporate manslaughter, or suspension of other operated assets pending investigation. Mitigative controls: TR2 fire and gas detection with automatic shutdown, temporary refuge with 18-hour endurance, OPRC Tier 3 oil spill contractor, crisis management team activation, or legal privilege protocol for investigation.

The board now sees that corrosion management is the critical preventive barrier. They can ask: what is the backlog of overdue inspections? What happens if we find thickness below minimum during the next shutdown? Do we have the budget to replace it? A heatmap gives them a red square. A bow-tie gives them a decision.

What it takes to embed it

Bow-tie is a working model. That means three things.

First, the diagram must be maintained. When a new threat emerges, it goes on the left. When a control is retired, it comes off the line. When a consequence materialises at another operator (Buncefield in 2005, Texas City in 2005, Deepwater Horizon in 2010), you check whether your mitigations would have worked. This is how the model stays true.

Second, the model must be accessible. In the register, where the board can see it. Where internal audit can test it. Where the regulator can read it during supervision. Bow-tie only works if it is the single version of the risk.

Third, the board must ask bow-tie questions. What stops this? Does it work? What happens if it fails? If the risk team cannot answer those questions by pointing to a control on the diagram, the answer is "we do not know". That is the answer a heatmap hides.

The gap is the point

Bow-tie makes ignorance visible. If you cannot draw the causal chain from threat to consequence, with every control in its place, you do not have a risk model. You have a list of things you are worried about.

That is fine for a startup. Energy operators with critical infrastructure designation require more. Aviation learned this after accidents. Pharma learned it after recalls. Oil and gas learned it after explosions. The rest of the regulated economy is learning it now, one enforcement action at a time.

The question is whether your board learns it before or after the event.

Most firms will wait until after. A few will act now. The ones that draw the bow-tie now are the ones that can explain, when the regulator asks, exactly what was supposed to stop it and why it failed. That explanation is the difference between a manageable incident and a career-ending failure.

If you cannot draw your top five risks as bow-ties, you do not know your risks. You know their names. That is different.

Sectors: Energy