Bowtie Assessments: The Fashionable Approach to Risk Management
Organizations are increasingly using Bowtie risk assessments to gather insights from across the enterprise and reveal the causes and effects of risk. The deeper insights gained from Bowtie risk assessments help strengthen operations and manage risks.
You might be wondering two things right now. First, how do I perform a Bowtie risk assessment? Second, why is it called a Bowtie risk assessment? Answering the first question with an example also answers the second.
Let’s assume you are a risk manager in a manufacturing organization dealing with a risk like “Inadequate Supply”. If we poll the organization on the causes of inadequate supply, we might get a list that looks like the following:
- Poor sales forecast
- Too few parts to make products
- Too many finished goods that did not pass inspection
- Supply in the wrong distribution channels
- Cyber attack that shut down the plant
If we poll the organization again and ask about the impacts of “Inadequate Supply”, we might get a list that looks like this:
- Low customer satisfaction
- Increase in competition
- Cancelled orders
- Demoralized sales force
- Lower revenue
When we relate these causes and impacts it looks like this:
As seen above, the many-to-one-to-many grouping now looks like a bowtie.
With information like this, the organization can more effectively examine the causes and the leading indicators of these causes. These indicators can also be viewed as Key Risk Indicators. At the same time, the organization gains greater insight into the impacts of the risk. These impacts can be measured to show the overall impact of risk within the organization.
Bowtie assessments are just one of the many ways to measure and better manage risk in your organization.