
Bow-tie analysis

A risk visualisation showing causes, preventive controls, the risk event, mitigative controls, and consequences as a single connected diagram.

What it is

Bow-tie analysis is a structured way of visualising a risk in a single diagram. The 'event' sits in the centre — the risk you're analysing — with causes (threats) on the left and consequences on the right. Between each side and the event, controls are mapped: preventive controls reduce the chance the event happens; mitigative controls reduce the impact when it does. The result is a single, scannable picture of one risk that auditors, regulators, executives, and operational teams can read without translation.

Why it matters

Most risk registers are tabular: rows of risks with severity scores, mitigation owners, and review dates. The format obscures relationships. A risk register with twelve rows about 'supply chain' tells you twelve things; a bow-tie of one supply-chain event shows you which threats matter, which controls are doing work, which controls are theatrical, and what residual exposure remains. For complex enterprise risks — anything multi-causal with cascading consequences — the bow-tie is the format that makes ownership and gaps visible.

How Norrsent handles it

On Norrsent, every risk record produces this shape automatically. Causes link to the canonical threat library; controls link to the controls module; consequences link to incidents (when they materialise) and to the financial, regulatory, and reputational lenses being used. Click any element of the bow-tie and you're in the underlying record — no separate diagramming tool, no static export.


Common questions

Where does ISO 31000 reference bow-tie analysis?
ISO 31000:2018 doesn't mandate bow-tie specifically — it's framework-agnostic. Bow-tie is described in detail in IEC 31010:2019 (Risk assessment techniques), Annex B.6, as one of the assessment techniques compatible with the ISO 31000 framework.
When is bow-tie wrong for the job?
Bow-tie suits single-event analysis where causes and consequences are reasonably enumerable. For systemic, network-level risks (interdependent infrastructure, cascading failures across business units), additional techniques — fault trees, network-effect analysis, scenario modelling — complement rather than replace bow-tie.
How does the audit trail interact with the bow-tie?
Each control in the bow-tie carries its own test schedule and evidence record. Auditors trace from a consequence back through mitigation, the event, preventive controls, and into the original threat — every step signed and timestamped. The bow-tie isn't a drawing; it's a query.
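Worked example added here (not Norrsent's code): a minimal Python model of one bow-tie for a security event, with the query described above (a consequence traced back through mitigation, the event and preventive controls to each threat) and a gap check for the residual exposure the 'Why it matters' section refers to. The event, threats, controls and the `tested` flag are constructed sample values.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Control:
    name: str
    tested: bool  # True when a current test/evidence record exists (constructed flag)

@dataclass
class BowTie:
    event: str
    threats: dict[str, list[Control]]       # left side: threat -> preventive controls
    consequences: dict[str, list[Control]]  # right side: consequence -> mitigative controls

    def trace(self, consequence: str) -> list[dict]:
        """The 'bow-tie as a query': from one consequence back through its mitigative
        controls, the event, and each threat's preventive controls to the threat."""
        mitigative = [c.name for c in self.consequences[consequence]]
        return [{"threat": t, "preventive": [c.name for c in cs], "event": self.event,
                 "mitigative": mitigative, "consequence": consequence}
                for t, cs in self.threats.items()]

    def gaps(self) -> dict[str, list[str]]:
        """Residual exposure the diagram makes visible: legs with no control at all,
        and controls that are drawn but carry no test evidence."""
        drawn = [c for side in (self.threats, self.consequences)
                 for cs in side.values() for c in cs]
        return {
            "uncontrolled_threats": [t for t, cs in self.threats.items() if not cs],
            "unmitigated_consequences": [q for q, cs in self.consequences.items() if not cs],
            "untested_controls": sorted({c.name for c in drawn if not c.tested}),
        }

# Constructed sample bow-tie for one security event (illustrative, not from the page).
SAMPLE = BowTie(
    event="Unauthorised access to the production customer database",
    threats={
        "Phished staff credentials": [Control("Phishing-resistant MFA", True),
                                     Control("Phishing-awareness training", False)],
        "Database password committed to a public repository": [Control("Secret scanning in CI", True)],
        "Unpatched database server reachable from the internet": [],   # no preventive control
    },
    consequences={
        "Customer data exfiltration": [Control("Least-privilege database roles", True),
                                       Control("Egress anomaly alerting", False)],
        "Regulatory notification and fines": [],                        # no mitigative control
    },
)

if __name__ == "__main__":
    for p in SAMPLE.trace("Customer data exfiltration"):
        print(" -> ".join([p["threat"], *p["preventive"], p["event"], *p["mitigative"], p["consequence"]]))
    print(SAMPLE.gaps())
```

Running it prints one left-to-right path per threat for the chosen consequence, then the three gap lists; the empty legs and the two untested controls are the residual exposure a tabular register would not surface.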