Bow tie

Question 1

Which of the following can be revealed by the Bow-tie method of analysing a risk?

1. Risk attachment points.
2. Types of damage.
3. Risk classification used.
4. Suitable controls.

Answer 1

Options 1, 2 and 4 are correct. In the bow-tie diagram from the box “Risk management and the bow-tie” [Hopkin, p. 30] we can see examples of expected impacts (e.g. asset destruction, smoke inhalation) that indicate types of damage (e.g. destruction, inhalation) and also risk attachment points (affected elements). We can also see in that diagram categories of risk controls.

Option 3 is wrong. The question is about analysing a risk, meaning a certain risk, not risk in general, so we can’t have risk categories (e.g. strategic, tactical, operational, compliance) in the left side of the bow-tie, to allow us to figure out the risk classification system.