In this on-demand webinar you’ll learn about the fundamentals of Bowtie modeling, how it fits into broader enterprise and operational risk management workflows, and see how organizations are using it to support everything from control design to executive reporting. Learn how to break down a parent risk into child risks, consequences, and controls using the Bowtie method. Identify where Bowtie diagrams can add the most value in your ERM processes. Determine how to use visual models to communicate risks and controls more effectively with stakeholders. Bowtie modeling is a clear, compelling way to visualize how risks unfold—connecting child risks, consequences, and controls in a single, intuitive diagram. It complements traditional risk assessments by helping to pinpoint gaps, prioritize mitigation efforts, and communicate risk in a format that resonates with both technical and non-technical audiences. This webinar features Origami Risk’s Jon Schulz, who is joined by Carol Williams of Strategic Decision Solutions. Whether you’re new to the method or looking to sharpen your approach, you’ll walk away with practical insights to apply Bowtie modeling with confidence. Hello, everyone. This is Melissa Lentz, the director of continuing education at OCEG. I’d like to welcome you to our webcast today during which we will present, visualize risks, strengthen controls, and communicate with clarity, the story of bow tie. Bow tie modeling is a clear, compelling way to visualize how risks unfold, connecting child risks, consequences, and controls in a single intuitive diagram. It complements traditional risk assessments by helping to pinpoint gaps, prioritize mitigation efforts, and communicate risk in a format that resonates with both technical and nontechnical audiences. In this webinar, John Schulz of Origami Risk will be joined by Carol Williams of Strategic Decision Solutions to walk through the fundamentals of bow tie modeling, show how it fits into broader enterprise and operational risk management workflows, and share examples of how organizations are using it today to support everything from control design to executive reporting. Whether you’re new to the method or looking to sharpen your approach, you’ll walk away with practical insights to apply bow tie modeling with confidence. But before we start, I’d like to take a minute to go over a few housekeeping notes. First, regarding continuing education credit. We provide NASPA approved CPE credit to you for participation in live webinars if you have an OSEG All Access Pass, which is a pro membership, which you can purchase individually or as part of a company team membership. The All Access Pass includes many benefits in addition to CPE credit for webcasts, such as access to all OSEG resources and on demand education series. So if you don’t already have a pass, I would encourage you to check it out on the OSEG site. If you do have an all access pass and would like a certificate of completion for CPE for this event, please be sure to stay with us for the entire hour and answer at least three of the polls offered today through the polling function in our webinar platform. These are requirements for receiving CPE credit for this event. And please note that certificates of completion for CPE credit are available only for live events. They are not available for viewing archived webinars. Additionally, if you need CPE credit only for OSEG certifications, your webinar attendance will be automatically tracked in your certification dashboard on the OSEG site. You will not need to upload your certificates of completion for OSEG certifications. Second, regarding the slide deck and recording from this webcast. The reminder email you received includes a link to the slide deck for this event. After the webinar, you will receive a follow-up email, which includes the link to the slide deck and the replay, which will be available for about one week. We will also have the recording of this event posted on the OSEG website. Just log in to the site, go to the resources tab, select webinar recordings, and then this webcast. Anyone with an OSEG also access pass may view this recording. Third, regarding our audience feedback. Please feel free to submit your questions during our event today. If our presenters do not answer your question directly during the webinar, they will be able to respond to you via email after the event. Additionally, we value your opinions and encourage you to submit the evaluation offered after the webinar. Fourth, regarding upcoming events and activities. Please watch your email for announcements from OSEG about other upcoming webinars. You can view information about these upcoming webcasts on the OSEG site. So today, we will address the following learning objectives. We will learn how to break down a parent risk into child risks, consequences, and controls using the bow tie method, identify where bow tie diagrams can add the most value in your processes, and determine how to use visual models to communicate risks and controls more effectively with stakeholders. But before we hand over the presentation to our speakers, we’d like to offer our first poll. So again, if you are interested in receiving CPE credit for this event, please answer at least three of the polls offered today by responding in the poll panel on your screen. We will email certificates completion for this webinar in a day or two to all participants who meet all the criteria for CPE credit. The first poll question is, do you have an OSEG All Access Pass, which is a paid membership that will enable you to receive CPE credit for this event? Your options here are, yes, I have an OSEG all access pass that will enable me to receive a certificate of completion for this event if I attend the entire meeting and answer at least three polls, or no, I do not have an all access pass, so I understand I will not receive CPE credit for this event. So as you answer this poll, I’d like to hand over the presentation to our speakers to begin our discussion today. Thank you, Melissa. And again, as a reminder, thank you for joining Visualize Risks, Strength and Controls, and Communicate with Clarity, the story of Bowtie. My name is John Schultz, and I am the GRC senior market strategy lead here at Origami Risk. My responsibility is overseeing the go to market strategy and what we decide to put into our GRC solution here at Origami. And I have with me Carol Williams. Carol? Hi, everyone. I’m Carol Williams, CEO and principal consultant at Strategic Decision Solutions, an enterprise risk management consulting firm specializing in helping the insurance industry transform from a obligation into a competitive advantage. Thanks for having me. Thanks, Carol. As we look at our agenda for today, it’s fairly simple. We’re gonna go through four different steps of the what, the why, the when, and the how of Bowtie, giving us the ability really to see all aspects of what Bowtie is, why you may use it, when is it most appropriate to use it, and how should you apply this method. As we look at, the next slide here, what is bow tie? Really, bow tie model is named for the distinctive shape. As you can see here, it looks like a bowtie. It’s big on the left. It’s big on the right. It has kind of that knot in the middle. That knot really represents that risk event. Or and on the left hand side, you’ll see threats and causes or triggers that could potentially trigger that event. On the right hand side, you’ll see, the consequences. And then in between, you’ll see preventative controls placed on the left hand side for the threats and the top event, while mitigating controls are shown between the top event and the consequences on the right. This is an opportunity to think about, what that shape looks like and all the things that might impact that event. Carol, is there anything you’d like to add to the, what here? Absolutely. So everyone is part of the We always have to think about terminology and labels, but every company has different names that resonate better within their culture. So while we have these five labels across the top, you will see differing terms used in this webinar because various organizations use them differently. But keep in mind that they the concepts are still the same throughout the bow tie. Thanks, Carol. As we look at, another view, so as Carol was saying, there’s really, kind of multiple ways that the bow tie can be represented in terms of names. But in the end, there is that centralized event. There are the triggers on the left hand side. There are the consequences on the right hand side. This is an example of what the bow tie looks like in our origami solution. So, again, you’ll see very similar to that basic graphic that we showed before. But you can see you can actually bring in the risks and the controls right from the system. So it just gives you a way to click in and see all of those things that are connected in an active visual way. And I’d just like to show you another example of what bowtie can look like, especially in an active system. And, John, before you move on, one of the things that I would really like to highlight to people is even if you’re not using a system, Bowtie is a great tool to facilitate a conversation with the business. This is something that nontechnical people can really dive into because they can understand the concepts within it. And so it can really drive some great conversation. That’s a great point. Thanks, Carol. Alright. So with that said, that brings us to our next poll question, poll number two. Are you using bow tie modeling today? Option one, yes. We are using bow tie modeling extensively. Two, yes. We’re using bow tie modeling in certain situations. Three, yes. We are using bow tie modeling, but infrequently. Four, no, I knew about bow tie modeling but I’ve never tried it. Five, no, I don’t know about bow tie modeling before this webinar. So we’ll give you a minute to respond. And with that, we’ll move keep moving on as we continue the presentation. So what should we use? Why should we use bowtie? And and, Carol, why don’t you kind of give us some examples examples of how you’ve seen your clients use bow tie and why they benefit from it? Yeah. Absolutely. So bow tie is, to go back to that comment I was making earlier, really helps clarify some great risk conversations when you’re bringing the business in to break down a risk. There are so many risks within an organization that can seem very complex at first blush. So wanting to break it down to truly understand what’s in place, how what are we doing to address this risk, how can we know what those triggers are, the root cause, whatever you wanna call it over on the far left. But understanding those can help you identify the best mitigations for that risk. So even if you realize we don’t have a lot in place right now, can help break down that conversation, bring in people from the business, or people who are and when we say nontechnical, this is not when we when we mean that, it’s also not IT people. These are business people that can really utilize this tool to break it down and facilitate that. It also helps with the assessment of it as you are trying to truly measure what the the consequences of that risk is. Seeing all of this laid out helps you really drill down as part of that assessment process. Great. Thanks. As we think about other reasons why, you know, really that that clarifying of complex risk scenarios, I think, is one key area that many companies really think about. Hey. This is an opportunity for me to use bowtie. As Carol mentioned, this is really a a a situation where you can use this model to communicate with others in the business. And, like Carol said, nontechnical or potentially even, like, nonrisk experts. Sometimes they you know, a business person who’s working every day might feel a little intimidated by having that risk conversation or that risk professional. They might use terms that they’re unfamiliar with. They might come in and and feel like, oh, I’m getting audited or I’m getting scrutinized or or told to do something differently. And and the ability to kind of show the bow tie in front of them, know, can be a good way for them to get comfortable and understand really how they can benefit from the bow tie and feel really comfortable in just common language seeing that bow tie right in front of them. Think the other thing oh, go ahead. I was gonna sorry. I was gonna jump in on one of those points that you just made. In bringing in the business, one of the things that I really like about this is being able to break down your pre event versus your post event controls and your mitigations. A lot of times, people just start rattling off a list of all the things they’re doing about a risk, but being able to bucket them into pre event pre event versus post event can really help clarify where the company has been focusing their time and efforts on when when it comes to managing that risk. So maybe they’ve done a lot on the pre event, but you know what? They realized that we don’t have anything in the post event, so we need to have at least something to help us if and when the risk does occur. So being able to clarify the roles of different controls will be extremely helpful during this conversation. Great point. And that actually leads me into what I was going to say, which is kind of the other piece that that we see really as, you know, a big reason why you should use bowtie is to improve that cross functional alignment. So like I said, you get comfort with, you know, nonrisk professionals in terms of what’s out there and and visualizing it. But like Carol’s saying with the the pre and the post event, really, opportunity for you to think cross functionally, the bow tie can really help visualize that. It’s all of your risks or triggers and your consequences and, you know, kind of those mitigating controls. But oftentimes, if you think about all the things that could happen in a risk event, that’s not just impacting one person. That’s likely impacting many people, potentially many business units. And that cross functional alignment of a bow tie really brings that all together because you see all the risks. You see all the consequences that apply to multiple business units, multiple parts of the business. And now this is a way for you to say, see, this event not only impacts you in finance, but it might impact you in operations or HR or wherever that may be. So, you know, really, that cross functional alignment and viewpoint is also another key reason why people consider using bowtie. And to that point, John, I would actually I’m gonna expand on that point to say if you need to bring in people from the controls piece and the mitigations to realize while this risk may be in one specific business area, you’ve got controls that may be happening in another area. And a lot of times, you know, that second area has no idea that something they’re doing is actually also addressing a risk for another business area. So it brings visibility to the interconnectiveness of risk and risk related things going on within the company, it brings it highlights that visibility across the company. Yeah. And and to your mention of controls, I think, you know, another thing that Bowtie really does well and and why you should consider using Bowtie is it does bring in that control aspect, and it does visualize what are the things that that your company has in place to hopefully mitigate those consequences or potentially even mitigate those triggers or risks from influencing your vet to begin with. So, you know, in many bow ties, you will see the control that’s in place. If that control has been tested as part of your your active risk program, you may be able to see the control effectiveness, and that’s something you might see from a system like Origami where that control does actually have some effectiveness details around it. So you can see, is this control effective or not? If it’s not, maybe that means that there’s a increased likelihood that that consequence could happen. But this also really does help if you’re involved in an audit or a compliance review as well because now those controls that are in place, you can see the effectiveness, you can see the potential events, and you can have that direct conversation with your auditor or your compliance manager and say, see, these are all the things we’re doing that we believe help mitigate these large events that could potentially happen. Completely agree. One of the one of the elements before we keep moving on is I wanna focus quickly on that the what if and the scenario planning piece because especially for emerging risks, a lot of times those are very nebulous for companies because they are emerging, which means there isn’t a full profile of a risk, and there hasn’t been a lot of research. All you know is there’s this trend that’s going on either outside of the company or inside of the company. And so a bow tie will really help break down that information and help the the company, the organization truly understand, okay, so I see this is happening. Maybe we don’t have a lot of things that are pre event because it is emerging. We weren’t this isn’t a mature risk that we know a lot about, but there is something that we can do to respond to it right now. So what can we do? And it can help break down that conversation a little bit better and seeing the triggers, even if there is nothing in the pre event controls piece, you can lay out all the triggers for an emerging risk and understand the consequences to the organization if this emerging risk were to happen, and it really starts the conversation there instead of it just being a line item on a list of emerging risks. Great. As we move on, I think those are some really great unique ways to think about how and why you’d use Bowtie. But as we look at kind of six key benefits, we really see them as the ability to simplify, visualize, identify gaps, collaborate, communicate, and efficiency. Carol, would you mind talking a little bit about kind of how it simplifies things when you use a bow tie? Absolutely. A lot of times when you talk about a risk, there’s just this laundry list of all the things that are related to it. There’s maybe six words that are used to describe a risk. It’s not as simple as that. But to break it all down, it doesn’t need to be a paragraph to start describing the risk either. A lot of times when you have to put things into the visualization, it makes you it forces you into simplifying how the information is broken down so that others can very easily grasp all of the information around it in a very short amount of time. So, this is one of those benefits. The visualization supports the simplification. Not that it’s dumbing it down or anything like that. It is truly forcing you into brief words that are very descriptive to get to your point very quickly. Yeah. That’s a great point. I think the other key thing here is that, like, and hopefully should really make it clear to to anyone involved in the bow tie process, really, the the cause and the effect and being able to see kind of that left hand side of a trigger all the way through the event and ultimately what those potential consequences may be, making it hyper clear. Hey. If this event happens, these are some things that could cause it to happen, and this is ultimately what it could do to impact our business. And in fact, I would even say that doing the bow tie would help you create a really clear risk statement to be able to use when communicating about the the risk going forward because we have cause and effect, and that is definitely how I advocate in writing about a risk statement for everybody. So you very clearly understand risk, the control, the cause and the effect. Great. Point two, visualize. For for me, I really see, you know, bow tie as, I mean, obviously, a very strong visual tool. The point of a bow tie is really to put that in place and be able to see kind of the the the triggers through the consequences, and you’ll see kind of that potentially full risk landscape really all the way from the threats to the controls to the potential impacts in a single, hopefully, intuitive diagram. I think as it’s right in your face, it gives you that ability to see kind of all those components in one aspect. But, also, really, like, hopefully, you know, you kinda use that interactive nature to then say, oh, okay. Like, we have gaps or we’re strongly supported here. We’re in good shape and facilitate that conversation. As we think about identifying gaps, Carol, do you wanna talk to us about where you see your clients identifying gaps through the bow tie process? Absolutely. The gaps can come from a couple different areas. One, like we’ve already talked about in identifying gaps in your controls and mitigations. I also see this as identifying gaps in knowledge around a risk. So maybe you have a one group of people in talking about it, and they are truly not grasping all of the consequences. And you as the risk professional, the practitioner leading this conversation, you’re thinking to yourself, I know that there’s more to this. And so it identifies that knowledge gap and allows you gives you an entry into bringing more people into the conversation where the business can truly grasp. Oh, wow. This is bigger than what we thought it was. It also helps identify those risks that are truly enterprise level risks and not a siloed operational risk. Yeah. Okay. Great. Next, we have collaborate and communicate, and I’m gonna kinda talk about these together because I do think the collaboration, the communication kinda go hand in hand. I think one thing the bow tie does is it really helps strengthen the language that you use around risk, creating a a common set of languages, and really a conversation that makes it easy to work as a team to ultimately think about the risks and the consequences. This should enable a more productive discussion. If you think about risks, compliance, operation, and business unit all working together, they’re working off of the same model with the same language, really thinking about, you know, altogether, how do we make sure that this event, you know, doesn’t impact us as strongly as it potentially could. Also, really, the communication, the conversation side should be more efficient as you think about the use of controls and mitigation. A single control, a single trigger, but that trigger may cause multiple events. So it really allows you to see all the components of the bow tie, that control, and the ability for it to understand how that might impact multiple events. And then last, I’ll I’ll just say, it really helps with the the presentation of risk information in a visual way, making it easier, especially for senior leaders to understand and to engage with. And, ultimately, we think act upon those key insights as they’re able to see, okay. Here’s the event. Here’s the things that could trigger that event. And if that event does happen, here are the consequences and what we need to do to be prepared for those. I think that should that collaboration and communication piece, should just make it super easy. And with that, the last one is efficiency. Carol, do you mind talking about efficiency when using Bowtie? To me, it ties really well into that communication and collaboration because it does allow your discussions to be more efficient, not just around the actual bow tie conversation, but for the rest of your risk assessment process and as you’re analyzing risks. This is really going to help be efficient in, okay. It’s time to assess this risk, but now you’re not having to rehash all of the information about the risk. You have the bow tie. You can provide it to everybody that’s part of that conversation, and they get it very clearly without taking twenty minutes to talk about the risk again. Great. Alright. With that being said, now we know the why. Let’s move on to the when. When should we use bow tie modeling? We really call out, five key points here as to when should use bow tie modeling. The first one is is when you want to identify a critical failure point or dependency in a process or system. So maybe this has happened to you, or maybe you want to actually do some testing to identify, do you have critical failure points? Really, the thought here is to start with a high impact or high visibility risk. This allows you to think about something that that could have a major impact on your organization. If you’re doing this for the first time, it might allow you to kind of test out the framework and really get familiar with, hey. What are the things that, you know, could trigger this event? And if it does get triggered, do we have controls in place that will minimize that risk from impacting us? And, oh, okay. That risk did happen. Now what controls do we have in place that that help minimize the consequences that could come out of that risk? And so this can be impactful for both those new to bowtie and those experienced in it, really allowing them to think about kind of that biggest risk that that really everyone in the organization can be familiar with, and it it might be an an easy way for them to kind of move their self in. The next one, Carol, do you wanna talk about, the next, when? Absolutely. And this is one of my favorite points, actually, on this one because I’m a big fan of risk based vendor management. So when it comes to this, to make sure that you are truly understanding the risks associated with either a specific service or a specific vendor or partner that your organization has, you need to see exactly what that vendor and the contract with that vendor, that relationship, how it could impact the company if that vendor was not able to provide the services at the level that they are contracted to provide. What could be the the potential triggers for that so that you can use that as your monitoring on your relationship with the with them to ensure maybe it goes into your SLAs as part of your contract with them, but to also understand the consequences. How bad could this you know, how badly could this really impact our organization? What do we need to do about it? But it really helps you manage the relationship with that vendor that much better if you realize the consequences and the extensiveness or not of that specific risk event that you’re talking about. And it could be in relation to either data that they have access to, services that they are providing, or the the extensiveness on which you are relying on one vendor to be able to operate in your day to day business. Great. Third, the third one I like to think about is when you want to evaluate the controls that you currently have in place. And many times, you know, organizations have risk and control programs, and they may have those controls in place for a specific reason. And they’re used to looking at those from a what’s the risk? What’s the control that mitigates those? And that’s a really great view from a a, you know, a totality perspective. But one way to really kinda then put your controls through paces is to be able to say, let’s look at it through a bow tie diagram. Let’s think about those large events, that top risk event that could impact the organization. And then let’s look at all those consequences and really see, do we have controls in place that really help mitigate the triggers to actually allow the event to happen and put in place to ultimately reduce the consequences if that event does happen. The bow tie then is a really clear visual way to say, do all those controls exist for this particular event? And it’s just a different lens that you look at your controls through to be able to say, yes. We have them. Or, like, more extensively on the more mature side, you might say, well, we do have controls, but, honestly, they’re pretty weak. Like, we’ve we’ve done some testing, and they have work to do where they’ve tested poorly. And now that we look at it from an event standpoint, we can see all the controls that tie to that and say, you know, actually, Waymy, we’re not as strong as we once thought we were because we were just looking at the controls in totality versus against a specific event. Moving on, Claire or, Carol, do you wanna talk about, kind of how you use this to stress test or kind of the hyper hypothetical scenarios? Absolutely. Because a lot of times we are trying to figure out strategy within our organization, we want risk to be incorporated into the decision making process, which means leadership is having to make decisions. There’s a lot of hypothetical elements that are going along with that, and so in order to better inform that decision making process, you can test it out. Let’s look and see. If if this were to happen, what would we need to be looking at? So what are your triggers that are here? And being able to compare those two, what are the assumptions that we made? Or are we making around our ability to achieve X goal? And to see, oh, wow. Well, our assumptions and the triggers, they’re really aligned, and we did not think about the fact that this trigger is really possible. So this assumption is faulty, and we need to go back and reevaluate this possibility of our ability to achieve a specific goal. But also on the consequences, especially with black swans, knowing they are a extremely low probability of occurring, but an extremely high impact, being able to really focus on you know, it’s not about the prevention because the probability is already so low. It’s more about the response and identifying how are we going to respond if this happens, being able to break it all out. Great. The last one I’ll talk about here is, you know, the ability to visualize models, to use them for social awareness. And I guess, you know, from my past experience, you know, many times, risk professionals really can think truly about, hey. I’m gonna assess the control. I’m gonna assess the risk. I’m gonna do some testing. But I think the the one underrated aspect of a risk professional’s job is really the ability to influence the organization, influence nonrisk professionals, really helping them think about what are the risks that could impact you and your job day to day, How can we help you be more effective, ultimately help you meet those corporate strategic goals? And I think bow tie modeling is one of those ways that you can really be that advocate for risk to raise awareness. As you’re going through this process, like we’ve talked about earlier, it is collaborative. It does improve communication. But this also makes it super visually easy to understand the risks right in the middle. All the things that could impact it or could go wrong are on each side of it, and it makes it easy for someone to comprehend. And I think this is a tool that you can use to say, hey. Here’s the risk. Here’s what could go wrong. Let’s talk about how we minimize that. And it really gets down to what are those actions that you could take in the business without it kinda getting muddied too much with, you know, common risk language that might confuse people. And I think this is a tool that you can really use to be, persuasive in your risk role. And to that point, John, as, I know we’re gonna keep moving on. To that point, I do wanna say, as the business, is working with risk, we need to make sure as the risk practitioners that we are speaking more in business terms than we are in risk terms. This is a great tool to facilitate that because you don’t have to use risk terminology. You can use more, you know, what are the triggers? That is not a risk term. That is what could make this risk occur? What should we be looking for? Those types of questions to really drive that engagement across the business. Yeah. Great points. Alright. We’re gonna keep moving on. We’re gonna look at the how. How is bow tie modeling used? Here, this is a visualized slide. It’s it’s pretty simplistic. We’re gonna kinda talk through what this means, but, think of it this way. The chief risk officer is preparing for a quarterly board meeting and needs a rep to report to the organization the top risks, things like cyber threats, supply chain disruption, regulatory compliance failures. And this might sound familiar to you, but historically, this chief risk officer has struggled with text heavy reports that don’t resonate with nonrisk executives, heat maps that don’t highlight the connection between the risks and the controls efficiently. With Bowtie, really, board can now see in one model the relationship between the cause of the risk, the controls, the potential consequences, making it immediately clear where there are strong defenses and where there are gaps that remain in terms of protecting that particular risk. Carol, as you think about kind of the visualization, trying to just simplify kind of the day to day of someone like a chief risk officer and how bowtie modeling can impact them. Anything else you’d add to that visual? It’s a because yes. Absolutely. Because when we think about it, the bowtie is so business friendly. There’s no reason why this information can’t actually also be included within the business report out to the board. It’s very straightforward and allows them to say this is what we’re trying to achieve, and we’ve identified these risks and this is how we’re prepared to address these risks, making us confident in our ability to achieve the goal that we’re setting forth here. It really simplifies that that conversation to the board and gives them the level of assurance that they need that management is on top of the risks. Yeah. I think that’s a great point because the other thing is is that, you know, many organizations are sharing out their top risks with their board, and oftentimes, it’s a here’s our set of top risks. Here’s a statement about what the risk is. Here’s how effective we think it is, or here’s how we think we’re managing it. And I think something like the bow tie can very easily say, here’s the risk. Here are all the things that we’ve thought could impact it and the potential consequences and those activities, the controls that we are doing to ultimately reduce that from impacting us, but ultimately then reducing the impact that it may have on us after. And I think that’s just another way that, again, kind of speaking to the nonrisk professional, not all your board members may have that risk expertise, and this is a way for you to hopefully simplify that visualization and talk about those activities that you’re doing against that that main risk event. Especially when it’s guaranteed that your board members most likely don’t have risk background. Right. They’re they’re from the business or from the public. So definitely making sure that we’re able to communicate in a clear and effective way. Great points. Alright. We are gonna move on to our next poll question. Poll number three, where are you most interested in adopting bow tie modeling? One, prepping for board meetings or executive presentations. Two, as part of business continuity planning. Three, during third party risk assessments, four, for internal control gap analysis, five, highlighting and analyzing emerging risks, Six, during strategic planning conversations. Seven, in another place, share specifics in the chat, as you see fit. Carol, I’m curious if you could just pick one or two of these and talk about kind of where you’ve seen people having success, you know, implementing bowtie across any of these. Obviously, lots of great opportunity to use bow tie in different ways, but I’m curious if you can just talk about kind of a a real life example of how one of these has impacted your client. Yeah. Absolutely. Well, I’ve actually already hinted at them earlier, so they’re probably not gonna be a surprise, but I’m gonna go ahead and talk about them anyway. The first one is going to be that emerging risk. A lot of organizations create a list of risks that are going out to their management, their board of saying, hey, these are the things. You guys need to be aware of them, and the management’s kind of, okay, so what? Well, the bow tie really helps dig deeper into that and gives them that awareness of, okay, now I see how it can impact our organization, not just exist out there in the in the ether. So that is specifically one way that the emerging risks and bowtie have worked extremely well together. It also gives you a tool for monitoring because now you understand root cause. You understand those triggers. So now you know exactly what you need to be keeping your eye on. Great. So continuing with the how of Bowtie, how does Bowtie modeling fit into your existing program and workflow? So you may be thinking, hey. I I have a a a risk program. I’ve never really used Bowtie. How could this work for me? We kind of have three examples here of of how you could fit it into your existing program, and we’ll talk a little bit more about it on the next slide as well. But, you know, as we think about this first one here, tackling emerging risk, and I think Carol has hit on this, obviously, a lot just kind of even, you know, in in those last comments. But, really, bowtie can be used to think about those emerging risks. So what are the things that could happen? What are you not yet managing against? If those did happen, what are the consequences? Second is that third party risk assessment. As we talked a little bit about on the previous slide, that that third party risk assessment also is another place where you can introduce. You’re working probably with hundreds or or maybe even more, third parties, and the ability to think about the risks and how those third parties are included is just another way that you can utilize that bow tie from a different angle. And then last, strategic planning. Again, really, if you think about a risk management program, especially an enterprise risk management program, really, that is all about strategic planning, how you identify your goals and objectives, how you make sure that your organization is set to actually deliver against those strategic objectives? And the bow tie can really help you think through that strategic planning process as you lay out kind of those key risks that could potentially prevent you from meeting those overall objectives and goals. Anything you’d add here, Carol? I know we kind of touched on some of them in the next slide too. Yeah. It’s okay. So I’ve already hinted, like I mentioned earlier, about how you can use Bowtie in both of these cases, but to really dig deeper because I will say that my love of does tie back to strategic planning and being mindful of what are the company’s goals and objectives. So, from a strategic planning, it is all about us increasing our management’s confidence in their ability to achieve the objective. Using bowtie gives them a tool to truly understand what could potentially get in their way. But to be honest, one thing that we haven’t really touched on a lot is it could also potentially show them some opportunities. What could trigger an opportunity to show up, and then the consequences could be positive consequences to the organization. So if we don’t always think about it in the negative, but we think about it in the positive, you could be highlighting some things just based on having these risk the, quote, risk conversations and seeing opportunities evolve out of that as well, really fueling and providing that insight to leadership as they’re doing their planning. Great. Let’s keep moving on, and we’ll talk next about how can bow tie modeling trip you up. So, obviously, there’s lots of benefits, but there might be situations where bow tie modeling could could trip you up or or confuse you. Carol, do you wanna talk about kind of misclassification of barriers and and and one way that that could trip you up from bow tie? Yeah. Absolutely. So when you think about using a bow tie, it does mean that you need to be very clear about triggers, about consequences, and not put wrong things in there. Make sure that what you’re putting in there is a trigger. Make sure what you are putting in is a true consequence because there’s a lot of times when you go back and you have deeper conversation, you start picking it apart, you realize, wait, that’s not really a consequence. That’s actually just something else. So really making sure that you’re clear about the information that’s being included is going to be very specific. Wanting to make sure that training is so broad, but there’s other elements around training isn’t really a barrier. Right? That should be a facilitator of something. So let’s make sure that we’re properly identifying the information that’s going in there. Great. I’ll talk about the next one, which is oversimplification. I think this is another risk with bow tie diagrams is that, especially initially, you may think of you may tend to oversimplify complex risk scenarios. There are lots of things going on. There are lots of important interdependencies or systematic risks that might be overlooked. You might just say, oh, you know, this is this is really basic. Like, you you know, I have a breach. The the things that’s gonna cause a breach are that, you know, we have poor information security practices. And if that does happen, like, we’re gonna have to pay fines. And, you know, you kind of oversimplify without thinking about all those other things that could actually, you know, trigger that event or could be outcomes of if that event happens. And you get kind of narrowly focused on on one area. So I think that’s another thing to consider. Carol, do you wanna talk about limited focus? Yeah. Absolutely. Because to be honest, it really goes back to some of that oversimplification, but the reality is that you a a bow tie is only meant for a single risk event. And so what a lot of people do is they focus on we’re just gonna use bow ties for us to analyze without to the exclusion of all other analysis tools, and you can’t do that. Cannot do that because there’s so many interconnected risks and triggers and and controls that if you use bow tie to the exclusion of everything else, you miss the connections between it. So you need to make sure that you recognize if this risk event happens, this risk event could be a trigger for another risk, and just looking at a single bow tie, you miss that connection. So make sure that you’re keeping your eyes and ears open for other tools and keeping an open mind around there’s other things and other ways to visualize. Bow tie is not the only visualization. That’s a great point. Yep. Sometimes, like you said, it is easy to say, oh, this is such a great tool. Let’s just, you know, keep using it. And sometimes it does lead to overreliance. Next, I’m gonna talk about incomplete and ineffective barriers. So barriers are sometimes included without ensuring they are effective, independent, or auditable. So thinking about, you know, really making sure that, you know, they they are an independent viewpoint. And, ultimately, at the end of the day, this can undermine your rebel reliability of the model and may lead to unmanaged risks. So at the same time, you’re you’re you’re kind of not thinking about all the components together. And, really, it it kind of leads to you potentially missing things that you might need to be considering. Can you talk about the the time consuming nature of bow tie? It makes it look really simple here, Carol, but but I think there are some situations where it can be really time consuming. Can you talk about that? Absolutely. I’ve actually had a conversation with a company who had probably thirty bow ties. And they were saying it is it takes up so much time to manage all of these and to try to keep them up to date because risks are ever evolving, an organization is ever evolving. So trying to keep them up to date ends up consuming so much of your time. That’s why you do have to be kinda choosy about when you’re gonna use it and be mindful of that time frame, maybe even allocating certain bow ties to other people within the business as their responsibility to maintain, not risk. So, they are definitely time consuming. That is when software can be helpful in that management of data. I’m a big proponent of managing data within the risk space. A lot of times we lose sight of that. This is one of those pieces. So when you update a control, making sure that update to a control goes everywhere where that control is being used. That could be an example of when having software to help you will be helpful. Great point. And that’s actually one of the main reasons why Origami decided to introduce Bowtie into our software is to be able to say, let’s make this easier for our our clients, our customers to be able to say, hey. We we want to be able to do bow tie. We already have the data in your system. There’s maybe already many connection points. Let’s make this simplified by having it software driven and being able to point and click and keep it hopefully up to date much easier. The last thing I oh, go ahead. Oh, sorry. I was just gonna say, and if you are resource constrained within your organization and and you don’t have software, keep in mind that there are sometimes when you use them and you don’t need to maintain them. They are a one time analysis piece, help you understand it, and then you don’t need to maintain it. It it was truly meant to be a tool to move on to the next the next step. That’s a great point. Great point. The last thing I’ll talk about here is subjectivity. Sometimes you can get tripped up when you’re your subjectivity of your control assessment. So the issue here is you could be evaluating control effectiveness of any barriers, and that’s often subjective. So you are probably doing some testing, but there is some subjective nature as to the effectiveness of those controls. And it can lead to inconsistent risk assessment or decision making as really maybe you’re you’re you’re more or less confident that you should be in those particular controls and and ultimately leading to a false sense of of how you’re protecting yourself against that particular risk. Alright, Carol. Let’s kind of wrap up here. We’re getting we kind of hit on all the key points. We got through the how. Let’s talk about the big picture. Do you wanna talk here about kind of what are those kind of four key takeaways that we should have from the conversation today? Absolutely. Be intentional about when and how to use bowtie, Strictly from a resource perspective, in the main maintaining of it, is it purpose fit for the kind of conversation that you’re having. It’s not just a, oh, I’ve got bow tie in my back pocket. I’m gonna pull it out in this conversation. Be intentional about that planning and make sure that you’re prepared. If it is a conversation that does need to keep it maintained, you are prepared to maintain it. That would be my first big picture. If I had if I had to take away, that would be my first one. Be intentional. Yeah. I’ll say the second one here, consistency is is you know, we we say consistency is key for usefulness. Consistency really is important here. You need to make sure that you’re using the same methodology. You’re thinking about, the risks kind of at a similar level. You’re thinking about all the things that could impact and go wrong and making sure that you’re using that same key keen eye. I think the consistency is really gonna allow you to make sure that you benefit the most from the bow tie model. And I think that, you know, it’s gonna allow you also to kind of move into the the use of of bow tie modeling in a much more effective way. Do you wanna talk about keeping your audience in mind, Carol? Absolutely. Keeping your audience in mind, I cannot emphasize this point enough because this is all about what we should be doing as communication. There is an element of it that is more of an art than a science, and this is one of them, communication. So, there are some people who are visual learners versus auditory learners, people who appreciate text more than graphics. So always keeping in mind who the people are that are receiving the information that you are presenting is very important, but most people drive towards visuals, not heavy text. Because in today’s world with limited attention spans and getting shorter and shorter every year, seems like Something that is easy to grasp in just a few seconds by reading through it is a lot simpler than reading through a paragraph or a slide that’s very heavy in text. But it’s also about the audience and their role. The objective owner within the business or someone on the front line is way different than your senior leadership and your board. So making sure that you are communicating the right level of information to the right people in how you’re communicating. Great points. And I think that that brings us to the last point here, which is bring the right people to the table, and and this really should improve your accuracy and completeness of the bowtie. As we discussed, really, the goal here for bowtie is to to to really be collaborative, to really think about all those things that could impact risk. And this is gonna require you to make sure that you are bringing people from different parts of the business. But the key here is bringing those right people. Who are the people that understand the consequences of that risk and the impact that should have in place? So making sure that you’re bringing those right people that can speak to that and add a level of detail that’s necessary is kind of the last key big picture point. I’m gonna actually add on one quick thing, John, to that, and that is in the role of risk management, that is what we have that privilege to be able to see as cross functional across the entire organization. So while the business may be in their silo, we should not be in that silo. We should be above the silo, able to see above the big a big picture, and bring people to the right to the table that the business may not be aware needs to be at the table. Great point. Alright. Well, very great conversation, Carol. I’m gonna wrap us up with our last poll question, poll number four. Are you interested in learning more? One, yes. I would love to know more about Origami’s risk bowtie modeling solution. Two, yes. I would love to talk to Carol about implementing bowtie or other best practices as part of our risk assessment. Three, yes. I would love to hear from both Origami risk and strategic decision solutions about bow tie modeling. Four, no. I’m good for now, but maybe in the future. With that said, we’re gonna use our last few minutes here to get into q and a. I have a couple, questions here that have been triggered up. If you have other questions, please, feel free to provide those in the chat. First question, Carol, is what types of risks or industries is bow tie modeling best suited for? All industries. That’s the best answer. So I completely am a full believer that this is not a tool that is specific to any one industry or even one sector or one geography. It applies to every single and can be used by every single organization. Now, I will say to go back to some of our earlier points that there are certain types of risks that may be lend itself to being better used by the bow tie, those that are more complex that need to get broken down, that’s fine. But industry wide, doesn’t matter. Yeah. I would agree. I I I it’s definitely an industry agnostic tool that can be used for for, you know, any types of risk. One thing that we’ve seen in our business is that, you know, those companies that are in high hazard industries where safety, compliance, operational continuity tend to be, you know, very critical to their business. You know, things like oil and gas, health care, construction or manufacturing. Those industries tend to be more interested in bow tie because I think they place a really high reliance on, you you know, keeping their people safe or really keeping their business, you know, continued. And so they have a it feels like even a more vested interest in what bow tie modeling can bring. But I think to your point, there’s really no one industry that can’t benefit from from bowtie. Agree. Alright. Let’s question number two here. How do you decide what the top event is or the top risk? Should, like, which how do you know what you should put into that center knot of the bow tie? It’s an action. That’s the best way to put it. It is something that you can see happen. It’s not a description of data breach, right? It is, we’ve lost our data, or the data has been ransomed, but I would go with, we’ve lost our we’ve lost access to our data. Now, the the concept you know, the the ways that they get there of data loss can be it’s been ransomed, it’s been stolen, it’s been deleted, because it doesn’t have to be a data breach that you lose access to your data. It could be our database administrator accidentally wiped our database. Makes sense. So understanding those different pieces, but the action is definitely what needs to be your event. Yeah. The other thing that we like to think about here is a good way to think about kind of that that top event is make sure it’s specific, make sure it’s observable, make sure it’s actionable, really helping anchor that entire diagram. All of those things kind of, allow you to think about something that’s that’s very tangible, but also make sure it’s kind of neutral in tone. Right? You don’t want it to be a cause or a consequence. Like, you you really want it to be kind of very clear and anchored. With that said, I I I’ll I’ll wrap it up there. If you have other questions and answers, those will be directed back to Carol and I, and we can provide direct responses to those. You’ll see up on the screen contact information for both Carol and I. Feel free to connect with us on LinkedIn. We are also providing the website here for strategic decisions at origami risk. If you wanna go out to our website, read more about bow tie modeling, read any of the other, you know, blogs or, you know, educational information that we have out there. We’d really look forward to, you know, continued communication and interaction with you. But with that said, I’d thank you for your time. Thank you, Carol, for joining me today, and I will pass it back to Melissa at OSEG. Great. Thanks, John. I’d like to thank both John and Carol for joining us today to walk through the fundamentals of bow tie modeling. And to our audience, we’d love to have you join us for other upcoming OSEG webinars. Please watch out for emails from OSEG regarding these future events. This concludes our webcast today. Thank you all for joining us.
Webinar Introducing Origami Risk’s New Insurance Program Management: From Disconnected Workflows to a Single System of Record