Continuity Planning with the Bowtie Method

Robert A. Sibik


November 1, 2018

bowtie method business continuity

Many organizations make the mistake of treating risk management and business continuity as different programs. Rather, to be optimally effective, the two must be combined and aligned. Business continuity traditionally starts with a business impact assessment, but many companies fail to go beyond that, making no tactical plan or strategic decisions on how to reduce impact once they have identified what could go wrong. The risk management process has been more mature, identifying various ways to treat problems, assigning it to someone, and trying to reduce the likelihood of the event occurring, but not necessarily doing much to reduce the impact of the event itself.

Organizations must move beyond the simple goals of creating business continuity plans or demonstrating compliance using legacy tools for business continuity/disaster recovery and governance, risk management and compliance. Those approaches incorrectly move the focus to “do we have our plans done?” or the checklist mentality of “did we pass the audit?”

In addition to legacy approaches, benchmarking must be avoided because it can provide misleading conclusions about acceptable risk and appropriate investment, and may create a false sense of having a competitive advantage over others in the industry. Even organizations in the same industry should have their own ideas about what constitutes risk because risks are driven by business strategy, process, how they support customers or constituents, what they do, and how they do it.

Take the retail industry for example. Two organizations may sell the same basic product—clothing—but one sells luxury brands and the other sells value brands. The latter store’s business processes and strategies will focus on discounts and sales as well as efficiencies in stocking and logistics. While the former will focus on personalized service and in-store amenities for shoppers. These two stores may exist in the same industry and sell the same thing, but they have vastly different types of merchandise, prices and clientele, which means their value proposition and business risks will look very different from each other.

These two organizations will also have very different needs when it comes to managing risk and working through disruptions. In the event of a disaster, the luxury clothing store might focus direct communications and outreach to assure their customer base they can still expect a high level of personal service, while the discount clothing store might be more concerned with maintaining their inventory database. Rather than simply relying on generic industry standards, it is critical for individual organizations to create a business continuity and risk management program that is specific to their own needs and processes.

Organizations must understand their acceptable risk tolerances and map those risks to their business processes and/or assets, measuring them based on how much the business would be impacted if a process is disrupted or an asset is compromised. By determining what risks are acceptable and what processes create a risk by being aligned to an important asset or resource, leadership can make rational decisions on the appropriate level of investment in prevention, detection, resilience or planning.

Creating an Integrated Approach

Organizations can effectively combine business continuity and risk management practices using a simple framework like the bowtie model.

Based on the preferred neckwear of high school science teachers and Winston Churchill, the bowtie model uses the left half of the bow to represent proactive controls used to mitigate the likelihood of risk events and the right half to represent reactive measures to mitigate the impact. The middle—the knot—represents a disaster event like a disruption of IT services, a warehouse fire, a workforce shortage or a supplier going out of business.

To use this model, first determine the probable disruptions to your organization through analysis of your business’s processes. Then determine the likelihood and possible causes of each disruption (the left part of the bowtie), as well as mitigation and response planning measures that can be taken on the left side to reduce the likelihood or impact of the disruption should it occur (the right part of the bowtie).

Consider as an example the disruptive event of a building fire—the “knot” in this case. How likely is it? Was the building built in the 1800s and made of flammable materials like wood, or is it newer steel construction? Are there other businesses in the same building that would create a higher risk of fire, such as a restaurant? Do employees who smoke appropriately dispose of cigarettes in the right receptacle?

Then, identify the measures that could reduce the likelihood or impact of a building fire, such as ensuring water sources and fire extinguishers are present throughout the building, testing sprinkler systems, having an alternate workspace to move to if part or all of the office is damaged, and so on.

The mitigation measures are especially key here, as they are not always captured in traditional insurance- and compliance-minded risk assessments. Understanding mitigation measures as well as the likelihood of risk events can change perspectives on how much risk an organization can take because the organization will then understand what its business continuity and response capabilities are. Mitigation provisions like being ready to move to an alternate workspace are more realistic than trying to prevent events entirely. At some point, you can accept the risk because you know how to address the impact.

A Winning Combination

Where risk management struggles is where business continuity can shine: understanding what creates shareholder value, what makes an organization unique in its industry among its competitors or peers, and how it distinguishes itself. At the same time, risk management brings a new perspective to the idea of business continuity by focusing on types of disruptions, their likelihood, and their prevention or mitigation.

To create a panoramic view of potential harm to an organization, businesses must merge the concepts of business resilience (dependencies, impacts, incident management and recovery) and risk management (assessment, controls and effectiveness) and optimize them. Bringing the two views together and performing holistic dependency mapping of the entire ecosystem allows an organization to treat risk management and business continuity as a single operational process, combining data to create actionable intelligence (based on the “information foundation” that has been created about operational impacts that may result from a wide variety of disruptions) to empower decisive actions and positive results.

By using the bowtie method to create this holistic view, organizations ensure they understand the potential impacts of various disruptions, are taking steps to mitigate the possibilities of disasters, and have prepared their responses should disasters strike.
Robert A. Sibik is senior vice president at Fusion Risk Management.