I was speaking with a peer recently about the value of bow-tie diagrams and how they allow you to separate controls from mitigations and it became obvious I was using these terms in a way that needed to be explained.
Barrier-model risk methods developed in the safety and reliability world, where a hazard is defined either as a source of danger to an asset we want to protect or as a trigger of an undesirable event or accident we want to avoid. Barriers may be technical, operational or organisational and should be independent of each other. A barrier is either proactive or reactive depending on where it sits in the accident sequence.
“On the most basic level, the function of a barrier is either to prevent an action from taking place, or protect the system and the people in it from the consequences.” Erik Hollnagel, 1999 [PDF]
A bow-tie diagram is a richer barrier-analysis visualisation that combines a fault tree (on the left), showing how a particular risk scenario may occur, with an event tree (on the right), showing the likely consequences of the risk scenario should it occur.
The left-hand barriers, between the sources of the risk scenario and the scenario occurring, are preventative and proactive Controls that reduce the likelihood of the scenario. The right-hand barriers, between the risk scenario and its consequences, are reactive Mitigations that limit or reduce the consequences once the event has occurred.
There is a real benefit in stepping out of the more limited ‘Risk & Control’ lens often inherent in risk registers and moving to a more descriptive ‘Source -> Event -> Control -> Scenario -> Mitigation -> Consequence’ lens. It means we can highlight not only the likely interdependencies between the various Source -> Event -> Consequence triples that underpin each risk statement, but also the interdependencies between controls and mitigations that affect multiple risks in the environment.
Especially valuable is identifying risk scenarios that have appropriate controls focused on reducing the probability of the scenario occurring but are weak on mitigations, and the converse: a new risk in the environment that has few controls targeting it but is still covered by existing mitigations.
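As an added illustration (not code from the original post), the bow-ties for a small register can be modelled as data and then queried for exactly the two findings above: paths with too few independent barriers on either side of the event, and barriers that several risk scenarios share. The register contents and the threshold of two independent barriers per path are assumptions for the example.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class BowTie:
    """One risk scenario: the left side maps each source to its preventative
    controls, the right side maps each consequence to its reactive mitigations."""
    event: str
    sources: dict        # source -> list of control names
    consequences: dict   # consequence -> list of mitigation names


def barrier_gaps(bowties, min_barriers=2):
    """Return (event, side, path, barrier_count) for every source->event or
    event->consequence path with fewer than min_barriers independent barriers."""
    gaps = []
    for bt in bowties:
        for source, controls in bt.sources.items():
            if len(controls) < min_barriers:
                gaps.append((bt.event, "control", source, len(controls)))
        for consequence, mitigations in bt.consequences.items():
            if len(mitigations) < min_barriers:
                gaps.append((bt.event, "mitigation", consequence, len(mitigations)))
    return gaps


def shared_barriers(bowties):
    """Map each barrier to the events it protects, keeping only barriers that
    more than one bow-tie depends on (a common-mode weakness if it fails)."""
    uses = defaultdict(set)
    for bt in bowties:
        for barriers in list(bt.sources.values()) + list(bt.consequences.values()):
            for barrier in barriers:
                uses[barrier].add(bt.event)
    return {b: events for b, events in uses.items() if len(events) > 1}


# Constructed sample register (assumed for this example, not from the post)
REGISTER = [
    BowTie("Ransomware encrypts file server",
           sources={"Phishing email delivers loader": ["Mail filtering", "Attachment sandboxing", "Phishing awareness training"]},
           consequences={"Loss of business data": ["Offline backups"],
                         "Extended outage": ["Incident response playbook", "Offline backups"]}),
    BowTie("Cloud admin credentials leaked",
           sources={"Secret committed to public repo": ["Pre-commit secret scanning"]},
           consequences={"Attacker deletes cloud resources": ["Offline backups", "Incident response playbook"]}),
]

if __name__ == "__main__":
    for gap in barrier_gaps(REGISTER):
        print("gap:", gap)
    for barrier, events in shared_barriers(REGISTER).items():
        print("shared barrier:", barrier, "->", sorted(events))
```

The first finding flags the ransomware scenario as well-controlled but thin on mitigations for data loss, and the credential-leak scenario as the converse; the second shows that offline backups and the IR playbook are load-bearing for both risks.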