Coming out of the summer break we already had several very interesting sessions in our product team and with customers. We discussed approaches and capabilities for GRC platforms. So I suddenly felt the need to draw for myself a new overview how everything belongs together. There will be some new things that need to be fitted into the picture.
.png)
Where we still see room for improvement is the way how risks are identified - still the main driver is the one or other regulatory issue. This approach invariably leads to the question: "What control library should I use?" I try to encourage to break down business objectives first to identify the risks that are really endangering the success of a company - that may be but also not be regulatory risk.
One of the new things I had to fit into the picture is Bow Tie Modeling. With the next ARIS service release we expanded our modeling methodology to support this approach which allows to analyze a risk scenario in depth without loosing yourself in too much detail. Especially in risk intensive businesses like energy providers this risk analysis and description methodology has become more and more popular. The success of this diagram lies in its clear structure and simplicity which is easy for the non-specialist to understand, but still has sufficient depth for an expert discussion. The basic idea is to combine the cause (threats) with the consequence via the risk event. The diagrams main strength lies in scenarios where clear, independent paths lead to the occurrence of a risk event or consequence. They focus on controls to be established and thus form the basis for actively managing the risk situation.
I made a small example to show you how it could look like:
I'm convinced that Bow Tie modeling will offer our customers risk officers a great new way to make their risk scenarios understood by management.
As usual I appreciate any ideas and comments on this - we will elaborate on some other "new things" in the next weeks.
Hi Martin!
Thank you for your post on this topic. I am really interrested in this model, as it would perfectly fit some of my needs. I have a concern though, how would you best link this type of model with a process, like a monitoring process of installation for instance?
Maitrey, of course those two diagrams are related and both assigned to a risk but hey are not replaceable.
The bow tie goes into detail explaining the cause and effect situation of a complex risk scenario, the BCD defines the relationship between a risk and its mitigating controls and furthermore defines how a given control should be tested/assessed. Thus the BCD gives direct input to the workflows of ARIS Risk & Compliance Manager while the bow tie is more on a descriptive level.
Hope that helps.
Cheers, Martin
