Attaching measures

Measures are the barriers that either prevent risks from occurring or limit their impact. In the bow-tie, you attach them directly to connection lines. Access the bow-tie view from the Bow-tie tab on any risk detail page.

Prevention and mitigation

Where you place a measure determines its role. Measures on the left side prevent the risk from happening. Measures on the right side reduce the damage if it does.

Prevention measures

Attach prevention measures to Cause to Risk connections. Click on the connection line between a cause and the risk event, then select "Add Measure" to attach a preventive barrier.

Goal: Reduce the probability of the risk occurring.

Mitigation measures

Attach mitigation measures to Risk to Effect connections. Click on the connection line between the risk event and an effect, then select "Add Measure" to attach a mitigation barrier.

Goal: Reduce the impact if the risk occurs.

How to attach a measure

Connection-based attachment

  1. Click on the connection line between a cause and the risk (prevention) or between the risk and an effect (mitigation).
  2. Select "Add Measure" from the context menu.
  3. Fill in the measure details: title, owner, due date, status, and effectiveness rating.
  4. The measure appears as a barrier on that connection line in the diagram.

Measure properties

Every measure has five properties. Fill them in when you create the measure, then update them as implementation progresses.

  • Title: Name of the measure or action
  • Owner: Person responsible for implementation
  • Due Date: Target completion date
  • Status: Not Started, In Progress, Complete
  • Effectiveness: How effective the measure is at reducing risk (High, Medium, Low)

Example: data breach with measures

Here is a complete bow-tie for a data breach risk. Prevention measures sit on the left between causes and the risk event. Mitigation measures sit on the right between the risk event and effects.

[Bow-tie diagram: DATA BREACH]

Prevention Measures (between each cause and the risk)

  • Phishing Attack: Security Training, Email Filtering
  • Unpatched Software: Patch Management
  • Lost Device: Device Encryption, Remote Wipe

Risk: DATA BREACH

Mitigation Measures (between the risk and each effect)

  • Financial Loss: Incident Response
  • Reputation Damage: PR Crisis Plan
  • Legal Liability: Legal Counsel

Prevention measures (left side)

  • Security awareness training reduces likelihood of successful phishing.
  • Automated patch management reduces the vulnerability window.
  • Device encryption protects data on lost devices.
  • Remote wipe policy enables rapid response to device loss.

Mitigation measures (right side)

  • Incident response plan ensures rapid, coordinated response.
  • PR crisis plan protects reputation through communication.
  • Legal counsel manages liability and compliance.
  • Cyber insurance transfers financial impact.

Practical example: supply chain disruption

This bow-tie shows a supply chain disruption risk with prevention measures on the left and mitigation measures on the right. Notice how each connection line has at least one barrier.

[Bow-tie diagram: SUPPLY CHAIN DISRUPTION]

Prevention Measures (between each cause and the risk)

  • Supplier Bankruptcy: Supplier Monitoring, Multiple Sources
  • Natural Disaster: Geographic Diversity, BCP Plans
  • Quality Issues: Incoming Inspection, Supplier Audits

Risk: SUPPLY CHAIN DISRUPTION

Mitigation Measures (between the risk and each effect)

  • Production Delays: Safety Stock, Alt Suppliers
  • Revenue Loss: Insurance, Force Majeure
  • Reputation Damage: Recall Plan, Customer Comms

Prevention measures in action

  • Supplier monitoring: early warning of financial issues.
  • Multiple sources: no single point of failure.
  • Geographic diversity: protects against regional disasters.
  • Incoming inspection: catches quality issues early.

Mitigation measures in action

  • Safety stock: buffer against short-term disruption.
  • Alternative suppliers: quick switch capability.
  • Insurance: financial protection.
  • Customer communication: protects relationships.
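
The rule that each connection line has at least one barrier can be checked outside the diagram. The following Python is an added example, not code from the product: it models the data breach bow-tie above with the five measure properties and reports connection lines that have no barrier, no completed Medium or High barrier, or an overdue measure. The Measure and Connection classes, the audit function, the coverage policy, and all owners, dates, statuses and ratings are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from datetime import date

@dataclass
class Measure:
    title: str
    owner: str
    due: date
    status: str         # Not Started, In Progress, Complete
    effectiveness: str  # High, Medium, Low

@dataclass
class Connection:
    side: str           # "prevention" (cause to risk) or "mitigation" (risk to effect)
    endpoint: str       # name of the cause or effect
    measures: list = field(default_factory=list)

def audit(connections, today):
    """Return (side, endpoint, finding) for every connection with a weak barrier."""
    findings = []
    for c in connections:
        if not c.measures:
            findings.append((c.side, c.endpoint, "no barrier attached"))
        # Assumed policy: a line is covered once one Complete, non-Low measure is on it.
        elif not any(m.status == "Complete" and m.effectiveness != "Low" for m in c.measures):
            findings.append((c.side, c.endpoint, "no completed Medium/High barrier"))
        for m in c.measures:
            if m.status != "Complete" and m.due < today:
                findings.append((c.side, c.endpoint, f"overdue: {m.title}"))
    return findings

# Constructed sample: titles from the data breach bow-tie; other values invented, Legal Counsel omitted.
TODAY = date(2025, 6, 1)
BOWTIE = [
    Connection("prevention", "Phishing Attack", [
        Measure("Security Training", "owner-a", date(2025, 3, 1), "Complete", "Medium"),
        Measure("Email Filtering", "owner-b", date(2025, 5, 1), "In Progress", "High")]),
    Connection("prevention", "Unpatched Software", [
        Measure("Patch Management", "owner-b", date(2025, 9, 1), "Not Started", "High")]),
    Connection("prevention", "Lost Device", [
        Measure("Device Encryption", "owner-c", date(2025, 2, 1), "Complete", "High")]),
    Connection("mitigation", "Financial Loss", [
        Measure("Incident Response", "owner-a", date(2025, 4, 1), "Complete", "High")]),
    Connection("mitigation", "Reputation Damage", [
        Measure("PR Crisis Plan", "owner-d", date(2025, 8, 1), "In Progress", "Medium")]),
    Connection("mitigation", "Legal Liability"),
]

for row in audit(BOWTIE, TODAY):
    print(*row, sep=" | ")
```

A measure that is attached but still Not Started or In Progress shows up here as a gap, which the diagram alone does not make visible.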
