Visualizing Risk with Bowtie

Pretty good group here. Hello, everyone, and welcome. We’re so glad you could join us today. I’m John Schultz, senior market strategy lead for our GRC practice here at Origami Risk, and I’m joined here by Josh. Hi, everyone. I’m Josh Newsome, a principal sales solution architect, out of our GRC practice. Really excited on this discussion today. I work really closely with our sales service and product teams, and I think you’ll be excited to see our bowtie functionality. Great. Thanks, Josh. Before we jump in, just a couple housekeeping notes. First, we will have some time at the end of the solution showcase today to answer a few questions. So please drop those questions in the q and a box. If you want to, anonymize yourself, that would be great. That way, if we don’t get to the questions, we can follow-up with you directly. If that makes you uncomfortable asking questions, we understand. You can you can still do it anonymous. But if you make it available, then we can follow-up. If we don’t get through those, just drop those questions right into the q and a box, and we can follow-up. Also, we’re recording today’s session, and we’ll be sending it out in a couple days, so you can, follow-up, share it with your colleagues, etcetera. So we move on the next slide. With that out of the way, I’ll just really talk about, like, how excited I really am about, bow tie and spending really the next fifteen to twenty minutes walking you through, ultimately, what we think is one of the most visual and versatile tools to risk management, and that’s the the bow tie modeling that we’ll be showing here. Yeah. And and and, John, you know, for for our audience here, think whether you’re new to bow tie diagrams or just looking for a way to build out and use them, Our goal is that during this session, we’re gonna show you, you know, what the bow tie is, how how does it simplify complex risks, how does it support clear communication, how does it improve your risk and control strategy. Ultimately, you know, what’s the right way to use this tool? How should you be having a discussion? What efficiencies does it bring to maybe the way that you view risk within your organization regardless of which end of the maturity curve you you ultimately live on today? That sounds great. To that point, one of the other things we will touch on is when and why to use bowtie modeling. We’ll share some best practices, highlight key benefits that you can take back to your team. With that, I think, let’s just jump right into it. People can see the bowtie tool. Let’s go ahead and get started by diving directly into the tool. As I load the org on the platform, it’s important to note that I’ll begin this process directly in our risk register. From this risk register, I need to toggle to our top event or parent risk as part of this process. So in this scenario, I’ll take us to a cybersecurity breach due to a phishing attack, and this will be the source for the build out of our bow tie. Now as I land on my risk, of course, I’m presented with the most recent score rating of this particular risk and all of the other underlying information that we track on this particular risk. But in this scenario, I’m gonna go ahead and click on our connections toggle button, which is going to take us to a few of our visualizations. It starts by breaking out all of the underlying elements that are linked to this particular risk, things like consequences, action plans, regulations, risks. As I move beyond all of the connected elements of this particular risk, I’ll talk we’ll do our bowtie functionality. And what this bow tie functionality is going to do is represent all of the elements of of this bow tie you’ve established. As this bow tie opens up, it’s probably a good chance to just level set and define the elements of a bow tie. On the left side, we’re presented with the threats. These are ultimately the source cause of the top event or risk. So in this scenario, our primary risk being cybersecurity breach due to the phishing attack. We know the source of this might be the use or of of weak or reused passwords by employees or perhaps using outdated software and systems. As we move left to right, then we’re presented with what are our preventative and our mitigating controls. And then to the far right of our bow tie are consequences. Consequences ultimately represent what’s the result from the top event or risk if that were to occur. I’d suggest that the biggest question that we feel is what’s the differentiation between preventative and mitigating controls? Simply put, the preventative control represents what’s being done to ensure that the threat doesn’t occur. While the mitigating control on the right side of our bow tie is meant to represent, you know, an attempt to prevent the consequence from occurring. Now it’s nice to be able to see what a bow tie looks like in a in a polished sort of finalized state, but this assumes that you’ve already done this work. Let’s take a look at a different example where we can talk about how we build out this bow tie from scratch or earlier parts of this process. So I’ll take a look at a separate risk. In this case, a workplace injury due to inadequate ergonomics. So, again, in this case, I’ll take us to our connections button, and then I’ll toggle her to our bow tie. And here, we have a partially filled out bow tie. So all we’re seeing in this scenario is what do we think the the threats are. So, potentially, high workload and repetitive tasks or lack of employee awareness down to the the consequence on the right side, which is perhaps a workers’ comp claim and increased absenteeism and reduced productivity. So let’s start with how do we define what those preventative controls are. So go ahead and click the plus button on our preventative controls, and the system is going to ask me which is the parent threat or risk that I need to define. So in this case, we’ll say it’s a high workload and repetitive tasks. So the system’s gonna give me two options here. One, to select from a control that already exists within the platform or to create a a new control. Now in this particular scenario, we’re gonna build out a new control because I don’t have documented controls. I’m using the bowtie to basically build out the scenario from cradle to grave. So I’ll start by adding a new control. And for that high workload and repetitive test, let’s go ahead and say that, you know, maybe a preventative control in here would be to implement a job rotation to reduce repetitive strain. So in this scenario, we’ll go ahead and enter that in as a control name, and we’ll go ahead and save this particular form. As we do so, this bow tie will go ahead and and document that preventative control to this relevant risk. Now the same exercise can take place on the right side of the screen relative to our consequences. So if I were to take a look at our workers’ compensation claims and legal exposure, I might ask myself, how how would we mitigate this control of after the event actually occurs? Mitigate the risk to the business. So in this case, maybe we have a couple of different mitigating controls. And maybe the first is that we have some sort of reporting claims management process. So to document this, we’ll go ahead and click the button the plus button on our mitigation controls. And the system, of course, is gonna say which which consequence is this reflective upon. So we’ll pick our workers’ compensation, and we’ll click select. And much like we did before, we could define whether this control is going to be something that we select from our existing library of controls or whether it’s something that we create new. In this case, I’ll go ahead and document our clear injury reporting and claims management process, and I’ll save changes. Now if I wanted to add another control to our due to our increased absenteeism and reduced productivity, perhaps we’ll add another mitigating control here. And maybe something in place could be something like flexible work arrangements and time off policies. So in this scenario, I’ll go ahead and add another mitigating control. We’ll use increased absenteeism, create a new control, and insert that text here. Now we can start to see the building blocks of what a bow tie might tend to look like. Awesome. Thanks, Josh. I think one thing that really excites me the most about bow tie is really just how visually, appealing it is. It really shows that direct connection via a picture. You know, oftentimes, risk controls, it’s all kinda buried under layers of information that you’re kinda drilling into. And with the bowtie, you can really immediately see and understand, and really use that information, hopefully, to drive conversations, reports, risk assessments, and workshops with, those stakeholders that you’re interacting with. Yeah. Exactly, John. You know, I think this becomes especially powerful when we’re reviewing things like scenarios, you know, what are scenarios, prepping board materials, or even identifying where you have weak or missing controls. And and and to the point that you made before, I think it really facilitates better conversations. At the end of the day, a bow tie bow tie diagram really becomes almost the equivalent of a common language between risk, compliance, legal, and even, like, our operational teams. We often find that we get, you know, fewer debates and more tangible discussions about what happens next or or where are we exposed, what controls are actually working, as part of this process. For sure. Let’s talk next just about, really three proven ways that teams can use bow tie modeling in practice. We think about the first one, clarifying complex risk scenarios. Really, if you think about when you’re dealing with risks that involve multiple inputs and outcomes, Botai can really help you organize your thoughts, break it down visually, and be able to see it right in front of you. You’re not having to kind of just think through your head all all of this connects. You see it right in front of you. Second is communicating across different audiences. I think this is especially important if you think about nonrisk professionals. You know, oftentimes, you work with the business and, you know, you’re saying things or or using terms, they’re like, I don’t know what you’re saying. Like, that’s too, like, risk terminology for me. But, you know, really, the bow tie allows you to to bring in a common language. If you’re preparing for a board meeting, you’re talking to legal, you know, one of your ops team, really that frontline staff, bow tie diagram really just easily translates for them. It’s right in front. You kind of see the left hand side, you know, and kind of what feeds in. Then you can go to the right side, like, those con potential consequences and how you’re mitigating those. Just really visually easy to see and understand. And last is that, you know, the ability to facilitate planning scenarios, really thinking about the what ifs. And again, this is another great power of bow tie is really thinking about that what if. You can ask what happens if these control fails? Well, then you you really understand the potential consequence, and is there anything more that you should do and really kind of, again, benefit from that immediate visual impact? Right, John. You know, there’s definitely many different areas, you know, where Bowtie can benefit our risk teams and beyond. Let’s go ahead and, you know, take a quick look and back into the tool to see more of that what if analysis and scenario planning piece, very briefly. What’s great about this is this really plays into what if scenarios. Right? So as I build out this bow tie, I’m gonna be thinking about what are the what are the causes and what are the consequences of the parent risk event. And I look at what if scenarios in a couple of different ways. One, I might be asking myself the question, you know, what if a specific control fails? Well, if our preventative control fails and we have this parent risk, then we know that we have the potential for a consequence to occur. The second question you might ask yourself is, what if the consequence is worse than expected? So this enables for planning, you know, worst case outcomes and stress testing even things like your business continuity plans. So even as we go through the risk assessment process, the consequence yields secondary type of effort, you know, within the platform. And then finally, you know, what if our residual risk is higher due to control fatigue, you know, obsolescence, or ineffectiveness? So one of the big questions that you’re gonna be asking yourself as you try to document, you know, what are the controls that prevent the event from occurring, or what are the ones that help you recover from the event are? How well do those controls actually work? Control is only as good as how effective it is at the end of the day. Now I I think when we think about traditional risk management, most folks tend to think about what are the preventative controls. What are the things that make this event not occur? And not enough emphasis is put on what are the mitigating controls would help which help us ultimately recover from that event or lessen the impact to the organization. So as we close out the demo portion of this discussion, you know, our bowtie solution brings clarity and control to even the most complex risk scenarios. You know, bridging the gap between risk identification, control mapping, and executive level communication. So whether you’re just beginning to formalize your program or advancing towards a fully integrated risk strategy, this bowtie tool really scales to meet your maturity level. You may have a very robust system and program and be ready to implement bowtie. You may also be using bowtie very early in the new maturity curve to help you build out these controls. You know you’re doing something to mitigate risk today, but you haven’t given it the proper thought or documentation to identify what those things are and how well you’re doing that. Thanks so much, Josh. Really think that’s, such a great way to dive deep into the con into controls, have that control conversation. Like you said, it really can be used both for the more mature program and the the program that is looking to mature. So I really think that that’s a great opportunity on both sides of the maturity journey. But before we jump into our q and a, I guess, one last thing, Josh, can we just take a couple minutes to summarize the benefits of bowtie that we’ve seen today? Yeah. Absolutely, John. You know, so so out of the gate, right, simplifying complex risk landscapes. This process doesn’t need to be complicated. How do we use these tools to understand our preventative and our mitigating controls and, frankly, other ends of the spectrum, what causes that risk event, and what are ultimately the the the effects of that at the end of the day. It also allows us to visualize relationships, I I think, in a better way between our risks and our controls and our consequences. Oftentimes, we think of this from a from more of a siloed perspective, IV risk, but I don’t understand all of the upstream and downstream effects of that particular risk. And I think that brings this, your visualization, together a bit better. Also, I think we can quickly and easily identify gaps where our controls are weak, missing, or overloaded. When we think about a risk assessment or star risk identification, I think there’s opportunity for improvement to figure out where are those controls not operating as we would like them to. And if they don’t, what are the ultimate outcomes or effects to the business? What’s that leftover residual risk? There’s opportunity to collaborate better across business units and risk owners. So I think I talked about how do we communicate? How do we start this conversation? I think it’s an understated benefit of bow ties. How do you actually have these meetings and talk about the preventative and mitigating outcomes to the business? And that sort of feeds into the last one. Right? You’re communicating clearly with our executives, auditors, and non risk functions. So being able to take this information and share it with teams that help make decisions. Right? We know one of the biggest outcomes of a risk program is how does this enable us to make better decisions within our program, and I think this is a tool that supports that process. Yeah. I mean, I like to think about it really as transforming risk management from a static documentation exercise into something that really is more visual and and drives understanding and action. I think it just makes it so much easier to see it in front of you, and it’s not really all about just documenting. It’s about seeing those opportunities and doing something about them. Yeah. Exactly, John. So as we started near the end of the session today, you know, we’re about to open it up for questions to the group. So if you’re able, please make sure that you drop your questions into the questions and answer box within the tool. If you’d like to see more or explore how or how we risk and enhance your risk and controls management using this bow tie functionality or anything around the risk programs, please complete the short survey following the webinar. That helps us and allows us to be able to, you know, contact with you to schedule a personalized demo on these features that you saw today. Another question I have for you from Andrea. How do you recommend prioritizing which risks to model with Bowtie? Yeah. That’s a that’s a that’s a really good question. And I, you know, I think what I’d recommend is starting with your critical risks first. Right? So especially if you’re already having conversations or workshops running for certain areas, you think about your traditional risk reporting. You have a heat map with your top ten risks or or something of the sort to to your, risk board leadership or committees. So I think it’s easy to say to start with your critical risks first. I’d also argue that it’s a really great risk builder on the other end of the spectrum. So we find a lot of clients today, they’re asking questions of how do I get started in this process? We think we know our risk, but we don’t necessarily know all of the things that we’re doing with our preventative or mitigating controls. In fact, they’re not even identifying them as preventative or mitigating controls. So I think it I I think at the top end of the spectrum, it’s your critical risk. At the bottom end, it as a tool to help you start to build out those registers and and really create that risk presence within the business. Great. Thanks. Here’s another good one. How does this integrate with the rest of our risk and control data? Yeah. So the great thing about what you saw on Origami, you know, today, with the way that we manage the bowtie tool is that you could you could not only model your key risks, but the risk and controls and connections that you add, are are available across, every part of the ultimately, every part of the platform. So as long as you’re managing your risk and you wanna document your controls, this is ultimately available to you. And this is also, whether you’re managing these as pure risks or things like threats and hazards, the these are also compatible with, with that type of functionality as well. Awesome. Well, looks like that wraps up all of our questions for today. Thanks so much for joining. Just wanted to remember that if you didn’t get your questions out or answered, we will have a follow-up email, so you can get your questions answered then. Also, you can always follow-up with, your account manager, and they can help get you, in contact with the right information. Yep. Absolutely. And then, obviously, one last shameful plug, obviously, for the survey at the end. If you are interested in further discussions, you know, please fill that out, and our team is happy to have a conversation with you. We appreciate everybody’s time today.