What a Bow-Tie Diagram Actually Tells You

The Cascade No One Mapped

Lehman Brothers did not fail because of credit risk. It did not fail because of liquidity risk, or market risk, or operational risk. It failed because all of them crystallised simultaneously, each amplifying the others in a chain reaction that no individual risk assessment had captured.[1]

The mortgage-backed securities were in the credit risk inventory. Leverage was monitored. Liquidity was reported. Counterparty exposure was tracked. But each was assessed individually, in its own silo, using its own models, reported to its own committee. No one had mapped the causal chains between them. The result was $639 billion in assets at bankruptcy filing, a 30:1 leverage ratio, and the largest bankruptcy in American history.

The information was available. What was missing was the methodology to connect it. That is what a bow-tie diagram is for.

The Problem with Most Bow-Ties

If you have worked in risk management for more than a year, you have probably seen a bow-tie diagram. Causes on the left, a risk event in the centre, consequences on the right, with some controls drawn as vertical bars across the pathways. ISO 31010 catalogues bow-tie analysis as a standard risk assessment technique.[2] It is taught in every risk management certification. And in most banks, it is either not used at all or used badly.

The failures fall into two categories.

Too simplistic. The bow-tie is drawn at a desk by a risk analyst who has never spoken to the people who actually manage the risk. The causes are generic — "market downturn," "system failure," "human error." The controls are listed as present. Their effectiveness is assumed. The diagram looks professional, gets filed, and tells the Board nothing it didn't already know. This is compliance theatre with better graphics.

Too complex. The bow-tie attempts to capture every possible cause, every control, every consequence for a broadly defined risk. The result is a wall-sized diagram that no one reads, no one updates, and no Board member can interpret in the five minutes they have before the next agenda item. It becomes wallpaper.

Both failures share the same root cause: the bow-tie is treated as a documentation exercise rather than an analytical tool. The question is not whether the diagram looks complete. The question is whether it tells you something you didn't already know about how the risk works.

The Three Things a Useful Bow-Tie Shows

A well-constructed bow-tie answers three questions for the reader — whether that reader is a risk practitioner designing controls or a Board member reviewing the institution's principal risk report:

What could cause this? The specific causal pathways, not categories.
What is supposed to stop it — and what could make those stops fail? The controls and their vulnerabilities.
If it happens, what are the consequences — and what limits the damage? The full range of impacts and recovery mechanisms.

That second point — what could make the controls fail — is what separates a useful bow-tie from a decorative one. It is called the escalation factor layer, and most implementations either omit it entirely or treat it as an afterthought.

Escalation factors: the layer that matters most

A credit limit is a preventive barrier. But if the limit can be overridden by a single individual without independent approval, that override authority is an escalation factor. A collateral requirement is a preventive barrier. But if the collateral is correlated with the underlying exposure — as it was in many pre-2008 structured products — that correlation is an escalation factor.[3]

Escalation factors force the institution to examine not just whether controls exist, but whether the conditions under which those controls would fail have been identified and addressed. Without this layer, a bow-tie is simply a risk-and-control register in a different shape.

What Lehman's bow-tie would have revealed

Consider what a bow-tie analysis of Lehman's credit concentration risk would have made visible. On the left side, the causes: mortgage market deterioration, mark-to-market accounting requirements on illiquid positions, a leverage ratio creating a thin capital buffer. The preventive barriers: position limits, VaR monitoring, stress testing, capital adequacy reporting.[4]

Now the escalation factors. Repo 105 transactions were temporarily removing $50 billion in assets from the balance sheet at each quarter-end — a mechanism that actively undermined the capital adequacy barrier by concealing the true leverage ratio. The escalation control — independent verification of reported leverage — was absent.

On the right side, the consequences would cascade across every dimension: financial (direct losses on $85 billion in RMBS), regulatory (capital adequacy breach, supervisory intervention), reputational (counterparty confidence collapse), and operational (inability to roll short-term funding). The mitigating barriers — access to Federal Reserve facilities, potential acquisition by a stronger institution — would have been assessed as uncertain at best.

The bow-tie would have made visible what individual risk assessments concealed: the causal chain from credit concentration through leverage to liquidity to institutional collapse was not a remote scenario. It was a mapped pathway with identified control gaps. None of this required information that was unavailable. The positions were known. The leverage was reported. The Repo 105 transactions were documented. What was missing was the systematic methodology to connect these individually known facts into a coherent picture.

AIG: what the right side reveals

The left side of a bow-tie maps causes and prevention. The right side maps what happens when prevention fails. AIG's credit default swap portfolio illustrates why the right side matters as much as the left.

AIG knew it was selling CDS. The counterparties were documented. The notional exposure was calculable. The failure was single-dimensional assessment: one score, calibrated to benign historical data, producing a near-zero risk rating for what turned out to be the largest risk event in insurance history.[5]

A bow-tie built with a four-dimensional consequence framework — financial, regulatory, reputational, and operational impacts — would have shown a different picture. The regulatory dimension alone (collateral call triggers upon ratings downgrade, potential government intervention) would have scored at least Major. The reputational dimension would have scored Extreme. The controls against a systemic CDS crystallisation scenario were effectively non-existent: no hedging programme, no collateral reserve adequate for a mass downgrade, no pre-positioned liquidity for collateral calls at scale. And the speed-of-onset was immediate — triggered by ratings action, not by actual defaults.

The $85 billion Federal Reserve bailout that followed was not a failure of risk identification. It was a failure of risk architecture — no one had mapped the full consequence chain through all four dimensions. A bow-tie would have forced that mapping.

What Good Looks Like

A bow-tie is not for every risk. It is resource-intensive. Each diagram requires facilitated sessions with risk owners, control owners, and relevant specialists. You do not build one from a desk. The methodology requires bow-ties for the institution's five to ten most critical risks — typically those identified as propagation nodes in the risk interaction matrix or that received extreme ratings on any assessment dimension.[6]

Build from facilitated sessions, not desk analysis

The content of a bow-tie comes from the people who understand the risk: traders, operations managers, technology specialists, compliance officers, and risk analysts. The Risk Identification Lead facilitates, using structured prompts that mirror the SWIFT methodology — systematic coverage, challenge encouraged, dissent drawn out.[7]

This matters because the most valuable contributions often come from the quietest participants. When a risk is identified, the facilitator should ask: Who disagrees? What am I missing? What is the alternative view? Managing dominant voices and drawing out dissent is the craft that separates a process that works from one that merely exists on paper.

Define the risk event precisely

The risk event sits at the centre of the diagram. It must be defined precisely — not "credit risk" but "counterparty default on OTC derivative portfolio exceeding $500 million net exposure." Precision matters because the causes and consequences change depending on how the event is specified. A vaguely defined centre produces vague causes, vague controls, and a diagram that communicates nothing useful.

Map four-dimensional consequences

On the right side, every consequence should be assessed across four dimensions: financial, regulatory, reputational, and customer/operational. This prevents the single-dimensional scoring failure seen at AIG and elsewhere. A major counterparty default has regulatory consequences (reporting obligations, supervisory attention, potential enforcement action), reputational consequences (market confidence, counterparty willingness to trade), and operational consequences (service disruption if the counterparty provides critical services) — not just a loss figure.

Keep them alive

Bow-tie diagrams for the top risks must be maintained as living documents, with barriers and escalation factors reassessed as controls change. The risk profile for each material risk references the bow-tie, recording the date of the most recent review, the key findings, and any barrier weaknesses identified. A bow-tie drawn once and filed is worth less than no bow-tie at all, because it creates false confidence that causal analysis has been done.[8]

Why the Board Needs This

A heatmap plots individual risks as points on a two-dimensional grid. It does not show how controls fail. It does not show cascade pathways. It does not show whether the institution's assessment of a risk is based on ten years of loss data or one person's guess in a workshop.

A bow-tie serves a dual purpose. For risk practitioners, it provides the granular causal analysis that informs control design and testing. For the Board, it provides a visual summary that communicates the full risk architecture of a critical risk in a single page. A Board member looking at a well-constructed bow-tie can immediately see what could cause the risk event, what is supposed to prevent it, what could make those preventive controls fail, what happens if prevention fails, and what limits the damage.

That is more information than any heatmap has ever communicated. And it is the information the Board actually needs to challenge whether the institution's controls are adequate — which is, after all, what governance requires.[9]

What To Do Monday Morning

Pick one risk. Choose the single risk your institution worries about most. Not the full inventory — one risk. Build the first bow-tie for that risk as a pilot. The Lehman and AIG examples above give you the structure.
Define the centre precisely. Write the risk event as a specific scenario, not a category. "Counterparty default on OTC derivatives exceeding $500m net exposure" works. "Credit risk" does not. If you cannot define the centre in one sentence, the scope is too broad.
Facilitate, don't delegate. Convene a two-hour session with the risk owner, the relevant control owners, and at least one dissenting voice — someone who sees the risk differently. Do not assign the bow-tie to an analyst working alone at a desk. The value is in the conversation, not the diagram.
Insist on escalation factors. For every preventive barrier on the left side, ask: under what conditions does this control fail? If the answer is "it doesn't fail," you have not asked the right people. Every control has failure conditions. A credit limit fails when overrides are permitted. Collateral fails when it is correlated with the exposure. VaR fails when the model assumptions no longer hold. Map these explicitly.
Present it to the Board. Take the completed bow-tie for your most critical risk and present it alongside your existing heatmap. Ask Board members which format tells them more about the risk. The answer will make the case for you.

Sources & References

Valukas, A., Report of the Examiner, In re Lehman Brothers Holdings Inc., U.S. Bankruptcy Court, Southern District of New York, March 2010. Volumes 1 and 3 detail the interconnection of credit, leverage, and liquidity risks and the Repo 105 programme.
ISO 31010:2019, Risk management — Risk assessment techniques, Section B.21 (Bow tie analysis), pp. 81–84.
Financial Crisis Inquiry Commission, The Financial Crisis Inquiry Report, January 2011. Extensively documents collateral correlation failures across structured products and the breakdown of preventive controls at multiple institutions.
Lehman Brothers held $85 billion in RMBS and a $111 billion total real estate portfolio at a 30:1 leverage ratio, with Repo 105 transactions temporarily removing $50 billion in assets from the balance sheet at each quarter-end. See Valukas Report, Volume 3.
AIG Financial Products had written credit default swaps with a notional value exceeding $500 billion. The $85 billion Federal Reserve bailout followed ratings downgrades that triggered collateral calls the firm could not meet. See FCIC Report, Chapter 19.
ISO 31000:2018, Risk management — Guidelines, Section 6.4.3: requires consideration of "knock-on effects of particular consequences, including cascade and cumulative effects" — the analytical work that bow-tie diagrams formalise.
ISO 31010:2019, Annex B.7 (SWIFT — Structured What-If Technique). SWIFT provides the facilitated questioning methodology that feeds bow-tie construction.
ISO 31010:2019, Section 4.7 (Documentation): requires that risk assessment outputs be maintained and updated as context changes, with the basis for assessments transparently recorded.
BCBS, Corporate Governance Principles for Banks (BCBS 328), July 2015, Principle 7: the Board must receive sufficient information to understand the bank's risk profile, including risk identification outputs, and must be able to challenge management's risk assessments.