Attaching measures

Measures are the barriers that either prevent risks from occurring or limit their impact. In the bow-tie, you attach them directly to connection lines. Access the bow-tie view from the Bow-tie tab on any risk detail page.

Prevention and mitigation

Where you place a measure determines its role. Measures on the left side prevent the risk from happening. Measures on the right side reduce the damage if it does.

Prevention measures

Attach to Cause-to-Risk connections. Click the + Add measure button on the line between a cause and the risk event to attach a preventive barrier.

Goal: Reduce the probability of the risk occurring.

Mitigation measures

Attach to Risk-to-Effect connections. Click the + Add measure button on the line between the risk event and an effect to attach a mitigation barrier.

Goal: Reduce the impact if the risk occurs.

How to attach a measure

Connection-based attachment

  1. Locate the connection line between a cause and the risk (prevention) or between the risk and an effect (mitigation).
  2. Click the + Add measure pill button on that line. Lines with existing measures also show a compact + icon you can click to add another.
  3. Fill in the measure details in the modal: title, owner, due date, status, and expected effectiveness.
  4. Save to attach the measure. It appears as a barrier on that connection line in the diagram.

Measure properties

Every measure has five properties. Fill them in when you create the measure, then update them as implementation progresses.

  • Title: Name of the measure or action
  • Owner: Person responsible for implementation
  • Due Date: Target completion date
  • Status: Open or Closed (use the Progress slider for in-flight work)
  • Effectiveness: Expected risk reduction (0–100%) when the measure is fully implemented

Example: data breach with measures

Here is a complete bow-tie for a data breach risk. Prevention measures sit on the left between causes and the risk event. Mitigation measures sit on the right between the risk event and effects.

[Diagram: bow-tie for the risk DATA BREACH. Causes: Phishing Attack, Unpatched Software, Lost Device. Prevention measures: Security Training, Email Filtering, Patch Management, Device Encryption, Remote Wipe. Mitigation measures: Incident Response, PR Crisis Plan, Legal Counsel. Effects: Financial Loss, Reputation Damage, Legal Liability.]

Prevention measures (left side)

  • Security awareness training reduces likelihood of successful phishing.
  • Automated patch management reduces the vulnerability window.
  • Device encryption protects data on lost devices.
  • Remote wipe policy enables rapid response to device loss.

Mitigation measures (right side)

  • Incident response plan ensures rapid, coordinated response.
  • PR crisis plan protects reputation through communication.
  • Legal counsel manages liability and compliance.
  • Cyber insurance transfers financial impact.

Practical example: supply chain disruption

This bow-tie shows a supply chain disruption risk with prevention measures on the left and mitigation measures on the right. Notice how each connection line has at least one barrier.

[Diagram: bow-tie for the risk SUPPLY CHAIN DISRUPTION. Causes: Supplier Bankruptcy, Natural Disaster, Quality Issues. Prevention measures: Supplier Monitoring, Multiple Sources, Geographic Diversity, BCP Plans, Incoming Inspection, Supplier Audits. Mitigation measures: Safety Stock, Alt Suppliers, Insurance, Force Majeure, Recall Plan, Customer Comms. Effects: Production Delays, Revenue Loss, Reputation Damage.]

Prevention measures in action

  • Supplier monitoring: early warning of financial issues.
  • Multiple sources: no single point of failure.
  • Geographic diversity: protects against regional disasters.
  • Incoming inspection: catches quality issues early.

Mitigation measures in action

  • Safety stock: buffer against short-term disruption.
  • Alternative suppliers: quick switch capability.
  • Insurance: financial protection.
  • Customer communication: protects relationships.
