top of page

Mapping KPI, KRI, and KCI to the Bowtie Risk Model

Updated: Sep 22

A Guide to Evaluating Risk Performance and Effectiveness

Mapping KPI, KRI, and KCI to the Bowtie Risk Model
Mapping KPI, KRI, and KCI to the Bowtie Risk Model


To proactively contend with risks associated with meeting obligations, companies rely on Key Performance Indicators (KPIs), Key Risk Indicators (KRIs), and Key Control Indicators (KCIs). Integrating these essential metrics into the Bowtie Risk Model offers a powerful framework for evaluating their performance and effectiveness.

This article will delve into the process of mapping KPIs, KRIs, and KCIs to the Bowtie Risk Model to optimize risk management strategies and enhance overall performance.

Understanding the Bowtie Risk Model

The Bowtie Risk Model is a visual and qualitative risk analysis tool that provides a clear and comprehensive representation of risk scenarios. It consists of several key components:

  • Hazard: The potential source of harm or adverse event that may lead to unwanted consequences.

  • Threats: Specific events or circumstances that can trigger the hazard and escalate the risk.

  • Top Event: The central risk event that occurs when the hazard is triggered by a threat.

  • Consequences: The potential outcomes and impacts resulting from the top event.

  • Preventative Barriers: Measures in place to prevent the hazard from being triggered.

  • Mitigative Barriers: Measures aimed at reducing the severity of consequences if the top event occurs.

Mapping KPI, KRI, and KCI to the Bowtie Risk Model

  1. Identify Relevant Metrics: Start by identifying the most relevant KPIs, KRIs, and KCIs for the specific risk scenario. These indicators should align with the organization's objectives, risk appetite, and regulatory requirements.

  2. Align KPIs with Consequences: Map the KPIs to the potential consequences of the top event. For example, if one of the consequences is a financial loss, the relevant financial KPIs could include impacts to revenue growth, cost control, or profitability.

  3. Map KRIs to Threats: Associate the KRIs with the identified threats in the Bowtie Risk Model. KRIs should act as early warning signals to detect potential threats before they escalate into top events. For instance, if one of the threats is a cybersecurity breach, relevant KRIs could include the number of unauthorized access attempts or malware detection rate.

  4. Connect KCIs to Barriers: Link the KCIs to the preventative and mitigative barriers in the Bowtie Risk Model. KCIs serve as indicators of the effectiveness of the control measures put in place to prevent and mitigate risks. If one of the preventative barriers involves employee training, relevant KCIs could include the percentage of employees who have completed the training or the number of observed near misses.

Evaluating Performance and Effectiveness

Once the mapping of KPIs, KRIs, and KCIs to the Bowtie Risk Model is complete, organizations can evaluate their performance and effectiveness in risk management through the following steps:

  • Data Collection: Gather relevant data for each indicator from various sources such as performance reports, risk assessments, incident logs, and compliance audits.

  • Data Analysis: Analyze the collected data to assess the performance of KPIs, the trends in KRIs, and the effectiveness of KCIs in meeting the objectives and mitigating risks.

  • Benchmarking: Compare the performance of KPIs, KRIs, and KCIs against established benchmarks or industry standards to gain insights into how well the organization is managing risks relative to its peers.

  • Continuous Improvement: Identify areas where KPIs, KRIs, and KCIs fall short of expectations and use this information to develop targeted improvement strategies. Regularly update and refine the Bowtie Risk Model and associated indicators to stay aligned with changing business conditions and risk profiles.


Integrating Key Performance Indicators (KPIs), Key Risk Indicators (KRIs), and Key Control Indicators (KCIs) into the Bowtie Risk Model presents organizations with a robust framework to evaluate risk management performance and effectiveness. By mapping these indicators to the relevant components of the Bowtie model, companies can gain valuable insights into their risk landscape, identify potential weaknesses, and enhance their risk management strategies. This proactive approach ensures that organizations are well-prepared to navigate uncertainties, minimize threats, and achieve sustainable success in an ever-evolving business environment.

bottom of page