Skip to content

Top-down or bottom-up risk management: Why not both?

A prospective customer recently asked us how we thought about enterprise risk management – in particular, whether our software took a top-down approach to ERM, or considered a more silo-first bottom-up approach. But why not both? Everyone is a risk manager, and we should enable everyone in the organisation to contribute to effective risk management.

In this blog we explore:

  • The difference between top-down and bottom-up approaches to risk management
  • How they can be joined together
  • How effective tools enable you to do both

Subscribe to our knowledge hub to get practical resources, eBooks, webinar invites and more showing the latest developments in risk, resilience and compliance, direct to your inbox:

Subscribe now

The top-down approach

Usually we’d expect ERM to focus on top-down. The clue is in the ‘E’ – it’s about the enterprise. This can range from single entities operating alone, to multi-entity groups across a region, to global conglomerates. The purpose of ERM is to manage risks to the enterprise as a whole. This is typically supported by the following elements:

  • Considers the strategy and top objectives of the organisation
  • Considers strategic and operational risks that affect those objectives
  • Defines the risk appetite or acceptable amount of risk in pursuit of those objectives
  • Has a centralised risk function and framework to enable the organisation to continuously monitor and assess its key risks, identify emerging threats, and allocate resources appropriately

The key to the top-down approach is tone at the top. If there isn’t sufficient buy-in at the executive level, then a complete enterprise view of risk may not be achieved, potentially leading to critical risks slipping through cracks in the silos.

The bottom-up approach

This approach prioritises risk management practices from an operational level, within an individual business unit or department. Risk assessments only consider the objectives to the business unit, or perhaps organisational objectives to the extent that they are relevant to the business unit. Even where all business units are following the same process, if they are only considering risks within their own business unit, it doesn’t take into account the entire picture.

If we start from the bottom and start our way up, we can aggregate risk assessments and data if common practices are applied. This may help identify some common risks, or trends over time, across the organisation. If done effectively enough, it may even enable benchmarking, allowing effective controls or approaches to be adopted elsewhere in the organisation.

The biggest negative of the bottom-up approach is that, by its nature, it usually ignores strategic risks altogether. There may also be some operational risks that may also be overlooked, particularly if business services your customers rely on are supported by multiple business units. It may lead to systemic risks that are identified but largely ignored as the effect on any individual business unit might be considered insignificant (or somebody else’s problem).

How they can be joined together

Going back to the original question of whether to adopt a top-down or bottom-up approach, ideally you adopt the best of both worlds. This leverages the capability and capacity of your people to think about objectives and risks appropriate to their role in the organisation, and either escalate information upwards or cascade information downwards.

Cascading objectives and risks

ERM considers risks to the organisation’s top objectives. Depending on the size and structure of the organisation, those objectives may then be cascaded down further into the organisation, whether to individual entities within a group, or down to divisional or business unit level. When risks to those cascaded objectives are identified and assessed, they are intrinsically linked to the enterprise objectives.

Common risk taxonomies, and risk appetite categories

Risks may be identified at the enterprise level but have different implications across different parts of the organisation. Having a centralised risk taxonomy and common risk appetite categories can allow business units to consider their specific risks, but then link them to the bigger picture.

A lack of a risk taxonomy can result in similar risks across the organisation being captured with different names, or even capturing issues that aren’t really risks.

Cascading metrics

Risk metrics with thresholds are a great way to monitor risks for change over time and that they remain within the organisation’s appetite. This can be applied with a pure bottom-up approach, where metrics are defined for each business unit independently. This can lead to completely different metrics across business units for similar risks. Even for similar metrics, the definition for how it is captured may still differ.

If key risk indicators are defined at the enterprise level, these can then be cascaded down and adapted to individual business units. A common approach then allows the same metric to be captured for each business unit, as well as enabling an aggregated view. This can highlight whether there are systemic issues that need to be considered by Executive or the board, or isolated issues that can be addressed by management.

This can be supported by the more ‘bottom-up’ approach of monitoring metrics specific to a business unit’s objectives and risks, where more flexibility can be afforded.

Speak-up culture

People on the frontline are often the first to identify evolving risks, issues, or control weaknesses that can escalate into larger issues if they are not managed. Sometimes those people don’t understand the full implications of those issues. A strong bottom-up reporting process, enabled by the appropriate speak up culture, allows all staff to report these issues. They can then be escalated to someone who can view those issues (individually or as trends) to consider how they might impact the bigger picture.

Conclusions and next steps for your organisation

A dynamic risk profile helps bring both the top-down and bottom-up approaches together. It considers the whole range of range processes that you might employ: risk assessments, controls assurance, key risk indicators, incident data, and more. This is an important design feature of our Protecht ERM software, where it is referred to as Risk In Motion.

By using risk taxonomies and common language, risk teams operating at the enterprise level can review risks in the aggregate, and review them at different levels of the organisation, including drilling down into individual business units to see how they are contributing to the overall risk profile. At the other end of the spectrum, as risk data is updated in real-time at the business unit level, it is reflected in a change to the overall risk profile – thus dynamic.

To find out more about Protecht’s views on enterprise risk management and on enterprise versus siloed approaches, download our free Enterprise risk management: What does it actually mean to manage risk effectively across the enterprise? eBook. The eBook explains how ERM provides you with a greater level of consistency in managing risk, and as a result, a greater level of understanding and resulting engagement from your staff.

Download it now to get a comprehensive view of what true enterprise risk management is, and how it addresses the inherent problems in the traditional, siloed non-enterprise approach:

Find out more

About the author

Michael is passionate about the field of risk management and related disciplines, with a focus on helping organisations succeed using a ‘decisions eyes wide open’ approach. His experience includes managing risk functions, assurance programs, policy management, corporate insurance, and compliance. He is a Certified Practicing Risk Manager whose curiosity drives his approach to challenge the status quo and look for innovative solutions.