Introduction
Over the years that I was involved in Risk Management, I have been fortunate to serve on several high-level Risk and Strategy committees, from Government, Corporate and Non-Profit bodies and, most of all, academic institutions (various Universities).
During one of these Tertiary Committees, one of the Professors heading up Risk Management for this elite Tertiary Institution, specifically tasked with Governance and Risk at Master of Business Administration (MBA) level, engaged me as an Industry expert with the following Question:
- Which approach will you implement to drive a business, Operational Risk or Strategic Risk?
From my point of view, this is a very easy question to answer, as strategy setting is my Forte. But for the audience around the table, this was a rather tricky question.
I want to answer this by:
- defining the two approaches,
- detailing the key characteristics of each approach,
- listing the implementation considerations,
- giving case study examples of each approach, and
- my short answer to the Professor and Committee.
Defining the two strategies of ERM
In Enterprise Risk Management (ERM) practice, including programmes built on ISO 31000:2018, the Top-Down and Bottom-Up approaches refer to different strategies for identifying, assessing, and managing risks within an organization.
Top-Down Approach
Definition: The Top-Down approach in ERM involves senior management and the board of directors setting the tone and direction for risk management.
This approach starts at the highest level of the organization, with strategic objectives and key risks being identified by top management.
The focus is on aligning risk management with the overall corporate strategy and ensuring that risk governance and oversight are effectively integrated into the decision-making processes.
Bottom-Up Approach
Definition: The Bottom-Up approach in ERM involves the identification and management of risks starting from the operational level and moving upwards.
Employees at all levels are encouraged to identify and report risks, which are then aggregated and assessed at higher management levels.
This approach fosters a risk-aware culture and ensures that detailed, operational risks are captured and managed effectively.
Key Characteristics of each Approach
Key Characteristics: Top-Down Approach
- Strategic Alignment: Ensures that risk management aligns with the organization's strategic goals and objectives.
- High-Level Oversight: Involves senior leadership in setting risk appetite and tolerance levels.
- Centralized Decision-Making: Central control over risk management processes and practices.
Key Characteristics: Bottom-Up Approach
- Detailed Risk Identification: Captures risks at the operational level, including those that may not be visible to top management.
- Employee Involvement: Encourages input from all levels of the organization, promoting a risk-aware culture.
- Decentralized Risk Management: Local or departmental risk owners manage specific risks.
Implementation Considerations
Top-Down Approach
- Suitable for organizations with a strong centralized leadership and clear strategic objectives. It ensures strategic risks are managed in alignment with corporate goals but may overlook detailed operational risks.
Bottom-Up Approach
- Effective in organizations with a strong operational focus and a need for detailed risk management. It captures a wide range of risks but may lack strategic alignment if not properly integrated with top-level oversight.
Case Study Example
Top-Down Approach
A large multinational corporation in the financial services industry adopts a Top-Down approach to ERM. The board of directors and senior executives identify key strategic risks, such as market volatility and regulatory changes.
They establish a risk management framework, including policies, procedures, and risk appetite statements.
This approach ensures that all business units align their risk management practices with the corporate strategy and that critical risks are reported and monitored at the highest levels.
Bottom-Up Approach
A manufacturing company with multiple production plants adopts a Bottom-Up approach to ERM.
Employees in each plant are trained to identify risks related to safety, equipment maintenance, and supply chain disruptions. These risks are reported to plant managers, who assess and prioritize them.
The aggregated risk information is then communicated to corporate management, who incorporate it into the broader risk management strategy.
This approach ensures that specific operational risks are managed locally, while still providing comprehensive risk oversight at the corporate level.
My personal example
For seven (7) years I was part of one of the biggest projects globally at that time. This project was multifaceted and extremely diverse in its disciplines, from the construction phase, to starting up operations of what we had constructed, to the full operation and maintenance of the system for the next 25 years.
During the setting up of the Operating Company, the CEO recruited and appointed experts in their respective fields as per the Human Resource Plan (HRP) submitted to the Client. A settling-in phase followed, and during these 12-18 months each of these Executives ran their own department individually, with their own objectives, to set that department up.
During this period the CEO and the Board were finding their feet and, to be honest, the CEO was very slow out of the blocks in leading the company. During this time the CEO and the Board were busy debating, reviewing and, in the end, approving the Company Objectives, or Strategic Objectives.
In the meantime, we as the Executives were running everything with our own half-baked objectives, based on each Executive's own knowledge base.
Then the inevitable happened. The closer we got to the opening of the Operational phase, the more the Executives were jockeying for position: whose department is the most important? The Operations Department is the core business of the Operating Company, and the Maintenance Department must keep Operations going. But then there are Human Resources, Supply Chain Management, Information Management and, specifically in this example, the Safety Department. This department was responsible for obtaining the Licence to Operate from the Registrar, and without the Licence to Operate nothing would happen.
And there we are. The Safety Department thought they were the most important, as they were in charge of the Operating Licence. But back at the ranch, it was just one spoke in the big wheel of the Company.
Reply to the Question
Any organisation starts with strategy setting: vision, mission, SWOT Analysis, PESTEL Analysis and, from these, developing the Strategic Objectives (SO).
Risk is defined in terms of ISO 31073:2022 as:
- effect of uncertainty (3.1.3) on objectives (3.1.2)
From the above, the Top-Down Approach (the Strategic Approach) is the critical path to providing a route map for the company to achieve its strategic objectives. This is what drives and creates success. Thus, every resource employed shall (a requirement) adopt the SO and make it part of their performance management.
Driving a company's objectives from Operational Risk Management (ORM) alone, in the absence of Enterprise Risk Management (ERM), creates islands and silos within the company, with each resource pulling in its own direction.
Conclusion
Both approaches have their merits, and many organizations use a combination of the two to achieve a comprehensive risk management strategy. This hybrid approach ensures that strategic and operational risks are managed effectively across all levels of the organization.
In my Case study, even at Executive level, you cannot work without Strategic Objectives. Everyone needs to be on the same page, and that page must be driven by the Company Leadership. At this level I experienced first-hand authority being wrongly assumed, and this will happen at each and every level below.
The Operational Risk Management (ORM) approach can only be implemented with clear and defined Strategic Objectives (SO) as embedded in the Enterprise Risk Management (ERM) Approach.
The tail (Operational Risk Management (ORM)) must never be allowed to wag the Dog (Company Strategy).