Risk management from top to bottom and back again!

Operational risk management has long been considered a process that simply requires businesses to review their risks through a series of management workshops. The risks are then assessed for relative consequence and likelihood, or some similar measure, and appropriate controls are documented. Management then documents any residual control weaknesses, together with either action plans to close those weaknesses or a process to accept the residual risk position. Finally, relevant key risk indicators are developed to monitor the risks and their current status.

As I stated, simple really.

Except for one major failing in this approach: it neglects the risks associated with the operation of complex individual processes, each of which can independently impact the organisation's performance. The complexity of operational risk management is that concentrating on management's understanding of the risks (the top-down view) inherently limits the true depth of risks that are identified. Almost every day you read about an organisation that has some form of failing; generally these failings are not due to some significant top-down risk, but rather to an individual step in a process failing.

Mature organisations have a risk management process that considers both the top-down and bottom-up risk assessments.

The top-down process is performed through the standard management workshop process, with a focus on those risks that “keep management awake at night” and thereby align more with the strategic objectives of the organisation.

The bottom-up process is best performed by first documenting your end-to-end business processes using some form of process flowcharting and documentation tool. From there, the business process owners, together with those who execute the process, should be engaged to document the risks associated with each step in the process. The risks should then be assessed using a standard risk assessment framework such as consequence and likelihood. Clearly, in the bottom-up process the levels should be calibrated to the importance of the process being assessed, not to the organisation as a whole. Then the controls should be identified that match the risk being mitigated. Interestingly, when you perform this type of bottom-up analysis you will find that some of the controls you previously thought were critical are actually not as critical in terms of the real risk in the process. From here, key risk indicators, or metrics, should be developed which can be monitored by management.

The next step is to reconcile the top-down and bottom-up risks and identify where unexpected bottom-up risks are not reflected in the strategic, organisation-wide risks, and of course vice versa.
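The bottom-up steps above (score each process step by consequence and likelihood, calibrate the rating bands to the importance of the process rather than the organisation, map controls to the risks they actually mitigate) and the reconciliation step can be made concrete as a small risk register. The following is an added example written for this page, not a tool or method of the author; the risk IDs, the "customer onboarding" process, its steps, the rating bands and all scores are constructed sample data, and the `linked_to` field is an assumed way of recording which top-down risk a process-step risk rolls up to.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Risk:
    risk_id: str
    description: str
    consequence: int          # 1 (negligible) .. 5 (severe), relative to the process assessed
    likelihood: int           # 1 (rare) .. 5 (almost certain)
    source: str               # "top-down" (management workshop) or "bottom-up" (process step)
    process_step: str = ""    # populated for bottom-up risks only
    controls: List[str] = field(default_factory=list)
    linked_to: Optional[str] = None   # assumed field: top-down risk this step-level risk rolls up to

    @property
    def score(self) -> int:
        return self.consequence * self.likelihood


# Rating bands calibrated to the importance of the process, not the organisation as a whole:
# a critical process tolerates a lower score before a step-level risk is called "medium" or "high".
RATING_BANDS: Dict[str, List[Tuple[int, str]]] = {
    "critical": [(6, "low"), (12, "medium"), (25, "high")],
    "standard": [(9, "low"), (16, "medium"), (25, "high")],
}


def rate(risk: Risk, process_importance: str = "standard") -> str:
    """Return the rating label for a risk under the bands of the given process importance."""
    for ceiling, label in RATING_BANDS[process_importance]:
        if risk.score <= ceiling:
            return label
    raise ValueError(f"score {risk.score} outside the 1..25 consequence x likelihood range")


def reconcile(top_down: List[Risk], bottom_up: List[Risk]) -> Dict[str, List[str]]:
    """Find bottom-up risks not reflected in any strategic risk, and strategic risks
    with no process-level risk rolling up to them (the 'vice versa' case)."""
    td_ids = {r.risk_id for r in top_down}
    covered = {r.linked_to for r in bottom_up if r.linked_to}
    return {
        "unlinked_bottom_up": [r.risk_id for r in bottom_up if r.linked_to not in td_ids],
        "uncovered_top_down": sorted(td_ids - covered),
    }


def control_exposure(bottom_up: List[Risk]) -> List[Tuple[str, int]]:
    """Rank controls by the total inherent risk score they mitigate, so a control thought
    to be critical can be compared with the real risk it actually addresses."""
    totals: Dict[str, int] = {}
    for r in bottom_up:
        for c in r.controls:
            totals[c] = totals.get(c, 0) + r.score
    return sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))


# Constructed sample registers (illustrative only).
TOP_DOWN = [
    Risk("TD-1", "Regulatory breach in customer due diligence", 5, 2, "top-down"),
    Risk("TD-2", "Loss of key customers", 4, 2, "top-down"),
    Risk("TD-3", "Customer data breach", 5, 3, "top-down"),
]
BOTTOM_UP = [  # process: customer onboarding, assessed as a critical process
    Risk("BU-1", "ID documents accepted without checking expiry", 3, 4, "bottom-up",
         "identity verification", ["manual ID review"], linked_to="TD-1"),
    Risk("BU-2", "Customer details keyed against the wrong account", 2, 4, "bottom-up",
         "data entry", ["maker-checker review"]),
    Risk("BU-3", "Scanned IDs stored on a shared drive with broad access", 4, 3, "bottom-up",
         "document storage", ["access review"], linked_to="TD-3"),
    Risk("BU-4", "Welcome pack emailed to the wrong address", 2, 3, "bottom-up",
         "welcome email", ["maker-checker review"]),
]


def process_ratings(bottom_up: List[Risk], process_importance: str) -> Dict[str, str]:
    return {r.risk_id: rate(r, process_importance) for r in bottom_up}


if __name__ == "__main__":
    print("ratings (critical process):", process_ratings(BOTTOM_UP, "critical"))
    print("ratings (if wrongly calibrated to 'standard'):", process_ratings(BOTTOM_UP, "standard"))
    print("reconciliation:", reconcile(TOP_DOWN, BOTTOM_UP))
    print("controls by real risk addressed:", control_exposure(BOTTOM_UP))
```

Running it shows the two outcomes the text describes: BU-2 and BU-4 are step-level risks that no strategic risk accounts for, while TD-2 is a strategic risk with nothing in the process register rolling up to it. The control ranking also shows that the unglamorous maker-checker review carries more of the process's real risk than the ID review that management might have named as the critical control, and the same data entry risk rates "medium" under bands calibrated to a critical process but only "low" if the organisation-wide bands were applied.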

Organisations that successfully perform both the top-down and the bottom-up analysis will find that they better understand their risks across the organisation, and also where they can perhaps create efficiency improvements and even strategic advantage. Risk management is not about the process but about the outcome for the organisation, so that it can achieve its strategic goals through solid business management.


Scott North has extensive experience in enterprise risk management, internal audit, operational risk and compliance, risk strategy, scenario planning, technology risk, technology business analysis, systems design, financial accounting, and management accounting. Scott is a Fellow of the Australian Institute of Chartered Accountants with a Masters Degree from the University of Melbourne in Business and Information Technology. Scott is also a Fellow of the University of Melbourne.
