The approach and focus of risk management at many firms – small and large – often swings between looking at top-down, enterprise-wide, strategic risks to looking at more micro, bottom-up identified risks.
Sometimes organizations only focus on bottom-up risks. Extensive reporting may be produced detailing very specific risk categories such as workplace health and safety or regulatory compliance. The focus of discussions at the board or executive table can often be exclusively on these risks.
In other organizations, there may only be a focus on strategic risks. This is on the assumption that other business risks – be they financial or operational – are well managed and don’t present a threat to the financial or business success of the organization.
Both approaches have their place in a well-defined and documented risk management framework or strategy. It is essential to adopt both a top-down and bottom-up approach. Organizations need to devote time and resources to periodically undertaking risk assessments and reviews using both techniques.
The most effective way to undertake a comprehensive risk identification and assessment exercise is as follows:
- Start with the bottom-up exercise first. Leverage off any existing management reporting or analysis to assist this
- Identify the key ‘subject matter’ experts within the organization to assist provide insights into existing, known risks
- Build up a profile of business risks from workshops with those closest to the business. Don’t neglect to ask for their insights into strategic and emerging risks also
- Undertake an executive management or board workshop to supplement the bottom-up process. Sometimes it is best not to share the outputs of the bottom-up process, initially. Doing this can often distract workshop participants at this level and may constrain their thinking to known risks
- Finally, consolidate the outputs to build out a rich tapestry of bottom-up and top-down risks in a true enterprise risk profile
The 52 Risks® framework provides a framework for all sizes of enterprises to complete this work. With all 52 Risks® on one page, directors and management can seek to identify and then consider the business risks their organization will face. The Mapping Template goes one step further providing a template to document the relevant risks. It can be deployed to capture comments on the risks, assign responsibility, and develop action plans. Check out the Resources Center at 52 Risks® for the free documentation.
