
Risk Management: the top-down, bottom-up dichotomy

  • September 20, 2025
  • Posted by: Pamela
  • Categories: Compliance, Governance, Risk Management
A Textbook Risk Programme with Practical Gaps

I’m currently working with an organisation that has an established operational risk management programme. They have functional risk registers which are updated on a regular basis. They have project risk and issue registers for their key change programmes. They produce a consolidated 5×5 risk matrix of the top scoring risks for escalation through governance. It all sounds good! On paper, their risk programme was textbook. In practice, the Audit & Risk Committee (ARC) was struggling to understand the key risks facing the organisation and whether these were being managed effectively. Additionally, the Board adopted a hands-off position on risk, delegating oversight entirely to the ARC and excluding risk as a standing item on its own agenda.

So, what are the key issues here?

There are seven critical shortcomings in this organisation’s current risk management approach:

  • Board accountability: Boards are ultimately responsible for risk management as they hold fiduciary responsibility for long-term success of an organisation. They can delegate oversight to committees, but they cannot delegate ownership, especially of the principal risks that impact strategic objectives.
  • Aggregation does not equal strategic insight: the 5×5 matrix consolidates the high-scoring operational risks, but does not necessarily highlight the principal risks, those that impact the strategic objectives, reputation, or long-term viability of the organisation. The ARC were seeing severity, but not strategic relevance.
  • The strategic framing was missing: when risks are presented in technical or functional language rather than in terms of strategic ARC concerns, it creates a communication gap between operational teams and governance bodies.
  • Silo working: functional and project risk registers were well-maintained but separate. There was no narrative connecting these risks to the organisation’s strategic priorities. The ARC could not tell whether risks were being managed holistically or in isolation.
  • Escalation by score, not significance: escalating risks based solely on score (impact × likelihood) could miss emerging risks where the risk changes with time. It may also miss systemic risks where the cumulative effect of many low-scoring risks has a higher impact than each risk individually. The approach obscures interdependencies.
  • No defined risk appetite: without a clear, Board-owned, risk appetite framework, it becomes hard to assess whether the current risks are within tolerance, or whether the proposed mitigation measures are proportionate. The ARC lacked a yardstick for evaluating effectiveness.
  • Reporting mechanisms: if the escalation process is rigid or punitive, teams may under-report or sanitise risks. Or they may see the escalation process as a way of petitioning for additional budget and over-score the risks to draw attention. In this organisation, there were a significant number of “very high” or “red” risks relating to facility improvement where the Executive team had already decided to conduct reactive maintenance rather than wholesale replacement. The same risks were reported to the ARC, without change, every quarter to flag the operational concern but with no expectation that any action would be taken.
Divergent Risk Perspectives: ARC vs. Functions

Audit & Risk Committees are focused on enterprise risk management. They need to see strategic risks, often termed principal risks. They need high-level summaries, an understanding of trends, and a view of how the principal risks align with the risk appetite. They want to see dashboards, heatmaps, and descriptive text.

Functions and departments are focused on operational and tactical risk management. They need to define the detailed controls in place to manage risks, they need to develop mitigation plans, and to review any incidents or issues. They need to develop risk registers, supported by SOPs and training.

The key to satisfying all requirements is to integrate these top-down and bottom-up processes through an enterprise risk management framework. Misalignment of governance and operational requirements can lead to blind spots, siloed responses, or focusing on the wrong risks.

Overview

Top-down Risk Management – Strategic Oversight

Top-down risk management needs to be led by the Board and Executive teams. Its purpose is to enable informed decision making and resource prioritisation. It sets the cultural expectations for risk management and drives ethical conduct.

Bottom-Up Risk Management – Operational Management

Bottom-up risk management is led by business units, compliance teams, and frontline staff. Its purpose is to manage the day-to-day risks that affect delivery, safety, quality, and compliance. It surfaces operational risks, supports real-time mitigation, and raises risk awareness in the organisation.

The Need for Integration: Bridging Top-Down and Bottom-Up

Enterprise risk management (ERM) is a structured, organisation-wide, approach to risk identification, assessment, management, and monitoring. It is focused on risks that could impact the delivery of strategic objectives. It enables leadership to balance risk and opportunity to deliver long-term value.

Top-down and bottom-up risk management are the two pillars of an enterprise risk management system. They ensure that risk is aligned strategically whilst also being grounded in operations. This creates a dynamic, organisation-wide view of risk exposure, resilience, and opportunity.

Bridging the divide between top-down and bottom-up risk management requires a defined integration strategy. There are a number of key levers which can be used to strengthen enterprise risk management:

  • Risk aggregation – establish common taxonomies and scoring matrices that allow operational and project risks to be rolled up into strategic themes. Categorising risks by strategic themes or impact area supports aggregation and facilitates ARC reporting. The concept of parent-child risks, or sub-risks, can also help build clarity.
  • Communication – ensure the principal risks, set by the Board, are clearly communicated to risk owners within the organisation. Put feedback loops in place that ensure bottom-up insights inform top-down strategy, and vice versa.
  • Technology – introduce systems and platforms that support both bottom-up and top-down reporting and workflows. As a minimum, break down the silos. Ensure visibility of operational risk registers across the organisation and have regular risk discussions at Executive level with input from all functions.
  • Transparency – encourage upward escalation and reporting without fear, and downward communication in easy-to-understand language without jargon and management-speak.
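As an added illustration, not taken from the article or from the organisation it describes, the small constructed register below is scored on the 5×5 matrix two ways: escalation by individual score (the shortcoming described under "Escalation by score, not significance") and roll-up of child risks into strategic themes checked against a Board-set appetite (the "Risk aggregation" lever). The themes, appetite figures and risk entries are all invented for the example.

```python
# Added example, not the article's or the organisation's own method.
# Each register entry is a child risk tagged with its parent strategic theme.
from collections import defaultdict

# Constructed register: (risk id, strategic theme, impact 1-5, likelihood 1-5)
REGISTER = [
    ("R1", "Facilities", 5, 5),        # the "red" facility risks the
    ("R2", "Facilities", 5, 4),        # Executive has already accepted
    ("R3", "Facilities", 4, 5),
    ("R4", "Data protection", 3, 3),   # several individually modest
    ("R5", "Data protection", 3, 3),   # risks under one theme
    ("R6", "Data protection", 3, 3),
    ("R7", "Data protection", 2, 3),
    ("R8", "Supply chain", 4, 2),
]

# Constructed Board-owned tolerance per theme (summed 5x5 scores)
APPETITE = {"Facilities": 70, "Data protection": 20, "Supply chain": 15}


def score(impact, likelihood):
    """5x5 matrix score used by the register."""
    return impact * likelihood


def escalate_by_score(register, threshold=16):
    """Current approach: report every risk at or above a fixed score."""
    return [rid for rid, _, i, l in register if score(i, l) >= threshold]


def roll_up(register):
    """Aggregate child risks into their parent theme's total exposure."""
    exposure = defaultdict(int)
    for _, theme, i, l in register:
        exposure[theme] += score(i, l)
    return dict(exposure)


def themes_outside_appetite(register, appetite):
    """Themes whose aggregated exposure exceeds the Board-set tolerance."""
    exposure = roll_up(register)
    return sorted(t for t, e in exposure.items() if e > appetite.get(t, 0))


if __name__ == "__main__":
    print("Escalated by score:", escalate_by_score(REGISTER))
    print("Theme exposure:", roll_up(REGISTER))
    print("Outside appetite:", themes_outside_appetite(REGISTER, APPETITE))
```

Score-based escalation surfaces only the three Facilities risks, while the theme roll-up shows Data protection breaching its appetite even though none of its child risks clears the escalation threshold.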

The organisation mentioned at the start of this article have a strong bottom-up risk management programme and are currently working on improving their top-down process. They’re identifying their principal risks and starting a discussion about risk appetite. This will take time, but by recognising the gaps, they have made the first step on the journey to enterprise risk management.

Enterprise risk management is a dialogue. Is your organisation ready to listen?

Our Services

At GRC Catalyst, we can help you to embed Enterprise Risk Management, integrating strategic oversight with operational insight. This way you can ensure that principal risks are clearly framed for Boards and Audit & Risk Committees, and operational risks are actively managed across functions. We have a range of tools and frameworks to support top-down and bottom-up integration, and templates and dashboards for risk reporting at all levels in the organisation.

Disclosure

Please note – the concepts and ideas in this article are mine or have been referenced; I developed the body of the text and conducted the final editorial check. I used AI as a tool for research, to improve the flow and grammar of the article, and to check for factual inaccuracies.
