Inscrivez-vous ou connectez-vous pour rejoindre votre communauté professionnelle.
These two approaches are used in management but it is useful for risk managers to specify which one will lead to a better result, but its a debate.
This is a very interesting question. On one hand, bottom-up approach could completely consume all resources and take all your time, on the other hand it it would represent the clearest the most precise picture of the risk and could be completely quantified.
Bottom-up approach is used rarely these days if ever. But it may have its valid place some place where a tight control over spending is needed, like in government organizations. It is feasible if the discipline in the organization is high and it is possible to systematically collect risk data from the lowest levels of the organization.
On the other hand, for-profit organizations cannot afford to spend that much time and resources to conduct bottom-up risk assessment. So they have to manage risk specific to the business objectives and possible threats to their achievement.
Sometimes it is possible to combine the two approaches. Risk Assessment starts from the top accoding to the business objectives; and when the risk awareness among the personnel riches mature level, then it is possible to rely on self assessments conducted bottom-up to perform continuous risk monitoring after a year or two.
At any rate, a good judgment is needed when selecting initial and subsequent methods, especially if the risk management budget is tight, business objectives are agressive and risk appetite is high.
1. Which one to use is not something that can get answered through a survey or on a debate. This is so because, risk management is always set on a scope. That scope can be the vision of a company or the objectives of a project or the goals of a service operation (This is not an exhaustive list).
2. The management culture also plays an important role in determining which risk management would be successful.
3. Bottom up approach is successful where high service orientation exists. For example, public services. Anything affecting the normal person utilizing the service can be taken up as a risk or threat towards the governing team.
It is should use bottom up approach because a organisation need to identify risk in following level:
Level1: Process Level
Level2: Project/Department Level
Level3: Vertical/Functional Level
Level4: Business Unit Level
Level5: Organisation Level
All risk cannot be treated only top10 or15 risk can be treated at a time. Treatment of most risk need financial approval from top management.