4.1 Top down v. bottom up
All organisations will need to decide to what degree their risk register is derived from senior management ‘top-down’ activity or from working-level ‘bottom-up’ activity. In reality, any risk register will be influenced by both. Some risks will be recognised at the working level of the organisation and may need senior management involvement to bring together the generic risk theme faced by the organisation, while other risks may be recognised at the top of the organisation and be mandated or otherwise directed down through the organisation. Organisational risk structures must allow for both approaches to be successful.