Building Risk Management Culture: which one is more effective, the top-down or the bottom-up approach?

//Building Risk Management Culture: which one is more effective, the top-down or the bottom-up approach?

Building Risk Management Culture: which one is more effective, the top-down or the bottom-up approach?

Penulis: Dr. Antonius Alijoyo

23 September 2021

The question above was posed by a director of a large company that operates in the Southeast Asian market region, and below are some thoughts that serve as a dialogic conversation rather than a definitive answer. In summary, both approaches have their own respective merits, issues, and challenges depending on the organization risk management maturity and whether we live in a country with a high or low-context culture. Since those two perspectives are dynamic, it will work better if both are used simultaneously through a spectrum of a journey that determines a balance of intensity and extensivity of the two approaches toward the goals of an organization. Below are some’s suggestions that are based on those two perspectives.

Consideration based on risk management maturity level

According to ERMA ISO 31000 RM, there are five levels of risk management maturity: initial, repeatable, defined, managed, and optimized. The higher the maturity level of an organization is, the more effective is the implementation of risk management. This risk management maturity is characterized by the depth of the following attributes: Risk management framework, risk management process, management process, performance management, risk culture, and resilience and sustainability. In a circumstance where risk culture is rather low or weak (within the level of initial, repeatable, and defined), the suggestion would be more on the top-bottom approach. Whereas, in a circumstance where risk culture is high or strong (within the level of managed and optimized), the bottom-up approach might work more effectively. Based on these assumptions, the following figures illustrate the spectrum of such use:

Figure 1: the connection between the risk management maturity level and the top-bottom or the bottom-up approach:

Figure 1

Note: The figure suggests the top-bottom approach when the risk management maturity at lower scale and gradually to the bottom-up approach at higher scale.

Consideration based on the context-cultures

The terminology of “high-context culture” and “low-context culture” was coined by Edward T. Hall in 1976, in his book, Beyond Culture. Hall utilized the terms as a way to define culture based on how their respective members communicate with one another. As such, each culture can be identified as being either a high-context or a low-context culture.

High-context cultures consist of societies or groups of people that have made connections over a long period and therefore communicate through the use of contextual elements that are not explicitly stated. That is to say, things such as body language, tone of voice, and even a person’s social status all hold deeper and specific meanings within a high-context culture. Words alone do not suffice when communicating. Common characteristics of high-context culture:

  • Verbal communication is less explicit and to-the-point
  • High use of non-verbal methods to communicate important information throughout a conversation (a hand gesture, facial expressions, tone of voice, etc.)
  • Context is more important than actual words used in a conversation
  • Comfortable standing in very close proximity to one another
  • High emphasis on interpersonal relationships
  • Strong sense of boundaries (accepted member vs. “outsider”)
  • High emphasis on authority and figures of authority (social hierarchy)
  • Trust must be established before any business transactions
  • Non-confrontational
  • Risk-averse

On the other hand, low-context cultures communicate information and converse more directly, mainly focusing on the importance of the words themselves as opposed to any unspoken understandings. As a result, low-context cultures typically do not rely on the use of contextual elements to convey a message. Instead, information is communicated much more explicitly and straightforward. Unlike those within a high-context culture, members of low-context cultures can also be defined as being individualistic. Where collectivism is at the forefront of high-context cultures, individualism is a defining trait of low-context cultures. Individual achievements and accomplishments are, therefore, valued much more than group accomplishments and members are generally expected to be independent of one another. As a result, things such as privacy and personal space are highly valued within a low-context culture as well. Common characteristics of low-context cultures are as follow:

  • Very rule-oriented as a culture (external rules)
  • High emphasis on logic and facts during the decision-making process
  • Words in verbal messages are direct, explicit, and meaningful
  • Less use of intuition and body language to communicate a message
  • Building long-term relationships are not as important as accomplishing tasks and goals
  • Knowledge is generally explicit, codified, and easily accessible and transferable
  • Very task-centered and solution-oriented
  • Individualistic
  • Productive conflicts encouraged
  • Risk is welcomed
  • Procedural

Based on the understanding of high-context and low-context cultures above, we might take a different approach in different circumstances. Under high-context culture, the top-bottom approach might work more effectively, whereby leaders’ behavior and attitude give a more meaningful invitation to build expected risk culture rather than written policies and regulations. Whereas, under low-context culture is vice versa as we could expect that the bottom-up might work more effectively. Based on these perspectives, the following figures illustrate the spectrum of such use:

Figure 2: the connection between the high-context and the low-context culture and the top-bottom approach or the bottom-up approach.

Figure 2

Note: The figure suggests the top-bottom approach under high-context culture and the bottom-up approach under low-context culture.

Matrix of Risk-Management Maturity (RMM) and Context-Culture (CC)

Based on the description above, a perceptual matrix might be useful in determining whether to adapt mostly the top-bottom approach or the bottom approach in creating and/or sustaining and/or improving the organization’s risk culture. Below is the illustration of such a matrix:

Figure 3: Matrix of the top-bottom and the bottom-up approach a continuum

Figure 3


  • Zone I : High-Maturity and Low-Context: This zone indicates that strong risk culture has been internalized and institutionalized throughout the organization naturally thus, risk-based decision-makings and actions have been well-practiced at all levels based on rules, policies, and regulations. Leadership existence, style, and behavior have less influence than the written policies and regulations applied. In such circumstances, the bottom-up approach would be more effective.
  • Zone II : High Maturity and High-Context: While both approaches are needed dynamically in this zone, the top-bottom approach might be more effective as it could produce a bigger impact at all levels of organization during the continuum of risk management implementation. Once risk culture has been grasped well, the dosage of the bottom-up approach could be increased as the self-enforcing risk behavior and attitude have been cemented through the legacy and daily practice which is pre dominantly based on rules, policies, and regulations.
  • Zone III : Low Maturity and high-context: This zone indicates that the organization has a weak risk culture as people barely using appropriate risk management in their day-to-day working activities. Despite adhering to the policies and regulations, people tend to mimic their leader’s behavior and attitude in making decisions and actions. In this circumstance, therefore, the top-bottom approach would be more effective
  • Zone IV : Low Maturity and Low-Context: While both approaches are needed dynamically in this zone, the bottom-up approach might be more effective once the standard, framework, and process of risk management have been well determined and initiated in the early stage by organization’s leaders and senior management. As such, it could be expected that self-enforcing risk behavior and attitude would be groomed naturally and even stronger along with the maturity of risk management implementation.

Since no country in the world is absolute high-context culture and neither is low-context culture, the mix of the top-bottom approach and the bottom-up approach are always needed in building a risk management culture. Therefore, a combined approach is required and that should be the agenda of the board and senior management to determine and continuously calibrate such a right balance of approaches in their respective circumstances toward the organization goals – based on their vision, mission, and values.

Dr. Antonius Alijoyo

Founder of Center for Studies in Governance, Risk Management, Compliance and Sustainability (

By |2021-09-24T11:04:11+07:00September 24th, 2021|artikel|Comments Off on Building Risk Management Culture: which one is more effective, the top-down or the bottom-up approach?

About the Author: