Risk escalation
Hello and welcome to this session. What I’m going to talk about today is risk escalation. Now, this seems to be something that is really, really misunderstood amongst the risk management fraternity, but certainly within organisations. There is a difference between risk reporting and risk escalation. I see it all the time in risk management plans in organisations where they say, “All high and extreme risks are to be escalated to senior management”. That’s not entirely true. Why would you actually escalate it? Because essentially the people down below could have the wherewithal, could have the delegations, could have everything at their disposal to actually manage that risk.
So instead of escalating it, what you should be doing is reporting and saying, “All right, we’ve identified a high or extreme risk, this is what we’re doing about it to actually mitigate that risk. We will keep you posted, we will keep you informed through reporting as to the progress to get our risk down to the target level.”
So there’s only a number of reasons that I would consider that you need to escalate a risk. First and foremost, if that risk is above your target level of risk and there is absolutely nothing else that you can do to reduce that to your target. It has to be escalated to the senior or to the level of management that has the authority and the accountability to sign off that they are willing to accept that risk on behalf of the organisation. Another reason to escalate a risk is when any treatments or any of the activities that you need to do around that risk are actually outside of the delegation of the original risk owner.
If the decision is taken not to spend the money on that, then once again, that risk is going to be accepted at a higher level than what the target level of the risk is and so it has to be signed off by the person with the right level of authority in the organisation. Even if that $100,000 is spent, it still needs to be escalated because that person may have that delegation whereas the risk owner doesn’t.
The other time that I see risk escalation as being appropriate is when you have a shared risk where it’s shared with other functions of the organisation or it may be shared with external organisations and you can’t come to an agreement or they’re not playing nice together. What you may need to do is to escalate that particular risk up through the chain so that potentially those at the top of the organisation cannot add solutions. And we’re seeing this more and more and more as I’ve said in previous blogs, this shared risk where the risk goes across functional lines, it goes across organisational boundaries.
It’s very, very difficult for somebody sitting at a low level of an organisation to actually manage that risk effectively and liaise with and deal with those organisations. Particularly when at their level people are saying, “Well, no, we’re not going to do that” or, “No, we’re not going to provide you that information”, so in those cases risk escalation might be an option to potentially deconflict that particular environment.
But they’re really the only times that I would see risk escalation as opposed to risk reporting. Do not confuse the two because they are absolutely different. Risk escalation means that you are basically transferring ownership of that risk and accountability for that risk up the chain, whereas reporting, you maintain the ownership and the accountability for that risk down below, but you’re just informing senior leadership of the current situation, so they can make risk informed decisions.
That’s all I’ve got for this particular session and as always, let’s be careful out there.