Risk management consultancy and training services

Call Us:

(+61) 400 666 142


Canberra ACT 2600

Risk escalation

Risk escalation

Hello and welcome to this session. What I’m going to talk about today is risk escalation. Now, this seems to be something that is really, really misunderstood amongst the risk management fraternity, but certainly within organisations. There is a difference between risk reporting and risk escalation. I see it all the time in risk management plans in organisations where they say, “All high and extreme risks are to be escalated to senior management”. That’s not entirely true. Why would you actually escalate it? Because essentially the people down below could have the way with all, could have the delegations, could have everything at their disposal to actually manage that risk.

So instead of escalating it, what you should be doing is reporting and saying, “All right, we’ve identified a high or extreme risk, this is what we’re doing about it to actually mitigate that risk. We will keep you posted, we will keep you informed through reporting as to the progress to get our risk down to the target level.”

So there’s only a number of reasons that I would consider that you need to escalate a risk. First and foremost, if that risk is above your target level of risk and there is absolutely nothing else that you can do to reduce that to your target. It has to be escalated to the senior or to the level of management that has the authority and the accountability to sign off that they are willing to accept that risk on behalf of the organisation. Another reason to escalate a risk is when any treatments or any of the activities that you need to do around that risk are actually outside of the delegation of the original risk I know.

If the decision is taken not to spend the money on that, then once again, that risk is going to be accepted at a higher level than what the target level of the risk is and so it has to be signed off by the person with the right level of authority in the organisation. Even if that $100,000 is spent, it still needs to be escalated because that person may have that delegation whereas the risk I know doesn’t.

The other time that I see risk escalation as being appropriate is when you have a shared risk where it’s shared against with other functions of the organisation or it may be shared with external organisations and you can’t come to an agreement or they’re not playing nice together. What you may need to do is to escalate that particular risk up through the chain so that potentially those at the top of the organisation cannot add solutions. And we’re seeing this more and more and more as I’ve said in previous blogs, this shared risk where the risk goes across functional lines, it goes across organisational boundaries.

It’s very, very difficult for somebody sitting a low level of an organisation to actually manage that risk effectively and liaise with and deal with those organisations. Particularly when at their level people are saying, “Well, no, we’re not going to do that” or, “No, we’re not going to provide you that information”, so in those cases risk escalation might be an option to potentially deconflict that particular environment.

But they’re really the only times that I would see risk escalation as opposed to risk reporting. Do not confuse the two because they are absolutely different. Risk escalation means that you are basically transferring ownership of that risk and accountability for that risk up the chain, whereas reporting, you maintain the ownership and the accountability for that risk down below, but you’re just informing senior leadership of the current situation, so they can make risk informed decisions.

That’s all I’ve got for this particular session and as always, let’s be careful out there.


Written by Rod Farrar

Rod is an accomplished risk consultant with extensive experience in the delivery of professional consultancy services to government, corporate and not-for-profit sectors. Rod takes every opportunity available to ensure his risk management knowledge remains at the ‘cutting edge’ of the discipline. Rod’s Risk Management expertise is highly sought after as is the insight he provides in his risk management training and workshop facilitation. Rod was recognised by the Risk Management Institution of Australia as the 2016 Risk Consultant of the Year and one of the first five Certified Chief Risk Officers in Australasia.