A managed approach to risk escalation is crucial for any organisation. At Imergo, we were approached by a client to design the components and approach for risk escalation, and the principles of what we delivered are discussed here.
What is a risk escalation process?
In simple terms, risk escalation is a structured approach to identifying, assessing, and managing risks that could impact your organisation. Think of it as a safety net that catches potential issues before they become full-blown crises, or situations that could build up into something bigger and require more resources and/or expertise to resolve. This process ensures that risks are handled at the appropriate level within the organisation, whether that’s by local staff, senior management, or even the board.
Why is it important?
Early identification and management: One of the biggest advantages of a formal risk escalation process is that it helps in the early identification of risks. By having a system in place, your team can spot potential issues before they accelerate or grow. This proactive approach allows you to manage risks more effectively, reducing the likelihood of them turning into major problems.
It’s unlikely that a basic risk register will be able to handle this, an area that is discussed in another blog on risk management [link to pitfalls of risk management blog].
Clear guidelines and responsibilities: A formal process provides clear guidelines on who is responsible for what. This means that everyone in the organisation knows their role when it comes to managing risks. Whether it’s local staff handling minor or routine issues or senior management stepping in for more significant risks, everyone knows what they need to do. This clarity helps in quick decision-making and ensures that no risk falls through the cracks.
Efficient use of resources: When risks are escalated appropriately, it ensures that the right people and resources are used to manage them. For example, if a risk can be handled by local staff, there’s no need to involve senior management, saving their time for more critical issues. Conversely, if a risk requires specialised expertise, it can be escalated to the appropriate level where those resources are available. This helps in managing risks more effectively and economically.
Improved communication and coordination: A formal risk escalation process promotes better communication and coordination within the organisation. When a risk is identified, the appropriate parties are notified, and an action plan is developed. This ensures that everyone is on the same page and working towards the same goal. Regular updates and reviews keep everyone informed about the status of the risk and the effectiveness of the mitigation measures.
Enhanced accountability: With a formal process in place, there’s a clear record of who is responsible for managing each risk. This accountability ensures that risks are taken seriously and managed effectively. It also provides a trail of documentation that can be useful for audits, reviews, and regulatory compliance.
Flexibility and adaptability: A good risk escalation process is not set in stone. It allows for flexibility and adaptability based on the specific circumstances of each risk. For example, if a risk has been effectively mitigated, it can be de-escalated to a lower level if appropriate. This dynamic approach ensures that risks are managed in the most appropriate and efficient manner.
How does it work?
Let’s break down the steps involved in a typical risk escalation process:
Step 1: Identify the risk: The first step is to identify the risk. This involves regular risk assessments, staff training, and monitoring of external factors that could pose a risk. The goal is to spot potential issues as early as possible.
Step 2: Assess the risk: Once a risk is identified, it needs to be assessed. This involves evaluating the likelihood of the risk occurring and its potential impact on the organisation. The risk owner should consider factors such as whether the risk exceeds the agreed risk appetite, if it requires external help to mitigate and if it has wider impacts beyond its immediate area.
Steps one and two can be found as a standard feature in most risk management approaches, although those that are less developed may lack the use of risk appetite to guide and inform assessment.
Step 3: Determine the level of escalation: Based on the assessment, the appropriate level of escalation is determined. This could range from local staff managing the risk to escalating it to the board. The level of escalation depends on the severity and complexity of the risk.
Step 4: Notify the appropriate parties: Once the level of escalation is determined, the appropriate parties are notified. This could include staff, managers, senior management, or the board. A new risk owner may be assigned, and an action plan is developed to address the risk.
Step 5: Develop and implement an action plan: The action plan should include specific steps to mitigate or manage the risk, assign risk ownership, and set a timeline for implementation. The plan should be communicated to all relevant parties and progress should be monitored regularly.
Step 6: Ongoing monitoring and review: The escalated risk should continue to be monitored by the new risk owner. Regular communication with the original risk owner ensures that any significant changes are noted, and the risk information is updated accordingly. If conditions allow, the risk can be de-escalated to a lower level; the de-escalation approach is covered later in this post.
Step 7: Review and evaluate the process: Finally, the effectiveness of the risk escalation process should be reviewed and evaluated regularly. This includes assessing whether risks are being identified and escalated appropriately and if the action plans are effective in mitigating or managing risks. Any necessary changes to the process should be made based on this review.
Some examples
To make this more relatable, let’s look at some examples:
Example 1: Local level risk management – Imagine a scenario where a local team identifies a risk which is considered minor and related to the implementation of new software. The risk is within the team’s capacity to manage, so they handle it by following routine procedures and protocols. There’s no need to escalate the risk further, and it is resolved at the local level.
Example 2: Senior level escalation – Consider a situation where a medium-severity risk is identified that requires additional resources and expertise. The local team escalates the risk to a director for further assessment. The director coordinates with other departments to manage the risk effectively, ensuring that it doesn’t escalate into a more significant issue.
Example 3: Group-wide coordination – A high-level risk is identified that could impact multiple parts of the organisation. It is escalated to a central group (including subject matter experts), which coordinates a group-wide response. The group ensures that all relevant stakeholders are informed and that the risk is managed effectively across the entire organisation.
Example 4: Board involvement – Consider a critical risk that threatens the organisation’s mission, values, and strategic objectives. This risk is escalated to the board for further assessment and management. The board convenes a meeting to address the risk, ensuring that significant changes to policies, procedures, or governance are made to mitigate the risk effectively.
The De-escalation element
Now, let’s talk about something equally important: the de-escalation element. Just as it’s crucial to know when and how to escalate a risk, it’s equally important to know when and how to de-escalate it. Here’s why:
Efficient resource allocation: Once a risk has been effectively mitigated, it makes sense to de-escalate it to a lower level. This frees up higher-level resources to focus on new or more critical risks. It ensures that an organisation is always using its resources in the most efficient way possible.
Empowering local teams: De-escalating a risk back to the local level can empower teams. It shows that they are trusted to manage the risk effectively, which can boost morale and encourage a proactive approach to risk management.
Continuous improvement: The de-escalation process involves reviewing the risk to determine if it can be managed at a lower level. This review can provide valuable insights into what worked and what didn’t, contributing to continuous improvement in risk management practices.
How does risk de-escalation work?
Just like escalation, de-escalation follows a structured process:
Step 1: Periodic review – Periodically review the (escalated) risk to determine if it can be de-escalated. Consider the severity of the risk, the likelihood of it occurring, and the effectiveness of any mitigation measures that have been implemented.
Step 2: Assess sustainability – Evaluate whether passing the risk back down to a lower level is a sustainable decision. Ensure that the necessary capacities, capabilities, and resources are in place for the risk to be managed effectively at the lower level.
Step 3: Update policies and procedures – Ensure that any policies and procedures impacted by the de-escalation are updated, reviewed, or created in response. This ensures that the local team has the guidance they need to manage the risk effectively.
Step 4: Communicate the decision – Once the appropriate level of de-escalation has been made.
Conclusion
In conclusion, a formal risk escalation process is essential for any organisation. It helps in the early identification and management of risks, provides clear guidelines and responsibilities, ensures efficient use of resources, promotes better communication and coordination, enhances accountability, and allows for flexibility and adaptability. By having a structured approach to managing risks, organisations can protect their operations, employees, clients, and stakeholders, ensuring long-term success and sustainability.
So, if your organisation doesn’t already have a formal risk escalation process in place, now is the time to implement one.
Richard Hollands is the owner of Imergo Limited, a risk management consultancy.