Risk Escalation – A New Strategy


Risk Doctor Briefing

Dr David Hillson, PMI Fellow, HonFAPM, FIRM

The Risk Doctor Partnership

United Kingdom

Risk response strategies help us to focus our risk treatment efforts. With a small number of strategy options to choose between, deciding on a preferred strategy allows us to concentrate on developing specific actions to implement that strategy and manage the risk in the desired way.

Early on, when risk management was limited to addressing threats, we had four alternative strategies: Avoid (remove the threat completely), Transfer (find a third party who can manage the threat on our behalf), Reduce (make the probability and/or impact smaller), and Accept (take no proactive action, but prepare a contingency plan in case the threat occurs).

Later, when we realised that risk includes both threats and opportunities, four matching strategies were developed for opportunities: Exploit (ensure that the opportunity definitely occurs), Share (involve a third party in managing the opportunity), Enhance (increase the probability and/or impact), and Accept (no proactive action, but a contingency plan in case the opportunity occurs).

Recently an additional risk response strategy has been defined, which we can use if we identify a risk that does not affect our objectives, but that could affect some other part of the organisation. In these cases, it is important that the risk is passed on to the right owner to ensure that it is recognised, understood and managed appropriately. The risk response strategy that achieves this aim is Escalate.

To make risk escalation work, we need clear thresholds between the different levels in the organisation, so that everyone knows where each risk belongs, without confusion or ambiguity. Regardless of where a risk is identified, it needs to be managed at the right level, and this is defined by measurable thresholds based on the objectives which would be affected if the risk occurred. These thresholds can be expressed as financial impact, safety implications, regulatory compliance etc., and a risk is escalated to a higher level if its impact exceeds a threshold value.

Risks can be escalated from any level in an organisation to a higher level, but escalation is perhaps most useful for risks identified in projects. In a project risk context, risk escalation is used when a project team identifies a risk that does not belong within the scope of their project, because it would not affect any project objective, but it could affect someone else. This means it is not a project risk, so they could just forget about it and hope that the right person will also find it. Clearly this is not a good idea, as the relevant person may never find the risk. Instead, risk escalation is used to pass the risk to the person or party who would be affected if the risk happened. This is true for both threats and opportunities.

Here are some examples of risk escalation in practice:





About the Author

Dr. David Hillson

The Risk Doctor
United Kingdom



Dr David Hillson CMgr FRSA FIRM FCMI HonFAPM PMI-Fellow is The Risk Doctor (www.risk-doctor.com). As an international risk consultant, David is recognised as a leading thinker and expert practitioner in risk management. He consults, writes and speaks widely on the topic and he has made several innovative contributions to the field. David’s motto is “Understand profoundly so you can explain simply”, ensuring that his work represents both sound thinking and practical application.

David Hillson has over 25 years’ experience in risk consulting and he has worked in more than 40 countries, providing support to clients in every major industry sector, including construction, mining, telecommunications, pharmaceutical, financial services, transport, fast-moving consumer goods, energy, IT, defence and government. David’s input includes strategic direction to organisations facing major risk challenges, as well as tactical advice on achieving value and competitive advantage from effectively managing risk.

David’s contributions to the risk discipline over many years have been recognised by a range of awards, including “Risk Personality of the Year” in 2010-11. He received both the PMI Fellow award and the PMI Distinguished Contribution Award from the Project Management Institute (PMI®) for his work in developing risk management. He is also an Honorary Fellow of the UK Association for Project Management (APM), where he has actively led risk developments for nearly 20 years. David Hillson is an active Fellow of the Institute of Risk Management (IRM), and he was elected a Fellow of the Royal Society of Arts (RSA) to contribute to its Risk Commission. He is also a Chartered Fellow of the Chartered Management Institute (CMI) and a Member of the Institute of Directors (IOD).

Dr Hillson can be contacted at [email protected].

To see other works previously published in the PM World Journal by Dr David Hillson, visit his author showcase at http://pmworldlibrary.net/authors/dr-david-hillson/