AI-Powered Project Management · Module 3 · Lesson 3 of 3

Escalation and the decision/risk packet

Defining escalation and when a risk or decision has outgrown its owner's authority, then closing this module by critiquing an AI-drafted risk register and options appraisal and assembling a risk register, a decision record and an escalation path into one decision/risk packet.

Lesson · 15–20 minutes · Text-first

By the end, you can

  • Define escalation, and identify when a risk or decision has exceeded the current owner's authority and needs a documented escalation to a higher level (PM-4).
  • Critique an AI-drafted risk register and options appraisal for missing owners, unverified probability or impact ratings, or a high-impact risk that was never escalated (PM-2, PM-4).
  • Assemble a risk register, a decision record and an escalation path into one decision/risk packet (PM-2, PM-4).

Before you start

This is Module 3, Lesson 3 of the AI-Powered Project Management course, and the last lesson before Module 4's work on meetings and status. It builds on Lesson 1's risk register and Lesson 2's decision record, and closes this module by assembling all three — a risk register, a decision record and an escalation path — into one document: a decision/risk packet.

Escalation: when a risk or decision outgrows its owner

Not every risk or decision belongs at the level where it was first spotted. APM's project management glossary defines escalation as "the process by which issues are drawn to the attention of a higher level of management." The glossary defines an issue itself as "a problem that is now breaching, or is about to breach, delegated tolerances for work on a project or programme," adding that issues "require support from the sponsor to agree a resolution." Put together: escalation is not a failure to cope, it is the mechanism a project uses when a risk has crossed from "the named owner can handle this" into "this needs a decision or resource only someone above the owner can authorise."

A risk owner who confirmed a supplier delay risk in Lesson 1 can usually absorb a short slip by adjusting the schedule themselves — that is inside their delegated tolerance. If the delay grows large enough to threaten the launch date itself, or the fix needs budget the owner doesn't control, the risk has breached that tolerance and needs to go up, with a clear statement of what's needed and by when. The mistake this lesson is guarding against isn't escalating too often — it's a risk owner quietly absorbing something that was never theirs to absorb, because nobody set the line clearly enough to notice it had been crossed.

Why an AI-drafted register or appraisal can miss the escalation line

An AI assistant asked to review a risk register or an options appraisal can readily flag which entries look most severe by their stated probability and impact ratings. It has no reliable way to know where your organisation's actual escalation line sits — what a specific sponsor considers within a project lead's authority to absorb, versus what genuinely needs their sign-off. The US National Institute of Standards and Technology's (NIST) AI Risk Management Framework's description of an AI system as something that "can, for a given set of objectives, generate outputs such as predictions, recommendations, or decisions" is exactly why a drafted "this looks high-risk" flag is a starting signal, not a verified call on whether escalation is actually required — that judgement depends on delegated authority the draft has no visibility into.

Raising something to a sponsor or governance board — asking for a decision, a budget release, or a schedule change only they can authorise — is itself the kind of high-impact action the Open Worldwide Application Security Project's (OWASP) guidance on excessive agency has in mind when it recommends that a human "approve high-impact actions before they are taken." Choosing to escalate, and what exactly to ask for, belongs with the named owner who has actually weighed the risk against their own authority, not with whichever draft first flagged it as severe.

Assembling the decision/risk packet

A decision/risk packet is not a new invention — it is what this module has been building one element at a time. It has three parts, and a packet missing any one of them is not complete, whatever else it contains:

AI can help draft a first pass at all three, the way this module's earlier lessons have shown. What makes the packet real is the same discipline this course has applied to every earlier artifact: a named owner checks, corrects and confirms each element — including which items actually need escalating — using knowledge the draft never had access to, before anyone treats the packet as ready to share upward.

  • A risk register — named risks, each with a stated probability, impact and owner, and a planned response (Lesson 1).
  • A decision record — the options considered, the option chosen, who chose it and why, for any decision the project has actually made (Lesson 2).
  • An escalation path — which risks or decisions have exceeded the current owner's authority, what's being asked of the higher level, and by when (this lesson).

A worked example: the brewery's taproom opening, four weeks on

The brewery owner from Lesson 1 is now two weeks from opening night. Her risk register, confirmed and updated since Lesson 1, flags the building inspection risk as high probability, high impact, after the inspector's office called to say the original inspection slot has been pushed back nine days, leaving almost no buffer before the planned launch date. Her decision record, from a supplier decision she made along the way, already documents choosing a slightly more expensive tap-equipment supplier over a cheaper one, because the cheaper supplier's delivery window overlapped too closely with launch week.

She checks the inspection risk against her own authority. A nine-day slip inside a six-week runway was something she could absorb by adjusting the internal fit-out schedule herself, well within what she can decide alone. A nine-day slip with only two weeks left is different: it now threatens the launch date itself, and pushing the date affects a signed venue-hire agreement with her landlord — a decision that isn't hers to make unilaterally. She escalates: she writes a short note to her landlord and her business partner (a silent investor with sign-off rights on major date changes) stating the risk, the inspector's new timeline, and the specific decision she needs from them within three days — confirm a one-week launch delay, or approve paying for an expedited inspection slot if one exists. She assembles her risk register, her supplier decision record and this escalation note into one packet before sending it, so both recipients see the full picture, not just the ask.

Accessibility notes

This lesson is text-first, with no images, audio, video or downloadable artifacts. The practice exercise's model answer sits behind a native disclosure control that is reachable and operable by keyboard and correctly announced by screen readers. The knowledge check uses native radio-button inputs with a visible question and options, and posts its result to a live status region so assistive technology announces the outcome without a page reload.

Practice

Build a decision/risk packet: a two-person events company's corporate conference

A two-person events company is producing a one-day corporate conference for a client, five weeks out. An AI assistant, asked to review their plan, returns a risk register with three entries — 'keynote speaker cancels — medium, medium, response: have a backup ready,' 'AV equipment fails — medium, medium, response: test beforehand,' 'venue capacity too small — low, low, response: monitor registrations' — with no owners named on any of them, and no decision record or escalation note anywhere in the plan.

  1. Assign a named owner to each of the three risks (you may invent plausible roles, such as 'the lead organiser' or 'the client-side contact'), and explain why an unowned risk entry is not yet complete under this module's definition.
  2. The company has just learned registrations have exceeded the venue's capacity by 15%. Using the escalation definition from this lesson, explain whether this is something the lead organiser can resolve alone or something that needs escalating, and to whom.
  3. The two-person team also has an unrecorded decision behind them: they chose a slightly more expensive AV supplier over a cheaper one after the cheaper supplier could not confirm same-day setup. Write a short decision record for this choice.
  4. Assemble your answers into a short decision/risk packet: the corrected risk register (with owners), the decision record, and the escalation note for the venue-capacity issue.
Compare with a bounded first version

Named owners: 'keynote speaker cancels' — owner: the lead organiser, since only they have the speaker relationship and a backup contact; 'AV equipment fails' — owner: the client-side contact or a dedicated AV lead, whoever is actually on-site and able to act during the event; 'venue capacity too small' — owner: the lead organiser, since venue decisions are theirs to manage. An unowned entry is incomplete because nobody is responsible for watching it or acting if it starts to happen — a risk register with only descriptions and generic ratings is a list, not a working register. The venue-capacity overrun is likely past what the lead organiser can resolve alone: it now affects the client's guests directly and may require an added cost (a larger room, an overflow arrangement) the organiser may not have authority to commit to without the client's agreement — this should be escalated to the client-side contact, with a clear ask (approve an overflow space, or cap registrations now) and a deadline, rather than quietly managed in-house. A decision record: 'Decision: use AV Supplier B, the more expensive option. Options considered: Supplier A (cheaper, could not confirm same-day setup before doors open), Supplier B (higher cost, confirmed same-day setup). Chosen by: the lead organiser. Reason: same-day setup certainty matters more than the cost difference given the one-day event has no buffer day for a failed setup.' A short packet: the risk register above with owners and ratings reconsidered against what the team actually knows, the AV supplier decision record, and an escalation note to the client stating the 15% overcapacity, what's being asked (approve overflow space or cap registrations), and a deadline for their answer.

Knowledge check

Try the idea

A project risk that a task owner has been managing alone grows large enough that fixing it needs budget the task owner does not control. What should happen next?
Low-stakes practice only. This does not score, block progress or create a learner record.

Sources and limits

This lesson synthesises the sources below into a practical learning model. It is not a security standard, legal advice or a guarantee that any particular agent design is safe.

  1. Project management glossaryAPM (Association for Project Management). Defines escalation as the process by which issues are drawn to the attention of a higher level of management, and an issue as a problem that is now breaching, or about to breach, delegated tolerances, requiring support from the sponsor to agree a resolution.
  2. AI Risk Management Framework 1.0NIST AI Resource Center. Frames an AI system as an engineered system that generates outputs such as predictions, recommendations or decisions — not a self-directing decision-maker.
  3. LLM06:2025 Excessive AgencyOWASP Gen AI Security Project. Recommends human-in-the-loop control requiring a person to approve high-impact actions before an LLM-connected system takes them.