Docaro

Incident Escalation Criteria Dataset In The United Kingdom

Created:
This dataset helps teams define when incidents should be escalated, improving response speed, consistency, and governance. It supports planning alongside the AI Generated Incident Response Plan for use in the United Kingdom.
Escalation trigger
Escalation threshold
Escalation destination
Record keeping notes
Legal or regulatory, Reputational, Customer or client impact
Suspected personal data breach
Any loss, alteration, unauthorised disclosure of, or access to personal data.
Incident manager
Senior management
External adviser
Breach log, facts, risk assessment, decision on ICO notification, affected data categories.
Legal or regulatory
ICO notification deadline risk
Personal data breach may be notifiable and 72-hour clock may have started.
Senior management
External adviser
Time discovered, notification assessment, reasons for delay, ICO submission draft.
Legal or regulatory, Customer or client impact, Reputational
High risk to individuals
Incident may cause identity theft, fraud, distress, discrimination, or financial loss.
Senior management
External adviser
Data subject risk assessment, communication plan, notification copies, mitigation steps.
Special category data exposure
Health, biometric, ethnic origin, political, religious, sexual orientation, or union data affected.
Senior management
External adviser
Affected categories, volume, containment evidence, legal basis review, notifications.
Criminal offence data exposure
Criminal convictions, offences, allegations, or related security measures are affected.
Senior management
External adviser
Affected records, safeguards, lawful basis, access logs, notification assessment.
Children or vulnerable individuals affected
Incident affects children, safeguarding data, care records, or vulnerable customers.
Senior management
External adviser
Safeguarding assessment, affected cohorts, communications approvals, support measures.
Legal or regulatory, Reputational, Customer or client impact, Operational
Large-scale personal data breach
Breach affects many individuals, multiple systems, or business-critical datasets.
Board or executive committee
External adviser
Population estimate, systems affected, timeline, command decisions, regulator updates.
Operational, Financial, Legal or regulatory, Reputational
Ransomware or extortion demand
Malware encrypts systems, steals data, or demands payment.
Board or executive committee
External adviser
Ransom note, indicators of compromise, backups status, legal advice, insurer notice.
Operational, Legal or regulatory, Reputational, Financial
Active cyber intrusion
Confirmed unauthorised access, privilege escalation, lateral movement, or persistence.
Incident manager
Senior management
External adviser
SIEM alerts, forensic images, access logs, containment actions, analyst notes.
Operational, Legal or regulatory, Reputational
Suspected nation-state activity
Indicators match advanced persistent threat tradecraft or national security concern.
Board or executive committee
External adviser
Threat intelligence, IOCs, forensic timeline, NCSC contact record, legal notes.
Operational, Financial, Customer or client impact
Critical system outage
Core service unavailable beyond agreed RTO or affecting critical processes.
Incident manager
Senior management
Start time, service status, RTO breach, workarounds, recovery actions.
Customer or client impact, Operational, Reputational, Financial
Customer-facing service outage
External users cannot access products, accounts, support, or paid services.
Incident manager
Senior management
Affected users, duration, status page updates, customer messages, SLA impact.
Customer or client impact, Reputational, Financial
Major customer impact
Incident affects key accounts, vulnerable customers, essential services, or high volumes.
Senior management
Customer list, impact analysis, account owner updates, compensation decisions.
Customer or client impact, Legal or regulatory, Reputational
Vulnerable customer harm risk
Incident may cause worse outcomes for customers in vulnerable circumstances.
Senior management
Customer vulnerability assessment, remediation, communications, support arrangements.
Legal or regulatory, Operational, Reputational, Customer or client impact
FCA material incident risk
FCA-regulated firm faces significant operational, cyber, conduct, or customer impact.
Senior management
External adviser
Materiality assessment, compliance advice, FCA notification draft, board updates.
Legal or regulatory, Operational, Customer or client impact, Financial
PRA-regulated service disruption
Important business service may exceed impact tolerance or threaten safety and soundness.
Board or executive committee
External adviser
Impact tolerance assessment, mapping evidence, regulator communications, decisions.
Operational, Legal or regulatory, Customer or client impact
Impact tolerance breach
Disruption approaches or exceeds maximum tolerable duration, volume, or harm metric.
Senior management
Board or executive committee
Tolerance metric, breach time, harm assessment, lessons learned, remediation plan.
Legal or regulatory, Operational, Financial, Customer or client impact
Major payment services incident
Incident materially affects payment services security, continuity, integrity, or availability.
Senior management
External adviser
FCA incident form data, customer impact, transaction volumes, root cause.
E-money service incident
E-money issuance, redemption, safeguarding, or account access is materially affected.
Senior management
External adviser
Customer balances affected, safeguarding impact, regulator notice, communications.
Financial, Operational, Reputational
Material financial loss
Actual or expected loss exceeds internal materiality or insurance deductible threshold.
Senior management
Loss estimate, assumptions, approvals, insurance notice, recovery actions.
Financial, Legal or regulatory, Reputational
Suspected fraud
Dishonest activity, payment diversion, false invoicing, or internal fraud suspected.
Senior management
External adviser
Transaction records, access logs, evidence preservation, Action Fraud reference.
Legal or regulatory, Financial, Reputational
Bribery or corruption concern
Improper payment, inducement, facilitation payment, kickback, or hospitality abuse suspected.
Senior management
Board or executive committee
External adviser
Allegation, evidence, persons involved, investigation plan, legal advice.
Money laundering suspicion
Knowledge or suspicion of money laundering or terrorist financing arises.
Senior management
External adviser
MLRO referral, SAR decision, consent request, transaction evidence, tipping-off controls.
Sanctions match or breach
Potential designated person match, frozen asset, prohibited dealing, or reportable breach.
Senior management
External adviser
Screening result, match rationale, asset freeze steps, OFSI report, legal advice.
Market abuse or inside information
Incident may involve inside information, unlawful disclosure, manipulation, or suspicious orders.
Board or executive committee
External adviser
Inside information assessment, insider list, disclosure decision, FCA communications.
Market disclosure risk
Incident may materially affect share price or require market announcement.
Board or executive committee
External adviser
Materiality analysis, announcement drafts, sponsor advice, board minutes.
Legal or regulatory, Operational, Reputational
Serious health and safety incident
Death, specified injury, dangerous occurrence, or serious work-related ill health.
Senior management
External adviser
Accident report, witness statements, RIDDOR submission, photos, corrective actions.
Legal or regulatory, Reputational, Operational
Fatality or life-threatening incident
Work-related death or life-threatening event may involve management failure.
Board or executive committee
External adviser
Scene preservation, police or HSE contact, legal privilege plan, board minutes.
Legal or regulatory, Reputational, Operational, Financial
Environmental incident
Pollution, spill, waste breach, habitat damage, or permit breach suspected.
Senior management
External adviser
Location, photos, spill logs, regulator contacts, remediation evidence.
Legal or regulatory, Reputational, Operational
Whistleblowing disclosure
Worker reports wrongdoing, legal breach, danger, concealment, or public interest concern.
Senior management
External adviser
Disclosure record, confidentiality steps, investigation plan, retaliation safeguards.
Discrimination or harassment allegation
Allegation involves protected characteristic, senior employee, systemic issue, or victimisation.
Senior management
External adviser
Complaint, witness notes, HR records, interim measures, investigation outcome.
Legal or regulatory, Customer or client impact, Reputational
Safeguarding concern
Concern involves abuse, neglect, exploitation, or risk to a child or adult at risk.
Senior management
External adviser
Concern form, referral record, decision rationale, confidentiality controls.
Supplier or third-party impact, Operational, Customer or client impact, Financial
Critical supplier failure
Supplier outage threatens critical process, customer service, data, or contractual duties.
Incident manager
Senior management
Supplier notices, SLA data, dependency map, alternative arrangements, credits.
Supplier or third-party impact, Operational, Customer or client impact
Cloud provider outage
Hosted services, data availability, backups, or security controls are materially affected.
Incident manager
Senior management
Provider status updates, ticket IDs, affected services, failover decisions.
Supplier or third-party impact, Legal or regulatory, Customer or client impact, Reputational
Third-party data breach
Processor, supplier, or partner reports breach involving organisation data.
Incident manager
Senior management
External adviser
Supplier notice, DPA terms, breach details, controller decisions, notifications.
Supplier or third-party impact, Legal or regulatory
Processor delayed breach notice
Processor delay may compromise controller 72-hour assessment or notification duties.
Senior management
External adviser
Notice time, supplier explanations, missing facts, escalation emails, contract review.
Legal or regulatory, Financial, Customer or client impact, Supplier or third-party impact
Contract notification deadline
Contract requires customer, supplier, lender, insurer, or partner notice within set time.
Senior management
External adviser
Relevant clauses, deadline tracker, notices sent, approvals, acknowledgements.
Financial, Legal or regulatory
Insurance notification risk
Incident may trigger cyber, liability, crime, D&O, property, or business interruption cover.
Senior management
External adviser
Policy terms, notice time, broker correspondence, consent to incur costs.
Reputational, Customer or client impact, Financial
Media or public attention
Journalist enquiry, viral post, public complaint, or likely press coverage arises.
Senior management
Board or executive committee
External adviser
Media enquiries, holding statements, approvals, monitoring screenshots, Q&A.
Reputational, Customer or client impact
Viral social media complaint
Complaint gains significant reach or alleges legal, safety, bias, or misconduct issue.
Incident manager
Senior management
Screenshots, URLs, engagement metrics, response approvals, customer contact log.
Legal or regulatory, Reputational, Operational
Senior executive implicated
Director, senior manager, SMF holder, or key person is involved or conflicted.
Board or executive committee
External adviser
Conflict assessment, governance minutes, independent investigation mandate, advice records.
Operational, Financial, Legal or regulatory, Reputational
Risk appetite breach
Incident exceeds board-approved risk appetite, tolerance, or key risk indicator threshold.
Board or executive committee
KRI breach, risk appetite metric, management response, board decision.
Operational, Customer or client impact, Financial
Business continuity activation
Normal operations cannot continue without BCP, alternate site, manual workaround, or crisis team.
Incident manager
Senior management
BCP activation time, decision maker, workarounds, staff communications, recovery status.
Operational, Financial, Customer or client impact
Disaster recovery activation
Production environment cannot be restored within RTO without DR plan execution.
Incident manager
Senior management
DR decision, RTO/RPO status, failover steps, validation results, rollback plan.
Backup or recovery failure
Backups unavailable, corrupted, encrypted, untested, or unable to meet RPO.
Incident manager
Senior management
Backup logs, restore tests, RPO gap, data loss estimate, remediation.
Operational, Legal or regulatory
Security logging failure
Critical logs are missing, tampered with, unavailable, or retention compromised.
Incident manager
Logging gap, affected systems, preservation steps, compensating evidence, remediation.
Operational, Legal or regulatory, Reputational
Privileged account compromise
Admin, root, domain, finance, HR, or production credentials are compromised.
Incident manager
Senior management
Account actions, access timeline, reset evidence, scope assessment, forensic notes.
Financial, Legal or regulatory, Reputational
Unauthorised payment or transfer
Payment sent to wrong, fraudulent, unauthorised, or altered bank details.
Senior management
External adviser
Payment details, bank contacts, recall attempts, fraud report, approvals.
Operational, Financial, Legal or regulatory, Reputational
Business email compromise
Email account compromise leads to invoice fraud, data exposure, or malicious messages.
Incident manager
Senior management
Mailbox logs, forwarding rules, sent items, payment impact, containment steps.
Operational, Legal or regulatory, Financial
Phishing campaign affecting staff
Multiple staff targeted or credentials entered, malware opened, or supplier spoofed.
Team lead
Incident manager
Email headers, recipient list, clicked users, blocked domains, awareness notice.
Operational, Financial, Reputational
Malware outbreak
Malware spreads beyond one endpoint or affects servers, backups, or credentials.
Incident manager
Senior management
Affected hosts, malware hashes, EDR alerts, isolation times, eradication evidence.
Operational, Customer or client impact, Reputational, Financial
Denial-of-service attack
Traffic attack degrades or prevents access to customer-facing or critical systems.
Incident manager
Senior management
Traffic metrics, provider tickets, mitigation steps, downtime, customer notices.
Operational, Legal or regulatory, Customer or client impact
Unauthorised production change
Unapproved code, configuration, infrastructure, or database change affects production.
Incident manager
Change record, commit history, approvers, rollback evidence, impact assessment.
Operational, Customer or client impact, Financial
Severe release defect
Release causes critical defect, data corruption, payment error, or service outage.
Incident manager
Senior management
Release notes, defect scope, rollback decision, customer impact, RCA.
Operational, Customer or client impact, Legal or regulatory, Financial
Data corruption or integrity issue
Records are inaccurate, corrupted, duplicated, deleted, or cannot be trusted.
Incident manager
Senior management
Affected datasets, correction plan, audit trail, validation results, customer impact.
Operational, Legal or regulatory, Customer or client impact
Accidental data deletion
Deletion affects regulated records, customer data, backups, or critical operations.
Incident manager
Deleted records, cause, restoration evidence, retention impact, breach assessment.
Legal or regulatory, Operational
Records retention failure
Required business, legal, audit, tax, employment, or regulated records are lost.
Senior management
External adviser
Record class, retention requirement, loss cause, recovery attempts, legal assessment.
Legal or regulatory, Financial, Operational
Tax reporting disruption
Incident may affect VAT, PAYE, corporation tax, customs, or statutory filing accuracy.
Senior management
External adviser
Affected filings, deadlines, estimates, HMRC correspondence, correction evidence.
Legal or regulatory, Financial, Reputational
Statutory filing disruption
Incident may prevent accurate or timely Companies House accounts or confirmation filing.
Senior management
External adviser
Deadline, affected filings, extension efforts, board approvals, submission evidence.
Financial, Legal or regulatory, Reputational
Solvency or going concern risk
Incident threatens liquidity, covenant compliance, payroll, solvency, or going concern status.
Board or executive committee
External adviser
Cash forecasts, creditor impact, board minutes, insolvency advice, mitigation plan.
Operational, Financial, Customer or client impact
Premises unavailable
Office, warehouse, plant, branch, or data centre cannot be safely accessed.
Incident manager
Senior management
Access restrictions, safety checks, landlord notices, alternative site plan, photos.
Operational, Customer or client impact, Supplier or third-party impact
Utilities or telecoms outage
Power, internet, telephony, water, or heating outage affects critical operations.
Incident manager
Provider status, fault references, affected sites, continuity measures, restoration time.
Operational, Customer or client impact
Critical staff unavailability
Absence, strike, illness, travel disruption, or key-person loss affects essential functions.
Team lead
Incident manager
Staffing levels, functions affected, rota changes, HR advice, continuity actions.
Operational, Customer or client impact, Reputational
Industrial action disruption
Strike, picketing, or work-to-rule may disrupt critical services or safety.
Senior management
External adviser
Union notices, contingency plan, customer impact, legal advice, communications.
Legal or regulatory, Customer or client impact, Reputational, Financial
Product safety issue
Product may be unsafe, defective, non-compliant, or require recall or warning.
Senior management
Board or executive committee
External adviser
Batch data, complaints, risk assessment, regulator contact, recall decision.
Food safety incident
Food may be unsafe, contaminated, mislabelled, allergen-risk, or require recall.
Senior management
External adviser
Batch traceability, risk assessment, FSA notification, recall notices, customer complaints.
Consumer rights breach
Incident may involve unfair terms, misleading practices, refunds, cancellation, or defective goods.
Senior management
External adviser
Customer complaints, terms, sales materials, refund decisions, legal assessment.
Legal or regulatory, Reputational, Customer or client impact
Misleading advertising complaint
Complaint alleges misleading, harmful, offensive, irresponsible, or non-compliant advertising.
Senior management
External adviser
Ad copy, substantiation, complaints, ASA correspondence, takedown decision.
Legal or regulatory, Financial, Reputational
Competition law concern
Price fixing, market sharing, bid rigging, resale pricing, or abuse concern arises.
Board or executive committee
External adviser
Evidence preservation, dawn raid readiness, legal advice, CMA contact record.
Intellectual property infringement
Incident involves unauthorised use, disclosure, copying, or loss of valuable IP.
Senior management
External adviser
IP asset, evidence, access logs, takedown notices, legal advice.
Legal or regulatory, Financial, Reputational, Customer or client impact
Confidential information leak
Trade secrets, pricing, bids, strategy, source code, or client confidential data leaked.
Senior management
External adviser
Leaked material, recipients, NDAs, containment steps, takedown actions.
Legal or regulatory, Reputational, Financial
Legal privilege risk
Investigation may involve litigation, regulator enforcement, criminal liability, or sensitive advice.
External adviser
Senior management
Privilege protocol, counsel instructions, document labels, distribution limits.
Legal or regulatory, Financial, Reputational
Threatened litigation or claim
Letter before claim, injunction threat, group claim, or material dispute arises.
Senior management
External adviser
Claim correspondence, evidence hold, chronology, insurance notice, legal advice.
Legal or regulatory, Reputational, Operational
Law enforcement enquiry
Police, NCA, SFO, HMRC, or other authority requests information or attends site.
Senior management
External adviser
Officer details, warrant or request, documents provided, legal advice, chain of custody.
Legal or regulatory, Reputational, Financial
Regulator enquiry or investigation
Regulator requests information, opens investigation, threatens enforcement, or visits premises.
Board or executive committee
External adviser
Request, deadlines, responses, document hold, regulator communications, advice.
Legal or regulatory, Reputational, Operational
Search warrant or dawn raid
Authority arrives with warrant, inspection powers, or document seizure request.
Board or executive committee
External adviser
Warrant copy, officials list, documents seized, objections, legal attendance notes.
Legal or regulatory, Reputational, Supplier or third-party impact
Modern slavery concern
Forced labour, exploitation, trafficking, or supply-chain abuse suspected.
Senior management
Board or executive committee
External adviser
Supplier details, worker safety steps, investigation, reports, remediation plan.
Supplier or third-party impact, Reputational, Legal or regulatory
Supplier ethical breach
Supplier breach involves labour abuse, sanctions, bribery, safety, environment, or fraud.
Senior management
Supplier evidence, contract rights, audit results, suspension decision, remediation.
Supplier or third-party impact, Operational, Financial, Customer or client impact
Key supplier insolvency
Critical supplier enters administration, liquidation, distress, or threatens service cessation.
Senior management
External adviser
Supplier notices, continuity plan, replacement options, contract rights, risk assessment.
Financial, Customer or client impact, Operational
Major customer insolvency
Customer default may cause material bad debt, service risk, or contractual exposure.
Senior management
Exposure amount, credit notes, contract rights, communications, impairment assessment.
Financial, Legal or regulatory, Reputational
Financing covenant breach
Incident may breach loan covenant, facility agreement, security, or reporting undertaking.
Board or executive committee
External adviser
Covenant calculation, lender notice, waiver request, board approvals, advice.
Audit qualification risk
Incident may affect financial statements, controls, evidence, going concern, or audit opinion.
Senior management
Board or executive committee
External adviser
Auditor correspondence, accounting impact, control failure, board papers, remediation.
Operational, Financial, Reputational
Payroll failure
Staff pay, pensions, PAYE, benefits, or statutory payments may be late or wrong.
Senior management
Affected employees, payment files, corrections, staff communications, HMRC impact.
Legal or regulatory, Financial, Reputational
Pension contribution failure
Auto-enrolment, contribution, scheme payment, or member data issue arises.
Senior management
External adviser
Affected members, missed payments, trustee or provider notices, rectification.
Legal or regulatory, Customer or client impact, Reputational
Accessibility failure
Digital service excludes disabled users or creates legal, service, or complaint risk.
Senior management
Accessibility findings, complaints, affected journeys, fixes, equality assessment.
Operational, Legal or regulatory, Customer or client impact, Reputational
AI output or model failure
AI system produces harmful, biased, confidential, unsafe, or materially wrong output.
Incident manager
Senior management
External adviser
Prompt, output, model version, user impact, mitigation, review decision.
Legal or regulatory, Customer or client impact, Reputational
Automated decision challenge
Person challenges automated decision with legal, significant, unfair, or discriminatory effect.
Senior management
External adviser
Decision logic, human review, DPIA, complaint, outcome communication.
Legal or regulatory, Customer or client impact
High-risk processing change
Incident response requires high-risk new processing, monitoring, profiling, or data sharing.
Senior management
External adviser
DPIA, necessity assessment, residual risk, DPO advice, consultation decision.
Legal or regulatory, Supplier or third-party impact
International data transfer issue
Incident involves transfer to non-UK country without clear safeguard or assessment.
Senior management
External adviser
Transfer map, safeguards, TRA, contracts, importer communications, remedial actions.
Legal or regulatory, Customer or client impact, Reputational
Data subject rights deadline risk
Incident prevents timely response to DSAR, erasure, rectification, objection, or portability request.
Team lead
Incident manager
Request log, deadline, search status, extension rationale, response copy.
Legal or regulatory, Reputational, Customer or client impact
ICO complaint or enquiry
ICO contacts organisation or individual complains to ICO about data handling.
Senior management
External adviser
ICO correspondence, complaint file, response deadlines, evidence, remedial actions.
Legal or regulatory, Operational, Customer or client impact
NIS reportable incident risk
Essential or relevant digital service incident may substantially affect service continuity.
Senior management
External adviser
Service impact, users affected, duration, competent authority notice, NCSC contact.
Telecoms security incident
Provider network or service security, availability, or resilience materially affected.
Senior management
External adviser
Network impact, customer numbers, Ofcom notice, technical reports, remediation.
Legal or regulatory, Customer or client impact, Operational, Reputational
Clinical service or patient data incident
Incident affects patient safety, care continuity, NHS data, or clinical records.
Senior management
External adviser
Patient safety assessment, records affected, NHS reporting, clinical mitigation.
Legal or regulatory, Financial, Reputational, Customer or client impact
Charity serious incident
Charity faces significant loss, harm, safeguarding, fraud, reputation, or governance issue.
Board or executive committee
External adviser
Trustee decision, Charity Commission report, incident facts, mitigation, follow-up.
Legal or regulatory, Customer or client impact, Reputational
Education safeguarding or pupil data incident
Incident affects pupils, safeguarding records, exam integrity, or school duties.
Senior management
External adviser
DSL record, parent communications, local authority contact, ICO assessment.
Customer or client impact, Reputational, Operational
Complaint volume spike
Complaints exceed normal volume or indicate systemic customer harm.
Incident manager
Senior management
Complaint themes, volumes, root cause, response scripts, remediation tracking.
Operational, Customer or client impact, Financial
Incident unresolved beyond SLA
Incident remains unresolved beyond internal SLA or customer contractual target.
Team lead
Incident manager
SLA timer, blockers, owner changes, customer updates, escalation decision.
Operational, Customer or client impact, Reputational
Repeated incident recurrence
Same root cause, control failure, or customer impact recurs within defined period.
Incident manager
Senior management
Prior incidents, RCA comparison, control actions, ownership, recurrence metrics.
Operational, Legal or regulatory, Financial, Reputational, Customer or client impact, Supplier or third-party impact
Severity cannot be assessed
Facts are insufficient but worst-case impact could be material or time-critical.
Incident manager
Known facts, assumptions, information gaps, next review time, decision rationale.
Operational, Financial, Customer or client impact
Resource conflict or decision deadlock
Teams disagree on containment, restoration, customer messaging, cost, or risk trade-off.
Senior management
Options, risks, dissenting views, decision owner, approvals, follow-up actions.
Reputational, Legal or regulatory, Customer or client impact
External communications required
Customer, regulator, investor, media, staff, or public statement is needed.
Senior management
External adviser
Drafts, approvals, distribution list, publication time, Q&A, legal sign-off.
Financial, Customer or client impact, Reputational
Customer compensation decision
Incident may require refunds, credits, redress, goodwill payments, or remediation scheme.
Senior management
Eligibility criteria, calculations, approvals, customer communications, payment records.
Customer or client impact, Reputational, Legal or regulatory
Mass customer notification
Large customer group must be warned, updated, migrated, refunded, or supported.
Senior management
Recipient list, message versions, send times, bounce reports, contact centre scripts.
Customer or client impact, Operational, Reputational
Support channel overload
Contact centre, email, chat, or complaints queues exceed crisis thresholds.
Incident manager
Senior management
Queue metrics, staffing actions, scripts, escalation routes, service levels.
Legal or regulatory, Reputational, Operational
Employee data exposure
Payroll, HR, disciplinary, health, absence, or monitoring data is exposed.
Incident manager
Senior management
External adviser
Affected employees, data types, union or HR communications, ICO assessment.
Legal or regulatory, Customer or client impact, Reputational
CCTV or monitoring incident
CCTV, call recording, device monitoring, or tracking is misused or compromised.
Incident manager
Senior management
Footage affected, access logs, policy review, privacy notice, complaint records.
Operational, Legal or regulatory, Reputational, Financial
Physical security breach
Unauthorised access, theft, tampering, lost keys, badge misuse, or secure area breach.
Incident manager
Senior management
Access records, CCTV, asset list, police report, lock or badge changes.
Legal or regulatory, Operational, Reputational
Lost or stolen device
Device contains business data, credentials, personal data, or privileged access.
Team lead
Incident manager
Device ID, encryption status, remote wipe, data assessment, police report.
Legal or regulatory, Reputational, Operational
Lost removable media
USB, hard drive, paper file, backup tape, or archive containing sensitive data lost.
Incident manager
Media inventory, encryption, contents, last custody, search actions, breach assessment.
Legal or regulatory, Reputational, Customer or client impact
Paper records breach
Paper files are misdirected, lost, stolen, viewed, or disposed of insecurely.
Team lead
Incident manager
File details, recipients, retrieval efforts, disposal evidence, risk assessment.
Legal or regulatory, Customer or client impact, Reputational
Misdirected email or message
Sensitive, personal, confidential, or regulated information sent to wrong recipient.
Team lead
Incident manager
Message copy, recipients, recall attempt, deletion confirmation, breach assessment.
Legal or regulatory, Customer or client impact, Reputational, Supplier or third-party impact
Unauthorised data sharing
Data shared without authority, lawful basis, agreement, transparency, or required safeguards.
Incident manager
Senior management
External adviser
Data shared, recipients, lawful basis review, DSA status, containment.
Legal or regulatory, Customer or client impact, Reputational
Consent or marketing breach
Marketing sent without valid consent, opt-out, soft opt-in, or preference compliance.
Incident manager
Senior management
Campaign list, consent records, suppression list, complaint data, remedial action.
Legal or regulatory, Reputational, Customer or client impact
Cookie or tracking breach
Non-essential cookies, pixels, or trackers deployed without valid consent or transparency.
Incident manager
Senior management
Cookie scan, CMP logs, consent records, vendor list, remediation evidence.
Reputational, Operational, Legal or regulatory
Website defacement
Public website displays unauthorised, malicious, false, offensive, or harmful content.
Incident manager
Senior management
Screenshots, logs, change history, takedown time, customer or media impact.
Operational, Reputational, Customer or client impact, Financial
Domain or DNS compromise
Domain, DNS, registrar, MX, SPF, DKIM, or hosting control is altered or hijacked.
Incident manager
Senior management
External adviser
DNS records, registrar tickets, change logs, restoration steps, abuse reports.
Operational, Legal or regulatory, Reputational
Certificate or key compromise
TLS certificate, signing key, API key, encryption key, or secret is exposed.
Incident manager
Key identifier, exposure source, rotation evidence, revocation, dependent systems.
Exploited critical vulnerability
Known critical vulnerability is exploited or exposed on internet-facing system.
Incident manager
Senior management
CVE, exposure window, patch status, exploit evidence, affected assets.
Operational, Legal or regulatory
Unpatched critical vulnerability
Critical vulnerability cannot be patched or mitigated within risk-based deadline.
Team lead
Incident manager
Asset list, CVSS or threat rating, exceptions, compensating controls, owner.
Supplier or third-party impact, Operational, Legal or regulatory, Reputational
Software supply chain compromise
Third-party code, package, update, build pipeline, or dependency is compromised.
Incident manager
Senior management
External adviser
Affected dependencies, SBOM, vendor notices, patch status, forensic findings.
Legal or regulatory, Financial, Reputational
Open-source licence breach
Software use may breach copyleft, attribution, source disclosure, or licence terms.
Senior management
External adviser
Component list, licence terms, product use, legal assessment, remediation.
Legal or regulatory, Financial, Reputational, Customer or client impact
Payment card data incident
Cardholder data environment, PAN, authentication data, or payment terminal compromised.
Senior management
External adviser
Card data scope, acquirer notice, forensic report, PCI evidence, customer impact.
Financial, Operational, Legal or regulatory
Banking access compromise
Online banking credentials, payment approvals, mandate, or treasury system compromised.
Senior management
External adviser
Bank contacts, access changes, transaction review, payment freezes, fraud reports.
Legal or regulatory, Financial, Customer or client impact, Reputational
Customer money or assets risk
Client money, custody assets, safeguarding, or segregation may be inaccurate or impaired.
Board or executive committee
External adviser
Reconciliations, shortfall estimate, customer impact, FCA notice, remediation.
Legal or regulatory, Financial, Reputational
AML control failure
Screening, monitoring, KYC, suspicious activity, or sanctions controls fail materially.
Senior management
External adviser
Control outage, affected customers, alerts backlog, MLRO decision, remediation.
Legal or regulatory, Operational, Financial
Legal hold required
Litigation, investigation, inquiry, regulator request, or claim requires evidence preservation.
Senior management
External adviser
Hold notice, custodians, systems, preservation scope, acknowledgements, collection log.
Legal or regulatory, Reputational, Operational
Evidence tampering risk
Logs, documents, devices, footage, or records may be altered, deleted, or concealed.
Senior management
External adviser
Chain of custody, preservation actions, access restrictions, forensic images.
Operational, Legal or regulatory, Reputational, Financial
Serious employee misconduct
Misconduct involves fraud, harassment, safety, data, violence, theft, or senior staff.
Senior management
External adviser
Allegation, HR file, suspension decision, investigation notes, outcome letter.
Operational, Legal or regulatory, Reputational
Workplace violence or threat
Physical assault, credible threat, weapon, stalking, or serious intimidation occurs.
Senior management
External adviser
Incident report, police contact, witness statements, risk assessment, support offered.
Employee welfare emergency
Immediate risk of self-harm, severe distress, unsafe working, or welfare emergency.
Senior management
External adviser
Welfare actions, emergency contacts, HR advice, confidentiality controls, support offered.
Operational, Legal or regulatory, Reputational, Financial
Fire or evacuation incident
Fire, smoke, alarm, evacuation, fire system failure, or unsafe premises issue.
Incident manager
Senior management
Evacuation log, fire service contact, alarm data, risk assessment, remedial works.
Financial, Legal or regulatory, Operational
Panel adviser requirement
Policy requires approved legal, forensic, PR, or loss adjuster before major spend.
External adviser
Senior management
Policy clause, insurer approval, panel appointment, scope, cost authorisations.
Operational, Legal or regulatory, Financial, Reputational
Specialist expertise required
Internal team lacks expertise for forensics, legal advice, PR, safety, tax, or sector rules.
External adviser
Reason for appointment, scope, engagement letter, advice received, decisions.
Operational
Incident owner unavailable
Assigned incident owner cannot act, is conflicted, or lacks authority.
Team lead
Incident manager
Reassignment decision, authority level, handover notes, contact attempts.
Operational, Legal or regulatory, Customer or client impact
Out-of-hours major incident
Incident arises outside normal hours and may need urgent decisions or notifications.
Incident manager
Senior management
On-call contacts, response times, approvals, decisions, next briefing time.
Legal or regulatory, Operational, Customer or client impact, Supplier or third-party impact
Multi-jurisdiction impact
Incident affects UK plus overseas customers, staff, regulators, contracts, or operations.
Senior management
External adviser
Countries affected, local counsel, notification map, communications, deadlines.
Financial, Legal or regulatory, Reputational
Transaction or M&A impact
Incident may affect due diligence, warranties, disclosure, completion, valuation, or financing.
Board or executive committee
External adviser
Transaction documents, disclosure analysis, buyer or seller notices, board approvals.
Legal or regulatory, Financial, Reputational, Customer or client impact
Public procurement compliance issue
Incident affects tender fairness, exclusion risk, contract performance, or public authority duties.
Senior management
External adviser
Tender records, conflict logs, authority correspondence, standstill impact, advice.
Legal or regulatory, Reputational, Financial
Conflict of interest
Incident involves undisclosed interest, related party, procurement conflict, or conflicted decision-maker.
Senior management
Board or executive committee
Conflict declaration, recusals, decision minutes, mitigation, independent review.
Legal or regulatory, Financial, Reputational, Supplier or third-party impact
NDA or confidentiality breach
Protected information is disclosed contrary to NDA, contract, bid rules, or court order.
Senior management
External adviser
NDA terms, disclosure facts, recipients, notice obligations, remedial steps.
Legal or regulatory, Financial, Reputational, Operational
Court order or injunction risk
Incident may breach court order, undertaking, disclosure duty, or injunction.
Board or executive committee
External adviser
Order terms, breach facts, legal advice, remedial action, court communications.
Legal or regulatory, Financial, Reputational, Supplier or third-party impact
Export control concern
Controlled goods, software, technology, or dual-use items may be exported unlawfully.
Senior management
External adviser
Item classification, destination, licence status, shipment records, legal advice.
Legal or regulatory, Financial, Reputational, Operational
Right-to-work compliance issue
Employee may lack valid right to work or checks are missing or defective.
Senior management
External adviser
Check records, visa status, Home Office guidance, HR actions, legal advice.
Operational, Supplier or third-party impact, Customer or client impact, Financial
Data centre or hosting incident
Hosting, colocation, cooling, power, connectivity, hardware, or facility incident affects service.
Incident manager
Senior management
Facility notices, affected racks, failover status, provider tickets, recovery time.
Operational, Customer or client impact, Financial
Capacity exhaustion
CPU, storage, bandwidth, licence, queue, or staff capacity threatens service availability.
Team lead
Incident manager
Capacity metrics, trend, emergency changes, cost approvals, prevention plan.
Legal or regulatory, Financial, Operational
Software licence compliance issue
Unlicensed, overused, unauthorised, or audit-triggering software use identified.
Senior management
External adviser
Licence count, usage evidence, vendor notices, remediation, settlement authority.
Legal or regulatory, Financial, Reputational, Operational
Regulatory licence condition breach
Incident may breach sector licence, authorisation, permit, approval, or undertaking.
Board or executive committee
External adviser
Licence condition, breach analysis, regulator notice, corrective plan, approvals.
Operational, Financial, Legal or regulatory, Reputational
Board reporting required
Incident is material, strategic, recurring, unresolved, or outside delegated authority.
Board or executive committee
Board paper, timeline, decisions sought, risk assessment, action tracker.
Financial, Operational, Legal or regulatory
Delegated authority exceeded
Response requires spend, settlement, contract change, write-off, or risk acceptance beyond authority.
Senior management
Board or executive committee
Authority limit, requested approval, rationale, approver, conditions, decision.

When Should A UK Incident Response Plan Require Escalation?

Escalation criteria should not be limited to technical severity. UK organisations should escalate quickly where an incident may involve personal data, regulated services, financial loss, vulnerable customers, safety risks, contractual notification duties, or senior stakeholder attention.

Which UK Legal And Regulatory Triggers Need Fast Escalation?

  • Personal data breaches should be escalated immediately where there is a possible risk to individuals, because the UK GDPR requires notification to the ICO without undue delay and, where feasible, within 72 hours.
  • Cyber incidents affecting FCA-regulated firms should be escalated to senior management and compliance where they may be material, because firms may need to notify the FCA promptly.
  • Reportable safety, fraud, AML, sanctions, and market-abuse concerns require escalation beyond the operational team because evidence preservation and regulatory notification decisions are time-sensitive.

What Evidence Should Be Kept When An Incident Is Escalated?

For each escalation, retain a concise audit trail showing what happened, when it was identified, who made the escalation decision, who was notified, and what actions were approved. For data protection and regulated-sector incidents, keep the risk assessment, notification decision, regulator correspondence, customer communications, technical logs, and legal advice records where applicable.

How Should Escalation Levels Be Designed?

Use tiered destinations: routine contained issues can go to a team lead; cross-functional or unresolved incidents should go to an incident manager; regulatory, financial, customer, media, or supplier-critical issues should reach senior management; existential, market-sensitive, or governance-critical incidents should reach the board or executive committee; specialist issues should involve an external adviser, such as cyber forensic, legal, PR, insurance, or safety specialists.

Incident Escalation Criteria Dataset
Want to Generate Your own Incident Response Plan?
Docaro AI can help you write your own Incident Response Plan for use in the United Kingdom in minutes.
Generate Your Document Now

FAQs

An incident escalation criteria dataset is a structured set of triggers, thresholds, roles, and decision rules used to determine when an incident should be escalated within a UK organisation.
Show All FAQs

You Might Also Be Interested In

Incident Response Plan Section Catalogue
Browse the United Kingdom incident response plan section catalogue to find key templates, topics, and guidance for faster planning.
Incident Response Roles and Responsibilities Matrix
Clarify United Kingdom incident response roles, responsibilities and escalation paths with a practical matrix for faster breach handling.
United Kingdom Incident Notification Decision Tree
United Kingdom incident notification decision tree to help assess reporting steps, timelines, and response actions after a security incident.
United Kingdom Incident Response Plan Selection Flowchart
United Kingdom flowchart to help select the right incident response plan quickly, clearly, and confidently.

References and Information Sources