The Role of the Risk Assessment
Crisis management is an integral component of effective reputation management. Protiviti’s Jim DeLoach discusses why it’s imperative to build a rapid-response crisis management capability for sudden and unexpected high-impact, high-velocity and high-persistence events.
Years ago, I had a conversation with a high-profile board chair of a top U.S. university. He told me that he and others in his profession (he was a lawyer) had concerns that organizations, both public and private, seemed to “relearn” the same lessons over and over without any marked improvement in their preparedness for the unexpected. We hit it off pretty well in this dialogue because this issue is one to which I have given much thought over the years, particularly since the global financial crisis. We agreed that the risk assessment process should inform the crisis management process.
As no brand is immune to a crisis, it is evident today that crisis management is an integral component of effective reputation management. A rapid and effective response to a sudden and unexpected event can actually enhance reputation, as astute observers know that even the most respected organizations can and will be tested over time. In the corporate world, however, the unprepared pay a high price.
One of the issues with traditional risk maps, heat maps and risk rankings based on assessments of the severity of impact of potential future events and their likelihood of occurrence is that they do not help companies pinpoint where preparedness – or response readiness – requires improvement. While these traditional approaches provide an overall “quick-and-dirty” picture of the enterprise’s risks, they offer little insight as to what to do about exposures to extreme events.
Often, the process of developing traditional risk or heat maps leads to a de-emphasis of the so-called “high-impact, low-likelihood” risks because of the low probabilities involved and the false sense of security arising from the lack of historical precedent. The irony is that these events are often the ones that can cause the most damage if and when they occur. Ignoring the risk of their occurrence results in tacit acceptance of their consequences to the enterprise should they occur, regardless of their magnitude. If the event occurs and the entity’s lack of preparedness is evident to investors, regulators, the public and other stakeholders, then management is exposed. Therefore, the real question is not whether the event will occur but how the entity will respond if it does occur.
To manage the impact of such events effectively, proactive preparation is vital. To contribute to a proactive approach, the risk assessment process needs to consider such attributes as:
- The velocity or speed to impact of an event, i.e., does it smolder for an extended period of time or is it sudden, and can the loss of any critical component of the value chain occur without warning?
- The persistence of the impact of the event, i.e., the duration of time it affects the organization, including the related “headline effect.”
- The resiliency of the company in responding to the event.
Likelihood of occurrence may not be as relevant as the factors cited above in evaluating exposure to catastrophic events and the enterprise’s response readiness. As noted earlier, sooner or later, every company faces a crisis. Even the most effective risk management cannot prevent this exposure. As a crisis event is a severe manifestation of risk, crisis management preparation is a natural follow-on to a risk assessment, particularly for high-impact risks with high velocity, high persistence and low response readiness. In some cases, management may even know that a crisis will occur because of actions it plans, e.g., discontinuation of a business segment, shutdown or relocation of a major plant, or the layoff of a significant group of employees.
If a crisis management team doesn’t exist or isn’t prepared to address a potential crisis, rapid response to sudden, unexpected events will be virtually impossible. Fires cannot be fought with a committee, especially one formed on the fly. Therefore, the risk assessment process should be designed to identify areas where preparedness is critical. For example, it is possible that the consequences of some identified risk areas may be preventable through improvements to operating processes. In other risk areas, it may be necessary to evaluate alternative responses and best-case/worst-case scenarios to formulate a response plan in the cool of the day, rather than during the heat of the moment when staring down an actual crisis.
To improve response readiness to a crisis, management should form a rapid-response crisis communications team consisting of representatives from executive management, leadership of any affected business units, and leadership of such functions as human resources, finance, operations, information technology, public relations and legal. A suitable crisis management consultant may also be needed. This team should authorize a pool of well-trained individuals to serve during times of crisis as spokespersons on behalf of the organization to the media, internally at employee meetings and/or externally at public meetings.
The response plan should emphasize the importance of transparency, straight talk and effective deployment of social media. Messaging should emphasize the company’s plan, compassion for any victims and, as appropriate, efforts to investigate to ascertain what happened. Most important, the actions of the company’s response team must back up the messaging.
The rapid-response team should formulate a crisis management plan and ensure it is updated and tested periodically. That plan should be supported by a communications plan complete with appropriate holding statements, prepared with the assistance of public relations and preapproved by legal. The holding statements express concern for the safety and well-being of any victims and buy time for the response team to investigate the incident and take appropriate steps to reduce the chances of another similar occurrence. Key internal and external stakeholders who matter most to the organization should be identified and a reliable system should be in place to notify them when a crisis emerges. Of course, this group of stakeholders should include the board of directors.
When a crisis arises for another company, directors and executives may often think, “What happened to them can’t happen to us.” Well, it can. Because many organizations are unprepared for a crisis, it is a management imperative to build a rapid-response crisis management capability for sudden and unexpected high-impact, high-velocity and high-persistence events. Furthermore, it is a board imperative to ensure that management does this.
A world-class response to a persistent crisis is vital to the company’s ultimate recovery from it. Simply stated, early preparation improves an organization’s ability to respond to a crisis, reduces damage to a company’s brand image and reputation, and minimizes regulatory sanctions, penalties or fines.
Questions for Executives and Boards
Following are some suggested questions that senior executives and boards of directors may consider, based on the risks inherent in the entity’s operations:
- Does the risk assessment process provide insights into the specific areas where a crisis response plan is needed to improve the organization’s resiliency? Are the risk criteria used during the assessment process informing the crisis preparation process?
- Considering areas for which a crisis response plan is in place, is there an appropriately constituted rapid-response crisis communication team in place along with a crisis management plan that is carefully thought through as well as updated and tested periodically? Is the plan supported by an appropriate communications plan that buys sufficient time for the crisis response team to investigate the incident and take appropriate steps?