Intersecting Risk Management and Crisis Management

Protiviti Board Perspectives

Crisis management is an integral component of effective reputation management. A rapid and effective response to sudden, unexpected events can enhance reputation, as astute observers know that even the most respected organizations can be tested. In the corporate world, however, the unprepared pay a high price.

Key Considerations

One of the issues with traditional risk maps, heat maps and risk rankings based on assessments of the severity of impact of potential future events and their likelihood of occurrence is that they do not help companies pinpoint where preparedness requires improvement. While these traditional approaches provide an overall “quick and dirty” picture of the enterprise’s risks, they offer little insight as to what to do about exposures to extreme events. Often, the process of developing traditional maps leads to a de-emphasis of the so-called “high impact, low likelihood” risks because of the low probabilities involved and the false sense of security arising from the lack of historical precedent. This practice can present a flawed picture. The irony is that these events are often the ones that cause the most damage if and when they occur. To manage their impact effectively, proactive preparation is vital.

To contribute to a proactive approach, the risk assessment process needs to consider such attributes as:

  • The velocity or speed to impact of an event (i.e., does it smolder or is it sudden, and can the loss of any critical component of the value chain occur without warning?)
  • The persistence of the impact (i.e., the duration of time it affects the organization, including the related “headline effect”)
  • The resiliency of the company in responding to an event, including a catastrophic event

Likelihood of occurrence may not be as significant as the factors cited above in evaluating exposure to catastrophic events and the enterprise’s response readiness. Sooner or later, every company faces a crisis. Even the most effective risk management cannot prevent this exposure. As a crisis event is a severe manifestation of risk, crisis management preparation is a natural follow-on to an informative risk assessment, particularly one which highlights high-impact risks with high velocity, high persistence and low response readiness. In some cases, management may even know that a crisis could occur because of actions it plans (e.g., discontinuation of a business segment, shutdown/relocation of a major plant, or a layoff of a group of employees).

If a crisis management team doesn’t exist or isn’t prepared to address a potential crisis, rapid response to sudden, unexpected events will be virtually impossible. Fires cannot be fought with a committee. Therefore, the risk assessment process should be designed to identify areas where preparedness is critical. It is possible that risk exposure in some of these identified areas may be preventable (or reduced significantly) by improving operating processes. In other areas, it may be necessary to evaluate alternative responses and best-case/worst-case scenarios to formulate a response plan in the cool of the day rather than during the heat of staring down an actual crisis.

To improve response readiness to a crisis, management should form a rapid-response crisis communications team consisting of representatives from executive management, leadership of any affected business units and leadership of functions such as human resources, finance, operations, information technology, public relations and legal. If necessary, a suitable crisis management consultant may be needed. This team should authorize a pool of individuals who are trained to serve as spokespersons to speak on behalf of the organization in times of crisis to the media, as well as internally at employee meetings and/or externally at public meetings. The response plan should emphasize the importance of transparency, straight talk, frequent communications and effective deployment of social media. The objective is to keep employees, the public and media informed and avoid misinformation. Messaging should emphasize the company’s compassion for any victims, its efforts to investigate the incident and ascertain what happened and why, and its intention to contain the damage from the current crisis and prevent a repeat in the future. Most importantly, the company’s response team’s actions must back up the messaging.

The rapid-response team should formulate a crisis management plan and ensure it is updated and tested periodically and supported by a communications plan. This plan should include appropriate holding statements (prepared with the assistance of public relations and pre-approved by legal), which express concern for the safety and well-being of any victims and buy time for the response team to investigate the incident and take appropriate steps to reduce the chances of another occurrence. Key internal and external stakeholders who matter most to the organization should be identified, and a reliable system to notify them when a crisis emerges should be in place.

We often think “What happened to them can’t happen to us.” Well, it can. Because most organizations are unprepared for a crisis, it is a management imperative to build a rapid-response crisis management capability for sudden and unexpected high-impact, high-velocity and high-persistence events. A world-class response to a persistent crisis is vital to a company’s ultimate recovery from it. Simply stated, early preparation improves an organization’s ability to respond to a crisis, reduces damage to a company’s brand image and reputation, and minimizes regulatory sanctions, penalties or fines.

Questions for Boards

Boards of directors may want to consider the following questions in the context of the nature of the entity’s risks inherent in its operations:

  • Does the risk assessment process provide insights into specific areas where a crisis response plan is needed to improve the organization’s resiliency?
  • For areas that have a crisis response plan in place, is there an appropriately constituted rapid-response crisis communication team in place, along with a crisis management plan that is carefully thought through and updated and tested periodically? Is the plan supported by an appropriate communications plan that buys time for the response team to investigate the incident to determine and take appropriate steps?

How Protiviti Can Help

We assist companies with identifying and assessing the enterprise’s risks and implementing strategies and tactics for managing risk. We also help companies integrate their risk assessment process with their core business processes, including crisis management.

Board Perspectives: Risk Oversight (Issue 45)
