Reputational risk assessment
They used to say that the first 24 hours of a crisis was critical. Now, it’s the first hour. Instant judgements are made on the basis of eyewitness reports, commentary from so-called experts and footage taken from camera-phones. When Concorde crashed near Paris, it was less than forty minutes before the BBC was interviewing ex-pilots, the editor of Flight International and recent passengers to speculate about the causes of the crash. In these circumstances it is critical that organisations can communicate quickly to establish control over a situation. Research from consulting company Oxford Metrica shows that companies are re-rated – up or down - based on the perceived quality of management during a crisis. And this re-rating process begins the moment the crisis breaks. So, exerting control and communicating effectively is essential to protect an organisation’s reputation. The starting point for this should be a reputational risk assessment. But the truth is that some organisations still can’t bring themselves to think the unthinkable. A corporate lucky charm and an attitude that “it’ll never happen to us” are the only things protecting such companies from disaster. In reality though, crises can strike anywhere – no organisation is immune. If this happens – and this is the really important bit – judgements about an organisation are made not on the fact that a crisis has occurred, but on how the company has managed it. A head in the sand approach will only increase the likelihood of this judgement being unfavourable. Once it has been recognised that no one can be safe from a crisis – just ask Coca Cola, Ford, McDonalds and many other world famous companies – the risk assessment process can begin. The purpose of this is to identify the kinds of events that could befall an organisation, their likelihood and potential impact on the business. Doing this provides a platform not only to prepare for potential crises, but also to prevent them. The process works best when a broad group of executives – typically six to twelve people - are brought together to brainstorm potential risks. Before the meeting, they should be briefed to consider risks from their professional perspective. So the HR director considers risks related to people, the production director risks related to manufacturing and so on. At the meeting these risks are shared and others are added as part of the brainstorming process. In our experience, securing information on the basis of people’s personal knowledge and expertise is essential. However, it is not enough. There is an understandable tendency to under-estimate or even hide the potential for risk in your own area. The IT director may not want to reveal to his colleagues that security against viruses We’ve found that the best way of overcoming this is through role play. Having completed the conventional brainstorm, we then ask participants to look at the organisation from a different, more challenging perspective. For example, an investigative journalist looking to write a scandalous story about the organisation – what’s the worst story they could concoct? Or an ex-employee recently fired by the company – what would they say about the company and its vulnerabilities? Or an arch-competitor seeking to undermine the organisation – what flaws would they point to? Taking this approach allows company executives to be more open-minded and realistic about problems the organisation may face. It allows them to consider the worst case scenario. With the brainstorm complete, it’s time to prioritise the risks. The group needs to score the individual risks on the basis of their likelihood and impact. A three or five point scale is typically used for this: a high score on the likelihood scale means that it is highly likely to happen; a high score on the impact scale means that it would have a major impact on the organisation’s reputation. Give the group parameters – a timescale and an understanding of what we mean by damage to reputation – but then complete the prioritisation exercise swiftly. Participants need to recognise that the exercise is designed to give us a planning framework, so agonised discussions about whether to rate a certain risk as a two or a three are unnecessary. Chart up the prioritised risks on a pre-prepared matrix and a clearer picture will emerge. The priority risks will be seen in the top right hand corner – high likelihood and high impact. For an airline, the risk of a crash would be in this part of the matrix. With this information, steps to prevent and prepare for crises can begin. The first job is to consider if any action can be taken to reduce the likelihood or impact of a particular risk. This could involve new procedures, training, contingencies or communication. In some cases it could even mean ceasing to do the thing that is causing the risk. Once these preventative steps have been considered and implemented, practical contingencies need to be put in place to manage the remaining risks should they occur. So, for example, a hotel group would ensure that counselling and family helplines are available in the event of a fire at one of their hotels. A management consultancy would ensure that there was an alternative office from which their consultants could work if a terrorist incident ever affected their headquarters. And from a communications perspective, preparation can take place so that the organisation is geared up to respond as soon as a crisis strikes. So, for example, if an oil company knows that one of its priority risks is an environmental incident, it can pre-prepare a positioning paper outlining its policy on the environment, its training safeguards and other actions relevant to this area. If a fast food restaurant knows that a food poisoning outbreak is a priority risk, it can pre-prepare template holding statements to be tweaked and issued early in the event of a real incident. Just as importantly, the risk assessment serves as a wake up call. It communicates the fact that we are not immune from crisis – it could happen to us. As such, it often acts as the catalyst for a comprehensive crisis management programme encompassing thorough plans, media training, crisis simulation and more. The value of an annual reputational risk assessment as a driver of crisis prevention and preparedness is enormous. And, if the crisis ever strikes for real, the head start it gives you can pay dividends in the form of a preserved reputation for years to come.
•Date: 13th June 2006 • Region: UK/World • Type: Article •Topic: Crisis management |
