Do you include a risk management plan when you organize significant communication activities? A risk management plan should be part of every important communication activity so you can minimize the impact of potential problems and are not caught completely by surprise if something goes badly wrong.
Risks are present in all communication activities, especially in major undertakings. Communication activities may not appear to involve much risk, but closer examination shows risk is integral to communication. Think of the risks resulting from a bad reputation, in controversial public issues, corporate crises, major sponsorships turning bad, poor counsel to senior management, hyped product claims in marketing communication, and in major events gone wrong. Many risk management experts believe that reputational risk is the most important of all – a risk that can cost in the billions of dollars to the value of a major company when its share price plunges.
Definition: A business risk is anything that can that can prevent or reduce the likelihood of the organization achieving its goals and objectives.
5 types of risk
Risks can be categorized into 5 broad types:
- Compliance, eg conforming to government regulations or legal requirements.
- Financial, eg making the organization to vulnerable to poorly thought-through financial decisions that could jeopardize its viability.
- Operational, eg taking insufficient care with potential problems in operational processes.
- Strategic, eg not planning sufficiently for changes in the business environment.
- Reputational, eg not taking account of organizational activities that expose it to the wrath of customers and other stakeholders.
In PR practice and communication management, control of risks is especially relevant to activities like:
- Major events
- Issue and crisis prevention and minimization
- New product launches
- Sponsored events
- Social media campaigns
We only need to see the way Facebook has handled its responses to the various business blunders it has made to see the way the company’s reputation and share price have suffered in recent times. The company’s share price dropped nearly 40% in the four months from July to November 2018 due to revelations about the unauthorized handling of user information, security breaches involving 50 million users, and the company’s use of a PR firm to denigrate its competitors.
Communicators tend to focus strongly on reputation risks, which are negative events that will diminish the opinions that stakeholders have of your organization, and therefore stakeholders’ willingness to give their support.
Reputational risks relate to the likelihood of negative perceptions adversely impacting an entity’s income, brand, support, and public image. Reputation penalties can be huge. Just look at the crises experienced by major companies in recent years when they failed their operational and ethical obligations and paid major formal and informal penalties: BP (Deepwater Horizon explosion and oil spill – cost $62 billion), Toyota (airbag problems), Wells Fargo bank (fake accounts scandal) and Volkswagen (car emissions fraud)
A corporation with a low reputational risk is positioned to gain greater stakeholder support and enjoy higher returns. On the other hand, a company with high reputational risk is less likely to overcome a PR-related crisis. These companies are not in a position to withstand a drop in stakeholder support, and often suffer legal setbacks and major loss of revenue as a result.
I will be writing an article soon on managing reputational risk.
Risks are part of corporate life. You should be alert to corporate and operational risks because communication may be needed to address the problems they raise.
Risk management comprises the culture, processes and structures for effectively managing potential opportunities and adverse effects. The role of risk management is to identify potential risks, reduce the chances of those risks becoming reality, and to reduce the size of incidents if risks do turn into reality.
Effective communication is vital to contain cyberrisk, one of the fast-growing types of risk. Around half of all cyberbreaches spring from insider threats – created by the behavior of employees, including contractors and trusted third parties.
Key benefits from active risk management
- Reduced likelihood of unpleasant and costly surprises.
- Better information provided for input into strategic planning and decision-making.
- More realistic allocation of resources, especially financial resources.
- Better results generated from communication programs and projects.
- Better compliance with regulatory requirements.
- It helps to more accurately define the scope of required insurance cover, which can lower insurance costs.
The risk management process can also identify potential opportunities from risk, just as issues and crises can create opportunities as well as problems.
Basically, risk management is intended to answer three questions:
- What can go wrong?
- What is the likelihood and impact of something going wrong?
- What can we do about it?
Risk reduction is the selective application of appropriate techniques and management principles to reduce either the probability of an occurrence or its impact or both.
8 steps in risk management
Risk management should be a continuing process applied to all significant communication activities, especially when planning sizable new activities. Eight steps are commonly used for effective risk management:
- Establish the context
- Identify the risks
- Analyze the risks
- Evaluate the risks
- Establish a risk register
- Treat the risks
- Monitor and review
- Communicate and consult.
1. Establish the context
The step of establishing the context involves identifying the key stakeholders. Risk management activities are more likely to be successful when internal and external stakeholders understand each other’s perspectives and are actively involved in decision making. The extent of any risk management actions for communication initiatives will reflect the corporate culture and risk management policy. The comms team needs to set objectives for risk management activities, and to establish criteria for accepting and treating risks.
2. Identify the risks
Potential risks can be identified in various ways:
- Consult manuals.
- Brainstorm with staff and/or organizing committee members to list potential causes and scenarios.
- Check records of previous similar activities.
- Initiate process flow mapping of the parts of an activity.
- Conduct risk audits.
- Question suppliers and subcontractors, many of whom have direct experience of dealing with the types of risks the organization is facing.
- Perform stakeholder analysis – many risks arise from the requirements of stakeholders.
3. Analyze the risks
Analyzing a risk is about developing an understanding of the risk. Through understanding a risk and ways to minimize its impact, the probability and impact can be estimated, allowing a level of risk to be determined. The likelihood, possible impact and levels of potential risks can be evaluated using tables or matrices that show likelihood against impact. Impact of an event or situation could be a loss, injury disadvantage or gain.
The adequacy of existing risk management strategies, if any, should be reviewed in this step.
Here is an example of risk analysis for a sponsored road race:
Here is a further example of a risk assessment matrix from a business setting. It can be easily adapted to communication activities:
4. Evaluate the risks
Conducting risk evaluation enables you to make decisions based on the outcomes of the risk analysis, about which risks need responses. The list of possible risks can be set in priority order according their rating, in a similar way to the ratings calculated in the above tables.
Also, the risks can be assessed in other ways. For instance, risks could be prioritized according to the cost of mitigation, the chance of occurrence, or the ease of action. Some of these approaches are obviously more rigorous than others and need to be developed within the corporate risk policy and criteria of acceptable PR risks.
5. Establish a risk register
Risks exist in all projects. Don’t skip the risk management process; failure to identify and document risks could end up killing the project. Creating, maintaining, and utilizing a risk register is a vital component of successful project management.Establishing a risk register for every significant project or activity is important so team members and stakeholders can quickly gain an overview of the risks involved. Team members, stakeholders and relevant end users should contribute to the development of the risk register. The risk register or risk log becomes essential as it records identified risks, their severity, and the actions steps to be taken. It can be a simple document, spreadsheet, or a database system, but the most effective format is a table, which can show considerable information quickly.
The risk register should be maintained as a management tool through a review and updating process that identifies, assesses, and manages risks down to acceptable levels. The register provides a framework in which problems that threaten the delivery of the anticipated benefits are recorded. Actions are then initiated to reduce the probability and the potential impact of specific risks.
Make your risk register visible to project stakeholders so they can see that risks are being addressed. They may identify risks you haven’t identified and give other options for risk mitigation. Some of the most widely used components of a risk register are:
- Dates: As the register is a living document, it is important to record the date that risks are identified or modified. Optional dates to include are the target and completion dates.
- Description of the risk: A phrase that describes the risk.
- Risk type (project, stage): Classification of the risk: Project risks relate to the management of the project such as time frames and resources, and stage risks are risks associated with a specific stage of the plan.
- Likelihood of occurrence: Provides an assessment on how likely this risk will occur. Examples are: L-Low (0-30%), (M-Medium (31-70%), H-High (>70%).
- Severity of impact: Provides an assessment of the impact that the occurrence of this risk would have on the project.
- Counter measures: Actions to be taken to prevent, reduce, or transfer the risk. This may include production of contingency plans.
- Owner: The individual responsible for ensuring that risks are appropriately engaged with counter measures undertaken.
- Status: Indicates whether this is a current risk or if a risk can no longer arise and impact the project. Example classifications are: C-current or E-ended.
- Other columns such as quantitative value can also be added if appropriate.
You should review your risk register regularly, especially before progressing to the next phase of a project. Ensure your project sponsor is aware of the risks associated with the project.
6. Treat the risks
Risk treatment involves identifying the range of options for treating risk, assessing these options, and preparing and implementing treatment plans. Potential risks can be treated and controlled to:
- Reduce the likelihood.
- Reduce the impact.
- Transfer the risk, eg through insurance.
- Accept the risk.
- Avoid the risk.
7. Monitor and review
Few risks remain stationary – changing circumstances require close monitoring. Potential risks can be monitored and reviewed through:
- Risk reviews.
- Checking the records for any past or present claims against the organization.
- Internal and external audit reporting.
- Progress of the risk management plan.
8. Communicate and consult
Communication and consultation should be involved in every step because of the value resulting from being aware of stakeholders’ points of view. This ensures stakeholders are adequately informed and have the opportunity for input into the risk management plan, and can act to treat aspects of the risk applicable to them.
Common mistakes in risk management plans
Try to avoid several common mistakes that prevent risk management plans from being effective:
- The plans are formally developed, but never implemented or regularly reviewed.
- The plan’s owners are not really committed to effective implementation, and they may not have sufficient knowledge and resources (including time) to implement properly.
- Senior managers don’t understand and support the plans.
- Easy-to-treat risks may be dealt with while difficult risks remain untreated.
- Organizers rely too heavily on insurance or actions by third parties who can’t be fully relied upon.
- Plans are not amended as current risks change, new risks emerge or as old risks no longer apply.
Kim J. Harrison has authored, edited, coordinated, produced and published the material in the articles and ebooks on this website. He brings his experience in professional communication and business management to provide helpful insights to readers around the world. As he has progressed through his wide-ranging career, his roles have included corporate affairs management; PR consulting; authoring many articles, books and ebooks; running a university PR course; and business management. Kim has received several international media relations awards and a website award. He has been quoted in The New York Times and various other news media, and has held elected positions with his State and National PR Institutes.