How vulnerable to a crisis are you?

June 1, 2020

Most organizational crises are predictable and preventable. About two thirds of crises have been smoldering for some time – their causes are apparent, but no action has been taken to prevent them or reduce their impact. Only about half of organizations around the world have a crisis plan in place. Yet only about 30-50% of organizations hit by a crisis manage to survive.

Too often self-caused

A survey by Burson-Marsteller/Penn Schoen Berland in 2011 attributed the causes of crises largely to indifference and cost. However, analysis by international issue and crisis expert Tony Jaques found the real causes were more likely to relate directly to poor management:

  • Poor maintenance practices
  • Human error
  • Bad planning
  • Material failure
  • Unethical or dishonest behavior
  • Unresponsive culture
  • Leadership failure
  • Poor judgment
  • Insufficient training, eg maintenance workers, designers or accountants

Jaques’ conclusions were supported by analysis by the Institute of Crisis Management, which over many years has found the most common cause of corporate crises to be internal mismanagement/incompetence, or other reasons that amount to the same thing:


You can conduct a vulnerability analysis for your organization to better protect it against a crisis occurring. The number of crises has not necessarily increased in recent years, but the internet and social media have certainly made the business environment more volatile and therefore organizations more vulnerable.

I have been doing a crisis preparation exercise recently for my organization. We are identifying the possible types of crises we could encounter and working through the steps to predict and prevent them from occurring.

You can start the crisis vulnerability analysis by defining a crisis, so you know how a crisis is different, for example, from a pseudo-crisis caused by sensationalized discussion in social media.

A crisis is any issue, problem or disruption triggering negative stakeholder reactions that can threaten the organization’s viability.

 Notice that a crisis is about communicating with stakeholders, and is not an operational emergency, which is internally focused.

Types of crises

For instance, a list could be divided into groups of causes, such as:

  1. Economic, eg lack of funding, a major drop in share price or changes in government policy
  2. Informational, eg a loss of proprietary or confidential information
  3. Physical, eg breakdown or damage to vital equipment or resources
  4. Human resources, eg loss of key executives, management decision/indecision, worker sabotage
  5. Reputational, eg employee fraud, management ethics
  6. Psychopathic acts, eg product tampering, terrorism
  7. National disasters, fire, cyclones
  8. Cybercrime, hacking, online identity theft, ransomware, etc.

Key points

  • It is essential in capable crisis planning to document the way the plan supports of the mission and goals of the organization.
  • By knowing how the organization creates and executes its strategic business plan, the crisis communication response plan can be developed in an honest, open. and informed way.
  • This is most important for effective stakeholder relationship management in a crisis.
  • Stakeholder relationships are the key to most crisis outcomes.

Crisis simulation in preparation for a national census

Conducting a vulnerability analysis


Step 1. Start by conducting a brainstorm with relevant staff to identify the types of crises that could happen to your organization. This may produce a proliferation of scenarios, which can be intimidating and difficult to analyze to identify patterns. However, you can bring order to the list by putting the crises into types or categories.

Step 2. Meet with the key management across the organization. The reason for doing this separately from Step 1 is that staff at lower levels may be very reluctant to suggest in the presence of  senior decision makers any potential crises directly caused by those people’s mismanagement.

Depending on the size of your organization, these managers could include: C-Suite (President/CEO, CFO, COO, CIO), general counsel, corporate communication, senior divisional and regional managers, safety and risk management, human resources and investor relations, etc. Ask them these two key questions:

  • What corporate and operational matters concern you most?
  • What kinds of sudden and smoldering crises could happen in the coming year?

Their feedback should complement the potential crises suggested in Step 1. Combine the two sets of feedback and so you can prepare a matrix to assess the most probable types of crises and their likely impact.

Step 3. Matrix

Crisis vulnerability matrix

Create a matrix to rank common crises in terms of probability of occurrence and impact if they hit (see top matrix above as a broad guide). Use the above list of common types of crises as a guide.

The top version of the matrix shows the four broad scenarios. In the second version of the matrix, underneath, these scenarios can be analyzed by allocating a points score out of 10 for the probability of occurrence (shown on the vertical axis) and also for the extent of impact (shown on the horizontal axis).

Then multiply those two scores out of 10 to derive a total score for each scenario. For instance, if an earthquake is extremely unlikely to happen, you would allocate a score of, say, 1 for the vertical axis. But the impact could be catastrophic because your factory uses sensitive equipment, so you might allocate a score of 10/10 for impact. Multiply 1 by 10 to reach a score of 10 for that scenario.

Do the same for all the other main types of risks. Compare the scores for those main types of risks against the earthquake risk. A higher total points score means you give a higher priority to those types of risks in your crisis management strategy. You can plot the position of each type of risk and show in the bottom matrix for quick comparison.

Step 4. Meet again with the management from Step 2. In your meetings, discuss the most common types of risks raised overall and ask for their comments. Then ask questions such as:

  • Do we have in place: (1) an operational crisis plan, (2) crisis communication plan and (3) business continuity plan? If not, why not? If so, have simulations been conducted? Are the plans integrated?
  • Who would be the organizational spokesperson on the most likely types of crises that could emerge, and what kind of training, if any, have they had?
  • How likely are internal issues to become public crises? What needs to be done to solve them?
  • Who are the organization’s most important stakeholders?
  • How effective is our communication (1) internally and (2) with our external stakeholders?

It is vital to get honest and open feedback from the organizational leaders you meet with about potential crises. Often, an external consultant is best to conduct the vulnerability assessment and impact analysis because managers are more likely to share their true concerns with a consultant than they are with a colleague from within the organization.

Step 5. Use the vulnerability analysis to brief senior management and make recommendations for developing operational crisis management and crisis communication plans, including crisis recovery plans. The briefing may include a summary of each potential crisis, the estimated impact, alternative strategies to deal with them, and recommendations to prevent or minimize the damage to the organization.


Hard experience shows it is much easier and cheaper to prepare for and prevent crises than it is to recover and apologize after they happen. By carefully reviewing the probability of certain kinds of crises and preparing for them to happen in some form at some stage, senior management can protect the organization from serious operational damage or even closure.

The problem is that crises seldom occur to the individual organization, and in my experience, senior managers don’t want to seriously think about such matters due to the cost of preparing against their occurrence and the executive time to do this effectively. Discussion on this in further articles.


Kim Harrison

Kim J. Harrison has authored, edited, coordinated, produced and published the material in the articles and ebooks on this website. He brings his experience in professional communication and business management to provide helpful insights to readers around the world. As he has progressed through his wide-ranging career, his roles have included corporate affairs management; PR consulting; authoring many articles, books and ebooks; running a university PR course; and business management. Kim has received several international media relations awards and a website award. He has been quoted in The New York Times and various other news media, and has held elected positions with his State and National PR Institutes.

Content Authenticity Statement. AI is not knowingly used in the writing or editing of any content, including images, in these newsletters, articles or ebooks. If AI-produced content is contained in any published form in future, this will be reported to readers.

Leave a comment

Please read and respect our Comments Policy before engaging.


Further Reading

Here’s the best way how to tell your boss bad news

Your boss is the most important person in your working life – and having to give the boss bad news is often the worst fear of a professional communicator. In many ways, this is the personal equivalent of confronting a business crisis – because it doesn’t happen...

How best to tell your boss bad news.

No products in the cart

Send this to a friend