Article Collection

Management of risk in your communication planning

01 Jun, 2020 Issues and crises

Do you include a risk management plan when you plan significant communication activities? A risk management plan should be part of every important communication activity so you can minimize the impact of potential problems and are not caught completely by surprise if something goes badly wrong. Management of risk in your communication is essential to include in all levels of planning.

Risks are present in all communication activities, especially in major undertakings. Communication activities may not appear to involve much risk, but closer examination shows risk is integral to communication. Think of the risks resulting from a bad reputation, in controversial public issues, corporate crises, major sponsorships turning bad, poor counsel to senior management, hyped product claims in marketing communication, and in major events gone wrong. Many risk management experts believe that reputational risk is the most important of all – a risk that can cost in the billions of dollars to the value of a major company when its share price plunges.

Definition: A business risk is anything that can that can prevent or reduce the likelihood of the organization achieving its goals and objectives.

5 types of risk

Risks can be categorized into 5 broad types:

  1. Compliance, eg conforming to government regulations or legal requirements.
  2. Financial, eg making the organization to vulnerable to poorly thought-through financial decisions that could jeopardize its viability.
  3. Operational, eg taking insufficient care with potential problems in operational processes.
  4. Strategic, eg not planning sufficiently for changes in the business environment.
  5. Reputational, eg not taking account of organizational activities that expose it to the wrath of customers and other stakeholders.

In PR practice and communication management, control of risks is especially relevant to activities like:

  • Major events
  • Issue and crisis prevention and minimization
  • New product launches
  • Reputation building
  • Sponsored events
  • Social media campaigns
  • Trust strengthening.

We only need to see the way Facebook has handled its responses to the various business blunders it has made to see the way the company’s reputation and share price have suffered in recent times. The company’s share price dropped nearly 40% in the four months from July to November 2018 due to revelations about the unauthorized handling of user information, security breaches involving 50 million users, and the company’s use of a PR firm to denigrate its competitors. Such issues continue to plague the organization .

Disruptive forces

Amy Webb, Professor of Strategic Foresight at New York University, summarized “The 11 sources of disruption every company must monitor” in the MITSloan Management Review of 10 March 2020. Being aware of these potential sources of disruption enable competent management of risk in your communication strategies. Webb uses a simple tool to apply the future forces theory to organizations as they are developing strategic thinking. The tool lists 11 sources of macro change that are typically outside a leader’s control. She says technology is so intertwined with everyday life that it is shown as intersecting with all the other sources in the image below.

Image: The 11 sources of disruption every company must monitor, MITSloan newsletter, March 2020.

Prof. Webb says:

In 15 years of quantitative foresight research, I have discovered that all change is the result of disruption in one or more of these 11 sources. Organizations must pay attention to all 11 — and they should look for areas of convergence, inflections, and contradictions. Emerging patterns are especially important because they signal transformation of some kind. Leaders must connect the dots back to their industries and companies and position teams to take incremental actions.

The 11 sources of change might seem to raise an immense number of potential risk issues at first, but there are big benefits from taking such a broad viewpoint. The most success arises in teams who use the macro change tool not just for a specific deliverable but to encourage ongoing signal scanning. Webb says sources of macro change encompass the following:

  1. Wealth distribution: the distribution of income across a population’s households, the concentration of assets in various communities, the ability for individuals to move up from their existing financial circumstances, and the gap between the top and bottom brackets within an economy.
  2. Education: access to and quality of primary, secondary, and post-secondary education; workforce training; trade apprenticeships; certification programs; the ways in which people are learning and the tools they’re using; what people are interested in studying.
  3. Infrastructure: physical, organizational, and digital structures needed for society to operate (bridges, power grids, roads, Wi-Fi towers, closed-circuit security cameras); the ways in which the infrastructure of one city, state, or country might affect another’s.
  4. Government: local, state, national, and international governing bodies, their planning cycles, their elections, and the regulatory decisions they make.
  5. Geopolitics: the relationships between the leaders, militaries, and governments of different countries; the risk faced by investors, companies, and elected leaders in response to regulatory, economic, or military actions.
  6. Economy: shifts in standard macroeconomic and micro-economic factors.
  7. Public health: changes occurring in the health and behavior of a community’s population in response to lifestyles, popular culture, disease, government regulation, warfare or conflict, and religious beliefs.
  8. Demographics: observing how birth and death rates, income, population density, human migration, disease, and other dynamics are leading to shifts in communities.
  9. Environment: changes to the natural world or specific geographic areas, including extreme weather events, climate fluctuations, rising sea levels, drought, high or low temperatures, and more. Agricultural production is included in this category.
  10. Media and telecommunications: all of the ways in which we send and receive information and learn about the world, including social networks, news organizations, digital platforms, video streaming services, gaming and e-sports systems, 5G, and the boundless other ways in which we connect with each other.
  11. Technology: not as an isolated source of macro change, but as the connective tissue linking business, government, and society. We always look for emerging tech developments as well as tech signals within the other sources of change.

Communicators, can you take a leading role in influencing your top management to extend their horizon and start identifying tomorrow’s disruptors? This would be a great opportunity to add value to your role – not just monitoring the current operating environment, but anticipating future actions that may be needed.

Reputational risks

Communicators tend to focus strongly on reputation risks, which are negative events that will diminish the opinions that stakeholders have of your organization, and therefore stakeholders’ willingness to give their support. Protecting and strengthening reputation is a key area in which to manage risk in your communication work.

Reputational risks relate to the likelihood of negative perceptions adversely impacting an entity’s income, brand, support, and public image. Reputation penalties can be huge. Just look at the crises experienced by major companies in recent years when they failed their operational and ethical obligations and paid major formal and informal penalties: BP (Deepwater Horizon explosion and oil spill – cost $62 billion), Toyota (airbag problems), Wells Fargo bank (fake accounts scandal) and Volkswagen (car emissions fraud)

A corporation with a low reputational risk is positioned to gain greater stakeholder support and enjoy higher returns. On the other hand, a company with high reputational risk is less likely to overcome a PR-related crisis. These companies are not in a position to withstand a drop in stakeholder support, and often suffer legal setbacks and major loss of revenue as a result.

Risk management

Risks are part of corporate life. You should be alert to corporate and operational risks because communication may be needed to address the problems they raise.

Risk management comprises the culture, processes and structures for effectively managing potential opportunities and adverse effects. The role of risk management is to identify potential risks, reduce the chances of those risks becoming reality, and to reduce the size of incidents if risks do turn into reality.

Effective communication is vital to contain cyberrisk, one of the fast-growing types of risk. Around half of all cyberbreaches spring from insider threats – created by the behavior of employees, including contractors and trusted third parties. Due to the actions of employees, it is vital to include management of risk in your internal communication plans.

Key benefits from active risk management

  • Reduced likelihood of unpleasant and costly surprises.
  • Better information provided for input into strategic planning and decision-making.
  • More realistic allocation of resources, especially financial resources.
  • Better results generated from communication programs and projects.
  • Better compliance with regulatory requirements.
  • It helps to more accurately define the scope of required insurance cover, which can lower insurance costs.

The risk management process can also identify potential opportunities from risk, just as issues and crises can create opportunities as well as problems.

Basically, risk management is intended to answer three questions:

  1. What can go wrong?
  2. What is the likelihood and impact of something going wrong?
  3. What can we do about it?

Risk reduction is the selective application of appropriate techniques and management principles to reduce either the probability of an occurrence or its impact or both.

8 steps in risk management

Risk management should be a continuing process applied to all significant communication activities, especially when planning sizable new activities. Eight steps are commonly used for effective risk management:

  1. Establish the context
  2. Identify the risks
  3. Analyze the risks
  4. Evaluate the risks
  5. Establish a risk register
  6. Treat the risks
  7. Monitor and review
  8. Communicate and consult.

1. Establish the context

The step of establishing the context involves identifying the key stakeholders. Risk management activities are more likely to be successful when internal and external stakeholders understand each other’s perspectives and are actively involved in decision making. The extent of any risk management actions for communication initiatives will reflect the corporate culture and risk management policy. The comms team needs to set objectives for risk management activities, and to establish criteria for accepting and treating risks. This is an important way to set the foundation for the management of risk in your communication planning.

2. Identify the risks

Potential risks can be identified in various ways:

  • Consult manuals.
  • Brainstorm with staff and/or organizing committee members to list potential causes and scenarios.
  • Check records of previous similar activities.
  • Initiate process flow mapping of the parts of an activity.
  • Conduct risk audits.
  • Question suppliers and subcontractors, many of whom have direct experience of dealing with the types of risks the organization is facing.
  • Perform stakeholder analysis – many risks arise from the requirements of stakeholders.

3. Analyze the risks

Analyzing a risk is about developing an understanding of the risk. Through understanding a risk and ways to minimize its impact, the probability and impact can be estimated, allowing a level of risk to be determined. The likelihood, possible impact and levels of potential risks can be evaluated using tables or matrices that show likelihood against impact. Impact of an event or situation could be a loss, injury disadvantage or gain.

The adequacy of existing risk management strategies, if any, should be reviewed in this step. Here is an example of risk analysis for a sponsored road race:

Here is a further example of a risk assessment matrix from a business setting. It can be easily adapted to communication activities, and will help management of risk in your communication activities by making provision for their potential to turn into reality:

Source of matrix

4. Evaluate the risks

Conducting risk evaluation enables you to make decisions based on the outcomes of the risk analysis, about which risks need responses. The list of possible risks can be set in priority order according their rating, in a similar way to the ratings calculated in the above tables.

Also, the risks can be assessed in other ways. For instance, risks could be prioritized according to the cost of mitigation, the chance of occurrence, or the ease of action. Some of these approaches are obviously more rigorous than others and need to be developed within the corporate risk policy and criteria of acceptable PR risks.

5. Establish a risk register

Risks exist in all projects. Don’t skip the risk management process; failure to identify and document risks could end up killing the project. Creating, maintaining, and utilizing a risk register is a vital component of successful project management. Establishing a risk register for every significant project or activity is important so team members and stakeholders can quickly gain an overview of the risks involved. Team members, stakeholders and relevant end users should contribute to the development of the risk register. The risk register or risk log becomes essential as it records identified risks, their severity, and the actions steps to be taken. It can be a simple document, spreadsheet, or a database system, but the most effective format is a table, which can show considerable information quickly. This is important to enable astute management of risk in your communication activities.

The risk register should be maintained as a management tool through a review and updating process that identifies, assesses, and manages risks down to acceptable levels. The register provides a framework in which problems that threaten the delivery of the anticipated benefits are recorded. Actions are then initiated to reduce the probability and the potential impact of specific risks.

Make your risk register visible to project stakeholders so they can see that risks are being addressed. They may identify risks you haven’t identified and give other options for risk mitigation.

Data included in a risk register

Some of the most widely used data included in a risk register are:

  • Dates: As the register is a living document, it is important to record the date that risks are identified or modified. Optional dates to include are the target and completion dates.
  • Description of the risk: A phrase that describes the risk.
  • Risk type (project, stage): Classification of the risk: Project risks relate to the management of the project such as time frames and resources, and stage risks are risks associated with a specific stage of the plan.
  • Likelihood of occurrence: Provides an assessment on how likely this risk will occur. Examples are: L-Low (0-30%), (M-Medium (31-70%), H-High (>70%).
  • Severity of impact: Provides an assessment of the impact that the occurrence of this risk would have on the project.
  • Counter measures: Actions to be taken to prevent, reduce, or transfer the risk. This may include production of contingency plans.
  • Owner: The individual responsible for ensuring that risks are appropriately engaged with counter measures undertaken.
  • Status: Indicates whether this is a current risk or if a risk can no longer arise and impact the project. Example classifications are: C-current or E-ended.
  • Other columns such as quantitative value can also be added if appropriate.

You should review your risk register regularly, especially before progressing to the next phase of a project. Ensure your project sponsor is aware of the risks associated with the project.

6. Treat the risks

Risk treatment involves identifying the range of options for treating risk, assessing these options, and preparing and implementing treatment plans. Potential risks can be treated and controlled to:

  • Reduce the likelihood.
  • Reduce the impact.
  • Transfer the risk, eg through insurance.
  • Accept the risk.
  • Avoid the risk.

7. Monitor and review

Few risks remain stationary – changing circumstances require close monitoring. Potential risks can be monitored and reviewed through:

  • Risk reviews.
  • Checking the records for any past or present claims against the organization.
  • Internal and external audit reporting.
  • Progress of the risk management plan.

8. Communicate and consult

Communication and consultation should be involved in every step because of the value resulting from being aware of stakeholders’ points of view. This ensures stakeholders are adequately informed and have the opportunity for input into the risk management plan, and can act to treat aspects of the risk applicable to them. Management of risk in your communication activities is becoming a more vital element over time for the organization, as we have seen with COVID-19 and its variants.

Common mistakes in risk management plans

Try to avoid several common mistakes that prevent risk management plans from being effective:

  • The plans are formally developed, but never implemented or regularly reviewed.
  • The plan’s owners are not really committed to effective implementation, and they may not have sufficient knowledge and resources (including time) to implement properly.
  • Senior managers don’t understand and support the plans.
  • Easy-to-treat risks may be dealt with while difficult risks remain untreated.
  • Organizers rely too heavily on insurance or actions by third parties who can’t be fully relied upon.
  • Plans are not amended as current risks change, new risks emerge or as old risks no longer apply.

VUCA analysis will also illuminate potential risks

My article, “VUCA analysis for issue planning and management is a valuable tool,” provides some further insights into potential external risks, and may tie in usefully with the risk management strategies discussed in this article. There is no doubt that you need to include management of risk in your communication strategies.

An article, “The art of communicating risk, “published in September 2020 by the Harvard Business Review, may also be useful in developing your risk management strategy for communication.

About Kim Harrison – author, editor and content curator

Kim Harrison, Founder and Principal of Cutting Edge PR, loves sharing actionable ideas and information about professional communication and business management. He has wide experience as a corporate affairs manager, consultant, author, lecturer, and CEO of a non-profit organization. Kim is a Fellow and former national board member of the Public Relations Institute of Australia, and he ran his State’s professional development program for 7 years, helping many practitioners to strengthen their communication skills. People from 115 countries benefit from the practical knowledge shared in his monthly newsletter and in his books available from

Articles, Ideas & Information to boost your career