Risk Assessment Goals: Raise Understanding and Prompt Planning

[Editor’s Note: Too often the media, us included, focus on crisis response. While that’s critical, of course, for this month’s Crisis Interview we decided to concentrate on risk and risk assessment, though we include other topics too. Our crisis pro is Jim Moorhead, APCO Worldwide’s newly minted North America crisis practice lead. The Harvard undergrad and Columbia Law School alum assumed the post after Kelly Stepno, a good friend of Crisis Insider, was named MD and leader of APCO’s North America Midwest team. In addition to five years at APCO, Moorhead was an MD at Burson-Marsteller, an attorney with Steptoe & Johnson, an investment banker and a political consultant.]

Crisis Insider: Let’s dive into risk assessment. What’s your approach?

Jim Moorhead: When you do a risk assessment, you’re really holding up a mirror to the company and saying, ‘What is most likely to occur and be high impact? And are you positioned, as a company, to mitigate those risks? To respond quickly and intelligently to those risks and recover well from them?’

With a risk assessment, we really are working on two levels. One, does the company understand its risks? And which are the high-quadrant risks that they should be paying attention to and do scenario-planning around? And second, do they have a good crisis architecture in place? That means the plan, the team, the crisis protocols, the training.

One of our goals is to make sure we identify the gaps. And so, we also look at the crisis experience of the company. How have they done [in previous crises]? Do they get an A or have they struggled? If so, why? And how can we help them improve that?

Crisis Insider: APCO seems to look at many areas when it comes to risk.

Moorhead: Yes, we look to be a partner with business on a broad assessment of risk. You have to. Look, how many folks predicted the pandemic? Or the labor shortage? There are 10,000 baby boomers retiring each day. So, we’re working with companies on this. We’re asking questions like, ‘Do you have the people you need? Do you have a resilient supply chain? Are you positioned to quickly make decisions for your business based on real-time intelligence?’

Crisis Insider: Do you find companies usually have a good crisis architecture?

Moorhead: Let me use an analogy. Crisis planning is like badly prepared food. It’s either underdone or overdone. With underdone, there’s no team, no plan, no training. The overdone situation we run into is that it’s just way over-engineered. So, there are multiple plans and they’re 100 pages long. It’s like a science project with no end in sight and it’s just not useful internally.

Crisis Insider: How do you conduct a risk assessment? Do you come in and ask a lot of questions, do you use surveys, meetings? All the above?

Moorhead: The first thing we do is to zero in on the architecture. What kind of plans do you have? Do you have one good plan? Or, as we see often, several plans, even several plans within a single department? So, first we do a data exchange, to see what they’ve got. Then, we move beyond that and do interviews with key people across the functions: the head of communication, CFO, general counsel and, if they have one, the head of security.

We also then talk to the full C-suite, the CEO, chief risk officer, CMO. It’s all designed to find what risks they’re keyed into, their experience, what resources they devote to crisis, where they feel they’re falling down, where they’ve improved. So, where do you stand and how can you do it better?

Crisis Insider: Typically, how long does this take?

Moorhead: It’s always a several-months process. But with a large, multinational company with several lines of business, then it will take longer.

Big Companies, Too Many Scripts

Crisis Insider: What do you find risk-wise with large companies?

Moorhead: One of the things we run into is that there isn’t a shared understanding with employees about when they need backup, when they need to elevate the issue. Or the general crisis approach isn’t understood by all the global employees who need to. Or the company isn’t staying current.

Crisis Insider: Do you have an example?

Moorhead: Well, with a retailer I worked with, we provided quarterly meetings about best practices. We’d give grades to its competitors on how well or badly they’d done on crisis response. This kept people tuned in and taught them what was being handled well or not so well from a communication standpoint.

Crisis Insider: Aside from a pandemic moment, in normal times, how often do you recommend conducting a risk assessment?

Moorhead: It depends on the industry. In highly regulated industries and consumer-facing industries, we think twice a year makes sense. Of course, if you’re a healthcare provider during the pandemic, we’re sitting by your side.

Crisis Insider: On risk assessment, do you still get blowback? A head-in-the-sand approach that, ‘We don’t need to monitor risk. We’re unlikely to experience a situation.’

Moorhead: We don’t tend to; there’s too much happening in the world. Particularly, the heavily regulated industries and consumer-facing companies that are brand-sensitive. They are hugely protective and interested in promoting their reputation.

Some of the B2B companies tend to see fewer of these crises. So, sometimes with them, the discussion is about how many resources to put into crisis planning, crisis prep, issues-management work.

Crisis Insider: Tell us a bit about the role of predictive analytics in risk assessment.

Moorhead: We have data scientists using technology to track issues and determine their direction and when an issue is likely to escalate. This is a combination of modeling and AI. And it’s really built on top of the more traditional tools, like Talkwalker and Meltwater. There’s an old line in sports, ‘You want to anticipate where the ball is going to be.’ So, we try to tell clients, ‘Look, this is what’s coming at you in the next six months.’

Crisis Insider: Do you have an example?

Moorhead: We had a CEO we worked with, and we picked up that he was going to come under attack for his salary. We were able to get ahead of the issue, show that his salary was competitive and that the company was providing benefit to the local community.


Acting Too Slowly

Crisis Insider: When you’re reading trades and stories about crisis, what’s something that companies and organizations do that makes you wince?

Moorhead: The overarching mistake that companies make is being too late. They’re too late to act, they’re too late to respond, they’re too late to engage with regulators and allies. That’s fundamental.

Crisis Insider: Anything else?

Moorhead: Also, they fail to take what I call an outside-in view. They don’t say, ‘What do our stakeholders care about? What do they want to hear us say? What do they want to see us do?’ And on that point, you see a lot of companies get wrapped up in what to say, but the key is what to do. If you take the right actions to uphold your values, to protect health and safety, to be transparent. And if you demonstrate you’re doing those things, then what you say about them follows very easily.


Issues Management and Crisis

Crisis Insider: Jim, what are some of the issues crisis pros are watching?

Moorhead: The first is what we call ‘CEO activism.’ The past year has transformed the role of the CEO, so that now they have to come off the sidelines and put their resources behind social justice. We did a survey in April and found that 72 percent of US employees feel their CEOs should speak out on issues of racial equity. So, what we’ve been telling CEOs and their communication teams is ‘Don’t Wait.’

Figure out, in advance, your playbook, so you’ll be able to make a quick, no-go decision about if, when, how to speak out on an issue. We’ve provided a framework to CEOs and their teams for this.

Crisis Insider: What are some of the questions you ask in creating this framework?

Moorhead: First, ‘Is this an issue important to your employees and potential recruits?’ What we’ve found is employees are your most important stakeholders around social issues.

Another question is, ‘Is this an issue you can have an impact on?’ Not just have an opinion, or be a voice in the crowd, but have an actual impact and be a leader for change.

And finally, ‘Is the position you want to take authentic?’ Is it real to your company and your brand?

We’ve found this is a useful approach not only for leaders, but to share with employees. So, employees know this is a thoughtful, disciplined approach. And also, you’re being transparent with internal and external stakeholders.

In addition, it helps to know this information in advance because it allows companies to issue a quick response. As you know, the timeframe for companies to decide whether or not they’re going to get involved on an issue or stand back and remain quiet is very short.

Crisis Insider: There are so many issues. A company could spend all its time thinking about its stances on issues. How do you suggest companies choose?

Moorhead: It’s important to make choices. You can’t weigh in on every issue. We recommend companies survey employees and find out what issues matter most to them. That’s not a single determining factor, but it’s an important consideration. Then you prioritize issues where the company is best positioned to take a stand.

Crisis Insider: What you’ve said sounds like an effort to head off or anticipate crisis, or at least an incident.

Moorhead: Yes. This is part of the new world of crisis. I’d like to loop back to that in a moment.

Crisis Insider: We will. And a second issue crisis pros are watching?

Moorhead: The new political and regulatory winds coming out of Washington. We saw this most recently with President Biden’s executive order promoting competition. He’s sent strong signals in this area…he was clearly sending a message to healthcare, agriculture, financial services, airlines. ‘I’m going to work to put in place regulatory changes that will make you more competitive and less consolidated.’ And then there’s a more regulatory posture from government agencies.

Crisis Insider: How does this relate to attempting to mitigate or head off crisis?

Moorhead: Congress is struggling to legislate. Something we know they are pursuing when they can’t legislate is investigations. So, we see coming in the run-up to the 2022 elections that Congress is trying to show that they are pursuing companies on a range of issues. That’s something we’re getting companies ready for.

For example, there’s a Fortune 500 financial services company that’s concerned that one of its leading products is going to come under scrutiny, either from Congress, regulators, NGOs or all three. So, what we’ve done is conduct focus groups with consumers and policy types. We’ve asked, ‘What’s your awareness of this product? What’s your sentiment around it? And what messaging about it will resonate?’

Crisis Insider: What happens from there?

Moorhead: Using that information, we’ve positioned the company to educate the people they know best, starting with their friends and then be in a position to counter criticism. So, that’s the kind of activity that ties into crisis prevention.

One thing about crisis prevention is that the world is so complex and is moving so fast and presents so many geopolitical risks for companies, that you have to prevent every crisis you can, because there’s still going to be a steady stream of things coming your way. Like climate change, product recalls, cyber-attacks.

So, we work hard to see what’s coming and, as I said earlier, we use predictive analytics and data scientists to help us and to focus on issue management, because if you do that well you can mitigate situations before they turn into crises.


Small Companies and Cyber

Crisis Insider: A scenario: Let’s say I’m a communicator in a small company. I have a limited budget and no special communication plan to handle a cyber attack. What guidance do you have for me?

Moorhead: There are things you can do even on a limited budget. First, decide in advance on the team that will help you. You need outside legal counsel, outside communication counsel and a very important thing, have an outside forensic firm. Companies do themselves a disservice when they say, ‘We can handle this ourselves.’ Especially with cyber, your stakeholders want to see that you’re getting the best assistance to address the problem and that going forward your network security is in better shape than it was previously.

A second thing, particularly for cyber, you need to talk to a lot of the right people right away. So, make a list. On that list should be your employees, shareholders, regulators, customers, vendors, partners and anyone else who’s important to your business. List them out because you have to communicate with all of them very quickly.

Let’s talk about a playbook. One way to do that inexpensively is to look around your industry. See how other companies have responded to cyber incidents. Look to them for guidance. There are so many cyber incidents these days, you should be able to find a lot of examples. At first, you might not know what’s a good vs bad response, but at least you’re beginning to educate yourself.

And last, know who’s going to write about this. Typically, there are two sets of reporters who write cyber stories. First, there are general interest or beat reporters, who cover your company regularly. And then there are trade reporters who cover cyber, like [Brian] Krebs. If Krebs or one of the other cyber reporters becomes interested in your breach it will bring a whole new level of scrutiny.

This is one reason you want an outside forensics firm. I’ve often had the forensics firm speak on background to [cyber] trade reporters. Rumors fly around about cyber breaches and the forensics firm is in a position to say, ‘This is the real story. Here’s what’s going on.’ And they can add perspective and context.