Over the past 50 years enterprise risk management (ERM) has become increasingly important for leaders (McShane, 2018). Organizational leaders and their boards realized the need for risk communication, a public relations specialty, to support this work (Reckelhoff-Dangel & Petersen, 2007). Recent examples that support this call-to-action include the COVID-19 pandemic, social justice movements, national security issues, geopolitical events, international financial systems collapse, legal issues, and cybersecurity breaches.
In leading organizations, crisis and risk communication professionals work hand-in-hand. A successful ERM practice helps prevent crises from occurring. On the other hand, if the risk becomes a reality, crisis communicators are there to help raise awareness about what happened, why, and what the organization will do to correct it. Like effective crisis communication, risk communication should be as transparent as possible and infused with empathy (Xie et al., 2021).
ERM communicators and leaders can apply the following framework across sectors.
Risk Typology
Before exploring this framework, risk typology must be discussed. One must prepare for all challenges – no matter how conceivably improbable. If it can happen, it will, and the organization needs to be able to communicate about it. Here are the types of risk to monitor for:
- Competition/Sector Risk states that competitors and an organization’s respective sector constantly evolve, creating inherent possibility for peril.
- Legal/Regulatory Risk recognizes that changes in laws and regulatory compliance can impact one’s organization.
- Organizationally-Owned Risk comprises issues the organization may face from its own operations, management and leadership that include upset stakeholders; fraud, financial mismanagement and impropriety; cybersecurity breaches; reputational damage; and poor product/service delivery and quality.
- Social Responsibility Risk includes emergent social movements and changes that impact society and how the organization responds.
Enterprise Risk Management Communication Framework
Effective risk management requires risk identification, risk analysis, risk response, and risk monitoring. This framework allows organizations to plan accordingly for risk and know how to respond to it.
It is important to note that risk management differs from issues management in that risk management involves what could occur and how to prevent it, whereas issues management requires a response to stop an issue before it festers into a crisis (Compton, Wigley & Samoilenko, 2021).
Risk Identification requires spotting risks that could affect one’s organization. Methods to do so include situation and SWOT analyses, environmental scanning, and competition/sector comparison (Schober, 2016). The ERM team, comprising stakeholders from throughout the organization, conducts this process. This teamwork helps to ensure that there are no blind spots with risks falling between organizational silos (Fra.Paleo, 2015). During risk identification the team should appoint a “Devil’s Advocate” to speak to why something could be a risk if others on the team do not think it could be. Remember – anything goes.
Risk Analysis and Impact requires the ERM team to chart how likely a risk is to occur. Part of this process requires working with stakeholders to gain insights regarding how they perceive the risk (Hoover et al., 2021). The risk communicator can conduct this primary research through quantitative research, such as surveys and questionnaires, and qualitative research including focus groups and interviews. The team assigns scores to each perceived risk – the highest score indicates the risk most likely to occur. After the ERM team scores the perceived risk, they assess the organizational impact (Soltanizadeh et al., 2016).
Risk Response involves how the organization will act on a risk once it becomes reality (Lee, Meyer and Bradlow, 2009). Again, understanding how stakeholders want an organization to respond is essential. The risk communication professional crafts internal and external messages to disseminate to stakeholders regarding what occurred and how the organization will respond to the risk. Often, the crisis communication team will help formulate and coordinate risk response.
Risk Monitoring requires watching potential risks and gauging how these perceived threats change (Hopkin, 2013). These shifts require ongoing evaluation of the risks’ scores and how to respond to them.
Enterprise Risk Management Team Development is essential to help ensure that the organization is ready to address risk and communicate to stakeholders regarding it. Leading practice is to convene the team monthly to assess risk and modify their portfolio after evaluation. The ERM team also should take part in twice-a-year crisis communication and emergency preparedness training led by an external facilitator. ERM, emergency preparedness and crisis communication plans should fold seamlessly into one another with team members’ duties explicitly assigned. The facilitator conducts a debriefing after the meeting to determine what went well and what improvements the organization can make.
Conclusion
At the end of the day, ERM communication should advance organizational outcomes (Nair et al., 2015). One should not conduct risk communication simply for communication’s sake. An added benefit is that this practice allows communication professionals to sit at the policy and decision-making table, boosting their importance within the organization.
References
Compton, Josh, Shelley Wigley, and Sergei A. Samoilenko. “Inoculation Theory and Public Relations.” Public relations review 47.5 (2021): 102116. Web.
Fra.Paleo, Urbano. Risk Governance: The Articulation of Hazard, Politics and Ecology. Ed. Urbano Fra.Paleo. 1st ed. 2015. Dordrecht: Springer Netherlands, 2015. Web.
Hoover, Anna G. et al. “Balancing Incomplete COVID-19 Evidence and Local Priorities: Risk Communication and Stakeholder Engagement Strategies for School Re-Opening.” Reviews on environmental health 36.1 (2021): 27–37. Web.
Hopkin, Paul. Risk Management. 1st edition. Philadelphia, PA: Kogan Page Ltd, 2013. Print.
Lee, Ka Lok, Robert J Meyer, and Eric T Bradlow. “Analyzing Risk Response Dynamics on the Web: The Case of Hurricane Katrina.” Risk analysis 29.12 (2009): 1779–1792. Web.
McShane, Michael. “Enterprise Risk Management: History and a Design Science Proposal.” The journal of risk finance 19.2 (2018): 137–153. Web.
Nair, Anil et al. “Enterprise Risk Management as a Dynamic Capability: A Test of Its Effectiveness During a Crisis.” Managerial and decision economics 35.8 (2014): 555–566. Web.
Reckelhoff-Dangel, Christine, and Dan Petersen. Risk Communication in Action: The Risk Communication Workbook. Cincinnati, OH: United States Environmental Protection Agency, Office of Research and Development, National Risk Management Research Laboratory, 2007. Print.
Schober, Madrean. “Role and Practice Development.” Introduction to Advanced Nursing Practice. Cham: Springer International Publishing, 2016. 95–109. Web.
Soltanizadeh, Sara et al. “Business Strategy, Enterprise Risk Management and Organizational Performance.” Management research review 39.9 (2016): 1016–1033. Web.
Xie, Chaowu et al. “The Effects of Risk Message Frames on Post-Pandemic Travel Intentions: The Moderation of Empathy and Perceived Waiting Time.” Current issues in tourism 24.23 (2021): 3387–3406. Web.
Matt Charles, DPA, APR, teaches Crisis Communications for the Georgetown University School of Continuing Studies Master’s in Public Relations and Corporate Communications program and is President & Founder of Matt Charles Public Relations+Strategy and a Fulbright. Matt previously served as deputy spokesperson for the University of Virginia and director of media relations for the UVA Darden School of Business. Connect with Matt on LinkedIn: https://www.linkedin.com/in/matt-charles-dpa-apr-6563571/.