Effective risk managers need good storytellers

August 14, 2019

Critical takeaways

  • A large part of what we do at Kith involves reputation risk management but we often see Communications teams excluded from the risk management process.
  • Communications is the only part of the business that can adequately share the risk story. They are also key to understanding what is taking place outside an organization.
  • Ensure that Communications is part of the process; otherwise, your risk management system will fall short.


The concept of risk, particularly reputation risk, is something we spend a lot of time thinking about. We’ve built a risk framework to help companies understand the kinds of reputational risks they might face and how to best respond to these different situations. 


We’ve also developed a crisis readiness diagnostic tool that assesses how ready organizations are if one of these risks arises. 

These help us support clients who want to understand their reputational risk and there’s often very little daylight between what we do for clients and what is considered risk management. 

However, I’m continually surprised to see organizations with an otherwise robust risk management process exclude the Communications team from things. So even though Kith has been engaged to work on reputation management, the in-house Communications team isn’t part of the process.

Enterprise risk management (ERM) should provide a whole-of-organization view of risk so an organization can achieve its objectives by understanding and acting upon the risks it faces. But by overlooking communications, a critical business function isn’t involved, which creates a blind spot. Moreover, without the Communications Team, who is going to tell the company’s risk story?

So why is Communications overlooked? And can a risk management system truly be “enterprise” if Communications is excluded?


What is ERM?

An ERM system allows organizations to understand and address the complete range of risks they face. The Risk Management Association (RMA) defines ERM as “the management capability to manage all business risks in pursuit of acceptable returns.” Accordingly, an ERM system should answer three questions.

  1. Should we do it? Does the activity align with the business’s strategy, culture, values, and ethics? Is it under the organization’s risk appetite threshold?
  2. Can we do it? Are the people, processes, structures, and technology capabilities in place to support the activity?
  3. Did we do it? Are checks and balances in place to manage progress? Was everything completed as planned and were the results as expected? Were lessons learned recorded and acted upon? 

From The RMA’s Enterprise Risk Management Framework

ERM is a relatively new discipline, really only seeing wide adoption after the 2008 financial crisis. As such, it is continually evolving and there are many different frameworks and models available. However, on review of several of these, even otherwise comprehensive guides usually had no mention of communications.

This absence is troubling on two fronts. 

First, in a true “enterprise” system, you want input from the whole organization. Excluding Communications robs you of the insight of the team which, after customer-facing staff, has the best understanding of what takes place outside the organization.

The second issue is that once an organization understands its risks, it has to share these with staff, shareholders, regulators, and other stakeholders. Not only do these groups need to understand what risks exist, but they also need to know what to do about them. The Communications Team is best placed to tell this risk story effectively.

Moreover, risk communication is a two-way activity and the organization also has to listen to the response to its risk messages. The feedback you get might give you ideas on how to mitigate risks. At other times, the response might let you know that stakeholders have a different perspective on how big or small a risk is. Truly effective risk communication requires outbound and inbound interactions and the Communications team is best placed to manage this.

Unfortunately, the absence of Communications from ERM isn’t wholly surprising. Risk management has its background in the project, operational and financial fields, none of which are natural bedfellows with Communications. Similarly, HR might not have a prominent role in ERM despite the significant proportion of risks that arise from human factors. 

So it may be less of an intentional exclusion of the Communications team, but more a force of habit. Communications just isn’t part of the traditional ERM mindset, even though we can do a lot to enhance the process. 

But how can we change this?


Bring Communications into the mix

As communicators, we should initiate this change ourselves. We should build relationships with the ERM team by explaining how we can bring an external perspective to the process. We should also note that we can tell the risk story more effectively if we understand what has gone into the assessment and decisions. 

A savvy risk manager will see the benefit of our involvement and welcome our assistance in telling the organization’s risk story. After all, someone has to share the information and, if Communications isn’t involved, this would fall to the Risk Manager. (I’ve always found that lightening someone’s workload is a great way to get them onside.)

However, as communicators, we also need to up our risk management game. We need to approach the organization’s risks in a systemic way, not focus on every possible scenario. ERM discussions are not the time to focus on what’s trending on social media. Instead, we need to take a long-term, strategic view and think about how we can be part of the broader risk mitigation effort. (If you are interested in learning more about risk management, a friend of Kith’s runs an introduction to risk management course here.) 


There’s no ERM without Communications

I believe that for organizations to be successful, they need to understand the full range of risks they face, prepare for these and be able to adequately share their risk story with stakeholders and the wider public. A simple ERM system will help a business improve its understanding and decision making but, without the involvement of Communications, a vital external perspective is missing which creates a blind spot. More significantly, the organization’s most effective storytellers have been excluded which significantly reduces the company’s ability to tell its risk story and to learn from the responses.

Therefore, an ERM system where Communications is fully involved will be significantly more effective. There will be a better understanding of the external environment and an enhanced ability to share information about the organization’s risks. This collaboration also naturally enhances the organization’s crisis readiness as Communications can anticipate what might go wrong more effectively and prepare accordingly.

But as communicators, we shouldn’t let this status quo continue and we need to take the first step. So reach out to your ERM team and start a conversation. Get to understand your organization’s risk systems and structures and become part of the process. Take a long-term strategic view and help describe the external risks the organization faces to aid risk discussions. Then, develop and share your organization’s risk story with stakeholders and communities and feed their responses back into the system.

In my view, there can’t be a real ERM system if there is no Communications component, but let’s not be the ones who allow this omission to continue.




Bill is a reputation management, crisis communications and professional development expert, keynote speaker, Wall Street Journal Risk & Compliance panelist, and best-selling author of Critical Moments: The New Mindset of Reputation Management. He has more than 25 years of global experience managing high-stakes crises, issues management, and media relations challenges for both Fortune 500 companies and winning global political campaigns.