A version of this post appeared on Risk & Compliance.

Strategic reputation risk and crisis preparedness has never been more essential to protect and preserve corporate value. Today’s accelerating and amplified crises, from more complex operations, faster pace of media and competitive landscapes to higher stakeholder expectations, are spawning disruption, uncertainty and paranoia that are dramatically impacting businesses. Increasingly, organizations targeted by new and growing strains of strategic risk, including “black bag” campaigns that mortgage corporate trust, destroy value and threaten leadership stability and license to operate.

Traditionally, black bag campaigns have been political in nature, used by their opponents to publicly take down congressional candidates or high-level government officials. Cases in point: the recent unsuccessful and separate attempts by conspiracy theorists to falsely accuse U.S. special prosecutor Robert Mueller and U.S. Democratic presidential contender Pete Buttigieg of sexual assault. Similarly, a large oil and gas company launched a major black bag campaign against economist and presidential assistant Peter Navarro that stemmed from strong differences in policy. The campaign triggered extensive media coverage across multiple media outlets within a single week.

However, this information warfare now includes businesses or governments taking the offensive to disrupt other businesses and their leaders for a variety of competitive and disruptive motives. For example, since 2017, Silk Way West Airlines, an Azerbaijani private carrier of nonlethal cargo, has been the target of Russian and Armenian sources who have disseminated fake news that Silk Way West was ferrying weapons to terrorists, which has hurt its ability to raise capital and renew contracts.

In basic terms, black bag campaigns use opposition research to develop a dossier of public and private statements, recorded interviews, tweets, emails and anything embarrassing, which may or may not be accurate, and that can be used in a corporate attack. This dossier is then provided to a media outlet, and when it goes public, digital wildfires and corporate crises erupt immediately. This is just one example that defines the new landscape of strategic risk and illuminates the stunning rise of corporate crises.

Countering such risks requires organizations to develop dynamic and agile preparedness plans. In our experience, pre-emptive risk-sensing and preparedness planning is essential to protecting the full gamut of organizational interests. It is increasingly important to take an active command center approach, whereby teams work together to see and understand the warning signs for crises. Consider the scope of the challenge: In less than a decade, the likelihood that a company will confront a major crisis has grown by more than 600 percent. And while financial markets may be performing and the economy appears stable, that does not signal a lessening of crises at a time when citizens are divided, governments are not doing much governing and the global order unravels.

Organizations must become more resilient to crises

In 2018, the World Economic Forum contended that a “critical period of intensified risks” has arrived. Ransomware attack statistics confirm this. Insurance company Chubb found that average ransom demands in 2018 grew to $700,000 from $18,000 in 2016, with professional services organizations accounting for 28 percent of last year’s ransomware attacks. When such incidents make headlines, the public actively judges an organization on how it responds to the crisis. They either quickly condone or condemn it. In today’s digital age, social media intensifies this response by providing an effective platform to galvanize and spread disgruntled voices and expose business to additional layers of scrutiny.

With reputational risk escalating and intensifying, a more extreme cost of failure emerges. As a result, it becomes even more critical for organizations to implement holistic risk management systems to strengthen their resilience to potential reputational threats. To confront new global realities, organizations must continually revisit detection, preparation, planning and training processes. They must pay increased attention to ethics, governance and corporate integrity, more aggressive enforcement actions and the now-mainstream use of digital technology and social media that stir debate and prolong controversy.

A proactive approach

Like all strategic risks, reputation risk and crisis management preparedness and response must be a core capability and not simply a function. A proactive approach and research-driven methodology must drive the process. It is also essential that parties deploy adaptive methodologies that encompass both protection and value creation while providing a holistic approach and pre-emptive planning to detect and disarm emerging threats wherever they may arise globally.

The most effective ways to approach and manage strategic reputation risk require organizations to:

  • embed an awareness of reputation and brand deeply into the company’s culture so that all levels of the organization work consistently toward promoting, protecting and evolving it;
  • create a “risk intelligent” organization with effective governance, board oversight and C-suite responsibility for reputation;
  • encourage risk-taking and value creation while addressing risk avoidance and mitigation;
  • promote a pre-emptive mindset for reputation risk that is integrated with the organization’s business strategy, processes and culture;
  • develop sophisticated strategies and mitigation measurements to preserve the organization’s viability, integrity and build resilience;
  • create robust scenario planning, stakeholder communications, fluid decision-making, outreach planning, simulations and training;
  • act proactively or responsively to mitigate or manage risks and employ crisis management strategies that seek to keep the organization ahead of serious threats with the potential to undermine the organization; and
  • recalibrate constantly in response to a situation and emerging information until the issue is resolved. Data and metrics are critical for informing and adjusting strategy.

Assessing risk

Organizational risk assessments also serve as a critical component of risk-readiness. Such an assessment requires a thorough review of existing plans, resources, frameworks, tools and governance systems. It must also include interviews with key team members because this facilitates a holistic framework for evaluating and measuring the impact of potential issues. It also drives alignment of issues internally to facilitate priority-setting.

As part of the evaluative process, participants complete an anonymous pre-interview survey that assesses issues that contribute to the overall assessment. Further, it is essential to conduct a qualitative assessment of up to as many as 20 current and forward-looking vulnerabilities, which includes evaluating the previous 12 months of landscape, uncovering trends and highlighting key stakeholders for each issue.

After the organizational risk audit and vulnerability assessment, a working session with select leadership or cross-functional team members should be held to align and prioritize previously identified issues. This meeting should address any gaps uncovered by the quantitative and qualitative assessment. Together, quantitative and qualitative data deliver a vulnerability scorecard in which to evaluate the full gamut of idiosyncratic market and nonmarket risks.

Based on the outputs of the risk audit and vulnerability assessment, the organization should develop high-level scenario plans for each of the 10 to 20 priority issues identified during the workshop. These plans must include recommended approaches, positioning, considerations, draft holding statements and talking points, as well as the identification of stakeholders and a sample draft communication that potentially will be tailored and used in any scenario.

Establish a reputation benchmark

Creating a reputation benchmark at the outset is vital to measure progress and determine the severity and impact of a crisis across the spectrum of an organization’s interest holders.

Businesses today operate in turbulent and often unprecedented waters that include many franchise risks, which did not exist even five years ago. Strategic risk preparedness must be a team sport with an “always on” mindset and must employ the companion resources, tools and preparation that enable organizations to track crisis threats proactively and simultaneously. Ultimately, leading organizations are demonstrating that planning is indispensable for crisis resilience, with data, preparation and training, such as real-time stress testing, the most effective way to prepare for an extraordinary event, whether that is critical misinformation, black bag campaigns or other crises.

Harlan Loeb is global chair, Crisis & Reputation Risk.
Francesca Trainor-Alt is executive vice president and group head, Crisis & Reputation Risk.

Photo: Matthew Henry