The vulnerability audit is a useful first step in the research communicators will undertake as part of their work on the crisis communications plan.
About 59% of businesses have a crisis communications manual in place that is constantly updated, according to a 2019 survey from PR News and Crisp. The ones who do not have a manual in place are missing out on an important tool to prepare themselves for efficient communication with their stakeholders at their brand’s moment of truth.
One of the reasons, in my experience, that companies will not have a crisis communications manual ready at hand is that a great many PR managers are not versed in crisis communications, and for that reason simply don’t know where to start. Inexperienced communications managers dread that the production of the manual will become too much of a burden on a team that is already tackling a multitude of other priorities, and also overestimate the costs they will need to incur if they decide to acquire the help from a specialized consultancy.
In this series of articles on how to write the crisis communications manual, I will take a look at the work that goes into drafting a crisis communications manual. If the effort is focused on what is truly critical to communicating in a professional manner during a crisis, the development of the manual does not need to be a daunting task. Actually, the end result of this endeavor could be limited to 20 to 25 pages and still cover all the basics.
Conducting the vulnerability audit
Through a vulnerability audit, companies list and then score the multifold ways they are exposed to either an operational or non-operational risk. Operational risks are any risks that are endemic to the way the company produces and delivers goods and services. A fire at a production site is an example of an operational risk. Non-operational risks are all other risks, for example a member of the executive team committing an act of bribery.
Once all the imaginable risks are included in a MECE list they are scored on both their likelihood of materializing and their potential impact if they occurred. Let there be no misunderstanding about the use of the ranking however: The crisis communications manual will not be written to just accommodate for the events in the high-likelihood, high-impact quadrant, but will provide resources and processes that are scenario-agnostic.
Putting the risk assessment to use
The list you made will serve the production of the manual well, as it will provide a holistic view on
- all the different stakeholders you would need to engage with in a crisis (clients and employees are among the most important ones, but let’s not forget suppliers, partners, regulators, etc.)
- all the different channels on which you would need to engage stakeholders in a crisis (to a large extent, but not entirely, you will be using existing channels)
- all the different types of formats that would need to employed in a crisis on those channels (the dark pages on a website form an example of a format that is only employed in a crisis, in most instances you will be using existing formats)
The crisis communications manual will arm the team with the processes and resources that will allow for the deployment of the necessary content formats on all channels that matter in communicating to all the stakeholders that needs to be addressed in a given crisis.
But you might wonder, why did we start off also scoring the risks on likelihood and impact? I see the use of scoring to lie mostly in informing the scenarios that are picked for the preparedness exercises with the crisis communications team. It will be easier to raise awareness with staff on the need for an exercise, and on the importance of learnings acquired during an exercise, if that exercise revolves around a scenario that is perceived to be not too unlikely and potentially of great importance to the organization.
Did you enjoy this piece on the use of vulnerability audits?
You might also like my article on how two heuristic biases will derail crisis communicators.