Why Risk and Reputation managers should work together…but don’t

As a risk practitioner with roots in reputation management, I have often wondered why reputation managers don’t engage more with enterprise risk & security leaders.

To be candid, there is a partnership to be forged here that neither of these functional leaders seem to have realised (at least not as a rule. Some companies do have their risk & communications leaders working in close connect, I agree.)

Allow me to try and defend this, potentially contentious, statement.

As reputation & communications leaders, we seem more keen to align with marketing, strategy and, now, HR functions. As risk or security leaders, we find a natural connect with operations, logistics, HSE, legal and compliance within companies. Truth is, both risk and reputation leaders often face the common issue of “being accepted at the top table” – which both could resolve if they work better together.

In a session we chaired for OSAC’s Chennai chapter last Friday to discuss the resurgence of the pandemic and key risks to businesses in India in 2021, I was asked whether any “soft issues” had come to the fore as organisations navigated their business through the pandemic year (2020). Two significant employee related issues had come to the fore – one, the increase in incidents of workplace violence (specifically harassment); and two, the surge in cyber compromises that involved phishing attacks triggered through unsuspecting colleagues working from home.

Both these issues have a hard security element to it – violation of organisational code of conduct and information security protocols. They also have a soft communications element to it – engendering empathy and respect for people’s mental health as we all struggle through isolation, loss and a yearning for the old ways of engagement. Even as comms leaders connect with HR on such matters and security folk gravitate towards legal & compliance teams to address it; there is an intuitive “rough with the smooth” path which involves firm communications & censure for bad behaviour (or naivete, in case of cyber compromise) that may have led to compromising on organisational principles (or resources) – along with a learning mindset that seeks to fix the weakest links / the most vulnerable minds among us.

My contention – these are issues that need a security PLUS communications mind to address; as much as IT, HR or compliance competence.

I was reminded of another line of enquiry we followed at the PR Club discussion earlier in March 2021 – to understand “Resilience”.

We concluded that highly resilient organisations are those that can identify and adapt to change and uncertainty before change becomes an urgent factor and forces behaviour shifts. Simply put, resilience is a pre-emptive (not just proactive) tenet of an organisation. Work and thought has to go in ahead of the crisis to build processes, common values and vision so that companies are ready for the inevitable.

Being a “learning organisation” is fundamental to understanding how companies responded and what they could have done better. Among security & risk managers, an “after-action report” is a sacrosanct part of the PDCA cycle institutionalised by the ISO standards that define risk and business continuity. In the world of communications, quarterly (and more frequent) evaluation of impact and outcome of digital initiatives, outreach programmes etc. is part of the gospel.

In both instances – we have professionals working to develop an ability to anticipate and adapt to change and evolve the way they act. At Control Risks we call it “resilience by design” – a programme that helps organisation to not only anticipate, prepare, respond and recover from traditional acute events and disruption more cost-effectively and efficiently, but also guide firms through the three stages from business resilience, to operational resilience and organisational resilience.

The point is – this is an established discipline… which both risk and reputation managers understand intuitively. There is a lot more to be gained if these two stakeholder groups come together more often, and with greater intent, within companies. That was my takeaway plea to all the communications delegates to attended that PR Club session – connect with your risk and security leader!

A well-defined enterprise risk framework (which covers governance, operational risk and compliance) requires soft skills based understanding as well as firm enforcement of discipline, which enables an enterprise to be better prepared to manage risks as they emerge.

This article was first published on the reputation management and corporate communications platform – Reputation Today– on April 1 2021, as contribution to a regular column I write focused on enabling marketers, crisis and risk managers everywhere who help companies find opportunities in risk.