Why Risk and Reputation managers should work together…but don’t

As a risk practitioner with roots in reputation management, I have often wondered why reputation managers don’t engage more with enterprise risk & security leaders.

To be candid, there is a partnership to be forged here that neither of these functional leaders seem to have realised (at least not as a rule. Some companies do have their risk & communications leaders working in close connect, I agree.)

As reputation & communications leaders, we seem more keen to align with marketing, strategy and, now, HR functions. As risk or security leaders, we find a natural connect with operations, logistics, HSE, legal and compliance within companies. Truth is, both risk and reputation leaders often face the common issue of “being accepted at the top table” – which both could resolve if they work better together.

Allow me to try and defend this, potentially contentious, statement.

In a session we chaired for OSAC’s Chennai chapter last Friday to discuss the resurgence of the pandemic and key risks to businesses in India in 2021, I was asked whether any “soft issues” had come to the fore as organisations navigated their business through the pandemic year (2020). Two significant employee related issues had come to the fore – one, the increase in incidents of workplace violence (specifically harassment); and two, the surge in cyber compromises that involved phishing attacks triggered through unsuspecting colleagues working from home.

Both these issues have a hard security element to it – violation of organisational code of conduct and information security protocols. They also have a soft communications element to it – engendering empathy and respect for people’s mental health as we all struggle through isolation, loss and a yearning for the old ways of engagement. Even as comms leaders connect with HR on such matters and security folk gravitate towards legal & compliance teams to address it; there is an intuitive “rough with the smooth” path which involves firm communications & censure for bad behaviour (or naivete, in case of cyber compromise) that may have led to compromising on organisational principles (or resources) – along with a learning mindset that seeks to fix the weakest links / the most vulnerable minds among us.

My contention – these are issues that need a security PLUS communications mind to address; as much as IT, HR or compliance competence.

I was reminded of another line of enquiry we followed at the PR Club discussion earlier in March 2021 – to understand “Resilience”.

We concluded that highly resilient organisations are those that can identify and adapt to change and uncertainty before change becomes an urgent factor and forces behaviour shifts. Simply put, resilience is a pre-emptive (not just proactive) tenet of an organisation. Work and thought has to go in ahead of the crisis to build processes, common values and vision so that companies are ready for the inevitable.

Being a “learning organisation” is fundamental to understanding how companies responded and what they could have done better. Among security & risk managers, an “after-action report” is a sacrosanct part of the PDCA cycle institutionalised by the ISO standards that define risk and business continuity. In the world of communications, quarterly (and more frequent) evaluation of impact and outcome of digital initiatives, outreach programmes etc. is part of the gospel.

In both instances – we have professionals working to develop an ability to anticipate and adapt to change and evolve the way they act. At Control Risks’ we call it “resilience by design” – a programme that helps organisation to not only anticipate, prepare, respond and recover from traditional acute events and disruption more cost-effectively and efficiently, but also guide firms through the three stages from business resilience, to operational resilience and organisational resilience.

The point is – this is an established discipline… which both risk and reputation managers understand intuitively. There is a lot more to be gained if these two stakeholder groups come together more often, and with greater intent, within companies. That was my takeaway plea to all the communications delegates to attended that PR Club session – connect with your risk and security leader!

A well-defined enterprise risk framework (which covers governance, operational risk and compliance) requires soft skills based understanding as well as firm enforcement of discipline, which enables an enterprise to be better prepared to manage risks as they emerge.

The views and opinions published here belong to the author and do not necessarily reflect the views and opinions of the publisher.

Amit Narayan
Partner & Managing Director, South Asia at Control Risks
Amit manages consultants who design, develop and implement risk-mitigation strategies for companies across South Asia. He has advised clients on political and regulatory risk, pre-investment risk, reputational DD, forensic investigations, public policy and stakeholder mapping. Amit has worked in Edelman in India and Burson-Marsteller in Singapore. He has also worked in-house at Vodafone in Singapore and The Walt Disney Company in Hong Kong.

Be the first to comment on "Why Risk and Reputation managers should work together…but don’t"

Leave a comment

Your email address will not be published.