The Vulnerability Assessment:  5 Steps to Gain Management Support for Crisis Planning

Vulnerability Matrix

Originally published on the PreparedEx.com blog August 3, 2015

It’s not news:  media headlines tell shocking stories of organizational crises every. single. day.  Moreover, while some crises happen suddenly, they are much more likely to smolder, perhaps for years before they erupt. A crisis may not be shock and awe, but can still derail your organization. A crisis threatens or damages sales, profits, or company reputation; it weakens the organization’s competitive position or drives down the stock price; it affects jobs and delivers a blow to employee morale. It may trigger litigation, government investigations, or consumer or investor action.  Statistics from the U.S. Department of Labor suggest that more than 50% of companies fail within two years of a disaster.

It can happen to ANY organization (even government agencies, schools, non-profits and charities). It will happen to YOUR organization. Again.

Crises involve people.  Research conducted over the past 25 years by The Institute for Crisis Management® (ICM) has consistently identified a number of common crisis categories (in no particular order):

  1. Natural disaster
  2. Environmental damage
  3. Sudden death, incapacitation or dismissal of a key executive
  4. Labor action or work stoppage
  5. Workplace violence
  6. Data/security breach or systems outage
  7. Employee indictment
  8. Law enforcement or government investigation
  9. Whistleblower or class action lawsuit
  10. Sexual harassment or discrimination
  11. Workplace injury or death
  12. Product recalls

ICM’s research shows that more than two-thirds of all crises are the smoldering kind that are both predictable and preventable.  Yet, it’s virtually impossible to prepare effectively for potential crises if you don’t know where and how your organization is at risk. A vulnerability assessment is a critical first step in building the integrated plans needed for effective organizational crisis preparedness.  To get ready for the inevitable crises that will occur (and they WILL occur), follow these steps, which focus on the most probable crisis events in your organization.

STEP 1:   Start by creating a matrix to rank common crises in terms of probability of occurrence and severity if they were to occur (see sample matrix above).  Use the list of common crises above as a guide.

STEP 2: Schedule conversations with key leaders and managers across the organization, such as: C-Suite (President/CEO, CFO, COO, CIO, CAO), general counsel, corporate communications, division/region executives, safety and risk management, human resources and investor relations.

In your discussions with leadership, pose questions such as:

  • In terms of the organization, what keeps you awake at night?
  • What kinds of sudden and smoldering crises do you think are likely in the next 6-12 months? (review the list of common crises)
  • Do we have an operational crisis plan, communication plan and business continuity plan? If so, have they been tested? Are they integrated?
  • Who speaks for the company on various issues and what kind of training, if any, have they had?
  • What is the potential for personnel issues to become public crises? What needs to be done to solve them?
  • How effective are we at communicating with staff/employees? With the communities where our facilities are located? With community leaders and legislators? With investors? With regulators?

The key to the vulnerability assessment process is getting straightforward feedback from the individuals who would manage any crisis.  You may want to engage the services of an outside consulting firm to conduct the vulnerability assessment and impact analysis. In ICM’s experience, managers and leaders are more likely to share their true concerns with a consultant than they are with a colleague from within the organization.

STEP 3:  Based on the information you gather, use the vulnerability matrix to prioritize each potential crisis in terms of its probability of occurrence, potential severity, duration and financial impact.

STEP 4:  Once you have ranked the most likely crises and their potential impact on your vulnerability matrix, rank-order your potential crisis list to determine the issues a) most likely to happen, and b) most likely to cause significant financial damage. Then, develop a business and financial impact analysis by estimating the short- and long-term costs for potential:

  • Losses in sales, customers, profitability;
  • Depressed quarterly earnings;
  • Lawsuits or class action suits;
  • Market share loss to competition and erosion of brand/reputation;
  • Labor union actions;
  • Government investigations/legal fees/fines/settlements; and
  • Value of executives’ time dealing with the crisis.

Work with your colleagues in other departments to help develop cost estimates for the applicable impact items noted, as well as those that are unique to your business and industry. You will find that the numbers add up quickly.

STEP 5:  Use the impact analysis to brief senior management and make recommendations for developing operational crisis management and crisis communication plans.  The briefing may include a synopsis of each potential crisis, the estimated business/financial impact, possible containment strategies and recommendations to prevent or minimize the damage to the organization.  Then, get planning!

In summary, it is much easier (and cheaper) to prepare for and prevent crises than it is to repair and repent after they happen! By taking a critical view of the probability of certain kinds of crises and preparing for their inevitability, leaders can protect their organizations from the kind of damage that can lead to serious financial difficulties or, worse, failure to continue as a going concern.


Deb Hileman is President and CEO of the Institute for Crisis Management (ICM), a crisis management planning, training and consulting firm based in Denver, Colo. Founded in 1989, ICM was one of the first consulting firms in the U.S. to focus solely on crisis management and communications. Hileman has more than 20 years’ experience managing serious business issues and a variety of common organizational crises, from natural disasters to criminal investigations and employees behaving badly. Her work spans public and privately held companies and non-profit organizations in a variety of industries. Contact Deb at DHileman@crisisconsultant.com, or visit the ICM website at www.crisisconsultant.com.