What Could Go Wrong? The Executive Guide to Reputation Risk Assessment
Most organisations approach risk assessment the wrong way. They build lists of what has gone wrong for others, apply a traffic light system to each item, present the matrix to the board once a year, and consider the exercise complete. That is not risk assessment. That is risk documentation — and there is a significant difference.
Real risk assessment is a continuous, living process. It asks not just what could go wrong, but what is already going wrong that nobody has named yet. It maps the organisation's exposure across every dimension — operational, regulatory, reputational, financial, and human — and it does so with the uncomfortable honesty that most leadership teams find difficult to sustain beyond the first hour of the conversation.
Why Most Risk Assessments Fail Before They Start
The first failure is structural. Risk assessment is typically assigned to compliance, legal or finance functions whose instinct is to document and contain rather than to surface and confront. The result is a risk register that reflects what the organisation is comfortable acknowledging, not what it is actually exposed to.
The second failure is cultural. In most organisations, identifying a serious risk is unconsciously associated with owning responsibility for it. So risks get minimised, reframed or quietly omitted. The matrix looks manageable. The board is reassured. And the actual exposure sits unaddressed until it becomes an incident.
I saw this pattern repeatedly across three decades at a senior level in some of the world's largest organisations. At Deutsche Telekom, Virgin Media, and Etisalat, the risks that caused the most damage were rarely the ones on the register. They were the ones that everyone privately knew existed but that no one had been willing to put in writing. The gap between the official risk picture and the real one is where crises are born.
The Three Dimensions of Reputation Risk
Effective reputation risk management maps exposure across three distinct dimensions.
Operational Risk
Operational risks are the threats that emerge from how the organisation functions day to day — supply chain vulnerabilities, technology failures, safety protocols, service delivery standards, data security. These are the risks most organisations are reasonably good at identifying, because they have direct financial consequences and tend to be measurable.
What organisations consistently underestimate is the reputational amplification of operational failures. A supply chain disruption is an operational problem. A supply chain disruption that becomes a news story is a reputational crisis. The operational risk register rarely captures that second dimension.
Regulatory and Legal Risk
Romania's regulatory environment is evolving rapidly across every sector — financial services, energy, data protection, employment law, and environmental compliance. Organisations that treat regulatory risk as a legal department concern rather than a communication concern are consistently caught unprepared when a regulatory event becomes public.
Crisis communication in a regulatory context is a specialist discipline. What you say to a regulator, when you say it, and what you say publicly in parallel require careful coordination that most organisations have not designed in advance.
Reputational Risk
Reputational risk is the most underassessed of the three dimensions because it is the hardest to quantify. It encompasses leadership conduct, media narrative, social media exposure, competitor activity, employee sentiment and the accumulated perception of every stakeholder group that matters to the organisation.
The organisations that manage reputational risk most effectively treat it as a continuous monitoring discipline rather than an annual exercise. They know what is being said about them, by whom, and in which channels — and they have a clear picture of where the narrative is drifting before it becomes a problem.
How to Conduct a Meaningful Risk Assessment
A genuine risk assessment process has four stages.
The first is exposure mapping — a structured audit of every operational, regulatory and reputational vulnerability the organisation carries, conducted with senior leadership involvement and without the self-censorship that characterises most compliance-driven exercises.
The second is probability and impact scoring — not with a traffic light matrix, but with honest scenario planning. What would this risk look like if it materialised? Who would know first? How quickly would it escalate? What would the media and regulatory response be? Who would be affected and in what sequence?
The third is gap analysis — comparing the organisation's current crisis preparedness capability against what each identified risk would actually require. Most organisations find significant gaps at this stage. The purpose is not to generate alarm but to generate a prioritised action plan.
The fourth is ongoing monitoring — establishing the systems, responsibilities and review cadence that keep the risk picture current. A risk assessment conducted once is a historical document. A risk assessment process conducted continuously is a genuine early warning system.
The Question Every Leadership Team Should Answer
Here is the question I ask every leadership team at the start of a risk assessment engagement: if the most damaging thing that could happen to this organisation happened tomorrow morning, would you know about it before the media did?
For most organisations, the honest answer is no. And that answer defines the gap between where they are and where they need to be.
Crisis management begins long before a crisis occurs. The organisations that navigate serious incidents with their reputations intact are not the ones that respond best in the moment — they are the ones that identified their exposure in advance, built their capability before it was needed, and invested in the preparation that most of their competitors quietly avoided.
The cost of a thorough risk assessment is modest. The cost of the crisis it prevents is not.
———
About the Author
Steve Gardiner (exec MBA) is a senior marketing and commercial leader at Lighthouse PR, bringing global experience from Accenture, Electronic Arts, Virgin Media, Telekom, and Etisalat. Latterly, as VP Business at Etisalat, he was responsible for $1.8B in revenue.
Today, Steve applies his strategic, marketing, and growth expertise to support Lighthouse PR clients as part of the agency’s service offering.
About Lighthouse PR
Lighthouse PR is a leading PR agency in Romania that works with a select number of organisations across Central and Southeastern Europe, delivering media relations, reputation management, crisis communications, social media and an extensive range of business continuity services — always led by senior practitioners.
We hold exclusive membership for Romania and the Republic of Moldova in both the Eurocom worldwide PR network and the CCNE, Europe's leading crisis communications network.
Lighthouse PR: Clear. Concise. Convincing.