What’s a vulnerability audit and why do you need one?

A vulnerability audit is a thorough self-inspection designed to identify potential crises before they occur and pave the way for creation of a crisis communications plan which will allow an organization to avoid, or at least minimize, the negative impact of such crises.

This is done by:

  1. Collecting data from people in key information flow positions. Senior executives are not always aware of all of the circumstances which can lead to the birth of a crisis. Hence, interviews are conducted with both white- and blue-collar personnel at various echelons of the company, typically a minimum of 20 interviews. Multi-location businesses usually require interviews with remote location personnel who have insights specific to their area.

  2. These interviews are conducted on an extremely confidential basis. Ideally, interviewees are told that the firm’s senior management will not, under any circumstances, be told “who said what.” Information gleaned during the interview process includes (1) potentially harmful trends (facts or perceptions reported by multiple sources); (2) significant inconsistencies between answers from different subjects; (3) non-verbal cues that there may be something amiss in certain areas, which then prompts further questioning; and, (4) consensus opinion regarding the probability of certain types of crises.

  3. Looking for operational and communications weaknesses which could cause or contribute to a crisis.An employee who’s a “loose cannon” is a more obvious potential source of problems, even if he/she is well-intentioned, but there are less obvious issues revealed through the vulnerability audit process. For example, one past client relied on a single fax machine for incoming and outgoing faxes from its headquarters offices during a crisis, which tremendously delayed communication with a number of important audiences. The simple addition of fax machines, creation of broadcast fax/email lists and similar tactics can often greatly improve crisis response.

  4. Anticipating actual crisis scenarios. Every organization is vulnerable to certain types of crises inherent in the nature of its business, plus others inherent, perhaps, in the nature of its particular style of operating. Additionally, the vulnerability audit has been known to reveal “skeletons” of which senior management may not have been aware.

  5. Reporting results. The conclusions from the vulnerability audit are then analyzed and presented both as a in-depth overview of issues that need to be addressed.

The information collected during the vulnerability audit process is used as the basis for writing a manual which will guide the entire organization in the communications aspects of responding to crisis situation. A side benefit we’ve seen – the discussions necessary to the audit process often spur more overall interest in protecting the company from crisis, which of course saves you money!

We typically spot the first vulnerability within minutes, and as the process continues problems “everyone knew” existed (except, often, those at the top!) quickly emerge. Time after time clients who feel they’ve prepared adequately are stunned by the list of vulnerabilities this process identifies, and the liability they would have faced if the possibilities had become reality. Every organization has weaknesses but they don’t have to put you out of business. Know what they are and make prevention a part of daily conversation.

[Jonathan Bernstein is president of Bernstein Crisis Management, Inc., an international crisis management consultancy, author of Manager’s Guide to Crisis Management and Keeping the Wolves at Bay – Media Training. Erik Bernstein is vice president for the firm and also editor of its newsletter, Crisis Manager]

We love to connect with readers on LinkedIn! Connect with Bernstein Crisis Management | Connect with Jonathan | Connect with Erik