When Crisis Plans Create a False Sense of Security
Three mindset shifts for managing reputational risk
The biggest reputational risk I come across in conversations about risk management with founders of small-to-medium-sized organizations is one you’ll never see clearly represented on a risk register.
It’s the fundamental misunderstanding of what a reputational crisis is. And it’s rooted in attitude toward risk. We’ve often been trained to see crises as technical problems that can be solved with pre-planned mitigation. That might work for the mechanical aspects of project risks, but a reputational crisis is a social problem, not a technical one.
You’ve heard the saying that “failing to plan is planning to fail”, often attributed to Benjamin Franklin. But what if the plan itself is the failure? A whole lot of time gets wasted on crisis plans that simply don’t work in a situation they’re supposedly designed for. They might be outdated, never tested, fail because they’re treated as checkbox exercises… or fail because reputational crises are unpredictable. You can spend thousands on a plan that never gets used.
And businesses do. Often.
Why? Because an outdated crisis plan (“but it was written last year”… it’s outdated, sorry) sitting in a drawer somewhere may not perform the function it was written for, but it does provide a nice, comfortable (and unfortunately false) sense of security.
The fear of something going wrong makes us want a script to follow. Having a plan makes us feel like we’ve addressed the fear. But a solution that only addresses a symptom will only leave you with a hidden problem.
You wouldn’t turn up the radio to drown out the sound of a failing engine (OK, I have done this, but that was 20 years ago). So why do we treat reputational risk that way?
Technical problems versus social crises
A critical flaw I see repeatedly is the failure to distinguish between a technical problem and the social crisis it creates.
A technical problem has a clear cause and a predictable solution, and most of the time, your mitigation strategies will still apply months after you’ve put them in your risk register. Data breaches, product recalls, supply chain disruption… these are issues with technical problems that can be managed with a checklist. The social dimension of them? Not so much… Each of these issues also carries substantial reputational risk. Reputational crises unfold in real time and are substantially shaped by context, emotion, power dynamics, timing, and perception. Two organizations can face superficially similar situations and experience entirely different outcomes depending on how those factors interact and how they handle the social crisis aspect.
That’s why generic plans so often fail. Planning for specific scenarios is often ineffective because a social crisis can’t be controlled and neutralized in advance in the way a technical problem can. By all means imagine scenarios, but don’t mistake imagination for control, or rehearsal for prediction.
You can’t script your way out of a crisis of trust.
“Low Probability” is a dangerous illusion
This misunderstanding is most dangerous in relation to reputational risks that have a low probability of occurring but the potential to have an extremely high impact if they do.
That ‘low probability’ does a lot of work it has no business doing: it builds a sense of safety that shouldn’t be there.
We tend to focus on the ‘low probability’ and ignore the ‘high impact.’ And the impact of a reputational risk isn’t contained in the way a technical failure often is. It can spiral out of control fast. So, a little fear is a good thing when you’re working with something that has the potential to have a massive impact, even if it’s not considered likely to happen.
Take environmental risks, a clear example of how reputational risks get misclassified rather than recognized. Those have their own category in a risk register and they’re often discussed with a compliance and regulatory focus, as if they are entirely separate from public perception. In practice, environmental and reputational risk are functionally inseparable because environmental harm, perceived lack of sustainability, accusations of greenwashing, etc., are extremely strong drivers of reputational damage. Treating technical compliance and reputation management as separate functions creates blind spots where severe public backlash, investor distrust, and market value loss occur regardless of whether regulatory standards are met.
“I don’t even want to think about that…”
If someone tells me they don’t think a high-impact reputational risk is likely to become reality, I often ask them what they think would happen if it did. More often than not, I hear things like, “I don’t even want to think about that,” “I can’t even imagine this happening to us,” and “Thinking about that makes me paranoid for no reason.”
I’m not working with anyone who is obtuse or pathologically superstitious here. It’s just a very human tendency to be afraid of looking at the worst-case scenario and actively confronting the fact that it could become reality. Nobody wants to do that. It’s more comfortable to keep our eyes on the ‘low probability’ column and strategically place a coaster over the ‘high impact’ one.
But thinking about reputational risk isn’t meant to be comfortable.
And you do need to think about it. Just not in the ‘address this with a crisis plan we might never use’ kind of way.
No reputational crisis is the same
The truth is that no crisis plan can prepare you for a reputational crisis in the way you hope it will. That traditional crisis plan you might want will function less as an operational tool and more as emotional reassurance. It’ll help you believe you’re prepared and make the fear of reputational damage easier to live with… But reassurance is not readiness.
So if scripted plans don’t work, what does?
It’s decision-making capacity under pressure that you need. It’s harder, but it’s also simpler and less expensive than a traditional crisis plan. It requires three shifts in thinking:
From prediction to preparation: Acknowledge that reputational risk exists and that you can’t predict and plan for every possible scenario. Instead, prepare your team to handle the unpredictable. Know who to bring in, what your values are, and how you’ll make decisions when the stakes are high.
From control to influence: Accept that you will not be able to script your way out of every scenario. You can’t control a reputational crisis. You can only influence it. This means shifting your focus from internal processes to external perceptions, listening more than you talk, and prioritizing transparency over spin.
From reassurance to readiness: Let go of the theatrical crisis plan that makes you feel good and focus on what will actually make you ready. This means stress-testing your decision-making processes, building relationships with key stakeholders before you need them, and having a team that can assess a situation as it is, not as you wish it were.
To be clear, this isn’t a call to abandon preparation altogether, but a rejection of scripted, scenario-based crisis plans that assume reputational risk can be neutralized in advance.
For most organizations, this means knowing in advance who you can bring in immediately when something happens. Someone who understands the interplay of the technical, legal, and social factors, and who can help you slow down enough to make accurate decisions while maintaining enough speed to shape the narrative.
Examined fear is a tool… use it
The problem isn’t fear itself. It’s what we do with it. Unexamined fear drives avoidance, denial, and false certainty. Examined fear sharpens attention and judgment. Confronting the nature of reputational risk requires examined fear. It’s a tool, so use it… instead of letting it drive you into denial or cosmetic solutions that won’t hold up over time.
Of course, discomfort doesn’t guarantee good decisions, but unwarranted comfort will almost always result in blind spots.
If you’re too comfortable with how prepared you feel, that comfort itself may be the biggest risk of all.