11/26/2014 02:21 pm ET Updated Jan 25, 2015

Past Is Prologue: Crisis Risk Management Begins Inside

In the last 15 years, nearly all major crises suffered from a breakdown in meaningful internal controls, corporate values and poor leadership. Often, the scale of the crisis - and even the crisis itself - was avoidable if corporate values fostered a proactive approach to crisis and risk management or if corporate leadership (particularly the board of directors) set a tone at the top that left no room for misconduct and situational ethics.

Beginning with the "fraud era" of Enron, WorldCom and Tyco, we were privy to leaders with larceny in their souls, and no board capacity or (more likely) desire to police their captains. In all three iconic examples that led to the enactment of Sarbanes-Oxley, the extent of the fraud, and perhaps the fraud itself, was preventable with even modest inquiry and a bias for action. Instead, Enron no longer exists, Tyco is barely a shell of what it once was, and WorldCom essentially was sold for scrap value. Three companies with lunar-like reputations in 2000 are now dead or profoundly humbled.

Skip ahead to the global financial crisis: dozens of global financial institution were building substantial trading portfolios in securitized debt largely consisting of mortgage-backed securities. While the public may not have understood fully the financial and reputational risks that these banks were assuming, the banks certainly did - and so did their boards. But stock price and 'keeping up with the competition' simply were too compelling to consider the financial and reputational impact.

Moving to 2010, nearly every industry sector suffered a major reputational crisis. From BP and Toyota to Goldman Sachs and Johnson & Johnson, the year officially ushered in the "age of crisis" that quietly began many years before. Like Enron and its companions in the early 2000's and the banks in the mid-2000's, each of 2010's reputational crises shared, at their core, manageable risks that were missed, deliberately ignored, or held an absence of decisional fortitude.

As we read about the travails of General Motors and recent foreign-exchange scandals, it's difficult to explain the enduring and elusive challenge that companies and organizations seem to face: the importance of learning from past mistakes. If 25 years of experience in crisis management reveals anything, it is this:

(1) The pursuit of opportunity, well intentioned or not, always outpaces the capacity to manage or even contemplate the associated risks;

(2) Internal risk management relies heavily on the soft skills of inspiring (versus mandating) human behavior and values-based compliance. There is a positive correlation between the ability to make decisions that guide customers or those constituencies which determine whether a company makes or profit or suffers a loss and robust crisis and reputational risk management; and

(3) All corporate operational risk is now simply reputational risk, given the ubiquity of social media and the global platform it provides to trade opinion, rumor and misinformation as fact.

These three insights challenge companies to be substantially more adaptive in their approach to crisis risk and embrace the certainty that most crises are directly tied to human behavior. Rather than running from the uncertainty and fear that it provokes, companies can and should employ and deploy the qualitative risk management models that contribute to internal alignment on crisis risk. The stakes are only getting higher.