Risk Management in PR: What Most Brands Get Wrong

Risk management in public relations is the discipline of identifying, assessing, and preparing for threats that could damage an organisation’s reputation, relationships, or commercial standing. Done well, it shifts PR from reactive damage control into a structured, pre-emptive capability that protects brands before a crisis lands, not after.

Most organisations treat PR risk as something to manage when it arrives. The smarter ones treat it as something to architect before it ever does.

Key Takeaways

  • PR risk is not just reputational. Licensing failures, internal leaks, third-party conduct, and operational missteps all carry communications consequences that need mapping in advance.
  • Crisis response plans are only as good as the decision-making structures behind them. Who approves what, and in what timeframe, matters more than the document itself.
  • The biggest PR failures tend to involve risks that were visible but unowned. Accountability gaps are more dangerous than information gaps.
  • Scenario planning is underused in PR. Brands that run structured “what if” exercises before a crisis are measurably faster and more coherent when one hits.
  • PR risk management is not a communications function alone. Legal, commercial, HR, and product teams all generate risk that lands in comms, and they need to be part of the process.

Why PR Risk Is Bigger Than Reputation

The instinct is to frame PR risk narrowly: a bad press story, a social media pile-on, a spokesperson who goes off-script. Those things matter, but they are symptoms of a much wider problem. PR risk touches every part of a business that has any public-facing dimension, which in practice means almost everything.

I learned this the hard way on a Christmas campaign we built for Vodafone. The creative was excellent. The strategy was solid. We had brought in a Sony A&R consultant specifically to manage the music licensing component, because we knew rights issues in that space could be complicated. Despite all of that, a significant licensing problem surfaced at the eleventh hour. The campaign had to be abandoned. We went back to the drawing board, built an entirely new concept, got client approval, and delivered under extreme time pressure. The reputational risk in that moment was not just to the brand. It was to the agency relationship, to the client’s internal stakeholders who had already signed off, and to the credibility of everyone involved in the approval chain.

That experience shaped how I think about PR risk. It is not just about what journalists write. It is about the full surface area of your communications activity and every third-party dependency sitting underneath it.

If you are building out your broader PR and communications capability, the PR & Communications hub at The Marketing Juice covers the strategic foundations that sit underneath effective risk management, including narrative development, media relations, and measurement.

What Does a PR Risk Register Actually Look Like?

A risk register sounds like a compliance exercise. In practice, it is one of the most commercially useful documents a communications team can maintain, provided it is built with honesty rather than optimism.

The structure is straightforward. For each identified risk, you capture: what the risk is, what triggers it, how likely it is, what the impact would be, who owns it, and what the pre-agreed response is. The discipline is in the honesty of the likelihood and impact assessments. Most risk registers fail because teams rate everything as low-probability to avoid uncomfortable conversations.

The categories worth mapping for a communications team include:

  • Operational risk: Campaign delivery failures, third-party supplier issues, licensing or rights problems, production delays that force last-minute changes
  • Spokesperson risk: Executive conduct, off-message interviews, social media behaviour from senior leaders or brand ambassadors
  • Content risk: Messaging that lands differently in different markets, cultural missteps, claims that cannot be substantiated under scrutiny
  • Data and privacy risk: Breaches, misuse of customer data, regulatory non-compliance that becomes public
  • Third-party risk: Partner brands, suppliers, agencies, or influencers whose conduct reflects on your organisation
  • Competitive risk: Competitor activity that reframes your positioning, hostile narratives in the media, coordinated negative campaigns
  • Internal risk: Leaks, disgruntled employees, whistleblower disclosures, internal disagreements that become external stories

The Vodafone situation I described falls squarely into operational risk. We had a mitigation in place (the A&R consultant), but the mitigation was not sufficient. That is the lesson: having a control does not mean the risk is managed. It means the risk is partially addressed. The register needs to reflect residual risk after controls, not just the existence of controls.

The Decision-Making Structure Is More Important Than the Plan

Every organisation I have worked with has a crisis communications plan. Very few of them have a decision-making structure that would actually function under pressure.

The difference matters enormously. A plan tells you what to do. A structure tells you who decides, in what timeframe, with what level of authority, and what happens when the person who is supposed to decide is unavailable. When a crisis hits at 11pm on a Friday before a bank holiday weekend, the plan is largely irrelevant if no one knows who can approve the holding statement.

I have seen this failure mode repeatedly. A brand faces a reputational issue. The communications team drafts a response quickly and correctly. The response then sits in an approval chain involving legal, the CEO’s office, and a regional director who is in a different time zone. By the time approval comes through, the story has moved, the framing has hardened in the media, and the window for a measured, credible response has closed. The brand ends up looking slow and defensive rather than composed and in control.

The structural requirements for effective PR risk management are:

  • A named crisis lead with clear authority to approve holding statements without escalation
  • A defined escalation threshold that distinguishes issues requiring CEO involvement from those that do not
  • Pre-agreed holding language for the most likely scenarios, so the first response does not require a drafting process under pressure
  • Out-of-hours contact protocols that are tested, not assumed
  • A legal liaison who understands communications timelines and does not treat every statement as a document requiring three rounds of review

The organisations that manage crises well are not necessarily the ones with the best PR teams. They are the ones where the internal decision-making machinery is fast enough to match the pace of the news cycle.

Scenario Planning: The Tool Most PR Teams Skip

Scenario planning is standard practice in financial risk management. It is underused in communications, which is strange given that the consequences of a communications failure can be just as commercially significant as a financial one.

The mechanics are simple. You identify your ten most plausible risk scenarios, ranging from a product recall to an executive misconduct allegation to a data breach, and you work through each one in a structured session. What is the first public signal? Who finds out internally, and when? What is the first external question you will face? What is the holding position? What does full resolution look like, and what does it require?

The value is not in the outputs. It is in the process. When a team has sat in a room and worked through what a product recall would actually feel like, they respond faster and more coherently when a real one happens. The decisions have already been partially made. The language has already been partially shaped. The accountability has already been partially assigned.

During my time growing an agency from 20 to nearly 100 people, we ran scenario exercises with our largest clients as part of the annual planning cycle. Not because crises were imminent, but because the exercise itself built trust. Clients who had been through a scenario session with us knew that we had thought about their risks seriously. That relationship dynamic mattered when something real did happen.

The scenarios worth running are the ones that feel uncomfortable to discuss. If a scenario is too easy or too abstract, it is not the right one. The productive discomfort of a well-run scenario session is a signal that you are working on something real.

Third-Party Risk Is Systematically Underestimated

One of the more consistent blind spots I see in PR risk management is the treatment of third parties. Brands spend considerable effort managing their own communications behaviour and relatively little effort managing the communications risk embedded in their partner ecosystem.

This includes agencies, influencers, brand ambassadors, licensees, suppliers, and joint venture partners. Each of these relationships carries reputational exposure that the brand will own, regardless of where the conduct originated. The public does not distinguish between a brand’s direct actions and the actions of parties operating under its banner.

The music licensing issue in the Vodafone campaign is one version of this. But the more common version is the influencer who makes a statement that contradicts the brand’s values, the supplier whose labour practices become a story, or the agency that misrepresents the client’s product in a piece of earned media. These are all third-party risks that land in the brand’s communications environment.

Managing this requires contractual clarity (what conduct standards apply, what approval rights exist, what happens in a breach), regular relationship review, and an honest assessment of which third-party relationships carry the most exposure. The answer is not always the most prominent ones. Sometimes the highest-risk relationship is a mid-tier supplier who operates in a sensitive category with minimal oversight.

Organisations that have thought seriously about this tend to build what amounts to a communications due diligence process for significant new partnerships. Before a relationship is formalised, someone asks: what is the worst thing this partner could do, and what would it cost us if they did it? That question, asked consistently, surfaces a lot of risks that would otherwise remain invisible until they are not.

The Accountability Gap: Where Most PR Crises Actually Start

After two decades in agency leadership and client-side work across more than 30 industries, the single most common cause of PR crises I have observed is not bad luck or unforeseeable events. It is accountability gaps. Risks that were visible, but unowned.

An accountability gap occurs when a risk is known to exist but no individual or team has clear responsibility for monitoring and mitigating it. It tends to emerge at organisational boundaries: between the brand team and the legal team, between the agency and the client, between the global function and the regional operation. Everyone assumes someone else is watching it.

The Forrester analysis of high-profile corporate failures consistently points to this pattern. Risks that were surfaced in internal discussions but never assigned to an owner tend to materialise in the worst possible way. The information existed. The accountability did not.

Closing accountability gaps in PR risk management requires three things. First, every identified risk needs a named owner, not a team or a function, a person. Second, that person needs the authority to act, not just the responsibility to report. Third, there needs to be a regular forum where risk owners report status and escalate issues that are moving in the wrong direction.

This sounds like basic governance, and it is. The reason it fails in practice is that communications teams often lack the organisational standing to enforce it. PR is still treated in many organisations as a support function rather than a strategic one, which means risk management conversations happen around it rather than with it. Changing that dynamic is partly a capability argument and partly a commercial one: the cost of a reputational crisis, in lost revenue, customer attrition, and executive time, is almost always larger than the investment in preventing it.

Monitoring, Early Warning, and the Signal-to-Noise Problem

Effective PR risk management requires a monitoring capability that can distinguish between noise and genuine early warning signals. Most brand monitoring set-ups are better at the former than the latter.

Volume-based alerts, sentiment scores, and share-of-voice metrics are useful for tracking the steady state. They are less useful for detecting the early stages of a reputational threat, which often begins not as a spike in volume but as a shift in the quality of the conversation. A cluster of credible journalists starting to ask similar questions. A pattern of negative commentary from a specific community that has not yet reached mainstream attention. A competitor narrative that is gaining traction in a way that will eventually touch your brand.

The signal-to-noise problem is real. Organisations that monitor everything tend to respond to nothing because the alert volume is too high to be actionable. The more useful approach is to define a small number of specific early warning indicators for your highest-priority risks and monitor those with more precision. If executive conduct is a risk category, what are the specific signals that would indicate it is moving from latent to active? If product safety is a risk category, what does the early-stage conversation look like before it becomes a story?

The organisations that handle this well tend to have a human layer in their monitoring process, someone who reads the signals rather than just counts them. Automated tools are a perspective on what is happening. They are not a substitute for judgment about what it means.

For a broader view of how communications strategy connects to commercial outcomes, the PR & Communications section of The Marketing Juice covers the full range of strategic considerations, from media relations to measurement frameworks.

Building a PR Risk Culture, Not Just a PR Risk Process

Process without culture fails. A risk register that no one updates, a crisis plan that no one has read, a scenario exercise that happened once three years ago and was never repeated: these are theatre. They create the appearance of risk management without the substance of it.

Building a genuine PR risk culture means making risk awareness part of how the communications function operates day to day, not a separate compliance activity that sits alongside the real work. It means creating an environment where people surface potential problems early without fear of being seen as negative or obstructionist. It means treating near-misses as learning opportunities rather than events to be quietly forgotten.

The Vodafone campaign I mentioned earlier became a case study we used internally for years afterward. Not because the outcome was good (it was stressful and expensive), but because the near-miss taught us something specific about the limits of our third-party risk controls that we would not have learned any other way. That experience directly shaped how we structured licensing oversight on subsequent campaigns. The learning had commercial value precisely because we were honest about what had gone wrong.

The organisations that build genuine PR risk culture tend to have senior leaders who treat reputational risk with the same seriousness as financial risk. That tone from the top matters. When the CEO asks about PR risk in the same breath as revenue risk, the organisation takes it seriously. When PR risk is treated as something the communications team handles quietly in the background, it tends to stay there until it becomes a crisis that can no longer be handled quietly.

Effective risk management in communications is not a defensive posture. It is a commercial one. Brands that manage their reputational risk well spend less time in crisis mode, maintain stronger media relationships, and retain the trust of customers and stakeholders more consistently over time. That is not a soft benefit. It is a measurable commercial advantage.

About the Author

Keith Lacy is a marketing strategist and former agency CEO with 20+ years of experience across agency leadership, performance marketing, and commercial strategy. He writes The Marketing Juice to cut through the noise and share what works.

Frequently Asked Questions

What is risk management in public relations?
Risk management in public relations is the process of identifying, assessing, and preparing for threats that could damage an organisation’s reputation, relationships, or commercial standing. It covers everything from crisis communications planning and spokesperson management to third-party conduct, licensing issues, and internal leaks. The goal is to shift PR from reactive damage control into a pre-emptive capability that reduces both the likelihood and the impact of reputational events.

What should a PR crisis communications plan include?
A PR crisis communications plan should include a named crisis lead with clear approval authority, pre-agreed holding statements for the most likely scenarios, a defined escalation threshold that distinguishes issues requiring CEO involvement from those that do not, out-of-hours contact protocols, and a legal liaison process that can operate within news cycle timescales. The plan is only useful if the decision-making structure behind it is fast enough to function under real pressure.

How do you identify PR risks before they become crises?
Identifying PR risks before they escalate requires a combination of structured risk registers, regular scenario planning exercises, and a monitoring capability that goes beyond volume metrics. The most useful early warning signals are often qualitative: a shift in the tone of journalist enquiries, a pattern of negative commentary from a specific community, or a competitor narrative gaining traction that will eventually affect your brand. Automated monitoring tools help, but they need a human layer to interpret what the signals mean.

What is third-party PR risk and how should brands manage it?
Third-party PR risk is the reputational exposure that comes from the conduct of agencies, influencers, brand ambassadors, suppliers, licensees, and other partners operating under or alongside a brand. The public does not distinguish between a brand’s direct actions and those of parties associated with it. Managing this risk requires contractual conduct standards, clear approval rights, regular relationship reviews, and a due diligence process for significant new partnerships that explicitly asks what the worst-case communications scenario would be.

How often should PR risk assessments be updated?
PR risk assessments should be reviewed at least quarterly and updated whenever there is a significant change in the business environment, such as a new product launch, a leadership change, a major campaign, a market entry, or a shift in the competitive or regulatory landscape. Risk registers that are built once and filed away lose their value quickly. The most useful risk management processes treat the register as a live document with named owners who are accountable for keeping their sections current.
