Carol Williams : Aug 21, 2025 1:17:08 PM
This guest article was first published HERE
Let me be the first to say that even practitioners with many years of experience have lessons to learn, sometimes the hard way.
I only say this to encourage you in your professional journey and growth, but also to relay a story of a recent workshop that went sideways.
The story goes something like this…
A company hired our enterprise risk management consulting firm for help in getting a baseline risk assessment done in preparation for an upcoming Board meeting.
Sounds straightforward, right? At least that’s what one of my long-time consultants and I thought…
For the first phase of this project, we prepared 20 or so risk statements that included root cause and potential consequence, with each risk linked to a specific mission-critical business objective. Despite our best efforts to keep it at a high level, we still had (in their minds) a pretty long list.
On our call with the client to review the list, the client explained they felt the statements were way too complex, didn’t accurately represent the company, and would be difficult to explain to the Board. Not good feedback. And for this to happen on a call on a Friday afternoon, not the way we wanted the client to enter the weekend.
We agreed with the client to re-purpose an existing session on Monday to revisit the situation.
Our first thought immediately after the call was ‘what just happened,’ but after late night Friday and early Saturday email exchanges with the client, a few deep breaths, and taking the weekend to think it over, I decided to start off the Monday session by asking the client some additional questions to better understand what it would take to get comfortable with our approach.
We thankfully concluded the Monday call in a much better place and are now poised to provide the client with the information they need in a format their Board will be able to understand.
This experience has reminded me that you’re never too old to learn something new or be reminded of basic truths.
Specific to this situation, there are four lessons we learned and wanted to share with you.
This company had never worked with us before, but my team and I moved forward as if they were familiar with us, our approach, and our work. With most of our other engagements, the client could say “I know Carol and her team know what they’re doing, and we trust that we’ll get there, even if I’m not fully comfortable with it yet.”
However, since this company was new to both knowing me and working with us, they couldn’t say that. We, as the ERM practitioners, must first earn the trust of the executives. Each client is different for what will earn their trust – whether it is superior outputs, exceptional customer service, or an open willingness to listen, provide viable options, and flex with the client as they learn and determine what they really want.
Once that trust is earned, they will have assurance that we’ll ultimately deliver a valuable product for them.
This is all about the company’s culture, which is something we didn’t fully recognize at the beginning of the engagement. Some companies welcome open discussion, but for others, it’s easier said than done. In this situation, the leadership were comfortable with informal and blunt discussion amongst themselves, but once they started seeing risks all together in writing, they became nervous at the prospect of having to discuss them with the same frankness with the Board.
This made executives at the company nervous about the upcoming Board discussion and how to present the information. We showed them a mockup of how we thought the information should be presented to the Board. This allowed them to see what would be visible to the Board vs what the executive team would have available for talking points, if needed.
The discussion really honed in on providing assurances to the Board that the leadership was aware of the risks associated with the business, which risks are being managed, and which risks are higher than expected and need more resources or focus to achieve the objective. The client executives visibly relaxed when they realized they were not going to have to go line-by-line in an excruciating risk discussion.
The lesson here – read the room. Give them options that reduce the scare factor but still accomplish what needs to be accomplished: management providing assurances to the Board. This includes visual examples of what they could expect as a final product.
If we were working with executives who had at least rudimentary knowledge of the ERM ropes, perhaps our initial approach would have worked better. However, the reality was everyone we were working with was new to ERM. How then can we expect them to welcome us with open arms if they don’t have the slightest idea of what they’re looking at or how the information will be used?
To address this issue, we began with the basics: describing what they can expect during a risk assessment workshop, the typical questions that will be asked, the information they will be expected to share.
We could visibly see the shoulders relax, their faces show a little less concern, as they began to realize this wasn’t as complex as they thought. It becomes doable, especially for these executives who know their business inside-and-out.
If trust hasn’t been built and the company is new to ERM, taking things slowly is one critical step in gaining buy-in for processes and outputs that will produce value for the company down the road.
As practitioners, we have the tendency to go all-in because we’re familiar with the steps that need to happen for the company to make risk-informed decisions. While we may know the lay of the land, they don’t necessarily, which is why baby steps are so important. This may require detailed explanation of where they currently are, the best course for achieving their goal, and what they should expect at the end.
Although the risk statements we created were accurate, they were not appropriate for this client because they were just beginning their risk management journey. Rather than rushing into approving full-blown risk statements, our immediate next step was to get their eyes on the risk titles and identify any gaps or anything that is unclear. This task was more easily accomplished and could keep the progress moving forward.
All these lessons really could be wrapped into one big one, which is…
This is a core responsibility we have as practitioners and/or consultants. Instead of taking a company on a journey we are comfortable with, we must understand their background, knowledge, and perceptions about ERM, available time, mental capacity, and other factors to determine the best approach.
There’s no one-size-fits-all, so what may have worked at one company will not necessarily work at another, even in the same industry.
This situation was a good reminder of this basic truth about ERM and business in general – one my team and I are thankful to have been reminded of, to have bounced back from, and to be moving forward from confidently.
Do you have any experiences where you had to learn important lessons?