We’ve talked before about crisis prevention in general. With any of the crises we’ve seen this summer, it would be hard to say, “This came completely out of the blue.” That’s because we all have an inkling of what could happen but few of us want to think about the worst case scenario. But without actually identifying potential crises, a company can never prevent it and will, in turn, not be prepared to deal with it effectively.

So CEOs and General Counsels need to think like their security officers and analyze the risk of a crisis by looking at the company’s vulnerability to a specific threat and identifying ways to lower that risk. Every police officer, federal agent and emergency manager knows the equation:

Risk = Threat x Vulnerability

Threats come in all forms. If you are a food processing company, it could come in the form of some health outbreak caused by a system failure or product tampering. There could be a catastrophic accident (such as we’ve seen recently in the Gulf), environmental harm, either from the accident or manufacturing processes, technological breakdowns, rogue employees (some rogue stockbrokers come to mind). The best way to prevent these potential crises is to sit down with senior management to examine the worst case scenarios, in order of likelihood, and assess the reputational, legal and economic damage each could do to the company.

Next, identify what systems are already in place to prevent these threats from occurring. Where a company can really benefit economically from a crisis audit is by helping the General Counsel see what systems, trainings, and compliance regimes are in place, inadequate, or not properly implemented. Do a cost/benefit analysis on what else could be done to reduce the threat. Sometimes it just isn’t economically feasible to “harden” every target, but keep in mind the cost of the potential legal liability if your inaction could be found “negligent.”

Third, develop a plan of action in the event that this threat becomes a reality. Make it specific, even down to potential messages that could be used in the first few hours. Identify which managers would be on the “crisis response” team and which law firms you would use to handle that particular type of crisis.

Finally, but probably most importantly, make sure these crisis audits are done under privilege, through the auspices of the General Counsel. Bring in unit managers and, ultimately, your PR team, but make sure that all communications go through the legal department.

A crisis audit, if done regularly, will also help you establish an “early warning system” and avoid the crisis before it hits.