Reputation risk is a strategic business issue for many senior executives today, and yet few know how to address it well.
Historically, reputation risk fell under the domain of the corporate communications team—“but those kinds of professionals usually don’t think about reputation as a risk; they think of it more as a brand issue,” says Andrea Bonime-Blanc, head of consulting firm GEC Risk Advisory, and author of a book on reputation risk.
Today’s hyper-connected world, where social media escalates issues instantaneously, “can threaten your reputation more significantly than in the past,” said Clayton Herbert, group chief risk officer for Australia-based insurance company Suncorp. “As a result, there’s more sensitivity to reputation risk in the context of those types of social developments and technology developments.”
Herbert’s comment comes from a recent study conducted by Deloitte, in which 87 percent of more than 300 directors, senior officers, and chief risk officers rated reputation risk as more important than any other strategic risks that their companies face. An additional 88 percent said they’re specifically focused on managing reputation risk.
“I’m a former partner with Arthur Anderson, and I spent 30 years building that brand. I consider myself a poster child in terms of reputation risk,” says Jim DeLoach of consulting firm Protiviti. “It’s extremely important.”
As vital as managing reputation risk is, many don’t seem fully aware of their exposure to it. According to the Deloitte report, for example, 39 percent of respondents rate the maturity of their reputation risk programs as “average” or “below average,” and only 19 percent grade themselves an “A” on their ability to manage reputation risk.
“Most companies today are at a low level of proficiency,” says Chuck Saia, chief risk, reputation, and crisis officer at Deloitte. Generally when companies experience events that affect their reputation, they are reacting to it rather than having done much to prepare for it. “Too many companies are caught off guard by reputational-impacting events,” he says.
At its core, effective reputation management is embedded into overall enterprise risk management. That means assessing reputation risk begins with identifying risks that could occur, “and then thinking about what the reputational consequences might be if you’re not prepared to deal with that risk properly,” Bonime-Blanc says.
“Reputation is an ‘amplifier risk,’ because it attaches itself to other risks.”
Andrea Bonime-Blanc, Head of GEC Risk Advisory
As the Deloitte report points out, a wide range of other business risks drive reputation risk: fraud, bribery, and corruption; cyber-risk; product and safety risk; third-party risk, and more. “Reputation is an ‘amplifier risk,’ because it attaches itself to other risks,” Bonime-Blanc says.
The five components of good reputation risk management are strategic alignment; cultural alignment; a commitment to quality; strong operational focus; and organizational resiliency. “These are the five broad areas around which to manage reputation risk,” DeLoach says. “Those risks, if allowed to get out of control, can lead to a significant reputation hit.”
As a result, companies should ensure that they’re integrating reputation risk into programs and processes they already have in place. “For example, if you have an ERM program, is reputation risk in that portfolio of risks?” Bonime-Blanc says.
Assessing reputation risk also involves lots of communication, with lots of people. “Looking at assessing customer satisfaction and consumer loyalty gives the company a sense as to how strong its reputation is with that key stakeholder,” DeLoach says. The same holds true with shareholders, regulators, third parties, and employees. “You’re really trying to assess their perception about your organization and your ability to deliver according to your brand, he says.
REPUTATION RISK ISSUES
Below Deloitte explores what issues can affect a company’s reputation.
A company’s reputation is affected by its business decisions and performance across a wide range of areas.
Financial performance. Shareholders, investors, lenders, and many other stakeholders consider financial performance when assessing a firm’s reputation.
Quality. An organization’s willingness to adhere to quality standards goes a long way to enhancing its reputation. Product defects and recalls have an adverse impact.
Innovation. Firms that differentiate themselves from their competitors through innovative processes and unique/niche products tend to have strong name recognition and high reputation value.
Ethics and integrity. Firms with strong ethical policies are more trustworthy in the eyes of stakeholders.
Crisis response. Stakeholders keep a close eye on how a company responds to difficult situations. Any action during a crisis can ultimately affect the company’s reputation.
Safety. Strong safety policies affirm that safety and risk management are top strategic priorities for the company, building trust, and value creation.
Corporate social responsibility. Actively promoting sound environmental management and social responsibility programs helps create a reputation “safety net” that reduces risk.
Security. Strong infrastructure to defend against physical and cyber-security threats helps avoid security breaches that could damage a company’s reputation.
“At the end of the day, reputational risk is all about your stakeholders’ expectations of your behavior, and if you’re living up to their expectations, you’re reputational risk will be minimized in terms of negative impact,” Bonime-Blanc says.
Reputation risk management has less to do with internal controls, and more to do with having a strong governance model “to ensure you’re protecting, preserving, and enhancing your reputation the right way,” Saia says. In many companies, a decentralized model to do that is becoming a thing of the past, he says.
Historically, many in the legal, risk, audit, and compliance profession haven’t always spoken the same language as business units, “because we operate in our separate silos,” Bonime-Blanc says. Reputation, however, is a risk that relates to everybody. “So I encourage folks who are in those functions—legal, compliance, risk, and audit—to think of reputation risk as a way to bridge the gap that exists between what they do and what the business does,” she says.
Enhancing reputation risk management means bringing together your strategic risk, communications, legal counsel, and government and regulatory affairs teams. “By having those inter-dependencies working together to address current and emerging reputation issues, you enable an organization to make timely and informed decisions, reducing surprises and adverse broad impact,” Saia says.
Many companies are, however, starting to invest in solutions to better manage reputation risk. More than half of the surveyed companies say they plan to address reputation risk by investing in technology, such as analytical and brand monitoring tools. At Deloitte, for example, “we use 24/7 ‘listening’ technologies to provide us with better visibility and intelligence on issues and stakeholders in both social and mainstream media to drive strategic risk-based decisions,” Saia says.
Crisis management is another crucial component of effective reputation management. “Start having exercises where you start to integrate ‘what if’ scenarios,” Bonime-Blanc advises. Put the board and senior officers through crisis-planning exercises using potential scenarios that could affect your company from a reputation standpoint. Having portions of that scenario deal directly with the personal reputations of directors or senior officers also is a good idea.
“One part of my job is to keep ‘evangelizing’ about risks and our preparedness,” Enrique Alanis, chief risk officer for building materials company CEMEX, said in the Deloitte report. “We are constantly updating the crisis management team and documenting how we are handling crises so we learn for the next one.”
Saia also advises having the right people on the team during these exercises, including someone from internal communications, public relations, and the government and regulatory affairs team. Additionally, he says, if the event affects a particular business, include the risk officer of that business unit on that team.
“It’s all about creating organizational resilience,” Bonime-Blanc says. “It’s all about knowing where your risks are, addressing them, integrating them into your portfolio, considering them as part of your business strategy.”