Hard to build, easy to destroy: managing reputation risk
May 2018 | FEATURE | RISK MANAGEMENT
Financier Worldwide Magazine
May 2018 Issue
A good reputation is among the most important assets a company can possess. However, this asset is fragile. In the event of a scandal, disaster or accident, a reputation that has taken years of diligence to build can be damaged in the wink of an eye and may, in some cases, be impossible to repair.
Reputation can be difficult to define, given that the perception of what is and is not reputable is ‘in the eye of the beholder’. However, the potential for irreparable reputational damage is why companies are well-advised to continually assess the business risks they face and reduce the possibility of worst-case scenarios.
“Reputation risk is generally defined as the risk to an institution from changes of perception by its key stakeholders, including customers, investors and regulators,” says Daniel Hermansson, engagement manager at Oliver Wyman. “The change of perception can stem from a wide range of events, but is driven by the belief that the future ability of an organisation to deliver on stated goals and performance targets will be worse than previously expected.”
In its 2017 report, ‘The hidden cost of reputation risk: an approach to quantifying reputation risk losses’, Oliver Wyman characterises reputation risk as a “multiplier effect”, where the financial impact of a risk event is exacerbated by the reputational damage it causes. “As such it is important for organisations to understand what type of risk events have the largest potential reputational risk impact (e.g., where the direct financial impact to the business is small, but the reputational cost is extensive) and take that into consideration when assessing the risk of its current businesses or some potential new venture”, states the report.
In the view of Alexander Stein, founder of Dolus Advisors, the difficulties in managing reputation risk are compounded by companies engaging in what he calls “reputation theatre”, the equivalent to security theatre, which is the practice of investing in countermeasures intended to provide the feeling of improved security while doing little or nothing to actually achieve it.
“Their default position to potential reputational risk is defensive,” suggests Dr Stein. “A near-paranoiac anxiety about all the ways their brand could be attacked or besmirched. Consequently, they fixate on manipulating perceptions about image above all else with the goal being to pre-empt any possible crisis.”
Key areas for focus
The management of reputation risk is a complex endeavour. In its 2016 report, ‘Board Oversight of Reputation Risk’, Protiviti sets out 10 keys to help companies anticipate and prepare for reputational attack: (i) effective board oversight; (ii) integration of risk into strategy-setting and business planning; (iii) effective communications and image (and brand) building; (iv) strong corporate values, supported by appropriate performance incentives; (v) positive culture regarding compliance with laws, regulations and internal policies; (vi) priority focus on positive interactions with stakeholders; (vii) quality public reporting; (viii) strong control environment; (ix) company performance relative to competitors; and (x) world-class response to a high-profile crisis.
“While a one-size-fits-all approach does not exist, how a company addresses these keys will help shape its reputation over time,” notes the report. “Reputation risk management is inextricably linked to the risk management and crisis management disciplines, as well as to a company’s alignment of strategy and culture, and its commitment to quality and operational excellence.”
Another area where attention needs to be focused, and at the board level in particular, is social media and the impact the platform can have on moulding public opinion to the detriment of a company’s reputation. “Social media has given everyone a voice and companies are finding out that even small issues can quickly escalate into reputation-damaging news stories,” says John Palmiero, senior vice president of EMEA at MetricStream.
“Boards need to understand that social media is no longer simply something the kids do, but a platform for public opinion,” he continues. “Companies need to proactively monitor social platforms in order to gain an understanding of current sentiment and whether it is likely to change. When sentiment shifts quickly to be at odds with company practices, businesses can be caught like a rabbit in the headlights and not react quickly or sufficiently to issues. This will have an impact on reputation.”
The tendency to be caught largely unaware and unprepared stems from companies behaving reactively rather than proactively to risk. Food for thought is how to change often rigid mindsets.
“While it is common for a company to identify reputation risk as one of its most important risks, it is generally not a risk that is consistently and proactively managed,” suggests Mr Hermansson. “Much of the focus has historically been on crisis management after an event has occurred, rather than understanding a company’s reputational risk exposure beforehand and looking to manage and mitigate it. This has been largely driven by a difficulty in defining and quantifying reputational risk losses. This should be an area of focus for a company’s senior leadership.”
Establishing policies and procedures
Once reputation risks, as far as they can be ascertained, have been identified, the next stage in the journey toward resilience and sustainability is implementing policies and procedures that can effectively manage them.
According to Dr Stein: “It is a question of deciding which mechanism can best mitigate or help avoid the two major classes of reputational risk. First, external – those caused by an act of malice or other damaging impact event. Second, internal – those which are self-inflicted by avarice, hubris, ineptitude, negligence, denial, wilful blindness or idiocy.” That said, even though the implementation of clearly articulated, sensible and realistic policies and procedures is important, in many cases they prove inadequate to the task.
“Many companies, especially those for which trust is central to brand, tout robust corporate ethics, culture and compliance standards not merely as bulwarks against misconduct and regulatory scrutiny, but as key to their reputation management apparatus,” says Dr Stein. “However, ethics and mandated ethical conduct are not synonymous. Companies serious about creating a culture of ethics are philosophically and operationally different from those merely adhering to compulsory guidelines as a necessary means of avoiding sanction and reputational fallout.”
Indeed, implementing policies and procedures is one thing; embedding a strong values and principles culture into a company’s DNA is quite another. “People are the critical element,” adds Dr Stein. “Together with senior leadership, often also in consultation with specialist advisers, companies serious about building and preserving an authentically unimpeachable reputation will need to establish a corporate vision aligned with its commercial mission, and ensure this is legitimately supported in practice across the enterprise.”
For Mr Hermansson, while acknowledging that policies and procedures are an important element, it is more important to ensure that reputation risk is properly embedded in a company’s key strategic business processes, such as deciding growth targets, launching a new product and expanding to a new geographic market. “Many companies will have a process in place where a committee notionally considers reputation risk, but having truly effective reputation risk management practices requires being able to do detailed analysis of the specific risk drivers and quantification of the potential financial losses, even if simply to ensure the committee can make more informed decisions. This is harder to do and rarer to see in practice,” he suggests.
The emergence of a cluster of revolutionary technologies, such as artificial intelligence (AI), is well-known for its potential to disrupt the status quo. However, while it undoubtedly has the ability to deliver tremendous value for companies, AI is problematic in terms of its potential for being utilised as part of a reputation risk management strategy.
“Managing risks tends to be a reactive process and AI can help change the approach,” says Mr Palmiero. “With its ability to analyse datasets in a moment, companies have access to actionable information that will enable them to spot previously unidentifiable subtle trends. That said, the current fixation on AI could backfire. Computers do not think like humans do and we adapt quickly to each situation that arises. It is humans – employees and outside stakeholders – that create and maintain reputation, so empowering a computer to manage everything may not necessarily have the desired positive effect.”
Additional trends and developments, such as the continuing and seemingly escalating popularity of social media, instant communication and the 24-hour news cycle, are serving to position reputation risk management as ever more important. As a consequence, companies must consider their options for building and protecting their reputation in future.
“When complaints can be shared with millions in a second and potential customers around the world learn about events related to your company continuously on their phone, it is imperative that you consider the reputational damage that events can cause,” advises Mr Hermansson. “It also means that companies will need to be much more proactive both in preventing the events in the first place, as well as in how they manage the aftermath. Spending the time and resources upfront to understand and manage the risk can save a lot of headaches and money further down the line.”
Systems, processes, policies and procedures designed to preserve a company’s reputation can only do so much, of course. Many scandals or crises, although originating in a company’s third-party ecosystem and likely far removed, will rapidly work their way up the supply chain. Quite simply, there is no foolproof way of covering all eventualities.
“No universal formula or system exists to ensure a conflict-free existence,” asserts Dr Stein. “Each company faces risks particular to its operations and market. Some risks may be unavoidable; there will always be unscrupulous competitors, malicious actors, wilful misinformation or some unforeseeable turn of world or social events.”
The advice of Mr Hermansson is for companies to ensure they have the right framework in place to identify current and future reputation risks, quantify and analyse them to understand their relative importance, develop plans to prevent and mitigate them, and ensure that this knowledge is being used when making strategic decisions. “This can require some changes to how things are currently done,” he says, “but when billion dollar losses in market capitalisation are seen from reputation risk impacts, it underscores why it is important.”
Perhaps, when all things are considered, it is the very concept of reputation – how it changes over time and among different stakeholders – that needs to be re-examined. “Reputation alone is not a durable commodity,” adds Dr Stein. “Companies that prioritise reputation over substance will always be more vulnerable than they want to be to fluctuations, vicissitudes and threats outside their control. If a reputation can be destroyed in an instant, it may have been more fragile than was recognised.”
© Financier Worldwide