28 July 2009
Risk to reputation is one of the most topical risks discussed by a board yet few people in senior management understand it. At a functional level it is not owned like financial risk by a Chief Financial Officer or information security by a Chief Technical Officer. Reputation is not owned by Corporate Communications as it is determined by behaviour not press releases. A Chief Risk Officer produces a risk register showing threats by probability and severity, yet reputation damage often evades scrutiny as it is impossible to predict and impossible to value.
Assigning ownership is important to determine whether risks are properly managed. It is tempting to deduce that where a risk is not owned it is not managed, yet with reputation it is never this simple. Often reputation is managed indirectly through good governance as reputation damage is often, although not always, a consequence of operational failure. In order to understand why you don’t find many Chief Reputation Officers it is necessary to consider what we mean by reputation and reputation risk.
Reputation is a relational construct: you have a relationship with someone and this is typically for something. It is thus about behaviour and the past is taken as an indicator of the future. While it is hard to put a monetary figure on a relationship, there is an accepted value. Your reputation with others is determined by their experience, knowledge or belief about you. Thus reputation is more accurately a perception of character. It follows that as this perception is in the minds of others you cannot directly control it. Risk to reputation by contrast is within your control; it is determined by how well you meet expectations of others and hence you can reduce the risk. Risk control is about reducing uncertainty.
The management of reputation risk is therefore both the art and science of meeting expectations of other parties we call stakeholders. Many organisations fail to measure expectation among their stakeholders so cannot possibly be managing reputation risk, despite what they claim in their published reports. Risk to reputation occurs when behaviour falls well below (threat) or well above (opportunity) that which any ‘stakeholder’ audience had expected. Managing risk to reputation requires awareness of how behaviour affects the perception of suppliers, employees, customers and investors as well as many other secondary stakeholders.
Most risks identified in a risk register have an owner and an indication of their potential impact on business continuity. Financial impact or severity is to some extent calculable, as is the probability of occurrence. Reputation risk by contrast is very hard to predict because of the human element and the very unpredictability of behaviour. A secretary of state may surprise the Treasury or PMDU through a bold remark intended for the press; so also might a member of his department upset a partner agency or customer. Reputation damage is never deliberate and always accidental so is unpredictable.
Not only is reputation risk hard to predict but the impact or severity of damage is also incalculable; this depends on three things. Firstly, unlike other risks the handling of the impact event will influence the extent of the damage: speed of response is critical, whether remedial to address the crisis itself or admit culpability or contrition. Secondly the extent of damage will also be influenced by the prior health of reputation: the goodwill in the bank of public trust or ‘forgiveness factor’. The third determinant is the source or cause of the impact event itself. Could the event have been avoided and to whom does blame attach itself?
Reputation risk can have an enormous impact on value, but the amount is always determined by individual circumstances. In the public sector value is expressed in terms of trust and confidence in the service provider. A poor reputation among citizens and tax payers will reduce trust in government so that ultimately the incumbent political party will be ejected by the voters. When the PM loses confidence in one of his ministers he is quick to appoint a replacement. Reputation matters because a bad one is an indictment of leadership quality and inevitably a precursor of change.
This is the question all responsible boards ask and for which there is no easy answer. The permanent secretary will manage the minister’s expectations but he is only one stakeholder. As a behavioural risk there is a case for laying responsibility with Human Resources, but this is rare. Marketing and Communications as a function should be monitoring audiences and may be aware of stakeholder expectations but reputation is a behavioural not communications risk: it is about what you do not what you say. The Finance function might want to report reputation as a principal risk but as it is impossible to value there are difficulties here. The Risk function might take responsibility for reputation risk and some organisations try to integrate it within their ERM framework, but the nature of the risk makes it difficult to monitor. There is a case for the Strategy function managing the risk but this is rare as few really understand the dynamics of reputation or its relationship with operational risk.
Reputation risk is ultimately one of culture. Damage arises where there is value misalignment or value conflict. Soft risk and intellectual capital are not areas where operational directors feel comfortable.
Let’s look at major causes of reputation damage. Misalignment of value is where the behaviour of an organisation is divergent from its principles, where for example in the commercial world a sales culture leads to a focus on the bottom line at the expense of ethical business practice. In the public sector value misalignment is also possible given the different agendas of career civil servants and elected officials. This risk can be avoided but needs to be identified by an objective party such as an external consultant.
By contrast conflict of values normally occurs where a third party outside the control of your organisation has the capacity to contaminate your reputation through association with it. This is important where suppliers, agents or partners are integral to your customer or investor relationship. This type of risk is hard to control as it occurs when the values of your supplier or delivery agent are different to yours and your customers or investors are not their main focus of attention. This risk must be mitigated.
Managing an avoidable risk requires only awareness and good governance to spot an ethical or cultural risk; it is just a matter of who sees it. Managing contamination risk from a third party is more difficult but can be mitigated through good governance and thorough supplier vetting. Thus management of reputation risk requires evaluation of relationships both internal and external: the aim is to ensure value alignment of all parties who affect your reputation with stakeholders – customers, employees, partners, investors – or any other significant interest group.
Managing reputation requires an awareness of stakeholder expectation in relation to department performance or behaviour. There will always be a gap between the two and stakeholder expectation normally tracks above department performance. Stakeholders have information from a wide variety of sources and their expectations are built on their knowledge of other government departments and private service providers. Managing reputation risk is therefore managing this gap and requires a dual strategy of stakeholder expectation management and department performance improvement. It is not sensible to do one without the other.
There has been a well accepted protocol for risk handling in government ever since the Treasury published the Orange Book in 2004, but reputation is both an intangible and political risk. The reputation of a department is intricately linked to the personal reputation of its minister and his or her ministerial standing in the cabinet. In addition the reputation of the department among partners and customers is intricately linked to the reputation of the political leadership of the day and popularity of the party in government. Reputation among the wider public is to some extent determined by the media as a key influencer and secondary stakeholder.
Reputation can be added to the risk register and a series of metrics can be designed around Trust protection and recovery. It remains very difficult to assign responsibility for reputation risk to any single manager or director because risk to reputation is in reality the responsibility of all those involved with delivery of performance. It is the duty of all staff to ensure that stakeholder expectations are met or at least managed towards being met. Reputation risk being cultural, it is inevitably a shared responsibility of organisational behaviour.
Reputation risk can be identified early using an Early Warning System. A risk radar tool can identify the source of potential damage, but of course this cannot predict magnitude. Through monitoring expectation among diverse stakeholder groups it is possible to identify where expectations run well ahead of delivery and where the potential for disappointment is high. Prompt remedial action will prevent escalation of disappointment and thus avert a crisis. Monitoring reputation risk should be an output of effective stakeholder engagement and feed into strategic planning.
Remember you will have a different reputation with different stakeholders as a function of their diverse perspectives. The key is to know with whom reputation matters most: where trust is vital and where confidence can be most quickly lost.