Reputation Risk – Internal Audit

What is Reputation Risk and how can Internal Audit approach it with confidence?

Risk to reputation is one of the most topical risks discussed by a board, yet few people in senior management understand it. At a functional level it is not owned in the way financial risk is owned by the Chief Financial Officer or information security by the Chief Technical Officer. Reputation is not owned by Corporate Communications, as it is determined by behaviour, not by press releases. The Chief Risk Officer produces a risk register showing threats by probability and severity, yet reputation damage often evades scrutiny as it is impossible to predict and impossible to value.

Ownership is critical for the audit function to determine whether risks are properly managed. It is tempting to deduce that where a risk is not owned it is not managed, yet with reputation it is never this simple. Often reputation is managed indirectly through good governance as reputation damage is often, although not always, a consequence of operational failure. In order to understand why you don’t find many Chief Reputation Officers it is necessary to consider what we mean by reputation and reputation risk.

What is reputation risk?

Reputation is a relational construct: you have a relationship with someone and this is typically for something. It is thus about behaviour, and the past is taken as an indicator of the future. While it is hard to put a monetary figure on a relationship, there is an accepted value. Your reputation with others is determined by their experience, knowledge or belief about you. Thus reputation is more accurately a perception of character. It follows that, as this perception is in the minds of others, you cannot directly control it. Risk to reputation, by contrast, is within your control; it is determined by how well you meet the expectations of others, and hence you can reduce the risk. Risk control is about reducing uncertainty.

The management of reputation risk is therefore both the art and science of meeting the expectations of other parties, whom we call stakeholders. Many organisations fail to measure expectation among their stakeholders, so they cannot possibly be managing reputation risk, despite what they claim in company reports. Risk to reputation occurs when behaviour falls well below (threat) or well above (opportunity) that which any ‘stakeholder’ audience had expected. Managing risk to reputation requires awareness of how corporate behaviour affects the perception of suppliers, employees, customers and investors, as well as many other secondary stakeholders.

How does reputation differ from other risks?

Most risks identified in a risk register have an owner and an indication of their potential impact on business continuity. Financial impact or severity is to some extent calculable, as is the probability of occurrence. Reputation risk, by contrast, is very hard to predict because of the human element and the very unpredictability of behaviour. The CEO may surprise investors through an incautious remark in the same way that a customer services operative may upset a customer. Reputation damage is never deliberate and always accidental, and so it is unpredictable.

Not only is reputation risk hard to predict, but the impact or severity of damage is also incalculable; this depends on three things. Firstly, unlike other risks, the handling of the impact event will influence the extent of the damage: speed of response is critical, whether that response is remedial action to address the crisis itself or an admission of culpability or expression of contrition. Secondly, the extent of damage will also be influenced by the prior health of reputation: the goodwill in the bank of public trust, or ‘forgiveness factor’. The third determinant is the source or cause of the impact event itself. Could the event have been avoided, and to whom does blame attach itself?

Why does reputation risk matter?

Reputation risk can have an enormous impact on value, but the amount is always determined by individual circumstances. In a business financed by shareholders the confidence of investors is critical; a poor reputation among investors will directly reduce the company value, and they can vote or lobby for a change in CEO or top team. In the public sector a poor reputation among citizens and taxpayers will reduce trust in local or national government, so that ultimately the incumbent political party will be ejected by the voters. Reputation matters because a bad one is an indictment of leadership quality and a precursor of change.

Who should be managing it?

This is the question all Internal Auditors ask, and for which there is no easy answer. The CEO should be managing it but invariably doesn’t formally do so. As a cultural or behavioural risk there is a case for laying responsibility with Human Resources or Personnel. Marketing and Communications as a function should be monitoring audiences and may be aware of stakeholder expectations, but reputation is a behavioural, not a communications, risk. The Finance function might try to manage it as a principal or strategic risk, but as it is impossible to value there are difficulties here. The risk function might take responsibility for managing reputation risk, and some organisations try to integrate it within their ERM framework, but the nature of the risk makes it very difficult to monitor effectively.

European regulations for harmonisation of banking and insurance (Basel II and Solvency II) recognise that reputation risk does not require any capital to be held in reserve to cover it, so there is no requirement to value it as such. These regulations do, however, require a rigorous system of governance to be in place (Pillar II), and it will be necessary for the Risk function to show how it incorporates the control of soft risks like reputation within internal frameworks. As a result the question of ownership will remain a hot topic for at least the next few years. Reputation risk is ultimately one of corporate culture. Damage arises where there is value misalignment or value conflict, and these concepts are hard for CROs and CFOs to grasp as they are not usually comfortable with intangible values.

How should reputation risk be managed?

Let’s look at the major causes of reputation damage. Misalignment of value is where the behaviour of an organisation diverges from its principles, for example where a sales culture leads to a focus on the bottom line at the expense of ethical business practice. This type of risk is avoidable but requires an external audit, as invariably the risk is not evident internally. By contrast, conflict of values normally occurs where a third party outside the control of your organisation has the capacity to contaminate your reputation through association with it. This is important where suppliers, agents or partners are integral to your customer or investor relationship. This type of risk is hard to control, as it occurs when the values of your supplier are not exactly the same as yours, and so this risk must be mitigated.

Managing an avoidable risk is simple, as it requires only awareness and good governance to spot an ethical risk. It is just a matter of who is responsible for this. Managing an intrinsic contamination risk from a third party is more difficult, but it can be mitigated through good governance and thorough supplier vetting. Managing reputation risk requires careful examination of relationships, both internal and external. The aim of effective management of reputation risk is to ensure value alignment of all parties who contribute to your reputation with stakeholders, irrespective of whether these are customers, employees, partners, investors or any other significant interest group.

Managing reputation requires an awareness of stakeholder expectation in relation to company performance or behaviour. There will always be a gap between the two, and stakeholder expectation normally tracks above company performance. Stakeholders have information from a wide variety of sources, and their expectations are built on their knowledge of other companies and markets. Managing reputation is therefore managing the size of the gap; this requires a dual strategy of managing stakeholder expectations and improving company performance. It is not sensible to do one without the other. Effective reputation risk management requires information on stakeholder expectations as a foundation. This requires information on perceptions about the company, which is not the same as satisfaction surveys.

What should Internal Audit look for in Reputation Risk?

In any organisation employing the three lines of defence, Internal Audit is the third line. In the first line, management should be determining strategy and appetite for operational risks, so hopefully reputation is covered to some extent here. In the second line, functional responsibility for risk control lies with specific departments such as Finance and Risk, and here good governance and quality control should address reputation risk as a consequence of potential functional failure. Internal Audit as the third line effectively provides independent assurance to check that risks are properly managed. The focus of an internal auditor is to determine whether risk is being managed, not how the risk is being managed.

There are of course examples in the Financial Services sector where the risk paradox applies. This is where risk taking is an intrinsic part of the business, so the risk control function tends to be seen as at best a hindrance, or at worst something to be over-ruled. At both HBOS and AIG there is some evidence that the risk function was denied a voice in questioning risk in the business model. Where the Head of Risk reports to a CFO, it is clear that Risk is not seen as a strategic issue, compared to organisations where the CRO has a voice in strategic decisions about the business. An effective Internal Auditor will need to be aware of both the risk paradox and boardroom politics.

©2010-2012 Chiron Reputation Risk Consultants
25 St. Thomas Street, Winchester, Hampshire SO23 8RZ