Deploying reputational risk 2.0


Dr Andrea Bonime-Blanc – Chief Executive Officer and Founder of GEC Risk Advisory




1. An inflection point

Because of the unrelenting pace of change in this age of digital transformation, explosive social media and rising stakeholder expectations, we are at an important inflection point in organisational reputation risk management.

While companies and other entities (NGOs, government agencies, universities and others) have been managing their brand and reputation for decades (even centuries), most still don’t understand the keen difference between brand and reputation management, on the one hand and reputation risk management and oversight, on the other.

This article distinguishes reputation risk from reputation, places reputation risk into historical context, dissects the ill-fated launch of the Samsung Galaxy Note 7 in 2016 (a case of product safety and quality reputation risk) and concludes with specific qualitative and quantitative reputation risk management tools for leaders and their organisations to consider.

Why do all this? Because properly understanding reputation risk equips organisations and their leaders (C-suite and board) with three critical business tools:

■  Understanding the impact of their most important risks on their key stakeholders and their expectations

■  Blending reputation risk considerations (which have both positive value creation and negative value loss potential) into business planning and strategy

■  Building long-term organisational resilience and the ability to crisis manage effectively

2. Reputation v reputation risk: The reputation iceberg

Reputation risk is a relatively new concept (about 10 years old – see below) that is only partly related to reputation management, a well-known concept tied to the traditional arts of public relations and image and brand management. Here is the working definition of reputation risk from my 2014 book The Reputation Risk Handbook: “Reputation risk is an amplifier risk that layers on or attaches to other risks – especially ESG (environment, social & governance) risks – adding negative or positive implications to the materiality, duration or expansion of the other risks on the affected organisation, person, product or service.”[1]

Reputation risk is thus more closely related to the concepts of enterprise risk management (ERM) – the domain of management and the C-suite – and strategic risk governance (SRG) – the domain of the board. Viewed from the ERM standpoint, reputation risk is cross- disciplinary as it can touch almost any other risk, amplifying it for better or for worse, depending on how well an organisation identifies, mitigates and manages that risk as part of its ERM system and business strategy (see The Reputation Iceberg, below).

Because most organisations still think of reputation risk as a PR concept, they are either not dealing with it or are only touching the tip of that iceberg, i.e. using the traditional concept of reputation management as PR and not delving into the deeper risk and stakeholder expectations analyses that are necessary to protect and add value to the organisation.

The Reputation Iceberg shows how reputation management is the outward-facing domain of PR and brand management while reputation risk management and oversight is internal – managed by a cross-section of inter-disciplinary experts, integrated into strategy by the executive team and considered as part of strategic risk governance at the board level. Some of the key questions that need to be asked include:

■  Does the company understand its principal risks?

■  If so, has it prepared appropriate programmes, policies, controls and resolution teams to deal with those risks?

■  Has reputation risk analysis been applied to the most salient risks (including strategic risks to report to the board) emanating from the ERM process?

■  Have we integrated risk management into strategy and surfaced the primary strategic risks to the C-suite and the board through effective ERM and strategic risk governance?

This is the essence of effective qualitative reputation risk management.

3. Reputation risk in historical context

Let’s now place the concepts of ‘reputation’ and ‘reputation risk’ in historical context to understand how, when and why the latter rose in prominence. Here is a brief history divided into five phases (see graphic below):

a) Reputation 1.0 – the Socratic definition (400 BC through mid-20th century) Reputation as a concept emerges more than 2,000 years ago, and is nicely encapsulated by Socrates as follows: “Regard your good name as the richest jewel you can possibly be possessed of – for credit is like fire; when once you have kindled it you may easily preserve it, but if you once extinguish it, you will find it an arduous task to rekindle it again. The way to a good reputation is to endeavour to be what you desire to appear.”[2]

b) Reputation 2.0 – the rise of brand and public relations (circa 1950-2000) Fast-forwarding 5,950 years to the mid-20th century, we witness the rise of brand management, television and mass advertising, of Madison Avenue and the art of public relations. As Warren Buffet famously said during this period: “It takes 20 years to build a reputation and five minutes to ruin it.”.

c) Reputation 3.0 – the evolution of brand and reputation metrics (1990s through to today) As the concept of brand matures and the role of public relations and marketing grows, we see an evolution in brand management to something that includes metrics, measurement and rankings, including, for example, the RepTrak metrics developed by the Reputation Institute to measure the reputation of companies, countries and other entities.

d) Reputation risk 1.0 – The ‘risk of risks’ is born (early 2000s through 2016/2017) Enter ‘reputation risk’ as a concept in the early 2000s. Prescient as always, the Economist Intelligence Unit nailed it in its 2007 report, calling reputation risk the ‘risk of risks’. And with that a new wing of inquiry arose.

By 2013, a couple of professional services firms published surveys showing that reputation risk had become one of the top five to 10 strategic risks boards and executives were concerned about. And why suddenly? Simply put: the birth and viral global spread of social media where anyone can say anything about anyone – good, bad or ugly, false, true or otherwise.[3]

e) Reputation risk 2.0 – the battle to quantify reputation risk begins (2016/2017) In response to the age-old business imperative that ‘you can’t manage what you can’t measure’ as well as regulatory pressures (mainly in the EU focussed on the financial sector), some reputation risk quantification efforts have now begun in earnest, including by reputation metrics pioneer, Dr Leonard J. Ponzi, together with this author. Some of the key concepts we have been developing include:[4]

■  Stakeholder reputation studies – research studies that are based on a variety of stakeholder respondents that rate a company on customised reputation attributes mapped to specific risks

■  Media studies – a media-tracking tool is used to build the model in terms of the likelihood and impact of reputation risk events.

Other questions asked:

■  What is the total value of reputation risk to our company?

■  For each specific risk or event, what is the reputation value at risk?

■  What should be our budget for mitigating a risk?

■  What is the ROI?

While these quantitative reputation risk assessment efforts are still in their early stages and are not necessarily a science (at least not yet), they represent increasingly disciplined methodological approaches which, combined with qualitative reputation risk management can provide companies a robust tool to manage reputation risk. With the emergence of more sophisticated forms of data analytics and artificial intelligence happening as we speak, these efforts may lead to something heretofore considered impossible. Stay tuned.

“It is time for boards and executives to wake up to the fact that reputation risk management and oversight are not about reputation management”

4. Better reputation risk management and oversight: lessons from Samsung Galaxy Note 7

Most readers of this article will be familiar with the Samsung Galaxy 7 Note new product release crisis that occurred in the late summer of 2016, which led, after several missteps and deepening quality and safety concerns, to a complete product recall.

Within a couple of weeks of the new product launch, several cases of product quality defects (resulting in small explosions and fires) became known. Samsung initially appeared to manage the crisis and PR aspects of the crisis relatively well. But then things went wrong, very wrong. The new product was completely withdrawn from the market, after a series of stumbles by the company that seriously affected its reputation in the marketplace as well as beginning to have serious financial consequences. At the time of writing, the latest information available was that Nomura Securities estimated that the decision to ditch the Note 7 would cost Samsung $9.5billion in sales and put a $5.1billion dent in profit between October and the end 2017.[5]

Applying reputation risk 2.0 to the Samsung case: lessons for the C-suite and the board How would effective reputation risk management have helped in this situation? While we can only speculate whether some of these measures took place within the company, we can suggest that the following would constitute elements of an effective reputation risk management strategy:

■  Enterprise risk management First, an extensive and effective ERM system would be in place to determine all the relevant risks that a company like Samsung faces. Product quality and product safety risks would have to be high on the risk register and would have to be identified as key risks for which necessary and desirable policies, controls and procedures (including product defect reporting and testing) would be in place. Additionally, effective ERM can only exist in an environment of c-suite and board support

■  Stakeholder analysis Second, Samsung would also need to have a keen understanding of who its key stakeholders are. In this case, those with an important stake in the proper and safe operation of a consumer product, such as  the Galaxy Note, would include costumers, dealers, the regulator, airlines and the flying public (many airlines forbade the carrying of this Samsung phone product on their flights for several months during this critical period)

■  Qualitative reputation risk assessment Third, Samsung would have conducted some form of qualitative reputation risk assessment, including crisis scenario planning, risk brainstorming and other exercises, to evaluate the consequences of risk gone wrong, including impacts on the expectations of their key stakeholders. One could only expect that product safety would have been a key topic of concern and analysis in terms of its possible impact on the consumer

■  Cross-disciplinary risk and crisis teams Fourth, coordinated cross-disciplinary risk management and crisis management teams need to be at all times deployed within a company

■  Quantitative reputation risk assessment Fifth (and this is where the 2.0 part of reputation risk 2.0 comes in), a highly evolved and responsible company will also undertake the additional, periodic step of assessing its reputation risk from a more quantitative and metrics-based standpoint[6]

To underscore our analysis of the Samsung case above, below is a chart from RepRisk AG of the key ESG issues (from its ESG issue identification list), showing how, since 2012, Samsung has had serious risks identified through systematic data analytics of media and social media for the risks we identified above: see, under ‘Employee Relations’ – ‘Occupational Health & Safety Issues’ and under ‘Cross-Cutting Issues – Products [Health and Environmental Issues]’. See the ESG Issues Heat Map below).

Finally, Table 7 below is an excerpt from a ‘reputation risk management toolkit’, from The Reputation Risk Handbook, showing some of the 15 risk assessment related measures that are part of a robust ERM and qualitative reputation risk management strategy.[7]


It is time for boards and executives to wake up to the fact that reputation risk management and oversight are not solely about reputation management and instead require a more systematic approach that is part integration into ERM, part integration into business planning and strategy and part strategic risk governance – an essential board role and responsibility.

Until boards and CEOs require and support these measures, reputation risk management will continue to be an afterthought at best or part of the vicissitudes of crisis and PR management at worst instead of a tool to create smarter business and strategic planning and value creation. Companies that get this will have a competitive advantage in more ways than one.


About the Author:

Dr. Andrea Bonime-Blanc is the chief executive officer and founder of GEC Risk Advisory, a global firm that provides strategic and tactical governance, risk, ethics, compliance, CSR, reputation and crisis advice to boards, executives, investors and advisors (

She is author of The Reputation Risk Handbook: Surviving and Thriving in the Age of Hyper-Transparency ( the 2015 Conference Board Research Report, Emerging Practices in Cyber-Risk Governance ( She is a global keynote speaker, and member of several international boards. 


1Andrea Bonime-Blanc. The Reputation Risk Handbook: Surviving and Thriving in the Age of Hyper-Transparency. UK: Greenleaf Publishing 2014.

2The Reputation Risk Handbook

3The Reputation Risk Handbook

4Andrea Bonime-Blanc and Leonard J. Ponzi: ‘Understanding Reputation Risk: Proposing a Quantitative Solution’ and ‘Understanding Reputation Risk: Measuring Reputation Value’

5According to Nomura Security analysts quoted in this story:

6For a more detailed exposition of this quantitative approach to reputation risk analysis see the following two articles by Andrea Bonime-Blanc and Leonard J. Ponzi: Understanding Reputation Risk: Proposing a Quantitative Solution and Understanding Reputation Risk: Measuring Reputation Value

7This is an excerpt from Table 7 from: The Reputation Risk Handbook