Why “Reputation Risk” is Suddenly on the Radar Screen
Reputation risk has arrived. In the past couple of years there’s been a buzz about it – almost overnight. Leading consultants and advisors, poll takers and survey makers have been producing evidence that senior executives and board members have identified a different, somewhat amorphous, and possibly threatening new strategic risk: reputation risk.
Why is this? There is a relatively straightforward explanation. The age of hyper-transparency has changed everything – the internet, social media, instant communication of everything from megabits of big data to tiny 140-character tweets. This rapid, unceasing and increasing avalanche of data and exposure, together with the democratisation of the means of communicating it, has changed the reputation risk equation dramatically and materially. Companies, organisations, governments, leaders and each of us personally have fewer places to run to or hide in.
Embedded in all this is some good news too, a possible silver lining for organisations that are paying attention: effective reputation risk management can create organisational resilience and reputation opportunity. Just think Johnson & Johnson and the Tylenol poisoning episode – highly successful crisis management leading to effective reputation risk mitigation and perhaps even the achievement of reputation enhancement. Who didn’t trust Johnson & Johnson after the brilliant and stakeholder-centric way in which it handled the terrible crisis?
So what does reputation risk mean, why is it strategic and how do board members, specifically, get their arms around yet another potentially daunting risk topic?
Reputation Risk is Strategic
In The Reputation Risk Handbook: Surviving and Thriving in the Age of Hyper-Transparency, I try to put shape around the often vague, misunderstood and, at times, virtual concept of reputation risk. Reputation risk is a term that will continue to evolve and mutate but whose essence can be summarised as follows:
Reputation risk is an amplifier risk that layers on or attaches to other risks – especially environmental, social and governance (ESG) risks – adding negative or positive implications to the materiality, duration or expansion of the other risks on the affected organisation, person, product or service.
An interesting feature of reputation risk, as lists showing data collected by RepRisk AG for top issues and top industries suffering from negative reputation risk reveal, is that most of the core risks that lead to serious reputation risk come from the world of ESG. These ESG risks are one of the key sources of reputational risks today. Issues such as environmental degradation, corruption, human rights abuse and fraud can lead not only to reputational challenges, but also to compliance risks and bottom-line implications.
So why is reputation risk a strategic risk?
It is strategic because it is a risk that, if not properly attended to, can have dramatic consequences on the financial health, strategic path, leadership, and short-term or long-term viability of the organisation. This applies to all forms of organisations, from business to government, NGOs to academia. Reputation risk can be sudden, swift and material, and as such needs to be prepared for and handled at the highest levels of an organisation, including the board.
Types And Examples Of Reputation Risk
Jorge Cachinero, an author and reputation management practitioner, has developed the following classification of types of reputational risk, depending on where they originate:
Natural risks: Those determined by the natural environment including climatic, atmospheric or seismic events or phenomena that cannot be easily predicted by companies.
Leadership risks: Those directly related to mistakes by organisations or their senior managers in exercising their responsibilities as leaders.
Operational risks: Those arising as a result of the production process of each business, including aspects of the value chain, the supply chain and logistics.
Environmental risks: Important regulatory or legislative changes with a decisive effect on the operating environment of a specific industry or sector.
Here are a couple of specific illustrations:
Example One: You are one of the leading retail companies in the world with a multinational footprint, many thousands of employees, vendors, suppliers and partners. Your financial results have been stellar. That is, until a whistleblower reports that aggressive accounting and revenue recognition practices seem to have been painting a much rosier picture than warranted. And this is apparently not only true for your most recent quarter – an independent investigation reveals that this has been going on possibly for years. You not only have major possible accounting fraud risk, you now also have serious reputation risk. Your reputation risk is so severe that restatements are showing a 92 per cent drop in profits from one quarter to the next and the chairman of your board has just resigned. You are Tesco.
Example Two: You are a major family-owned industrial conglomerate that among other things owns a passenger ferry company that carries many thousands of passengers and cargoes to multiple locations every day. Due to massive safety violations from cargo overloads, one of your ferries, filled with hundreds of passengers, sinks leading to the death of 304 people (most of them teenagers on a field trip). Due to the nature of your business, you knew you ran the core risk of possible health and safety incidents. You should have also known that violating safety laws could lead to accidents and death, with resulting massive reputation risk. Indeed your reputation risk could also extend to some of your major stakeholders like the regulators who didn’t regulate you and looked the other way (or were paid to do so). You are the Yoo Byung-eun family who owned the doomed Sewol Ferry and the South Korean Government whose regulators didn’t regulate.
A World Of Stakeholders, Expectations And Trust Issues
Simply put, in today’s world of instant, dramatic, nanosecond information flows, everyone has to worry about reputation and reputation risk. This includes each of us personally and the multiple stakeholders in our lives (family, friends, schools, workplaces). The reverse is true too: we need to worry about the reputation risk of those we associate with including our boards, employer, school, community, clubs, etc – as their missteps and bad acts may stain us. We are stakeholders in the people and organisations we associate with and they are stakeholders in us. This idea is depicted in Figure 4 from The Reputation Risk Handbook – ‘Reputation Risk & You’.
That’s where reputation risk management comes in. Traditionally, reputation management and its tools, techniques and practice were pretty much the domain of public relations practitioners and firms. Reputation was often equated to brand and it was all about brand management, marketing and image. This has all changed with the advent of the age of hyper-transparency. To be even moderately successful at it, boards and management now need to think about reputation management – and reputation risk management specifically – more holistically and more strategically.
The Board’s Role in Reputation Risk Oversight
So what is a board to do in the face of this relatively new, amorphous yet critical risk? What follows are some key oversight roles and responsibilities boards should consider when it comes to reputation risk.
Know your own reputation risk:
Reputation risk starts at the board – at the most elemental level with board members and board candidates who need to be properly vetted. Directors and prospective directors should ask: if something negative (or positive) occurs to me personally or professionally what are the possible consequences to the organisation? And vice versa: if something negative or positive happens to the organisation, what are the consequences to me as a board member?
The answers are pretty simple: reputations may suffer or benefit. In the more severe negative cases, personal reputations can suffer significantly and it is in these cases that boards and those overseeing corporate governance need to be vigilant and proactive.
Know the CEO’s leadership style and company culture:
Boards have an obligation to understand the leadership style of the CEO and the prevalent culture of the organisation. Does the CEO encourage open dialogue, discussion of difficult issues, allow bad as well as good news to surface and encourage employees to speak up without fear of retaliation? Or is the CEO more controlling and limiting of dialogue, less tolerant or more dismissive of bad news, discouraging the discussion of negative or difficult information?
In a more open, transparent culture, employees with concerns won’t go underground or become anonymous whistleblowers – they will express concerns early and often, defusing the potential for serious deterioration in the issue or risk involved and its attendant reputational risk. Leadership style and organisational culture have potentially huge consequences for how an entity handles its risks and how amplified its reputational risk might become.
Connecting reputation risk to company strategy:
Any strategic planning and development should include consideration of attendant reputation risk. This consideration should involve questions like: Does the strategy of the company include initiatives and objectives that increase existing risks or offer potentially new risks? If so, what would the negative reputational consequences of not handling these core risks be to the company?
So, for example, if a strategy involves the creation and production of a new form of transportation (Virgin Galactic), have all of the core safety and technology risks been taken into account as well as the attendant reputational risk consequences of a negative event?
Ensuring the right stage of risk management evolution:
As Figure 5 from The Reputation Risk Handbook shows, there are five stages of risk management evolution. It is only in the latter stages of development (namely 3-5) that effective reputation risk management is even possible. As the member of a board, you need to understand where your company is on this evolutionary ladder and ensure that it is where it needs to be to handle all of its risks including reputation risk.
Mapping reputation risk to the company’s other major risks:
All boards have a responsibility for understanding the risk profile of their companies. They need to have a grasp of the structure and content of ERM, have a feel for how risk management is conducted and whether it is appropriate to the company’s needs. This includes understanding what I call the ‘big buckets’ of risk, substantive areas of risk that most entities must deal with in one shape or another – political, legal, technological, financial, environmental, etc.
However, reputation risk is not a standalone ‘big-bucket’ category but a different kind of crosscutting category of risk – see Figure 6 from The Reputation Risk Handbook – and it needs to be effectively mapped to the other standalone risks in the company.
Understand the company’s principal stakeholders:
The board must have a clear picture of the main stakeholders of the company – investors, shareholders, customers, partners, employees and regulators. Reputation risk is born from stakeholder engagement and the expectations they have of the entity in which they hold a ‘stake’. Give them negative news and their expectations are broken with attendant possible negative reputation risk and loss of other value (stock value, for example). The opposite is true too. Give stakeholders better than expected news and there is opportunity for reputational and other value enhancement.
Reputation risk management oversight:
Reputation risk is now the domain of the boardroom and the C-suite and therefore it is also the domain of a cross-section of professionals who need to understand its meaning and implications within an organisation. The days of reputation management being the strict domain of public affairs or public relations are over. It is far too complex, multi-dimensional and cross-disciplinary. Boards should ask questions about how the company is handling reputation risk, who is responsible for and participating in the effort and whether the effort is yielding a proactive and effective approach to this risk.
Reputation risk & crisis management:
From at least an informational standpoint, boards should be part of the crisis management infrastructure of their company, especially when there is a potential reputational ramification. Indeed, the board should have a designated director liaison should a crisis arise. The organisation’s crisis management plan and team should have a reputation risk management component – and an expert internal or external resource that has been identified for crisis situations. This could be PR, investor relations or a communications executive, or someone else qualified. Reputation risks should be included in crisis management scenario exercises, which may include members of the board. This kind of preparation is essential to weathering a storm. Clearly in the two cases mentioned earlier – Tesco and Sewol – the board was or should have been involved.
Conclusion: The Board is responsible for organisational resilience and integrity oversight.
Boards have a critical role to play with regard to reputation risk. They own risk oversight and, because reputation risk is a strategic risk, they also own reputation risk oversight. Boards hold the CEO and executive team accountable on a broad variety of strategic issues. They have committees specialised in different aspects of management of the entity to do this. Depending on the entity, audit, risk, and/or compliance committees own risk oversight. If they haven’t already, such committees need to add reputation risk oversight to their portfolio.
Boards would also benefit from having at least one independent director, savvy and experienced in risk issues, not just tangentially but directly. The board is the ultimate protector and guardian of organisational integrity and value. Reputation loss (and gain) can materially affect integrity and value. What’s more, board members have their own personal integrity and value to protect. Ultimately, reputation risk oversight is one of the intrinsic governance roles of a board. The new bottom line for boards is that they need to demand a new bottom line from their chief executives – one that provides as much accountability on risk and reputation management and metrics as is currently provided on financial management and metrics.