Managing Reputational Risk
In recent years, world-renowned companies have come under fire for various reasons, seriously impairing their reputation. Chief executives of 269 executives surveyed by the Economist Intelligence Unit picked reputational damage as the largest risk that their company faces in today’s economy. In fact, reputational risk was picked over ten percentage points higher than events like natural disasters, human capital issues, and crime.
Reputation can make or break a company. Research indicates that when an organization has a positive, trusted reputation or brand, over half of shareholders surveyed believe positive information that comes from that organization the first or second time they hear it, while only 25% will believe any negative information the first or second time they hear about it. But, when the company has a negative reputation or image, almost the exact inverse is true. That is, for organizations with a negative brand/reputation, 57% of shareholders believe negative information about these companies the first or second time, but only 15% believe news about a positive event coming from these types of organizations. So, clearly, perceptions about reputation and brand have a major impact on how outsiders view and embrace information about an entity.
With such an emphasis on the psychology of the consumer and brand recognition, it is surprising that so many companies are not focused on threats to their brand. Data obtained by Deloitte found that only 24% of companies formally measure or report on brand value. Deloitte argues that responsibility for managing risk to reputation should reside with the board of directors and senior executives and not be delegated to marketing functions. Deloitte states that “Managing risk to reputation is about fundamental perceptions of the company’s contributions, value, and strategic direction.” A simple explanation is available for that. Traditional risk management takes an inside-out perspective that focuses only on those risks foreseen by management. The question often asked is: “What are the risks we see the company facing in our planning horizon?” However, according to Deloitte, risk management should include an outside-in perspective that looks outside the walls of the entity for reputational issues. In this situation, the company should ask “What kinds of risk events are being foreseen by outsiders of the entity?” This approach will help the company prepare for the unexpected events that are sure to happen in uncertain times and prevent these events from picking up momentum and velocity.
Deloitte’s thought paper offers insights for developing a risk management strategy around reputation risk. The paper outlines a three-step process for managing reputation risks (which can be aided by proprietary software): Discovery, Baseline, and Proactive Management of Risk to Reputation.
In the Discovery stage, the entity must clearly understand its view from an inside-the-organization perspective. The current insider’s view of strategies, risks, and vulnerabilities must be put out on the table so that all “known known” and “known unknown” risks are understood. Though this sounds easy, it can be quite time-consuming to go through this process.
The Baseline stage takes key stakeholders and gets their individual opinions on the business. The main goal of this stage is to get the perceived impact of the reputation of the company on its enterprise-wide strategies. The organization identifies key stakeholders who can help provide the outside-in view. For example, opinions voiced in blogs, industry forums, academic papers, and the media (including social media) should be analyzed to see what the business environment looks like through an outsider’s lens. Any holes in the strategy and unrecognized risks are closed during this stage as the company goes from interviewing key stakeholders to reading Twitter.
The final stage of the process is known as Proactive Management of Risk to Reputation. This stage never really ends, as the company should always be anticipating threats to strategy and reputation, analyzing which of those threats could pose the biggest potential downside, and taking action on the most threatening situations.
When using proprietary software, alerts can be set for when risks begin to emerge, and the software can help with presentations to upper management about reputation risk by showing a dashboard of the risks that are determined to be the most important. The importance of a risk is driven by the intentions of the event, the actions that are needed to mitigate the event, and the results of what could and eventually does happen.
For such a major part of the company, very little can be done about reputation. Money can’t be thrown at it to make it stronger; it can only be won and earned from the general public. A single event could tarnish the cleanest reputation – Penn State football just being one of a long line of examples in the past 15 years of this being true.