A strong risk culture, a proactive board and operational resilience are among the keys to successful reputational risk management.
Friday, March 1, 2019
By John Thackeray
As Warren Buffett once said, “It takes 20 years to build a reputation and five minutes to ruin it.” This rings especially true today, as high-profile crises - including cyberattacks, product recalls and damaging social media posts - become more prevalent.
Reputation represents an interpretation or perception of an organization's trustworthiness or integrity. Reputation equals integrity and integrity equals social responsibility - i.e., sustaining the “social license to operate” and ensuring that business practices, operating procedures and corporate behaviors are acceptable to employees, stakeholders and the public.
Reputational risk is the current and prospective impact on earnings and enterprise value arising from stakeholder opinion. To understand and address reputational risks, and to create a sustainable plan for mitigating them, an organization must first identify and assign ownership for each of its risks and then determine its appetite for risk/reward.
Management of reputational risk can then be addressed via the three lines of defense, which include strategic alignment, cultural alignment and operational focus.
Create effective board oversight.
Reputational risk management starts at the top. Matters of strategy, policy, execution and transparency (particularly with respect to reporting) must be closely overseen by the board. Indeed, these issues are vital to effective corporate governance, which plays a huge role in sustaining reputation.
Managing reputational risk doesn't typically fit neatly into a single function. Ultimately governed by the board, it requires clear accountability, leadership and engagement across numerous teams.
Integrate risk into strategy setting and business planning.
The board and executive management must ensure that risk is not an afterthought to strategy setting and business planning. Reputational risk must be identified as both a material risk and a strategic risk, and should be inextricably linked to the company's risk management and crisis management disciplines.
The board and senior management should also ensure that there is adequate focus on the critical enterprise risks that could impair the firm's reputation. What's more, a process for identifying emerging risks on a timely basis must be established, and the company's risk profile must be continuously appraised.
Emphasize effective communications, image and brand building.
Building brand recognition unique to a business is vital to market success and, when all else is working well, augments reputation. A good story is easy to tell. Typically, though, the best companies (1) develop powerful and distinctive messaging; (2) establish accountability for results with metrics and monitoring; (3) work social media effectively; and (4) passionately live up to their values every day.
Pay close attention to crisis planning and operational resilience.
Successful management of a crisis event can mitigate potential reputational damage. Through an effective crisis management framework, an organization can integrate the right processes, roles and governance into existing contingency plans.
Of course, it often takes practice to know when to mobilize a crisis response, what information to communicate to which stakeholders and how to coordinate communications across different teams. Companies can test processes and gain experience by running crisis simulation rehearsals based on the most critical reputational risks.
Collaborate with stakeholders.
The executive team and board of directors should interact more with customers, employees, suppliers, regulators and shareholders. News about risks, business operations and branding should be communicated proactively.
No organization or brand will be able to succeed without doing good and doing well - i.e., delivering financial performance while also making a positive contribution to society. Social purpose needs to be embedded into the very fabric and heart of the enterprise.
Establish strong corporate values, supported by appropriate performance incentives.
Boards need to ensure that executive management implements a strong tone at the top, a variety of effective escalatory processes and periodic assessments of the tone in the middle and tone at the bottom. To shape and influence the corporate culture from end-to-end, the executive team must align performance incentives with corporate values.
Moreover, executives and directors need to pay attention to the warning signs posted by the independent risk management function and to audit reports that offer evidence of possible dysfunctional behavior.
Comply with laws, regulations and internal policies.
Few incidents undermine reputation more than serious compliance violations. The accompanying media headlines can drag a company's brand through the mud. Senior executives, with board oversight, should take steps to implement effective, compliance-driven internal controls.
Build a strong control environment.
Embarrassing control breakdowns, especially in the arena of public reporting, can tarnish reputation. Every board should therefore expect and demand a strong control environment that not only signals management's commitment to integrity and ethics but also lays the foundation for a risk-aware culture.
Develop an early warning system.
Embedding risk sensing into an organization's risk governance program enables the continual identification of emerging threats. To spot potential risks, many leading companies perform 24/7 monitoring of traditional and social media outlets and internal data sources.
Monitoring teams can support both daily reputational threat sensing and crisis management response. Companies with strong monitoring capabilities can more effectively analyze and interpret data, leading to better, more-informed business decisions.
Reputation is everything, and financial institutions must therefore do everything in their power to better measure and mitigate reputational risk. This is a challenging task, but a strong risk culture, a proactive board and a comprehensive framework for operational resilience are excellent starting points. To be effective, they must all act in harmony with each other; this is not the place for compromise or shortcuts.
John Thackeray is the founder and CEO of Risk Smart Inc. Over his long career, he has held many risk positions, including CRO posts where he interacted and engaged with US and European regulators. He frequently contributes articles on his risk insights to the Financial Executives Networking Group (FENG).