December 16, 2014
A Better Way to Think About Reputation Risk
by Norman Marks
Assessments of reputation risk should become part of the discussion when any risk is being considered, because almost all risks have an effect on reputation.
A new survey by Deloitte reinforces the obvious truth that a smart CEO and her board will nurture the organization’s reputation because it is critical to success (in almost every case). The survey states one other truth that should be obvious to us all: “Reputation risk is driven by other business risks.” As Miriam Kraus, a senior vice president at SAP responsible for its risk management program, is quoted as saying in the report: “Usually, reputation risks result from other risks. For example, noncompliance with applicable laws and regulations, misconduct of senior management, failure to adequately meet our customer’s expectations and contractual requirements. All of these could lead to civil liabilities and fines, as well as loss of customers and damage to the reputation and brand value of SAP, to just mention a few.”
But, while the paper has many interesting numbers and charts, I think it leaves much unsaid.
I wish that Deloitte had advised that when decision-makers assess risks they should consider the potential impact on the organization’s reputation (which can be good, bad or neutral) and add this to the assessment of other (more direct) potential effects.
It should be noted that the likelihood of a significant impact on reputation arising from, say, a safety issue is not necessarily the same as the impact from fines, lost time and so on. In addition, the impact on reputation may be positive while the impact on, say, cash flow is negative! For example, the decision to divorce the organization from a supplier who is found to have broken the law may raise costs and disrupt delivery of product to the market – while enhancing the reputation of the organization.
I also wish that Deloitte had made it clear that organizations need to understand what is most likely to have a significant impact on their reputation. While Deloitte mentioned a few important areas, it omitted situations like failures (or excellence) in customer service, the help desk, public statements (including on social media), responses to media and regulators’ inquiries, announcements about plant closures and so on.
I believe it is important to identify the more significant drivers of reputation value, both the potentially positive and negative, so that they can be monitored and treated when appropriate, to optimize reputation.
Monitoring is key, and Deloitte has a sidebar that talks to some of the ways to do this. Deloitte calls the process risk-sensing.
One aspect that I didn’t see mentioned is that an organization’s reputation can be affected by the actions of third parties – without any stimulus from the organization. For example, from time to time, statements are made by the CEO of Oracle that are intended to attack the reputation of SAP, its primary competitor. The organization that is attacked needs to know what is happening and assess whether a response would help or hurt.
In the same way, when there is violence in some part of the world, people look to the U.S., EU, and others for a reaction. It’s not only the action that can affect reputation but the failure to act.
When the media find that there have been an unusual number of apparent failures in a model of automobile, the failure of the manufacturer to react can be as damaging as or more damaging than a poorly worded press statement.
Actions by third parties that are part of the extended enterprise (suppliers, channel parties, agents and even customers) can affect reputation. They need to be identified, assessed and monitored closely, as well.
Reputation risk is critical. While Deloitte doesn’t make this clear, because so many decisions and actions can impair or improve the organization’s reputation, it is essential that the impact on reputation be considered in pretty much every decision, from strategy-setting to the daily operation of the business.
Every manager and decision-maker — not just the chief risk officer — needs to own the risk.
One final point: One of the reasons I like the ISO 31000:2009 global risk management standard is that it doesn’t limit the risk management discussion to preventing bad things from happening. Every organization needs to pay attention to the ways in which it can build and grow its reputation, not just protect it.
Do you agree?
I welcome your comments and perspectives.
This article was first published on: Norman Marks on Governance, Risk Management, and Audit.