This article was published in Risk Management Magazine (New York), September 2007 and is presented here to illustrate an article written by George Neufeld.
Today, intangible assets can account for 70% of the value of a business. These intangible assets include, among others, brands, employee loyalty, credibility, trust and reputation. In a world that has been rocked by corporate governance and audit scandals, reputation is now more important than ever before.
In late 2005, the Economist Intelligence Unit (EUI) produced a report entitled “Reputation: Risk of Risks” based on survey input from 269 risk managers in companies of varied size. EUI’s conclusions were that:
- Corporate reputation is a hugely valuable asset that needs to be protected
- Serious reputational damage can occur simply as a result of perceived failures, even if those perceptions are not grounded in fact
- Understanding how different aspects of an organization’s activities impinge on stakeholder perceptions is a vital aspect of protecting a company’s reputation
- Many companies feel that their capabilities in managing reputational risk leave much room for improvement, but the high rewards of success should provide strong motivation for progress in this area
- Incurring reputational damage can be fatal, but establishing a robust reputation can provide a strong competitive advantage
Reputation has always mattered. Managing reputation, however, has become a bigger challenge with e-mail and blogs that empower customers, suppliers, interest groups, investors and the media. The scope of external stakeholders’ concerns has also broadened to include employment practices, environmental impacts, human rights and community relations—which comprise what is now increasingly referred to as corporate social responsibility. Modern enterprises face reputational challenges stemming from operations around the world.
Reputational risk management addresses conventional risks as well as an organization’s relationship with its stakeholders, consistency in outward communication, corporate trustworthiness and management-employee ethics.
Reputation needs to be protected as well as built. Hence, there are two types of reputational risks: negative and positive. This is important for reputation risk management as the mindsets for addressing risks from a negative and a positive perspective are quite different. Negative risk involves thinking about what could go wrong. Positive risk is about creatively enhancing the company.
Negative risks lead to loss of reputation, loss of market share, financial losses and, sometimes, as in the case of Arthur Andersen, for instance, the demise of the company. Several private and public enterprises have been in the media limelight in recent years as a result of problems with their products (e.g., Menu Foods), their internal strategies and operations (e.g., British Petroleum) and the actions of their management (e.g., Enron).
For private sector enterprises, loss of reputation is not good for their business. For public sector entities, loss of reputation reduces influence and impact. Private and public enterprises suffer from negative risks due to having an attitude that “it won’t happen to us,” taking actions without wanting to acknowledge the consequences or thinking that “we can get away with it.”
Positive risks are those that enhance a company’s reputation, market share, share value and profitability. More and more private and public sector enterprises are managing (or taking) risks that integrate economic, social and environmental imperatives into their mission, strategies, business and culture.
For example, Toyota started producing smaller and greener automobiles before there was a significant market for such vehicles. Taking such risks requires assessing public opinion and market demands. In the case of automobiles, it appears to be paying off for Toyota. Competing dealers are currently concerned that they do not have the environmentally-friendly products that buyers are looking for. Enterprises sometimes fail to take positive risks because they are too inwardly focused and fail to see external trends and changes.
Generally, positive and negative reputation risks are of equal importance. Like so much in life, maintaining balance is essential. Enron seemingly focused on positive risks (opportunities), with little regard for negative risks. U.S. car manufacturers seemingly focused on negative risks (e.g., no scandals to date) with little regard for positive risks—otherwise they would not be experiencing a decline in market share.
The key steps to managing reputational risk are to identify and assess the risks, make decisions and then follow through on the decisions.
Managing Negative Risks
What is your organization’s approach to managing negative risks? Are you reactive or proactive? Being proactive puts you in a position to mitigate or even avoid disasters, be ready when a disaster hits and seize opportunities to enhance your organization’s reputation. Where to start?
The first step is to identify the kinds of events that could befall your enterprise. Here are three possible approaches to identifying risks:
- Identify several persons within and outside your enterprise and have them provide a written list of risks that your enterprise faces and, for each risk, provide a brief assessment of its likelihood and impact.
- Conduct a 360-degree organizational survey that seeks input on potential risks from a people within the organizations as well as outside the organization (selected from such players as members of the board, suppliers, customers, partners, auditors, legal advisors or experts in fields such as computer security, financial fraud and corporate culture).
Contributors in (1) and (2) tend to be more candid if they are assured that their input will be kept anonymous. The external input in (1) and (2) motivates dealing with the brutal facts, making decisions and moving to action. The findings from (1) and/or (2) can be challenged and refined though focus group meetings with groups of managers and employees; the side-benefit of focus groups is that it engages managers and employees.
- Involve a broad group of executives from across the enterprise in a brainstorming session to identify potential risks. The brainstorming session is most productive if participants are briefed in advance to think of risks in their respective areas of responsibility. This can include providing them with the results of (1) and/or (2).
It is useful to include role playing in the brainstorming session, where different persons or small groups look at the organization from different perspectives including that of an investigative reporter looking for a scandalous story, a disgruntled executive, a recently fired employee, a disappointed investor or an unhappy customer. Role playing overcomes the tendency to underestimate, or even hide, what could go wrong.
The second step is to prioritize the risks. This must ultimately involve a broad group of executives from across the enterprise. This is sometimes preceded by conducting a focus group(s) of employees and managers from different groups and functions within the enterprise. This step begins with providing participants with the risks that were identified in the first step. Depending on the complexity of the risks, it may be useful to provide them with an explanation or one-page briefs before actually ranking the risks.
Risks are ranked on the basis of likelihood and impact. Round-table discussion is then usually the practical way to apply a “sanity check,” i.e., does the ranking of the priorities feel intuitively correct and does it make common sense? What changes to the ranking need to be made?
Together, the first and second steps can be thought of as the assessment stage.
The third step is to decide on the risks for which it is cost-beneficial to apply mitigation measures that may involve outright risk reduction as well as emergency planning. To optimize the investment in risk mitigation, it is best to compare mitigation measures for selected risks on the basis of cost and reduction of likelihood of occurrence and/or impact.
The fourth and final step is to agree on and implement an action plan that includes what is to be achieved, by whom and by when. There should also be a specific person accountable for following up on the agreed-upon results going forward.
Managing Positive Risks
What is your organization’s ability to manage positive risks? Are you able to identify trends and changes that will impact on your organization’s reputation and sustainability?
For private sector enterprises, being proactive increases the odds of having the right products and services at the right time, strategically exploiting new technologies and being ahead of the competition. For public sector organizations, proactively managing risks increases the reputation of both politicians and officials, and promotes the well-being of citizens. What to do?
The four-step process for managing negative risks is relevant, with some important changes:
Step one is identifying positive risks. Whatever method is applied, the process needs to involve persons who are effective in thinking creatively, looking ahead and communicating their ideas.
The second step is to prioritize positive risks. In the case of negative reputation risks, the focus is on assessing the likelihood of occurrence and the negative impact if it occurs. In the case of positive risks, the focus is on the likelihood of materializing and the positive impact or benefit if it does materialize. Hence, risks with a high likelihood and high impact are still of great interest, but from a very different perspective. Now they are no longer events to mitigate but rather possibilities to pursue and exploit.
Step three is to decide on risks to be pursued. In the case of negative risks, the focus is on reduction of risks and their impacts and costs. In the case of positive risks, the focus is on benefits/pay-back and required investment.
The final step is action planning and implementation. The process is similar to that for negative risk management. The content of the actions will of course be different.
Establishing a Reputational Risk Management Group
The process of assessing and making decisions needs to be managed by an individual or group, that has access to the CEO. The person or group needs to provide a corporate perspective, as opposed to a legal, financial, operations or strategic one. Since positive and negative risks invariably overlap, it is best that the same group manage both the process for assessing and decision making for both types of risk. Given the inter-relationship between risk management and strategic planning, it makes sense for the same person or group to lead the process and coordinate the supporting analysis for both.
The responsibility for action planning and follow-through will depend on the risks to be acted upon. Accountability for results can be exercised through established or, if necessary, improved management arrangements.
Common Challenges
The first challenge to managing reputational risk is to get started before it is too late. Starting with a complete organization survey is a safe and effective way to kick-start risk management.
The second challenge is following through on the decisions made. Public and private sector enterprises have a poor track record in implementing new initiatives and projects. The failure rate of initiatives and projects is high, typically about 70%.
Some of the reasons why performance initiatives fail at companies, both large and small, include cultural problems, lack of executive sponsorship, and poor execution or implementation. But the real reason they fail is something more basic: The initiative or project is not being linked to the people, processes and existing technology within the company. To stay successful, it is critical to engage middle managers and opinion leaders, resolve implementation issues in a timely manner and remain focused yet flexible.
The third challenge is to deal with the brutal facts and resolve differences of opinion. Involvement of a third party can help in specific cases. Systemic improvement may require a combination of training and culture change.
Proactive reputational risk management sends the message to all levels of management and employees that the enterprise expects their actions to sustain, and if possible enhance, the enterprise’s well-being. It also sends the message that the organization is not immune from crisis and from being overtaken by external events and new competition. Just as there are many examples of companies that took positive risks that enhanced their reputation, there are also many entities that turned a blind eye to reputational risks and that have suffered the consequences.