Considering reputation risk

November 1, 2014

An organization’s reputation is critical to its success (in almost every case). A smart CEO and her board pay attention to the organization’s reputation and take care to nurture, protect, and grow it.

A new survey by Deloitte reinforces that obvious truth and states one other truth that should be obvious to us all: “reputation risk is driven by other business risks”.

Miriam Kraus, a senior vice president at SAP responsible for their risk management program, is quoted in the report:

“Usually, reputation risks result from other risks. For example, noncompliance with applicable laws and regulations, misconduct of senior management, failure to adequately meet our customer’s expectations and contractual requirements. All of these could lead to civil liabilities and fines, as well as loss of customers and damage to the reputation and brand value of SAP, to just mention a few.”

The paper has many interesting numbers and charts, but I think it leaves much unsaid.

I wish that Deloitte had advised that when decision-makers assess risks they should consider and assess the potential impact on the organization’s reputation (which can be good, bad, or neutral) and add this to the assessment of other (more direct) potential effects.

It should be noted that the likelihood of a significant impact on reputation arising from, say, a safety issue is not necessarily the same as the likelihood of other impacts such as fines, lost time, and so on.

In addition, the impact on reputation may be positive while the impact on, say, cash flow is negative!

For example, the decision to divorce the organization from a supplier who is found to have broken the law may adversely impact costs and disrupt delivery of product to the market – while enhancing the reputation of the organization.

I also wish that Deloitte had made it clear that organizations need to understand what is most likely to have a significant impact on their reputation. While they mentioned a few important areas, they omitted situations like failures (or excellence) in customer service, the help desk, public statements (including on social media), responses to media and regulators’ inquiries, announcements about plant closures, and so on.

I believe it is important to identify the more significant drivers of reputation value, both the potentially positive and negative, so that they can be monitored and treated when appropriate, to optimize the reputation of the organization.

Monitoring is key and Deloitte has a sidebar that talks to some of the ways to do this. They call it risk-sensing.

One aspect that I didn’t see mentioned is that the organization’s reputation can be affected by the actions of third parties – without any stimulus from the organization. For example, from time to time statements are made by the CEO of Oracle that are intended to attack the reputation of SAP, its primary competitor. The organization that is attacked needs to know what is happening and assess whether a response to the attack would help or hurt.

In the same way, when there is violence in some part of the world, people look to the US, EU, and others for a reaction. It’s not only the action that can affect reputation, but the failure to act.

When the media find that there have been an unusual number of apparent failures in a model of automobile, the failure of the manufacturer to react can be as damaging as, or more damaging than, a poorly worded press statement.

Actions by third parties that are part of the extended enterprise (suppliers, channel parties, agents, and even customers) can affect reputation. This needs to be identified, assessed, and monitored closely as well.

Reputation risk is critical. Deloitte doesn’t make it clear but since so many decisions and actions can impair or improve the organization’s reputation, it is essential that the impact on reputation be considered in pretty much every decision, from strategy-setting to the daily operation of the business.

Every manager and decision-maker needs to own the risk, not the CRO.

One final point: one of the reasons I like the ISO 31000:2009 global risk management standard is that it doesn’t limit the risk management discussion to preventing bad things from happening. Every organization needs to pay attention to the ways in which it can build and grow its reputation, not just protect it.

Do you agree?

I welcome your comments and perspectives.

  1. Scott Killingsworth
    November 2, 2014 at 5:44 AM

    Insightful observations, particularly in pointing out that reputation risks are not always in lockstep with underlying “driver” risks — more resonance than echo. Compliance risks may technically be judged by a “must” standard but the associated reputational impact will often result from the public’s application of a “should” standard. Similarly with the discontinuity between the likelihood and impact of an underlying risk and those of its reputational counterpart — for example much depends on whether the press or social media put a human face on the negative effects of a decision, a policy, or a breakdown.

  2. November 2, 2014 at 6:56 AM

    I certainly agree with your criticisms. But I think, given the page count, that they focused on the themes and not the detail. Frankly, with reputation/conduct risk, I think it’s best to focus on the culture of risk and to guide the decision-makers at every level to consider reputation – of the firm and its clients – while making decisions. I’m trying to instill this kind of thinking by publishing on both the firm’s risk tolerance statement and including reputation in risk decisions. I’ve just this week posted something about it here, if you’re interested:

    http://risktopics.com/blog/2014.10.30/An-experiment-in-risk-culture-programming

    To answer your question, I think ISO 31000 is more interested in the mechanics of treating abstract “risks” than it is in dealing with the cultural aspects inherent in reputation risk. I think ISO 31000 is better suited for dealing with risk in terms of operational variance.

    Thanks for continuing to post your thoughts on these timely subjects, Norman.

  3. allanmisner
    November 5, 2014 at 4:11 PM

    I can’t help but think about how the “parent” risks are often ignored when the “children” can be individually discounted. As your post (and the underlying report) point out, it is important to consider both. Whether a company invests in improving reputation (aka negative reputation risk) likely relates to how much of their customer base is affected by direct customer interaction. For example, a bank, with thousands of individual and business customers, should care more about reputation in general than a mining company that sells a commodity to a few dealers would.

  4. Norman Marks
    November 5, 2014 at 4:15 PM

    Allan, I hear you – but what about the reputation a mining company has with the regulators and the union? If it has a poor reputation for employee safety or the proper handling of waste, the reaction by either or both parties can be swift and harmful. For example, some mines have been closed even before allegations are found proven.

    • allanmisner
      November 5, 2014 at 4:34 PM

      Well, safety is an entirely different “parent” risk. Yes, a cousin, or maybe sibling of reputation, but it holds its own. Just as safety at the bank isn’t nearly as compelling as at the mine.

  5. John
    November 12, 2014 at 5:00 AM

    What about probably the biggest risk that no one can control – $#!% happens. Just ask the people at Texas Presbyterian in Dallas when an Ebola patient just slips through the cracks. Their patient census halved overnight. They won’t get their reputation back that fast!
