Considering reputation risk
An organization’s reputation is critical to their success (in almost every case). A smart CEO and her board pay attention to the organization’s reputation and take care to nurture, protect, and grow it.
A new survey by Deloitte reinforces that obvious truth and states one other truth that should be obvious to us all: “reputation risk is driven by other business risks”.
Miriam Kraus, a senior vice president at SAP responsible for their risk management program, is quoted in the report:
“Usually, reputation risks result from other risks. For example, noncompliance with applicable laws and regulations, misconduct of senior management, failure to adequately meet our customer’s expectations and contractual requirements. All of these could lead to civil liabilities and fines, as well as loss of customers and damage to the reputation and brand value of SAP, to just mention a few.”
The paper has many interesting numbers and charts but I think it leaves much left unsaid.
I wish that Deloitte had advised that when decision-makers assess risks they should consider and assess the potential impact on the organization’s reputation (which can be good, bad, or neutral) and add this to the assessment of other (more direct) potential effects.
It should be noted that the likelihood of a significant impact on reputation arising from, say, a safety issue is not necessarily the same as the likelihood of other impacts such as fines, lost time, and so on.
In addition, the impact on reputation may be positive while the impact on, say cash flow, is negative!
For example, the decision to divorce the organization from a supplier who is found to have broken the law may adversely impact costs and disrupt delivery of product to the market – while enhancing the reputation of the organization.
I also wish that Deloitte had made it clear that organizations need to understand what is most likely to have a significant impact on their reputation. While they mentioned a few important areas, they omitted situations like failures (or excellence) in customer service, the help desk, public statements (including on social media), responses to media and regulators’ inquiries, announcements about plant closures, and so on.
I believe it is important to identify the more significant drivers of reputation value, both the potentially positive and negative, so that they can be monitored and treated when appropriate, to optimize the reputation of the organization.
Monitoring is key and Deloitte has a sidebar that talks to some of the ways to do this. They call it risk-sensing.
One aspect that I didn’t see mentioned is that the organization’s reputation can be affected by the actions of third parties – without any stimulus from the organization. For example, from time to time statements are made by the CEO of Oracle that are intended to attack the reputation of SAP, its primary competitor. The organization that is attacked needs to know what is happening and assess whether a response to the attack would help or hurt.
In the same way, when there is violence in some part of the world, people look to the US, EU, and others for a reaction. It’s not only the action that can affect reputation, but the failure to act.
When the media find that there have been an unusual number of apparent failures in a model of automobile, the failure of the manufacturer to react can be as damaging as or more than a poorly-worded press statement.
Actions by third parties that are part of the extended enterprise (suppliers, channel parties, agents, and even customers) can affect reputation. This needs to be identified, assessed, and monitored closely as well.
Reputation risk is critical. Deloitte doesn’t make it clear but since so many decisions and actions can impair or improve the organization’s reputation, it is essential that the impact on reputation be considered in pretty much every decision, from strategy-setting to the daily operation of the business.
Every manager and decision-maker needs to own the risk, not the CRO.
One final point: one of the reasons I like the ISO 31000:2009 global risk management standard is that it doesn’t limit the risk management discussion to preventing bad things from happening. Every organization needs to pay attention to the ways in which it can build and grow its reputation, not just protect it.
Do you agree?
I welcome your comments and perspectives.