Three Steps to Managing Reputation Risks


Risks to your organization’s reputation—its corporate name or its brands—are among the most challenging to manage. They can arise from sources as diverse as outsourcing, product quality, social media, cash repatriation, and environmental impact. They also often arise rapidly. Goodwill that took decades to build and word-of-mouth support worth millions in annual sales can be lost in hours.

Standard risk management tools (such as insurance, hedging, diversification) are generally no help against reputational risks. And while these risks can be managed within the organization’s risk management infrastructure—its people, processes, and information—leadership often assigns them to corporate communications, marketing, and investor relations. While these functions have valuable roles to play, so does risk management.

Other times, leaders simply underestimate the importance of threats to reputation. In a poll of more than 1,100 executives during a May 2011 Deloitte webcast (“Brand Resilience: Protecting Your Brand Assets from Saboteurs in a High-Speed World”), only 24% of respondents’ companies formally measured and reported on brand value. Fewer than 22% thought it likely or highly likely that negative information about their brands would show up on social media in the coming year. That may be wishful thinking given the volume of ranting, raving, and ranking going on in social media.

In his book Brand Resilience: Managing Risk and Recovery in a High-Speed World, Jonathan Copulsky, principal at Deloitte Consulting LLP, highlights the threat. “Brands are under constant attack,” he writes, “and brand stewards must systematically understand the risks that their brands face, the potential impacts, and the options for managing these risks.”

Meanwhile, a highly positive reputation is itself a tool in managing risks to reputation. The PR firm Edelman’s 2011 “Trust Barometer,” an annual survey that “measures attitudes about the state of trust,” found that, when a company is trusted, 51% of stakeholders will believe positive information about the company after hearing it once or twice. And only 25% will believe negative information after hearing it once or twice.

Distrusted companies, however, fare poorly by comparison: only 15% of stakeholders will believe positive information about a company they don’t trust, and 57% will believe negative information after hearing it once or twice about such organizations. This study also linked trust to customer purchases, investor share purchases, and people’s recommendations to others.

The following approach to managing risks to reputation departs from that used at most organizations. It places reputational risk management with the appropriate, high-ranking members of executive management, and it emphasizes the need to develop an external view of reputational risks and to monitor those viewpoints. Follow this three-step guide and you will be better off than you are today—and, most likely, your peers.

Step #1: Internal Identification

Internal identification entails an examination of the organization’s strategies, initiatives, operations, and risks with the goal of locating risks to reputation. This step provides an inside-out perspective and should cover reputational risks that executives expect to accompany their decisions and activities, and those that could arise but are harder to specify.

In-depth interviews conducted by the chief risk officer (CRO), or whoever else is the ultimate “owner” of the risk management program, with other senior executives can identify risks to reputation. For each member of the C-suite, the interviews should cover the following items.

Chief Executive Officer
Strategies and their underlying assumptions can pose both known and unknown reputational risks. For example, a potential acquisition may hold financial and business risks as well as risks to reputation that remain hidden during due diligence.

Chief Operating Officer
Many points in the value chain can draw activists’ attention or cause disruptions that may threaten reputation. So it is wise to estimate the potential reputational impact of supply interruptions, customer inconvenience, media reactions, and other side effects of operational risks.

Chief Financial Officer
Financial risks can arise in the course of business and from risk events that affect reputation. Quantifying the likely financial impact of reputational risks helps to build the business case for aggressively managing them. For example, can finance gauge the revenue impact of various percentages of customers lost in the wake of a risk event that harms reputation?

Chief Marketing Officer
Marketing must reinforce reputation in ways that are substantive, credible, and meaningful to stakeholders. Different stakeholders will have different concerns, depending on the company’s industry, products, and locations, and those concerns translate to different reputational risks.

Chief of Human Resources
Reputation is a strong weapon in the battle for talent, and damage to reputation can undermine a company’s attractiveness to employees for years. Hiring decisions, employment practices, and compensation policies may also hold reputational risks.

General Counsel
The manner in which the regulatory and legal aspects of a risk event are handled can present risks to reputation.

In these interviews, executives should provide their views, refer the CRO to other internal resources, and identify external stakeholders who can provide useful perspectives. Desk research can identify additional external stakeholders who can provide those perspectives or who could directly affect reputation.

Step #2: External Identification

This step gathers intelligence from external stakeholders identified in step one to assemble the outside-in perspective. This enables the organization to assess risks to reputation from external viewpoints and to gauge baseline reputation.

This also enables an organization to identify areas of high or low opinion, gaps between desired and actual reputation, and opportunities for improvement. For instance, recall that customers tend to believe positive and discount negative information about companies they trust. Stakeholders who distrust the organization may thus be predisposed to believe bad news and should perhaps receive special attention.

While some stakeholders can be interviewed, others should be monitored from listening posts like those identified by Frederick Funston and Stephen Wagner in their book Surviving and Thriving in Uncertainty: Creating the Risk Intelligent Enterprise. For risks to reputation these might include industry analysts, news outlets, social media, nongovernmental organizations (NGOs), regulators and bloggers. It should also include any organization that publishes quality, customer service and “green” ratings and indexes.

In this step, aim to gather unbiased data using consultants or survey vendors. And then present these results to management as matters of fact. Make sure you give the top brass the stakeholders’ unfiltered opinions. For the most complete picture, search blogs, forums, websites, and social media for corroborating or contradictory data—and for threats to reputation.

This outside-in view should be blended with the inside-out view developed in step one to construct the fullest possible picture of the risks to reputation.

Step #3: Ongoing Monitoring

Monitoring is paramount because the sooner a risk to reputation is discovered the sooner it can be addressed. Monitoring means continuous scanning of the environment, periodically “taking the temperature” of stakeholders through formal and informal surveys, and alerting management to changes in and threats to reputation.

Considering the number of areas in which threats to reputation could arise, organizations can harness technology to develop the data-gathering and analytical capabilities needed to detect and assess them. These capabilities should flag reputational risks (such as media activity), other risks that could lead to reputational risk (such as interruptions to operations), and decisions that could affect reputation (such as price increases, location openings or closings, and high-level hires or terminations). Ideally, organizations should locate risks to reputation whether or not they have a basis in fact.

Constructing dashboards and systems that flag these risks and provide the analytics can be tricky. The components of these systems—governance, risk management, and compliance (GRC) software—continue to evolve. Established and emerging vendors are developing systems that offer externally focused, as well as internally focused, indicators of reputati on risk.

As the market continues to improve, be sure to employ current technologies to do the job. Use “low-tech solutions” such as human review, external briefings, and stakeholder surveys—to monitor risks to reputation and to fully consider the reputational impact of seemingly run-of-the-mill decisions.

And above all, cultivate fans. Organizations with trusted reputations tend to have one or more sets of stakeholders who simply love them—passionate customers, preferred suppliers, long-term investors, or employees who believe it’s the best place to work. Emotional connections can be cultivated, and the costs of doing so should be considered an investment in reputation. And if your name truly is your biggest asset, you should have no troubles investing in it.

Henry Ristuccia

More articles by »

About the Author

Henry Ristuccia is a partner at Deloitte & Touche LLP and co-leader of the company’s governance and risk management services.


Leave a reply