How to Manage Reputation Risk



As a risk manager, you generally know three things about reputation risk: it is amorphous, invaluable and vaguely transferrable. Since someone upstairs is likely starting to clamor for a solution, however, it is time to fully understand what you are dealing with, including pervasive myths and misconceptions.

Defining Reputation Risk
From your boardroom and C-suite to the SEC and Office of the Comptroller of the Currency, everyone agrees reputation risk exists, yet few can describe it. However, this isn’t as difficult as it seems.
Reputation is an expectation of behavior. Customers have expectations when they buy products or services, employees have them when they accept jobs, vendors have them when they partner, creditors and investors have them, and even regulators have them. Not to be left out, members of society at large have expectations too. The expectations of your company’s stakeholders govern their behaviors—how much and how quickly they buy, what they are willing to work for and what they will charge your firm for credit.

A reputation crisis occurs when stakeholders change their expectations and behaviors. Customers stop buying, employees leave, vendors lose interest in servicing, and regulators, litigators and reporters inevitably pile on. Adding insult to injury, culpability and public opprobrium land on directors and officers. For them, the stain of a reputation crisis can be personal and permanent.

While adverse media events can be embarrassing, they do not become reputation crises if stakeholders’ behaviors are unchanged. The corollary is that great media coverage does not necessarily avert a reputation crisis, nor does it rectify one after the fact.

Reputation risk is the threat to meeting expectations that in turn precipitates a crisis. It is created when expectations are poorly managed and exceed capabilities, or when a company simply fails to execute.
Negative media coverage is often blamed on marketing, but the internet now extends exposure far beyond the reach of marketing activities. Almost everything a company does, overtly or covertly, is a public form of communication. Any stakeholder with access to a keyboard and the internet can be a self-appointed investigative journalist.

Managing expectations is all about governance, operations and risk management—the blocking and tackling of running a business. Clearly, there can be perverse brilliance in a business strategy of setting expectations very low. Less obvious, however, is the fact that public relations efforts to pump up expectations or spin a story can backfire terribly if the campaign is not supported by operational realities.

Measuring Reputation
Most executives agree that the value at risk in a reputational crisis is great, but they often think it is not readily measurable. That is no longer the case.

Of course, reputational value has long been precisely measurable in hindsight by benchmarking historical corporate profit and loss statements. Others have approximated it through various formulaic treatments of corporate financial statements. Now there is  big-data indexing of corporate reputation value through the algorithmic analysis of forward-looking decision markets. It is important to note that reputational value is very different from piecemeal measures such as brand recall, customer satisfaction, company affinity and other opinion-based marketing survey instruments.

Reputation value is the consequence of stakeholder behaviors. The high value of a positive reputation comes in the form of customers tolerating pricing premiums, creating shorter sales cycle times and buying in greater sales volume. It also manifests itself in lower employee costs, turnover and other human resource expenses. On the back end, it can mean better vender terms and more reliable service, lower credit costs, equity multiples and favorable regulatory discretion.

Reputation Insurance
Another myth is that reputation insurance can’t help because it is generally capped at $100 million—an insignificant indemnification limit for most companies concerned about reputation. But this is the wrong math for the wrong loss.

Reputation insurance coverage from companies such as AIG, Munich Re, Steel City Re and Zurich belong to the same class of value-added service coverages as kidnap and ransom insurance, for example, where the actuarial value of the covered losses (premium/burden vs. frequency/severity) is secondary. More important are the expert risk mitigation and risk management services embedded in the policy-based solutions. These services prevent issues rather than just compensate for the costs of problems after the fact. These policies can provide risk mitigation before, during and after an incident through controls and preparedness, including crisis communications and messaging support and media training to help retain stakeholder loyalty and protect enterprise value.

Risk Management in Practice
The conceptual framework of reputation risk management can help a risk professional quickly analyze gaps in enterprise-level controls, conceptualize an ideal state and implement a roadmap to reduce reputation risk. Better expectation management and operational controls are enabled by quantitative reputational controls, historic reviews of financials and related tools. These can help define the value at risk associated with reputational volatility and stakeholder expectations. Today, several consultancies have built practices to provide guidance and support in this critical area of reputation risk management.

Reputational events are tried in the court of public opinion, not the court of law. The traditional actuarial math of premium-frequency-severity works well in courts of law. This so-called calculus of liability—known in the courts as burden-probability-loss—has prevailed since it was articulated in Judge Learned Hand’s 1947 ruling in United States v. Carroll Towing.

But when directors and officers are being excoriated, that math may not work. The Ford Pinto’s flaming gas tank risk cost Ford little in that legal calculation, yet resulted in enormous costs in the court of public opinion.

In a rapidly evolving reputational crisis, directors and officers need personal exculpations and stakeholders need to understand why the company deserves to be given the benefit of the doubt. A reputation policy should comprise alternative strategies for meeting these key risk management objectives.

Author Nir Kossovsky will be among the panelists speaking at a session entitled, “Reputation: Your Company is Worried About It – Is It Part Of Your ERM Strategy?” at the RIMS 2014 Annual Conference & Exhibition in Denver.

Nir Kossovsky

More articles by »

About the Author

Nir Kossovsky, M.D., is CEO and director of Steel City Re.



  • Nir, I agree that an effective approach to reputation risk uses the language of "stakeholder expectations" and identification of "gaps" to be mended.
    With a focus on higher education, I have recently published a post on this topic, which may interest your readers:

  • Very interesting, Paula. Your list of actionables, "Send out messages that clarify or correct what people have perceived as “the promise”; Send out messages that clarify or correct what people have perceived as the delivered outcome; or Honestly acknowledge the gap is real; show how it will be redressed and repaired by actively involved college leaders," is reasonable. An advanced level of reputation risk management would involve instituting systems that 'listened' for both expectations and indications of looming adverse events. Thank you for sharing. N.

  • lorenzopreve

    I like to consider reputation as one of the places in the firm where we feel the effects of risk. Risk managers have historically considered risk effects on cash flows and firm value, however, there are also effects on reputation, ability to compete, etc. Therefore, there are several risk factors that can affect reputation. For example, BP's reputation was affected by an operational risk, whereas, several banks' reputation in recent years has been affected by compliance events and so on.

  • Indeed, Lorenzo. However it is important to note that not all operational failures result in adverse reputational events. In the setting of a superior reputation, stakeholder may forgive the company and its management — provided stakeholders are confident that the company superior reputation was earned through excellence in governance, controls and risk management and not fabricated through extensive PR.

  • Samuel Y Amebley

    I am wondering; the short article above, when it tis read well in between the lines, implies that reputation risk, though an intangible risk or an organizational (non-financial risk) has far reaching financial and non-financial ramifications. Would one therefore be right to some extent to say that the entire purpose of enterprise risk management is to manage the reputation of the firm? Suggestions are welcome.

  • Mike Jordan

    You can’t teach management of reputational risk. It’s like integrity … you either have it or you don’t.


Leave a reply