How can reputation be integrated within an enterprise risk management (ERM) framework? Unfortunately this is not possible, because reputation is both a behavioural and consequential risk, so you never know what might cause it until it is too late. Reputation is not easy to value or protect, and many insurers will not underwrite reputation risk.
It is however possible to reduce reputation risk at least partially. But first we need to recognise seven facets of reputation:
- Reputation cannot be controlled: it exists in the minds of others so it can only be influenced, not managed proactively.
- Reputation is earned: trust is based on consistent corporate behaviour and performance.
- Reputation is not a single entity: it depends on the stakeholder’s view. One organisation can have many different reputations, varying with each stakeholder.
- Reputation quality will vary: each stakeholder brings a different expectation of behaviour or performance and so will have a distinct perception of reputation.
- Reputation is relational: you have a reputation with someone for something. The key question is therefore: ‘with whom, for what?’
- Reputation is comparative: it is valued in comparison to what a particular stakeholder experiences or believes in relation to peers, performance and prejudice.
- Reputation is fragile: it can take a lifetime to build and seconds to lose. The true value of reputation can only be appreciated once it is lost or damaged.
So how can reputation risk be managed? The first step is to understand the scope of possible damage, as well as potential sources and the degree of possible disruption:
- In the private sector the impact of reputation risk is usually investor flight and share value decline, and these can spiral out of control if confidence cannot be restored.
- In the public sector the risk is typically withdrawal of government support to reflect declining confidence.
- In the professional sector where partnerships thrive, client confidence is vital for business sustainability. Each industry can point to scenarios where reputation damage impact can be anything from mild to catastrophic.
Managing reputation risk requires three steps:
- Predict: All risk is future uncertainty, and we need an appropriate risk forecasting system to identify reputation risk. This will be client-specific, but the information must feed directly into the strategic planning process if reputation risk is to be taken seriously.
- Prepare: Reputation risk is a collective responsibility and not just for the board. All management and operational staff must recognise it and take responsibility for addressing it.
- Protect: A vulnerability review will reveal where reputation risk is greatest, and guide actions to prevent possible damage. In most cases a protection plan only needs to address the most sensitive or critical aspects of reputation, so these must be assessed objectively.
So although reputation risk cannot be easily integrated into an ERM framework, there is much we can do to be aware of its existence and minimise its potential impact.
© Copyright June 2014, Garry Honey/The Risk Doctor Partnership