
Getting Ahead of the Curve: ERM’s Reputational Risk Rethink

By Justin Jones | September 27, 2023

The case for ERM practitioners to view reputational risk less as an impact of other risks and more as a risk itself.

The power of social media to damage corporate reputations in the blink of an eye is just one factor leading a growing number of enterprise risk managers to take a more proactive stance toward heading off reputational risks rather than reacting to them after the fact. This marks a shift in perspective by some ERM practitioners who have traditionally viewed reputational risk more as an impact of other threats instead of a bona fide risk itself.

  • That emerged as a key takeaway at a recent monthly session of NeuGroup for Enterprise Risk Management where several members shared how they collaborate across departments including communications in order to be prepared should their companies’ reputations come into question.
  • One member at the forefront of this trend noted that “from a social media perspective, companies are being held to account for things that they say now. Activist investors and activist groups are more sophisticated at picking apart statements and promises and holding us to account.”
  • The climate of heightened scrutiny and instant critique underscores the relevance of the oft-repeated phrase quoted by one member at the session: “Reputation takes a lifetime to build and a minute to destroy.”

From impact to risk. The traditional view of reputational risk framed it as a byproduct of other operational risks, such as human rights violations by vendors in the global supply chain (a major area of risk for multinationals with thousands of suppliers). John Sidwell, a member of the ERM group and co-author of “Enhanced Enterprise Risk Management,” explains: “Reputational risks historically relate to being associated in ERM as an impact of other risk topics and generally part of the assessment in rating the risk topics in the risk profile.”

  • The pivot to viewing reputational risks as “individual risk profile topics,” he says, also reflects the effects of geopolitical events, media reporting and new regulations governing public company disclosures related to cybersecurity and ESG. Those realities are prompting some senior executives to view reputational risk through a sharper financial lens.
  • “We were one of the two-thirds of organizations two years ago who viewed it as an impact call rather than a risk,” one member said. “Then we had an executive comms session where we had certain leaders in the organization who felt there was a direct carrying cost to capital and propensity to win business based on poor decision-making around ethics and compliance.
  • “So, it wasn’t just an impact, but a preceding risk. We changed tack and flipped to the other side of the fence, and we manage it as a risk in itself. It typically polls as a top-15 risk.”
  • That said, it’s important to set boundaries and not position ERM to track every reputational risk, such as customer complaints. “We set some limits around materiality,” the member said. “They are expressed as long-term revenue impact, free cash flow impact and share price impact.”

Ahead of the curve. The proactive perspective taken by members who are ahead of the curve requires tactics and cross-functional collaboration to prepare and plan. “Every company needs to have robust programs in place to proactively identify, treat and respond to reputational threats,” Mr. Sidwell observed. “These would be embedded in the company’s ERM program.”

  • He added, “This overall risk governance would include mitigation strategies including crisis management plans, communication protocols, and contingency measures, risk awareness of employees and their role in safeguarding the reputation of the organization.”
  • Of critical importance is aligning with the corporate communications team on reputational issues. Several members said they game out possible risks and have “drawer statements” ready should a negative story break.
  • “Our ERM team talks to our head of communications quarterly and then many times on an interim basis,” one member said. “They have a playbook that they keep in close proximity that if something were to come up, then they have a plan as to how they are going to respond.”

Enlisting audit. Corporate risk managers must work in tandem not only with communications departments but also with internal auditors responsible for monitoring overall risk governance, according to Mr. Sidwell, who is chief audit executive at Infinera. “The internal audit function has the responsibility to ensure the company has effective risk management programs in place,” he said. “It can proactively help protect an organization’s reputation and build trust with stakeholders.”

  • He added, “To audit a company’s reputation protection effectiveness, auditors would really need to focus on those sources of events that could damage a company’s reputation and assess the robustness of the efforts in place to identify and manage reputational risks collectively as a singular program—not a fragmented approach or in a reactive manner.”

Author: Justin Jones