Risk management: Reputation is everything
Reputational risk is the number one risk concern among business executives globally, according to a study conducted by Forbes Insights on behalf of Deloitte Touche Tohmatsu Limited. That concern appears justifiable because reputation accounts for a significant portion of a company’s market value and affects its future viability. Incidents that damage reputation, whether they stem from security breaches, revelations of fraud or other cause, can result in greater financial loss than the original event. Yet because it is so difficult to measure, reputational risk is often neglected in an overall risk management strategy.
The lack of a consistent set of factors that determine reputational risk makes it challenging to measure. Traditional types of risk that may impact reputational risk include strategic, operational, financial and compliance. They can often be quantified, but their collective impact on reputation is difficult to anticipate. Reputation can also be damaged by additional risks that fall outside these areas, notably those that come from social media traffic.
In developing a strategy for managing reputational risk, companies therefore must use a multifaceted approach. The first line of defense is through a governance, risk and compliance (GRC) program, and the second is a broader plan of risk sensing that extends beyond the quantitative areas into a more complex environment of information and events.
Hard to quantify
“Reputational risk is more of an art than a science,” says Vidya Phalke, CTO of MetricStream. “Financial risks can be quantified much more easily. The same goes for supply chain—metrics can raise a red flag if there is a problem.”
Such signals can also be an early warning of reputational risk. “A GRC platform can cut across all the business units and give real-time visibility,” Phalke explains. “It can be the glue that holds together many diverse elements. If not addressed, those warnings can also become a reputational problem.”
MetricStream’s risk management system is built on its GRC platform. It contains a framework for documenting risks (including reputational risks), identifying issues and managing remediation. Remediation workflows, dashboard alerts and analytics are among the features provided by the risk management system. It can also ingest and aggregate information from social media and other relevant sources.
News travels fast these days, and bad news travels faster. Most companies are now attuned to the fact that a few disgruntled customers or employees can leverage their opinions into a movement. “Social media can spread information like wildfire,” Phalke says. Monitoring those developments is essential, and numerous software products are available for social media monitoring and sentiment analysis.
Other more subtle measures also exist to keep tabs on customer satisfaction or frustration. “Even basic measures, such as how many people abandon an e-commerce purchase process, can be an indication of a problem that will affect reputation,” says Phalke.
Identifying the source
Risk management is mostly about handling uncertainty, according to Steven Minsky, CEO of LogicManager. “If you want to prevent fires, look for flammable substances. Don’t count fire extinguishers,” Minsky says. Being aware of the root cause of adverse outcomes helps organizations anticipate and manage events that might affect reputation.
LogicManager provides an enterprise risk management (ERM) solution that enables companies to assess, monitor and report on risk across the enterprise. It contains prebuilt, industry-specific libraries of risks and a taxonomy that allows the organization of risk management resources, as well as the connections among them and to the strategic goals of the company.
One of its features is the ability to feed into a client’s knowledgebase information that could impact its reputation. “If a company has a supplier and negative information has emerged about it, or if the supplier has been acquired, alerts are sent to the relevant individuals, such as a process owner, to let them know a problem might be emerging,” Minsky explains.
Research conducted by Queens University, the Risk and Insurance Management Society (RIMS) and LogicManager indicates that 25 percent of a company’s market value resides in the effectiveness of its ERM program. “Mitigating the root cause of risks in advance with an ERM program to prevent reputational damage is the only viable way forward these days,” says Minsky. “PR can no longer hide behind issues and gloss over them. In cases where a company should have protected data, they should not blame anyone else for its loss.”
Concern about ethics and integrity is at the top of the scale as a factor that affects reputational risk, according to the Deloitte study. Questionable or fraudulent business practices were cited as a cause of many of the low rankings of many companies in a Harris Poll Reputation Quotient survey. That perception applied most strongly to companies in the financial sector.
“Training and communication around policies are essential functions for maintaining standards, which are directly connected to reputation,” says Jimmy Lin, VP of product management and corporate development at The Network. “We assist companies in building an awareness and understanding of corporate policies.” They are pushed out in a consumable format that explains them clearly.
The Network was founded more than 30 years ago by an ex-FBI agent who was consulting with local retailers to follow up on incidents of store theft. “He found there were employees ready to share information, but they were unwilling to speak out in front of their managers,” Lin says. By setting up a hotline, he was able to obtain the information needed to address the issues.