US – Governance Risk-and-Compliance | Deloitte US has been added to your bookmarks.
A manufacturer’s sales representatives are accused of bribing foreign officials to gain business. A credit card breach at a retailer threatens consumers’ personal data. A corporate headquarters relocation is characterized in the media as a tax avoidance move. Each of these risk scenarios poses a reputation risk for the company involved. And in each case, the reputation risk is a byproduct of another business risk—ethics, security, tax. Understanding the interconnectivity of reputation risk is essential to staying ahead of this critical issue.
Henry Ristuccia, global leader, Governance, Risk and Compliance Services, Deloitte Touche Tohmatsu Limited (DTTL), discusses the growing threat of reputation risk and the steps leading companies are taking to address it.
Q. Why is reputation risk a top strategic concern?
A. Reputation risk is evolving. It’s a strategic concern because it is connected to and magnified by other business risks. According to a recent DTTL survey, Reputation@Risk, the most prevalent drivers of reputation risk are risks related to ethics and integrity, physical and cyber security, and products and services. Third-party relationship risk is also rapidly emerging, as companies are increasingly being held accountable for the actions of vendors, brokers, and similar associates. So as those risks proliferate, reputation risk heightens as well.
Reputation risk keeps business leaders up at night because it’s a meta risk. It can originate and spread from inside and outside the organization, at an alarming speed. The executives interviewed in the global survey expressed the inherent challenges in this situation. For example, perceptions can vary from geography to geography, so an issue or event may not pose a threat in one locale, but may trigger a worldwide media frenzy in another with very real consequence to reputation.
Adding to the concern is that some of these risks are beyond the company’s direct control. Respondents to the survey were less confident about managing risks from third-party/extended enterprise issues, competitive attacks, and hazards or other catastrophes than about managing risks they can control internally, such as those related to regulatory compliance or employee misconduct.
Q. How is this concern over reputation risk being reflected in organizations?
A. Certainly the potential for damage from a negative reputation event is real and can take many forms, from loss of brand confidence to impact on revenue/earnings to closer scrutiny from regulators. But there is also opportunity to benefit from how a reputation event is handled, both to mitigate its immediate effect and to gain long-term insight to better respond to—or better yet, prevent—future events. For the survey participants, crisis management is a key area for investment.
True crises—catastrophic mega events or a series of escalating events that threaten an organization’s strategic objectives, reputation, or viability—are an ever-present danger. They test a company’s values, leadership, and character at a time when there is no room for error. Crisis management involves identifying and preparing for these risks so companies can hit the ground running, using tools and techniques such as crisis simulations, monitoring, risk sensing, and rapid response and communications teams.
Developing processes and investing in tools to monitor the landscape is also a way companies can get ahead of reputation risk. Another area of opportunity is scenario planning—more than one-third of the surveyed companies don’t do “what if” scenarios, which can be extremely helpful in addressing risk strategically.
Q. What are some other ways companies are managing reputation risk?
A. Companies at the leading edge of managing reputational risk are finding ways to link strategy and innovation with their risk management programs and identify where the next disruption could arise. They’re using data analytics to gather and help interpret market intelligence to identify threats to their reputation. And they’re readying their leaders and the organization to respond and recover in the event of a crisis.
Monitoring and managing stakeholder expectations is an ongoing effort. Reputation risk occurs when performance does not match expectations, so you have to understand what stakeholders (customers, regulators, shareholders, employees) expect—and realize that those expectations tend to evolve over time. Companies are using external analysts and data sources to supplement their internal observations from, say, marketing and HR.
Unraveling reputation risk
Marc Duchevet and Hervé Phaure, partners with Deloitte France, focus on how organizations can analyze the risk exposure and vulnerability of key stakeholder groups to better understand the potential impact of a reputation event.
A lingering challenge that many organizations face is that they approach reputation risk reactively. You don’t want to wait for a reputation risk to occur and then scramble to respond. Leading companies address reputation risk as an ongoing strategic issue, recognizing that managing reputation risk requires constant vigilance. Ultimately, how a company manages the expectations and performance related to its reputation determines whether value is created or destroyed.
As a first step, it is critical to define the homogeneity of the organization’s business units regarding reputational risk. This analysis considers the structure of each group, existing brands, types of product, and geography in order to determine whether reputation risk is confined to a particular business unit independently or is a potential contagion that could affect the business.
Then, the process of understanding potential losses begins by analyzing the risk exposure and vulnerability of key stakeholder groups, for instance—direct and indirect customers; public authorities and regulators; senior executives; employees; shareholders/investors; and media/analysts. The aim is to determine each stakeholder group’s capacity and willingness to act on reputation issues in a way that negatively impacts the company or threatens its business model.
For example, if a negative event occurs around a particular product, what is the risk that customers could boycott the product and turn to a competitor’s product instead (i.e., do customers have the capacity to act on a negative issue)? And second, how likely are they to take that action (i.e., are they sensitive enough to reputation issues to be willing to boycott or switch)? If the product has no real competitors or is seen as a necessity by customers, customers may have neither the capacity nor willingness to take action, in which case an image problem does not pose significant reputational risk.
Understanding the sensitivities of key stakeholders also helps guide crisis management. One of the questions that arises when dealing with a reputation-related issue is what kind of communication to deploy, in what media, with what objective, and with what frequency. If you know that a certain stakeholder is not that sensitive to the negative event, or that there is no potential contagion from one stakeholder to another or one product to another, you can conclude that there is no real value in spending a lot of money communicating to these people when a reputational issue occurs.
Reputation risk and other types of strategic risk that might significantly affect an organization’s business model are often addressed in agency rating analyses under the scope of “business risks.” Knowledge of credit methodologies as well as operational risk can be a key to developing an effective modeling approach.