Jonathan T. Marks CPA, CFF, CFE and NACD Board Fellow

Reputation Risk Management Doesn’t Have a Start or End Date!

Background

How can we protect our brand? What are we doing to protect our brand? These are questions all board members should be constantly asking. Reputational risks can damage the most well-crafted business strategies and are a growing challenge that companies around the world are still learning how to manage.

By definition, reputational risk refers to the potential for negative publicity, public perception, or uncontrollable events to adversely impact a company’s reputation, thereby affecting its revenue.

Board directors covet their company’s reputation because it’s their most valuable asset. A study by Deloitte and Forbes affirmed this conviction, which should not surprise anyone. Senior-level executives also agreed that their company’s reputation presented the greatest risk to the company’s ability to achieve business strategies.

Survey

The Red Flag Group recently conducted a survey, which asked business decision makers 20 questions to determine the importance of protecting reputation.  Highlights of the survey questions include:

I have highlighted some of the results below.  I encourage you to read the entire survey.

Highlights of Survey

According to the survey, the majority believe that legal and reputational risks are of approximately the same importance.

When looking at the survey results, the most commonly flagged and biggest reputational risks were identified as follows:

What’s also interesting is that the survey revealed that a current employee’s actions cause the most harm to reputation. In other words, the threat is from within.

As previously mentioned, current employees present the highest risk to the company’s reputation.

However, it is interesting that third parties such as distributors, suppliers and former employees are ranked so low given recent headlines about data breaches caused by suppliers handling data of large, international companies. Similarly, if we look at the top five risks previously identified as potentially impacting the company’s reputation, we find that these are some areas that typically involve the use of third parties to perpetrate the misconduct:

  1. Data security breaches
  2. Corruption (FCPA/UKBA)
  3. Fraud
  4. Antitrust and competition
  5. Business continuity

While companies are typically faced with the actions of their own employees for these risk areas, many of the risks above involve a high degree of interaction with outside third parties such as distributors, service providers and vendors. In this sense, the identified problematic groups, perceived top risks and recent examples of reputational risk failures aren’t in congruence. Although it can be more practical to control the existing workforce at a company, there needs to be a focus on external parties who also pose a risk to the company’s reputation.

Mitigation

The strategy of mitigating risks often falls on the shoulders of the department(s) or individuals who own the risks.  Based upon the survey responses, the legal and compliance functions are often identified as owning or providing oversight for some of these risks. This is a slippery slope, because the business or management should own the risks – not legal or compliance!

We have been battling this same issue with internal audit over the years, so let’s set the record straight.

Internal Audit’s (3rd Line of Defense) objective is essentially to provide independent assurance that risk management, governance and internal control processes are operating effectively.

The Compliance function (2nd Line of Defense) is there to reasonably ensure that the company is complying with all applicable laws, rules and regulations, as well as internal codes of conduct, policies and procedures. Their objective is predominantly operational.

It is management’s job to identify the risks facing the organization and to understand how they will impact the delivery of objectives if they are not managed effectively.  Moreover, management is responsible for establishing and maintaining internal control to achieve the objectives of effective and efficient operations, reliable financial reporting, and compliance with applicable laws and regulations.

Data Analytics Can Help Boards Understand

Many boards fear that the lack of control over reputational risk makes it impractical or improbable to manage these risks. Managing reputational risk requires managing internal and external stakeholders such as customers, employees, and vendors; however, mitigating reputational risk is a challenging and worthwhile endeavor, as it creates and preserves value for any organization. Boards must acquire and utilize the right set of tools to measure, monitor and analyze reputational risk. The use of data analytics, if done properly, is a powerful tool that can help identify and quantify market and media response and in some instances unveil new risks that have been hidden or lurking in plain sight. For example, an uptick in negative social media posts could signify the emergence of a risk such as a possible product recall, negative customer experience, or other risk that could negatively impact the company’s reputation or possibly the reputation of a competitor, which could lead to new opportunities.

Some Keys to Managing Reputation Risk

  1. Include reputation risk as part of the overall risk management strategy
  2. Ensure your enterprise risk assessment proactively identifies, prioritizes and manages key risks – don’t boil the ocean
  3. Ensure policies, procedures, and controls are in place and operating effectively
  4. Train employees and external parties appropriately
  5. Understand your stakeholders’ expectations
  6. Communicate prioritized risks and risk management strategies effectively
  7. Have a crisis management plan in place and conduct regular simulations or “red ball drills” to properly prepare for the occurrence of a risk event.

Closing

Reputation risk is real, which means companies should continue to improve their capabilities for managing this risk.  Leading organizations already treat reputation risk as a strategic risk, which is an accelerating trend and a tactic that leads to the creation and preservation of value.

An effective approach to managing reputation risk requires a sustained effort — before, during, and after a crisis. Reputation risk management does not have a start or end date!

Baker Tilly provides services to help manage reputational risk.  Our data analytics capabilities, cultural surveys, and crisis management advisory services provide the tools and strategies to help organizations manage this risk.

I welcome your thoughts and comments, but know that Baker Tilly can help!

Best!

Jonathan T. Marks, CPA, CFE