4 Informative Case Studies to Help Guide Reputational Risk Management
Societal phenomena such as #MeToo, #opioidcrisis, #boycottNRA and #deleteFacebook are exposing inadequacies in risk and governance frameworks, and astute managers recognize the need to seek remedies.
What’s needed are systems and processes helping risk managers prepare to adapt and respond to culturally-linked perils that are outside the usual framework of 1st party, 3rd party and compliance risks. Notwithstanding the implications for mission creep, development of those systems to protect corporate reputation is something enterprise risk managers should embrace.
Confidence in a company’s ability to pursue its strategy is what motivates investors to risk capital, lenders to advance capital and employees to engage. Customers expect to be delighted by product and service experiences.
These stakeholders, implicitly or through covenants, expect risks to their expectations will be managed. In addition, in certain commercial sectors, regulators demand risk management with failures manifesting in fines, criminal charges and loss of business rights. It is therefore obvious that the economic benefits of meeting stakeholders’ expectations is the value of a firm’s reputation; the Economist newspaper crowned risk to that value as the “risk of risks” more than a decade ago.
Most risk management frameworks lump reputation among a firm’s valuable assets. Reputation risk, it would seem, should be managed like other 1st party risks. Actuarial models developed by risk bearers help risk managers allocate resources to mitigate 1st party economic losses. However, until my firm developed actuarial models for reputation risk using synthetic measures of reputation value, the insurance world offered little guidance.
What follows are four case studies on how company’s tried and failed or succeeded in managing this risk.
Example 1: Facebook.
Facebook’s 2017 10K explicitly notes the value of reputation and the potential cost of its loss 14 times. In the spring of 2018, the audit committee was overseeing reputational matters but had no quantitative measure of reputation’s importance and no risk managers working from a framework that linked reputation risk to cash flows or other economic metrics. As a result, few at Facebook seemed to anticipate that the loss of trust precipitated by the Cambridge Analytica disclosures would erase 20 percent of the firm’s market cap when its impact on user growth and engagement became known to investors.
Facebook created the expectation of trust and failed to meet it. Reputation risk is the peril of stakeholders’ disappointment and anger when there is a gap between stakeholder expectations and reality. Noxious media typically amplifies that gap, which it certainly did in Facebook’s case.
Liability risk models, such as the burden-probability-loss formula that was articulated in Judge Learned Hand’s 1947 ruling are failing in the face of cultural issues. Among the most memorably is the case of the exploding Ford Pintos.
Example 2: NiSource
A current example of cultural issues shaping a liability exposure involves NiSource, one of the nation’s largest natural gas distribution companies serving approximately 3.9 million customers in seven states.
Well aware of its reputation risk, which is disclosed in six mentions in the 2017 10K, it also acknowledges that angry disappointed stakeholders lead to “loss of cost recovery and increased litigation.” The board’s nominating and governance committee is charged with “reviewing and evaluating risks to the Company’s reputation and the steps management has taken to monitor and control such risks.”
After a series of gas explosions in the Boston area, and facing a complaint from the Governor of Massachusetts, the company undoubtedly faces costly liabilities and has already experienced a loss in market cap. However, they could in theory be much worse. In my firm’s experience, reputational value losses can exacerbate 3rd-party related liability losses by factors ranging from 2 to 7 times. What is helping to mitigate the reputational damage is that NiSource appears to have a genuine interest in the welfare of both its customers and employees, and such culturally-sensitive goodwill manifests in times like these where competing forces are battling for the mind of the stakeholder.
Reputation risk is the peril of stakeholders’ disappointment and anger when there is a gap between stakeholder expectations and reality. Noxious media typically amplifies that gap, which it certainly did in Facebook’s case.
Financial stakeholders may have been somewhat impressed with the company’s apparent sensitivity to reputation risk. Had they been more impressed, the company may have mitigated the loss in equity value which will trigger the inevitable pile on of litigators. How? Through the conventional practices of risk financing and transfer.
On a pro-forma basis, our firm modeled NiSource’s potential equity loss in a material crisis to be $764 million. Based on its inferred reputation risk management efforts, existing P/E ratios and other actuarial factors, a source of contingent capital from the pooled resources of an insurance captive and insurance markets of about $40 million would have materially dampened the stock market’s negative reaction.
Example 3: Weinstein and Company
Two other recent cases also illustrate weaknesses in the third pillar of a risk management framework: compliance-centricity.
In the matter of Weinstein and Company, the board was too close to the alleged perpetrator to be able to distance itself from the ethical breach. Stakeholders expect that, even with a strong CEO, a company’s board will be able to exercise appropriate oversight. As a result, found culpable in the court of public opinion, the firm was not salvageable.
Example 4: Wynn Resorts
On the other hand, at Wynn Resorts, the board successfully jettisoned the alleged perpetrator, Steve Wynn, protected itself from the opprobrium of gaming regulators and recovered all of its lost
equity value in under 20 weeks. The American Law Institute, in its upcoming publication Principles of the Law, Compliance, Enforcement, and Risk Management for Corporations, Nonprofits, and Other Organizations, is expected to address the timing discrepancy between courts of law and public opinion.
When it comes to mitigating enterprise-wide threats, reputation risk appears to be challenging existing risk management frameworks.
Risk managers must understand that the work involves mitigating not only negative media coverage but also anger and disappointment of stakeholders whose expectations have not been met.
In this mix, reputation insurances provide indemnifications that affirm trust and reduce economic losses. &