Framing Reputation for Risk Managers
Home Depot. Target. General Motors. The Veterans Administration. The entire U.S. government. News headlines today come peppered with organizations and what they have done wrong. Cyber security breaches. Product recalls. Corruption and scandal.
Reputations and brands — and in the case of public companies, market caps — may be wrecked in a wave of tweets.
In this context, the risk management community has turned its attention to reputational risk like never before.
Indeed, for the first time in its 11-year history, the RIMS/Marsh Excellence in Risk Management Survey this year revealed that both risk professionals and other executives put reputational risk in their top-10 exposures list.
So now that reputational risk is on their radar, what should risk managers do about it?
The Risk and Insurance Management Society (RIMS) offered an answer in an executive report titled “Managing Reputational Risk to Drive Strategic Performance.” The report’s ultimate point is that a traditional risk management approach may not be sufficient by itself to tackle such exposures; instead, the report advocated the use of a strategic risk management framework.
It viewed the complicated exposure through the lens of five questions:
• What is the organization’s risk appetite and tolerance?
• What is the time plan?
• What would cause an exposure leading to negative (or positive) impact?
• What can be done to proactively control it?
• What might be the impact to the organization’s overall risk portfolio and strategy?
Perhaps the word to focus on in those five questions is “positive.”
The key benefit of using a strategic risk framework is that it can allow organizations to leverage their reputation to both protect and create value, said report author Andrew Bent, a senior risk adviser with Suncor Energy Inc. and a member of RIMS Strategic Risk Management Development Council.
Take the example of a company whose competitor suffers a product recall. That recall could tarnish the entire industry, unless companies use the opportunity to proclaim and demonstrate their better controls and strengthen their reputations as trustworthy members of that industry.
For risk managers in particular, the strategic risk management approach has two selling points.
One is that it doesn’t involve a drastic change in what they are already doing. For sophisticated, larger organizations with an enterprise risk management program, strategic management of reputational risk can be viewed as an extension of that, Bent said.
For organizations that may not have yet implemented ERM, the use of a strategic risk management framework allows them to lean on the key relationships that probably already exist throughout their organization.
That brings us to selling point two: Risk managers can place themselves in the center of reputational risk efforts.
“As risk managers, we often use a framework for managing our risks … but we also need to take into account a range of other topics such as governance, regulation, public and investor relations as we’re managing the risk,” Bent said.
“As risk managers, we may not have the expertise or insight to fully understand these risks … so we need to make sure that we bring the right people to the table for those conversations.”
The trend is already manifesting itself in Fortune 1,000 organizations in the form of uber risk management leaders called chief risk and compliance officers (CRCOs).
CRCOs have an eye on virtually everything that a company does and can be tightly aligned with operations, said Tracy Knippenburg Gillis, global leader of Marsh Risk Consulting’s Reputational Risk & Crisis Management Group.
In other words, they have their focus on the day-to-day goings-on at a company — and the controls, policies and processes that ensure they go off well — that ultimately drive reputational “safety,” so to speak.
Such tools “can position you to be resilient in the face of things in your control or out of your control,” Gillis said. “It’s that way of mitigating or avoiding reputation threat in the first place by doing the right thing.”
What’s more, she said, CRCOs are responsible for corporate preparedness functions like business continuity, crisis management, and cyber and product recall.
That’s a lot of responsibility for one person, and internal governance and oversight are only as good as the people conducting them.
The greatest cause of reputation risk, said Robert F. Hurley, professor and director of the Consortium for Trustworthy Organizations at Fordham University, is the “drift” of individuals, then whole organizations, toward the darker side of human nature, the subversion of everyday rules and practices.
“The real reputational risks are cases of deviance that have been rationalized and normalized,” he said. “Seeing these and taking action requires leaders who can step out onto the balcony and see and feel what others do not see because they are trapped in their thinking.”