Reputational Risk

The Underwriter’s View of Reputation Risk

The transfer of reputational risks involves both preventative strategies as well as finding ways to mitigate the impact.
By: | October 15, 2014

Thanks to the speed of the Internet and all things “viral,” scores of companies have found themselves at the center of a maelstrom of litigators, regulators and bloggers, often involving the public humiliation of the CEO and board of directors by activist investors.

Nir Kossovsky, CEO, Steel City Re

Nir Kossovsky, CEO, Steel City Re

Such are the hallmarks of a 21st century reputation crisis. The long-term economic consequences and the personal sting are among the compelling reasons for managing reputation risk.

Stakeholders expect companies to behave a certain way. That includes responsible behaviors such as supply chain integrity; manufacturing or production quality; ethical standards; innovation and intellectual property management; environmental sensitivity; and security (both physical and cyber) management.

It specifically includes C-suite and board-level behaviors including governance, risk management and compliance (GRC) policies. From time to time, companies fail to meet stakeholder expectations.

It may be surprising that reputation crises don’t always follow operational failures. But the explanation for this is simple and a key predictor of success. Reputation risk is the threat of a change in stakeholder expectations.

Provided the company was both aware and diligently managing its risks, stakeholders will forgive (read, preserve the reputation value of) a company that has suffered an operational failure.

As Frederick the Great explained nearly 150 years ago before the Internet undermined the effectiveness of corporate marketing and communications, “It is pardonable to be defeated, but never to be surprised.”

Since the goal of reputation risk management is to reduce the risk of a change in stakeholder expectations, risk management starts with understanding the underlying causes.

A comprehensive GRC strategy that centers on reputation risk should enumerate both mitigable causes of risk and mitigable consequences should those risks become reality. Reputation risks can be divided into four risk archetypes:

1. Spatio/temporal (being in the wrong place at the wrong time);

2. Criminal behaviors;

3. Negligent behaviors (including ethics, innovation, quality, safety, sustainability and security); and

4. Black swan events.

Some of the sources of business operating losses arising from these four reputation risk archetypes are business interruption, unauthorized or underreported product sales, excessive GRC and operating costs, redundant production costs, restitution costs, litigation costs, and regulatory fines and penalties.

Video: Bloomberg TV reviews the “red flags” ignored by JPMorgan during London whale trading scandal.

Such results of failure to deal with risks lead to lost revenue and earnings, and reduced enterprise value.

When these consequences spill over and lead to reputational harm, the range of monetary losses rises to a strategic level and can result in potentially unlimited costs from damaged stakeholder relationships going forward.

Losses then also include reduced pricing power, increased human resource costs, increased supplier and vendor costs, increased credit costs, above average fines and penalties, and depressed earnings multiples.

When an adverse operational event blossoms into a full-blown reputation crisis, in addition to the often long-term nature of strategic financial consequences, the personal consequences for the company’s directors and officers can be significant.

So it’s no small wonder that reputation risk has become a top governance risk in board-level surveys in recent years and that reputation risk management has become one of today’s leading strategic corporate imperatives.

Some insurers offer products that effectively warranty the governance of the companies they insure — assuring stakeholders that the insured has the requisite risk controls to protect the company’s reputational value and to better weather any reputational storm.

Such products require companies to have GRC processes and technologies that provide reputation-protecting controls, which an underwriting team must see before it agrees to cover these risks.

Underwriters also seek to understand how controls are monitored, how discrepancies are managed and how the validity of monitoring is affirmed. They look for evidence of negative impacts to effective governance, controls and risk management.

Underwriting Touch Points

Underwriters use qualitative measures that focus on operational awareness at the board and senior executive levels, and use questions designed to understand how a company effects oversight and operational control over the critical business processes that underpin reputation.

The scope of qualitative analysis is generally limited to a defined range of business processes and a listing of critical stakeholders including customers, vendors, employees, creditors, equity investors, and regulators.

Underwriters also seek to understand how controls are monitored, how discrepancies are managed and how the validity of monitoring is affirmed. They look for evidence of negative impacts to effective governance, controls and risk management.

Examples of common issues that are underwriting red flags are information management and human resource management strategies that are likely to lead to unpleasant surprises, or governance policies that create ambiguities about the understanding of corporate values.

Underwriters also use indexed quantitative measures of reputational value and control. But even in cases where objective metrics might indicate that stakeholders are assuming responsible governance, underwriters might conclude that an organization was at risk for a rude surprise if:

• An organizational framework is not in place to manage and maintain a fluid information environment.

• Human resource management systems do not factor enterprise-level reputational consequences into the incentive systems.

• Board-level communications, including regulatory filings, do not present a uniform view of reputation risk and its management.

Video: Observant risk managers are aware of latent problems, such as the geopolitical risk that flared up between the Chinese and Vietnamese.

Reputation Management

The element of surprise is a common theme underpinning reputation risk. Because surprised stakeholders tend to punish companies that fail to meet their expectations, information management is a key strategy for providing better awareness for executive decision-makers, and also for better managing stakeholder expectations.

There are three information management systems underwriters like that provide business decision-makers with timely actionable intelligence.

These systems work by identifying risk patterns:

• From the federated information the companies house in their various data repositories;

• From the wealth of information found on the web; and

• From tacit information (read, gut feelings) held by key stakeholders.

All four risk archetypes have signatures that, when recognized, can lead to better risk mitigation or consequence management.

The art is in employing technologies and processes that can find these signatures and present actionable intelligence to executive decision-makers before “surprises” manifest.

Forewarned of latent and emerging risks, decision-makers are better equipped to protect a firm’s reputation by improving operations, mitigating operating risks, and responding more rapidly and effectively should threats materialize.

Spatio-temporal risks have obvious signatures. Flood plains have geographical and historical signatures. Weather patterns have emerging signatures.

Even emerging geopolitical risks have signatures — the burning of Chinese-owned factories in Vietnam, for example, was preceded by a long history of ethnic tension, a recent history of economic exploitation, and very near-term military disputes and government encouragement for the Vietnamese people to “express their feelings.”

Both negligent and criminal behavior (moral hazard) risks also have signatures. Consider the group at JPMorgan Chase taking outsized risks that eventually cost the bank $8 billion. The most prominent culprit in the group — the “London Whale” — was well known among his peers.

Criminal risks have signatures, which is a feature long appreciated by the global intelligence agencies. Black swans have signatures usually obvious only in hindsight.

These bits of information are like needles in a haystack, but can be found using algorithms that spot anomalies, discrepancies, and other departures from expectations.

However, before these technologies can help expose emerging risks in the publicly accessible data space, they need to be looking at the right haystacks. In that regard, big data engines that can merge multiple divergent stores of internal data can be very helpful.

Solutions that merge the two capabilities — targeting and spotting — comprise the family of technologies that can help reduce organizational surprises.

As for tacit information, there are systems that can provide insight into what employees and other internal stakeholders generally know but rarely share.

These systems perform the role for which hotlines were created, but they are far more effective, and in practice, embody “gamification” strategies for risk management.

All three technology capabilities can also help reduce insurance premiums.

Shareholder disappointment when a company fails to properly set expectations or fails to meet them can have significant personal consequences for the company’s directors and officers and can result in potentially unlimited costs of damaged stakeholder relationships going forward.

GRC processes and technologies can help to mitigate risk and to reduce the reputational consequences should the risk materialize.

Nir Kossovsky is CEO of Steel City Re, which mitigates the hazards of reputation risk with parametric reputation insurances, ESG insurances, and risk management advisory services.