Reputational Risk

The Underwriter’s View of Reputation Risk

The transfer of reputational risks involves both preventative strategies and ways to mitigate the impact.
By: | October 15, 2014 • 6 min read

Thanks to the speed of the Internet and all things “viral,” scores of companies have found themselves at the center of a maelstrom of litigators, regulators and bloggers, often involving the public humiliation of the CEO and board of directors by activist investors.

Nir Kossovsky, CEO, Steel City Re

Such are the hallmarks of a 21st century reputation crisis. The long-term economic consequences and the personal sting are among the compelling reasons for managing reputation risk.

Stakeholders expect companies to behave a certain way. That includes responsible behaviors such as supply chain integrity; manufacturing or production quality; ethical standards; innovation and intellectual property management; environmental sensitivity; and security (both physical and cyber) management.

It specifically includes C-suite and board-level behaviors including governance, risk management and compliance (GRC) policies. From time to time, companies fail to meet stakeholder expectations.


It may be surprising that reputation crises don’t always follow operational failures. But the explanation for this is simple and a key predictor of success. Reputation risk is the threat of a change in stakeholder expectations.

Provided the company was both aware and diligently managing its risks, stakeholders will forgive (read, preserve the reputation value of) a company that has suffered an operational failure.

As Frederick the Great explained nearly 150 years ago before the Internet undermined the effectiveness of corporate marketing and communications, “It is pardonable to be defeated, but never to be surprised.”

Since the goal of reputation risk management is to reduce the risk of a change in stakeholder expectations, risk management starts with understanding the underlying causes.

A comprehensive GRC strategy that centers on reputation risk should enumerate both mitigable causes of risk and mitigable consequences should those risks become reality. Reputation risks can be divided into four risk archetypes:

1. Spatio/temporal (being in the wrong place at the wrong time);

2. Criminal behaviors;

3. Negligent behaviors (including ethics, innovation, quality, safety, sustainability and security); and

4. Black swan events.

Some of the sources of business operating losses arising from these four reputation risk archetypes are business interruption, unauthorized or underreported product sales, excessive GRC and operating costs, redundant production costs, restitution costs, litigation costs, and regulatory fines and penalties.

Video: Bloomberg TV reviews the “red flags” ignored by JPMorgan during London whale trading scandal.

Such results of failure to deal with risks lead to lost revenue and earnings, and reduced enterprise value.

When these consequences spill over and lead to reputational harm, the range of monetary losses rises to a strategic level and can result in potentially unlimited costs from damaged stakeholder relationships going forward.

Losses then also include reduced pricing power, increased human resource costs, increased supplier and vendor costs, increased credit costs, above average fines and penalties, and depressed earnings multiples.

When an adverse operational event blossoms into a full-blown reputation crisis, in addition to the often long-term nature of strategic financial consequences, the personal consequences for the company’s directors and officers can be significant.

So it’s no small wonder that reputation risk has become a top governance risk in board-level surveys in recent years and that reputation risk management has become one of today’s leading strategic corporate imperatives.

Some insurers offer products that effectively warranty the governance of the companies they insure — assuring stakeholders that the insured has the requisite risk controls to protect the company’s reputational value and to better weather any reputational storm.

Such products require companies to have GRC processes and technologies that provide reputation-protecting controls, which an underwriting team must see before it agrees to cover these risks.

Underwriters also seek to understand how controls are monitored, how discrepancies are managed and how the validity of monitoring is affirmed. They look for evidence of negative impacts to effective governance, controls and risk management.

Underwriting Touch Points

Underwriters use qualitative measures that focus on operational awareness at the board and senior executive levels, and use questions designed to understand how a company effects oversight and operational control over the critical business processes that underpin reputation.


The scope of qualitative analysis is generally limited to a defined range of business processes and a listing of critical stakeholders including customers, vendors, employees, creditors, equity investors, and regulators.

Examples of common issues that are underwriting red flags are information management and human resource management strategies that are likely to lead to unpleasant surprises, or governance policies that create ambiguities about the understanding of corporate values.

Underwriters also use indexed quantitative measures of reputational value and control. But even in cases where objective metrics might indicate that stakeholders are assuming responsible governance, underwriters might conclude that an organization was at risk for a rude surprise if:

• An organizational framework is not in place to manage and maintain a fluid information environment.

• Human resource management systems do not factor enterprise-level reputational consequences into the incentive systems.

• Board-level communications, including regulatory filings, do not present a uniform view of reputation risk and its management.

Video: Observant risk managers are aware of latent problems, such as the geopolitical risk that flared up between the Chinese and Vietnamese.

Reputation Management

The element of surprise is a common theme underpinning reputation risk. Because surprised stakeholders tend to punish companies that fail to meet their expectations, information management is a key strategy for providing better awareness for executive decision-makers, and also for better managing stakeholder expectations.

There are three information management systems underwriters like that provide business decision-makers with timely actionable intelligence.

These systems work by identifying risk patterns:

• From the federated information the companies house in their various data repositories;

• From the wealth of information found on the web; and

• From tacit information (read, gut feelings) held by key stakeholders.

All four risk archetypes have signatures that, when recognized, can lead to better risk mitigation or consequence management.

The art is in employing technologies and processes that can find these signatures and present actionable intelligence to executive decision-makers before “surprises” manifest.

Forewarned of latent and emerging risks, decision-makers are better equipped to protect a firm’s reputation by improving operations, mitigating operating risks, and responding more rapidly and effectively should threats materialize.

Spatio-temporal risks have obvious signatures. Flood plains have geographical and historical signatures. Weather patterns have emerging signatures.

Even emerging geopolitical risks have signatures — the burning of Chinese-owned factories in Vietnam, for example, was preceded by a long history of ethnic tension, a recent history of economic exploitation, and very near-term military disputes and government encouragement for the Vietnamese people to “express their feelings.”

Both negligent and criminal behavior (moral hazard) risks also have signatures. Consider the group at JPMorgan Chase taking outsized risks that eventually cost the bank $8 billion. The most prominent culprit in the group — the “London Whale” — was well known among his peers.

Criminal risks have signatures, which is a feature long appreciated by the global intelligence agencies. Black swans have signatures usually obvious only in hindsight.

These bits of information are like needles in a haystack, but can be found using algorithms that spot anomalies, discrepancies, and other departures from expectations.


However, before these technologies can help expose emerging risks in the publicly accessible data space, they need to be looking at the right haystacks. In that regard, big data engines that can merge multiple divergent stores of internal data can be very helpful.

Solutions that merge the two capabilities — targeting and spotting — comprise the family of technologies that can help reduce organizational surprises.

As for tacit information, there are systems that can provide insight into what employees and other internal stakeholders generally know but rarely share.

These systems perform the role for which hotlines were created, but they are far more effective, and in practice, embody “gamification” strategies for risk management.

All three technology capabilities can also help reduce insurance premiums.

Shareholder disappointment when a company fails to properly set expectations or fails to meet them can have significant personal consequences for the company’s directors and officers and can result in potentially unlimited costs of damaged stakeholder relationships going forward.

GRC processes and technologies can help to mitigate risk and to reduce the reputational consequences should the risk materialize.

Nir Kossovsky is the Chief Executive Officer of Steel City Re. He has been developing solutions for measuring, managing, monetizing, and transferring risks to intangible assets since 1997. He is also a published author, and can be reached at [email protected]

More from Risk & Insurance

4 Companies That Rocked It by Treating Injured Workers as Equals; Not Adversaries

The 2018 Teddy Award winners built their programs around people, not claims, and offer proof that a worker-centric approach is a smarter way to operate.
By: | October 30, 2018 • 3 min read

Across the workers’ compensation industry, the concept of a worker advocacy model has been around for a while, but has only seen notable adoption in recent years.

Even among those not adopting a formal advocacy approach, mindsets are shifting. Formerly claims-centric programs are becoming worker-centric and it’s a win all around: better outcomes; greater productivity; safer, healthier employees and a stronger bottom line.


That’s what you’ll see in this month’s issue of Risk & Insurance® when you read the profiles of the four recipients of the 2018 Theodore Roosevelt Workers’ Compensation and Disability Management Award, sponsored by PMA Companies. These four programs put workers front and center in everything they do.

“We were focused on building up a program with an eye on our partner experience. Cost was at the bottom of the list. Doing a better job by our partners was at the top,” said Steve Legg, director of risk management for Starbucks.

Starbucks put claims reporting in the hands of its partners, an exemplary act of trust. The coffee company also put itself in workers’ shoes to identify and remove points of friction.

That led to a call center run by Starbucks’ TPA and a dedicated telephonic case management team so that partners can speak to a live person without the frustration of ‘phone tag’ and unanswered questions.

Starbucks also implemented direct deposit for lost-time pay, eliminating stressful wait times for injured partners, and allowing them to focus on healing.

For Starbucks, as for all of the 2018 Teddy Award winners, the approach is netting measurable results. With higher partner satisfaction, it has seen a 50 percent decrease in litigation.

Teddy winner Main Line Health (MLH) adopted worker advocacy in a way that goes far beyond claims.

Employees who identify and report safety hazards can take credit for their actions by sending out a formal “Employee Safety Message” to nearly 11,000 mailboxes across the organization.

“The recognition is pretty cool,” said Steve Besack, system director, claims management and workers’ compensation for the health system.

MLH also takes a non-adversarial approach to workers with repeat injuries, seeing them as a resource for identifying areas of improvement.

“When you look at ‘repeat offenders’ in an unconventional way, they’re a great asset to the program, not a liability,” said Mike Miller, manager, workers’ compensation and employee safety for MLH.

Teddy winner Monmouth County, N.J. utilizes high-tech motion capture technology to reduce the chance of placing new hires in jobs that are likely to hurt them.

Monmouth County also adopted numerous wellness initiatives that help workers manage their weight and improve their wellbeing overall.

“You should see the looks on their faces when their cholesterol is down, they’ve lost weight and their blood sugar is better. We’ve had people lose 30 and 40 pounds,” said William McGuane, the county’s manager of benefits and workers’ compensation.


Do these sound like minor program elements? The math says otherwise: Claims severity has plunged from $5.5 million in 2009 to $1.3 million in 2017.

At the University of Pennsylvania, putting workers first means getting out from behind the desk and finding out what each one of them is tasked with, day in, day out — and looking for ways to make each of those tasks safer.

Regular observations across the sprawling campus have resulted in a phenomenal number of process and equipment changes that seem simple on their own, but in combination have created a substantially safer, healthier campus and improved employee morale.

UPenn’s workers’ comp costs, in the seven-digit figures in 2009, have been virtually cut in half.

Risk & Insurance® is proud to honor the work of these four organizations. We hope their stories inspire other organizations to be true partners with the employees they depend on.

Michelle Kerr is associate editor of Risk & Insurance. She can be reached at [email protected]