It follows that if a reputation has value, then anything that can reduce this value represents a risk. This is the basis on which reputation risk is generally perceived – something that can cause damage. Unfortunately this is indicative of how many people perceive risk as something to be avoided or controlled, certainly not something to encourage or invite. Entrepreneurs and investors may have a very different view. They seek out risk in order to make gains and create wealth.
Risk to reputation is generally understood to mean the uncertainty surrounding circumstances in which a good reputation may become ‘tarnished’ tainted or reduced in some way. Technically of course there is a converse risk of a bad reputation being improved which implies risk is an opportunity not a threat. This is rarely seen or recognised as reputation risk, being more likely a ‘stroke of luck’. So reputation risk is commonly seen as a risk of value reduction not value increment.
Is there a definition of reputation risk? Yes, reputation risk involves an organisation acting, behaving or performing in a way that falls short of stakeholder expectations. Risk sits in the gap between stakeholder expectation and company performance. Managing the risk is all about closing, or trying to minimise, this gap. This simple explanation is complicated by the fact that different stakeholder groups have different expectations depending on their perspective and concerns.
Stakeholder expectations are not a static commodity; they are fickle and subject to other influences including media exposure, market knowledge, and competitor claims. The only certainty is that expectations normally go up not down, it is rare for stakeholders to expect less of you year on year. This implies the need to anticipate where and how stakeholder expectations will shift and deliver against them: under-delivery is clearly a risk but over-delivery is an extravagant waste. Efficient management is about alignment of values to reduce risk (see Figure 2.1).
Risk to reputation is caused by a misalignment of values; the organisation failing in some way to meet stakeholder expectations head on, delivering either significantly above or below expectation. As reputation is a relational concept this failure can manifest itself in a number of different ways from mild disappointment to extreme outrage. The risk is value based (just as relationships are) not cost based and it cannot be expressed in this way.
Stakeholders have expectations and damage to our relationship with them depends on how much our behaviour diverges from their expectations. Where trust is completely lost and cannot be regained outrage is a likely response; for example, an act of major fraud, particularly in an institution where trust is implicit such as a charity. Conversely trust may be questioned prompting stakeholder disappointment, a situation from which it is possible to recover given time, money and some forgiveness. It is rarely damaging in the long term.
I find it useful to image a scale of stakeholder response, using ratings from 1–5, not unlike the hurricane severity scale used in the US. This enables you to express damage in relation to trust destroyed as a result of performance under-delivery (see Figure 2.2).
The extent of any damage depends both on how much trust is lost and also on the time, effort, patience and cost required to regain this trust. Damage severity can be extreme or slight depending on three things: a) quality of reputation prior to the incident; b) the cause of the incident and c) the handling of the incident to prevent it becoming a crisis (Figure 2.3).
If your reputation enjoys a reservoir of goodwill prior to an incident, if the incident was clearly not your fault and could not reasonably have been predicted or prevented, or if your response is immediate, comprehensive and compassionate then very little damage should result.
A potentially damaging incident may be contained and defused through luck and quick action, but equally a minor incident can escalate if it is poorly handled. Those who believe that local problems stay local under-estimate the capacity of bad news to travel fast – only good news stays local.
The impact of reputation risk therefore depends on the cost of recovering trust, and the consequent risk impact grid is similar to the stakeholder response scale. The key difference is that in risk impact terms trust recovery, as opposed to trust damage, is the determining factor. Below is an example of a risk impact grid designed to enable a global corporation to add reputation to the risk register (Figure 2.4).
Reputation risk is thus ‘a risk to value in a relationship of trust, where the cost of the risk is the cost of recovering lost trust’. How do you protect this trust? The answer is expectation management. Where expectations are aligned with performance there can be no risk and therefore no surprises – which is the mantra of all truly transparent organisations. In any relationship we have expectations which subsequently may or may not prove to be correct. Where they prove correct we have no surprises, but where they prove incorrect we have surprise. Everything depends on our expectation at the outset (Figure 2.5).
Can you put a price on lost trust or the damage it causes? Most analysts rely on the drop in share price or market capitalisation as a tangible indication of reputation damage. This is not the whole picture but is understandably newsworthy as it translates into millions of pounds. Share price represents reputation with one group, at one moment in time and it excludes the reputation damage which will show as a future cost: declines in future customer revenue, employee morale and supplier confidence which all have a cost that will impact in subsequent financial reporting.
Short term damage can be seen financially in the cost to recover confidence either of investors, customers or other key stakeholders. Cost of lost sales, product recall or operational on-costs can all be allocated to reputation damage cost, but these are essentially short term in comparison to the longer term cost of damaged trust. Nobody knows how many future sales are lost when customers switch to more reliable brands or service providers.
Talk of reputation damage makes for emotive headlines but fails to cut much ice with risk or finance people who want to know the cost of a damaging event. Herein lies the problem, reputation damage is not caused by an event, it is caused by a misalignment of expectation and delivery. If reputation damage were caused by a single event then it could be covered by insurance. As reputation cannot be priced, it follows that damage to it cannot be priced. Reputation damage is an emotional expression of value reduction which impacts over time.
There are at least six different possible sources of reputation damage. To understand these it is first necessary to identify four different types of risk handling strategies, to three of which reputation risk is relevant.
Four Risk Handling Strategies
Some risk can be transferred through insurance or other vehicles such as securitisation. The financial crisis which became the ‘Credit Crunch’ was caused by excessive risk transfer. Consumer debt in the form of mortgages with a relatively high risk of default was repackaged as low risk and sold as securitisation on wholesale financial markets worldwide. The risk was passed around until none of the banks knew exactly how much potential default each was carrying. The interbank lending rate crept up to reflect this mutual distrust and the most highly leveraged banks suffered.
Some risk can be transferred but only if the party taking it on is fully cognisant of the extent of the financial liability and probability of exposure. Mortgage debt repackaged as triple A security was nowhere near as safe a risk as ratings agencies indicated. Creative product development took caution out of risk leading to reckless investment by leading banks.
Reputation however cannot be insured as the owner represents a ‘moral hazard’ who can significantly influence both the probability of a claim and the extent of any loss. Reputation risk is essentially behavioural and cannot be passed to a third party. Insurers have not yet found a satisfactory policy formula to cover reputation risk.
Much of what passes for enterprise risk management (ERM) is in reality a system for identifying and avoiding risk which can have a negative financial impact. Avoiding risk is how most risk managers see their roles in business. Preventing cost damage liability through a system of checks and balances designed to avoid risk. Cynics have said that risk management as a discipline is fast becoming one of managing the avoidance of risk not actually one of managing risk itself.
Avoiding risk comes naturally in the workplace where Health and Safety regulations set in place a code for common sense personal safety. As a behavioural risk, reputation risk can and should be avoided but the risk can sometimes seem too obvious to notice. A workplace environment that is driven by sales or profit growth can expose itself to ethical and even legal problems.
We may think we can spot the next Enron or Barings but in reality the legal boundaries are subject to interpretation, for example, the difference between tax avoidance and evasion. In the same way as banks encouraged complex investment vehicles to create wealth, so too the accountancy firms encourage clients to minimise tax liability to retain wealth.
Some risk has to be managed because it cannot be outsourced or transferred to a third party, it is inherent within the operation of the organisation. Think of employee relations, human capital and people risk. These have two sub-categories, executive and operations, both of which are normally fully accounted for under the remit of internal audit or risk management teams within any organisation. Failure at either level can usually be traced to failure of quality process or internal vigilance.
Executive risk is expressed as the quality of decision making by the board or management team. Any shortfall in performance can usually be dealt with by shareholders or institutional investors through changing Chair or CEO with the remit to shake up the team.
Operational risk is more common in manufacturing and distribution channels where a fault in the production process leads to a product recall. The risk to reputation occurs when a recall indicates that product quality is no longer as consistent as the brand name implies.
Damaging risk to reputation is rare within the category of managerial risk. This is because the systems are normally already in place and the fault can easily be traced and remedied. Most serious reputational damage happens in two other categories, cultural (avoidable) and external (mitigable).
Some risks lie outside the organisation’s direct control yet the nature of business and its dependence on suppliers, agents, contractors and other third parties means that the organisation has no choice in accepting the risks. For these risks the strategy must be reduction or mitigation as the organisation has no direct control over them. External risks can come from a business relationship or a natural hazard in the environment.
Natural hazards such as fire and flood usually cause less reputation damage than actual physical damage. Customers and suppliers are usually sympathetic to a business hit by fire or flood (unless of course the cause is believed to be negligence). The financial damage of a flood or fire can be covered by insurance but the reputation damage from closure is more difficult to cover.
The risk to reputation from association with a supplier or partner whose actions can damage your organisation is dramatically but correctly termed ‘contamination risk’. Think here of British Airways and their contract caterers Gate Gourmet a few years ago, the actions of a supplier damaged the reputation of the airline. Business partners must be chosen to align with the sponsor’s values or else provide grounds for contamination damage.
Imagine you are an un-named law firm whose whole reputation rests on the motorcycle courier contractor you have selected to deliver critical documents to clients, courts and counsel. If the contractor doesn’t share your values of punctuality, fastidiousness, courtesy or whatever, there is a chance you will suffer the consequences of this value conflict. One of the biggest contamination risks today lies in outsourcing customer services to call centres. Irrespective of whether the call centre is in Glasgow or Bombay, customer service should be a core function of a sustainable business and not peripheral.
Six Causes of Reputation Risk
Having looked at the four types of risk handling strategy and recognised that only three apply to reputation risk, it is worth expressing these three (avoid, manage, mitigate) from the perspective of the sources of risk to give us six separate causes of reputation risk (see Figure 2.6)
1. Cultural – Legal
2. Cultural – Ethical
3. Managerial – Executive
4. Managerial – Operations
5. External – Associations
6. External – Environment
The two most interesting areas for reputation risk are highlighted: ethical and associations.
Cultural/ethical risks are intra-company and involve different departments or business units that espouse contradictory values and risk the reputation of the organisation as a whole. Here there is often a behavioural risk in the procedures and supervision that can damage an organisation. The risk lies in value misalignment with the company core values.
A Canadian drug firm with an ethical policy introduced new sales targets to its telesales team but soon found that customers were concerned about the pressure they were under and the claims being made for the drug. An investigation found that the pressure to achieve targets had led the sales force to act beyond the ethical boundaries of the company. A value misalignment had occurred between the company values and those of its own workers.
The risk was identified through examining the process, not simply in terms of basic governance and looking at value misalignment within the organisation. The risk was under the noses of management but apparently invisible to them.
External/association risks are inter-company and involve partner organisations with whom we operate jointly and who represent a contamination risk where their behaviour may impact our reputation. The risk here is in the case of the values of the people and organisations with whom we work showing little or no alignment with our own. In some cases there may be a value conflict. This misalignment needs to be identified and recognised as a reputation risk.
As an example, imagine an outsourced call centre. The values of its management are rarely the same as its sponsoring client. Knowledge of products and services is never as good as the parent company. My water supplier’s call centre was based in India and offered a very prompt online enquiry service, the only problem was the call centre employees didn’t know how my meter worked or how the company billed me.
The values of third parties can never be identical to those of a sponsor. The risk lies in the scale of the gap and the quality of the strategy for mitigating it. Audits of contamination risk show just how this risk can balloon into serious reputation damage. Inevitably the figures that support an outsourcing decision never allow for intangible risk and rarely show how much risk exists in a small cost saving.
Reputation risk sits in the gap between performance and expectation. Managing the risk lies in management of expectation among stakeholders as much as it does in performance. The key to expectation management is alignment. Where expectation is too high or too low then reputation is likely to suffer damage. Stakeholder response will depend on the size of misalignment: if great it could be outrage, if little it could be disappointment. This is the impact of reputation risk.
The cause of reputation risk is most commonly either internal misalignment of values or external value conflict. The former occurs where the operating culture of an organisation is at variance with its own values or behaviour codes; the latter occurs where an external third party, acting on behalf of the organisation, fails to deliver the same value as expected and thus contaminates reputation through this conflict of values.