Reputational Risk Or Risks to Reputation?

www.bibiconsulting.net

Reputational Risk or Risks to Reputation?

By: Wa’el Bibi, CPA, CIA, CISA

Reputation is the soul of any business. What is reputation? Without it there is, basically, no business. Rep·u·ta·tion/repyəˈtāSHən/Noun Many factors, internal and external, may lead to the destruction of reputation. These The Merriam Webster dictionary defines factors are called risks. reputation as “overall quality or character Professionals have been debating whether as seen or judged by people in general”. there is such thing as reputational risk Would this simple definition apply to (category of risk by itself), or simply there corporate reputation as well? Moreover, are risks to reputation .In this article, I will what is the difference between reputation, attempt to shed some light on these two corporate identity, image and brand? schools of thoughts. Peter W .Roberts and Grahame R. Dowling define corporate reputation as follows:

“It takes 20 years to "A perceptual representation of a build a reputation and company’s past actions and future five minutes to ruin it. If prospects.”

you think about that, In other words, reputation is created when an you’ll do things organization’s experience meets or exceeds stakeholders’ expectations. differently.” Warren Buffet Reputation = experience - expectations

Oonagh Mary Harpur Before I start the discussion, let’s familiarize ourselves with the related terminologies: Corporate identity, image and brand are all ingredients of corporate reputation.

What is risk? Committee, involvement in executive level Reputation Planning (including Risk is the effect of uncertainty on establishment, maintenance and objectives. Risk is measured in terms of monitoring.) impact and likelihood.

What is reputational risk?

The Committee of European Banking Supervisors defines reputational risk as follows: “Reputational risk is the starting point of all risks.” “Reputational Risk is the current or prospective risk to earnings and capital Dr. Guruswami Raghavan arising from adverse perception of the image of the financial institution (organization) on the part of customers, counterparties, shareholders, investors or regulators.” On the other hand, there are those who do not believe that reputational risk is a Does reputational risk exist? category by its own right, among them is Dr. Jean Paul Louisot, Professor of Risk Some risk managers believe that reputational risk is a risk of itself (standalone category) and Management at the Sorbonne University, that it can be isolated and measured. who says:

Greg Shields, Partner at Mitchell Sandham “There is no such thing as reputational risk, Insurance Brokers in Toronto, writes in his blog: only risks to reputation.” He adds : “The term ‘reputational risk’ is a convenient “My support would go to the ‘standalone catch –all for all those risks, from whichever category’. Damage to reputation is a very source that can impact reputation. The real secondary risk to every primary risk, source could be legal, non-compliance, a however, since it can also be a direct loss, data security lapse, an unexpected profit with no primary risk cause, the risk has to warning or unethical behavior in the have its own policies, procedures, boardroom.” measurements (prioritize if not quantify) and unique solutions. This means, crisis management plans, dedicated ‘category There is no such thing as owners’, internal (separate from) external reputation risk; rather all risks communication plans, oversight/policing of may have an impact on an Reputational Risk Management component organization’s reputation. of every divisional/category Risk

There are those who believe that less quantifiable they are more likely to see reputational risk status is determined by reputational risk as a class in their own the organization’s ability to identify and right.” manage first-tier risks, an example of this According to same study, 52% of opinion is represented in a Deloitte respondents consider reputation risk as a publication, it reads as follows: risk by itself, while 48% consider it as a “Notwithstanding the fact that the majority consequence of other risks. of reputational damage can be described as a second order impact, a number of What do I think? reputational risks can nevertheless be In researching for this article, I have read a classified as ‘independent risks’ meaning large volume of materials concerning that reputational damage could be reputational risk. I have concluded that all considered as a first order impact. These risks may have an impact on reputation and independent risks can often be associated that reputational risk, in most cases, is a with ethics. Organizations that do not abide consequence of other risks. by high ethical standards and that ignore principles of market conduct are vulnerable When I think about the demise of Arthur to losing their customers’ trust and Andersen, I am a former partner; I remind confidence. In short, each organization has myself that what destroyed the firm’s a social responsibility that it cannot ignore reputation was a regulatory risk. Using the and that it must address in its corporate same argument, what tarnished British governance.” Petroleum’s reputation recently was an environmental risk. A 2005 Economist Intelligence whitepaper further explains this: So What?

“Risk managers are divided on whether What difference does it make if reputation reputational risk is an issue in its own right risk is considered a separate risk or not? or simply a consequence of other risks. The Risk is risk regardless of what you call it or latter view predominates where there is a how you classify it. Isn’t this just a formality tradition of well-structured risk and we should look at substance over form? measurement and management .In The difference is in the organization’s industries where risk managers feel they response to this risk and how it is managed. have identified the key first-tier risks facing If the reputational risk is categorized as a their business, they may be more inclined risk of itself, management may tend not to to consider reputational damages as simply integrate it within the Enterprise Risk a failure to manage these risks properly. In Management (ERM) or any other risk contrast, in sectors where first-tier risk is management framework, but rather treat it

as a public relation issue and assign it to A white paper by Deloitte suggests that public relations to manage it. If this is the “Traditional risk management techniques case, one would expect a reactive reaction aren’t adequate for countering today’s killer to risk in the form of damage management. risks, because they focus almost exclusively on risk avoidance and an inside-out Although communication with stakeholders perspective on threats.” The paper calls for a is a key to a successful reputational risk new approach it calls “ outside - in management, it should not be the only one. perspective of threats”. Under this approach, Reputational risk is the responsibility of effective management of risks to reputation involves a three-step process of internal every one. This applies to an employee discovery, analysis of stakeholder and posting his/her status and thoughts on marketplace threats and opportunities, and social websites to the dealings and behavior proactive management of actions designed of management. to protect and enhance reputation and value. Reputational risk management should be integrated with the organization’s risk management plan. What is new today is the need for a 360-degree risk overview that effectively incorporates an

outside-in risk perspective with inside-out Risk Intelligence. Key elements of managing reputational risks are: Deloitte ..

● Prompt and effective communications

with all categories of stockholders.

● Strong and consistent enforcement of controls on governance, business and Role of Internal Auditors legal compliance.

● Continuous monitoring of threats to An article published in the IIA’s internal reputation. auditor magazine in June 2009 provides a comprehensive view on the internal ● Ensuring ethical practice throughout the auditors’ role in managing reputational risk: supply chain.

● Establishment and continual updating of “Internal auditors have long been involved crises management plan and with reputational risks at companies, establishment of a crises management monitoring these risks in ongoing audit team, empowered with specific power engagements and in ad hoc consulting and authority. activities. With the growing prominence of reputational risks to organizations, internal auditors should ensure their level of

involvement is adequate to assist the  Maintaining awareness of changes organization in dealing with these risks to reputational risks; for example, appropriately. Internal auditors can environmental responsibility is a accomplish this level of involvement in relatively new reputational risk several ways: impacting organizations

 Identifying risk champions  Updating and adjusting risk throughout the organization, whose assessments throughout the year as roles include monitoring and circumstances change reporting on reputational risks While new reputational risks are continually  Having a place at the table when the coming to light, other established committee in charge of risk reputational risks still exist and are often management in the organization is enhanced. Established reputational risks discussing reputational risks that may increase due to the economic downturn include fraud, theft, and quality  Regularly discussing reputational corner cutting. Furthermore, the economic risk as part of the risk universe at an downturn has increased many reputational risks because companies may not be able to Reputational risk recover as quickly from the financial management is everyone’s impacts of a misstep.” responsibility.

organization The last Word!  Being aware of reputational risks The reputation of an organization is very and identifying areas that represent important to its success and existence. All threats because they are not being risks may have an impact on reputation on managed correctly a way or another. The reputation risk  Ensuring organizations examine management is the responsibility of every reputational risks at the inherent one with management having top lead on level as well as at the perceived it. Internal auditors play an important role residual level in ensuring that reputational risks are identified and managed on timely basis.  Increasing monitoring of social networking websites to track the public mood

References

- Managing Risks to reputation – From theory to practice. Jean-Paul Louisot, Jenny Rayner.

-Koenraad van Hasselt, Do we know all the risks? -Deloitte,Risk management brief ,September 2008

- Economist Intelligence 2005 whitepaper,Reputation: Risk of risks.

-The Importance of Reputation ,by Ansi Vallens.

- Reputational risk, Greg Shields, Partner, Mitchell Sandham Insurance Brokers

- Russell A. Jackson, “Keeping Your Reputation Clean,” Internal Auditor, June 2009

- Without reputation, you have no business ,By Bob McDowall.The register 2006

- Deloitte’s “A risk Intelligence view of reputation – An outside –in perspective” .

------Bio:

Wa’el Bibi,cpa,cia,cisa is the president of Bibi Consulting ,a Canadian internal audit and risk management consultants .He is a strong advocate of internal audit and corporate governance .Prior to establishing Bibi Consulting he has been a partner with Arthur Andersen. He can be contacted at: [email protected] www.bibiconsulting.net

Tel: 613-986 3884

Ottawa, Ontario -Canada