On any good risk register there will be number of risk areas which would have negative impact on the company’s brand or reputation if actualised. In this short article I want to talk about this area of risk management. How real is reputation risk to any business and how much of an impact can it have?
What is reputation risk?
Reputation risk can be thought of as any situation which as could result in adverse impact on the brand or reputation of a company if it occurs. Traditionally it may have been seen purely as a risk to a company’s public relations arm but that is not the case. A company’s reputation matters with all of its stakeholders not just with the public. Events may occur that damage public perception of the business, but it could also be an organisations reputation with its employees, shareholders, investors, or suppliers which can be impacted. This can make reputation risk harder to measure at times as the metrics can be different for each of these areas. It is not however impossible and should not be ignored just because its hard to do.
Reputation risk generally gets its own area on an consequence table as the range of secondary impacts can be varied. It cannot be said that the only consequence of reputation damage is financial (lost business). It could also be a strategic risk in the form of an inability to meet business objectives, or an operational risk in terms of inability to source materials or products, recruitment or retention of people, or indeed a financial risk in lost sales or cash flow.
It can also in itself be a secondary consequence from other risks such as people risks (accidents etc), property risks( vandalism or damage).
Measuring reputation risk
So how to measure this type of risk? Like all intangible risks it can be difficult because the range of consequences arising from it are challenging to measure. Quantitative risk measurement tools can start the process but can be difficult to get right. Firstly putting a number on it can be hard. For example what length of time do you apply to the consequence . If a reputation risk results in a drop in sale for example of 500,000 over a year is that the measurement of the risk or do we need to calculate the impact over the length of time it will take to bring the sales back to pre-event levels? How long could that be? What about the other consequences such as increased difficulty and costs in recruiting and retaining employees after a reputational impact. What about the increased cost of engaging suppliers after such an impact. Where does one stop? Of course these can be calculated with the right tools (assessment methods) but those tools are outside of the the general risk management toolbox of a lot of organisations. A simplistic 5×5 risk matrix where you pick a colour or a number generally wont cut it here I’m afraid.
Qualitative risk measurement can also help and although more difficult to measure it can be done. It’s really a case whether an organisation wants to invest the resource into measuring the risk.
Should business care?
If it’s difficult to measure and many organisations don’t fully measure it anyway then why should an organisation bother? The answer is because organisations know that it matters. They may not know how much but they know it matters. Just because you don’t measure or manage it doesn’t make it go away. The excuse of “if it’s not on the balance sheet it doesn’t matter” is a dangerous fallacy. There is an approach worse than pretending not to know a problem exists. That approach is knowing that a problem exists and not doing anything to measure or manage it.
Risk reduction for reputations
I’ve uttered the following (extremely unpopular) phrase to a number of organisations over the past number of years. It never goes down well but it’s the truth. “You don’t have a security issue, you have a governance issue”.
Most organisations I’ve seen who have been impacted by reputation damage suffer from poor governance control. If you have poor governance you will have poor security, poor reputation and probably poor communications and recovery after an incident.
In these organisations there is usually a distinct difference between management strategy and vision as it written and their behaviour and actions. There is also usually a difference between the business strategy, its policies and their application on the ground. This is a driver of reputation risk and what increases the impact on the reputation to become more severe, costly and long lasting in the event of an occurrence.
I’ve got some general tips below but most businesses should be doing these things anyway. Like I said it’s more likely an overall governance issue rather than a reputation risk.
- Measure it to manage it: It might be more difficult to measure reputation than some other areas but it certainly isn’t impossible. There are many operational indicators which can be measured and can indicate reputation risks. Recruitment rates, retention rates, repeat custom rates, complaints, commendations. All of these can indicate where your company respiration sits. Having key results areas relating to business reputation is always a good idea provided those results are not provided by ‘yes’ men in ‘yes’ departments.
- Third party audits: The outside eye looking at your risks can be a real eye opener (full disclosure: I am slightly biased here). Internal audits have there place but will always have bias and may just simply not see the forest for the trees. Third party audits constructed correctly are one of the best indicators of differences between work planned and work done on the ground and can highlight governance issues before they become reputation issues. After that is is up t the business how they manage those risks.
- Governance controls: Controls on governance can bring inconvenience. No question about it. That inconvenience is the price you pay to safeguard your business from loss and damage in the medium term. That loss or damage can be caused by the people, at the top of the organisation inadvertently. It shouldn’t need to be said but, to be blunt every business needs to get the finger out and put controls in place on how they govern and manage themselves. That’s a whole different article though so I’ll leave this point alone for now.
- Monitoring: You can’t manage your reputation if you aren’t measuring it and you can’t measure it if you aren’t monitoring it. Invest in a person, company or system to monitor what the world is saying about you. Whether that’s a PR approach you take or a business intelligence approach is up to you but have somebody keeping watch and advising you when negative and positive messages emerge so that you can act before the risk grows. Thus is still not a proactive approach as the problem is already in existence if the message has gotten this far but it is a sensible step in addition to the others mentioned above.
“It takes 20 years to build a reputation and five minutes to ruin it. If you think about that, you’ll do things differently.”-Warren Buffett
Reputations matter. They don’t seem to matter enough to some organisations however. They don’t become important until the damage is done. Usually we see the ‘lets blame the intern’ or the prepared ‘it was a high level criminal incident’ or ‘nobody could have predicted that’ responses to incidents resulting in reputation risk. The world is beginning to see through those though. If your reputation matters to you as a business then you owe it to yourself and your stakeholders to manage it. Sometimes it may not be all your fault as an organisation (See LiveStrong) but you still should plan for it and consider how you might prevent manage and respond to such an incident.