An organization’s reputation can be viewed as a driving force for success, one that is complex and difficult to define. Without a positive reputation, potential customers and clients are wary of investing in or doing business with a company when they are uncertain about the quality of its products and/or services. A reputation for sound business and quality services is a necessity for doing business; it is the key that unlocks the door to opportunities for growth. Without this key, businesses become stagnant and never reach a high-performing level. While it may be difficult to state precisely what it is, reputation is recognized as one of the cornerstones of a successful business.
“It takes 20 years to build a reputation and 5 minutes to ruin it. If you think about that you will do things differently.” – Warren Buffett
Risk Management and Reputation
In our recent blog regarding the relationship of risk management and business continuity management, we expressed our view on the importance of the two being interconnected within organizations. Reputation risk management is a prime example of why the link between these two management systems is vital to an organization. Effectively identifying, assessing, and treating risk related to reputation can safeguard a company’s reputation and reduce the risk to an acceptable level. This statement assumes that proper controls are put in place and that employees in turn practice those controls. Further, effective business continuity and recovery plans allow companies to curtail the damage that threatening events cause to a reputation. Combining these two management systems and ensuring their synergy is essential to effective management of reputation risk.
Adequate reputation risk management begins by identifying the organizational assets that are subject to threats that, if realized, will impact the organization’s reputation. From a top-down perspective, the asset in question is reputation itself. Major risks that threaten a company’s reputation include not adhering to government regulations, major product recalls, and environmental, health and safety exposures, to name a few.
From a bottom-up perspective, reputation-related assets are abundant and could include a product’s brand, employees and confidential documents, to name a few. Risks that threaten reputation include staff shortages, careless communication of information to unauthorized recipients, duress of staff, and death of personnel, among many more.
In the risk assessment process regarding reputation, it is important to evaluate the risk levels based on multiple factors. We suggest, as a starting point, considering the threat’s probability, its impact, and the vulnerability of the assets being assessed. By utilizing these factors, a company will be able to identify the threats with the highest security risk and implement decisions and policy that mitigate said threats.
Establishing a systematic approach to identifying, assessing and treating the risk associated with reputation is only half the battle. Implementing business continuity and recovery plans that address reputation protection is an essential part of reputation risk management. With any disruption, an effective, prompt and optimal response is necessary for ensuring protection of a company. The same holds true when a major event occurs that brings a company’s reputation into the limelight. A well-managed and flawless response to a major disruption, be it directly or indirectly related to reputation, can greatly improve or maintain a stellar reputation.
In order for a business continuity and recovery plan to have the aforementioned results, effective and efficient planning must take place. The BCM system put in place to manage a crisis must have a clear understanding of its roles and recovery objectives, as well as the authority to make reputation-affecting decisions.
“It takes many good deeds to build a good reputation, and only one bad one to lose it.” – Benjamin Franklin
Reputation risk management, as with all aspects of risk management, must be systemically distributed throughout an organization at a granular level. All employees have the potential to dramatically affect a company’s reputation, and as such must be considered when managing risk. Though it is true that the CEO and the board are the ones responsible for protecting the company’s reputation, a culture of risk management should be embedded within an organization from the top down and from the bottom up.