Why should organizations be concerned about Reputation Risk?
As the world become more and more networked, more and more companies are exposed to a changing set of vulnerabilities. The landscape of risk has changed. No longer can any country or organization ignore the
happenings of 911, Bali and London.
In this new world, incidents can damage a good reputation purely because an organization can take too long to act decisively with problems. For instance a reputation damaging incident can become international
news in a matter of seconds and destroy relationships and brand value in other
countries where the incident did not even take place.
The figures and surveys are there to support the need for sensitivity about reputation. Reputation has been rated as the number one risk in Economist magazine and more than four other international surveys. It was even mentioned at Davos.
To minimize reputation risk – the way a company is viewed by its stakeholders, companies need to take a total view of the company - from operations and behaviors to policies and objectives - so that methods of
securing and protecting the business can be worked out.
A very broad view of the risks faced also needs to be established: a disaster could do a lot of damage to the business, but so could a small issue that perhaps are seen to be trivial by the organization but seen as material by stakeholders.
A simple example shows the difference between normal risks and reputation related risks. Assume that the directors of a very large public company consistently incur, and do not pay personally, parking fines for their company cars. The primary risk to the company, in this case of financial loss, is probably very small in relation to its annual turnover. Accountants and auditors would say that these amounts are not material, should not be separately disclosed in the annual report and should be ‘lost’ in general expenses. But what would the public think of this behavior by corporate leaders?
How would the media report it if it came to light? Indeed, what general signals of corporate trustworthiness would this give?
Herein lays the secondary or reputational risk for the organization. Reputation has turned the concept of materiality upside down; financially immaterial events may have huge potential significance for the organization. The management of such risks demands attention to the deepest operating assumptions of organizations. Paying attention to the things that can impact on reputation makes good business
Viewed strategically, the management of perceptions offers organizations real advantages, enabling them to become more sensitive and more efficient, while also reducing the risk of failure at times of change and transformation. It is not just about enterprise wide risk management, governance or ethics, it is about understanding the perceptions, opinions and expectations that stakeholders may have.
To create a robust reputation protection framework will necessitate a holistic view of the organization. This is why using a third party can be particularly beneficial. Because they are so familiar with their own businesses, organizations can make assumptions which outside consultants will question. Consultants will look at a company from the top down and are able to bridge all the information and operational silos that a typical organization's structure generally creates. For example, management may believe that reputation can be managed by a Public Relations or Communication department. Yet the reality is that crisis do not hit in a departmental silo but impacts across boundaries.
If a company wants to protect its reputation it will need to identify those smoldering crises – the unknowns that can cause unwanted publicity and destruction long before it appears or is mentioned in a blog, on a website or in mainstream media.
Part of this reputation risk assurance framework is something called a crisis management and crisis communication response plan. Today’s knowledge market economy expects a company to react quickly and with finesse when there is a crisis of any kind. Yet many companies have never tried and tested their planned response. To complicate matters even further companies have a myriad of fragmented plans ranging from disaster recovery and emergency response to business continuity with little integration in place.
A CSO Magazine survey on business continuity in the US a few years ago showed that, while an overwhelming majority (93 per cent) of US companies had a business continuity plan in place, only 37 per cent had tested
it in a real life situation. In today's world, this is no longer acceptable.
In the past three years I have had more than 350 national government and listed organizations attend my Crisis management & Communication response workshops here in South Africa. The rate for organizations that have tried and tested their plans must average out at about the 20% mark.
Delegates cite all sorts of issues:
constantly try to impact upon it.