Apr 20, 2015

How can directors address reputational risks?

With three-quarters of companies naming reputational risk as a top risk concern, directors are increasingly seeking methods of risk oversight that are independent of management

The reputational fallout from the hacking of Sony Pictures has played out like a mini-series of misery, with no clear end in sight. Just as the furor had begun to die down over leaked Sony emails revealing – among other things – that only one of the company’s 17 highest-paid executives is a woman, Patricia Arquette revived the gender-pay issue in her Oscars acceptance speech, with Meryl Streep’s wildly enthusiastic response rapidly becoming a viral meme.

At Sony, ‘there were emails written that if they came to light would show a culture that was disrespectful,’ says Davia Temin, CEO and founder of Manhattan-based reputation consultant Temin and Company. Referring to the Sony security breach, she asks: ‘Can culture be a reputational risk? Well, maybe.’

In an annual survey by law firm EisnerAmper, 75 percent of participating companies identify ‘reputational risk’ as their number-one risk concern. What’s more, Robyn Bew, director of research at the National Association of Corporate Directors (NACD), says roughly a third of corporate directors would like to gain more information externally, including information about non-financial risks like reputation.



Chuck Saia, a partner and chief risk, reputation and crisis officer at financial services firm Deloitte, attributes a ‘low level of proficiency’ to how boards currently respond to reputational risk. During recent reputation crises, he says, both traditional and social media companies have looked ‘like they’re back on their heels – you can actually see the sausage being made in their responses.’ By contrast, ‘world-class firms would already have scenario-planned and would have crisis models in place,’ Saia continues. ‘They’d be prepared to get their message out as it relates to the particular event well in advance of it happening.’ For Saia, preparedness is everything: ‘There are always surprises, but it’s the way you respond to them that counts – and many firms need to do better.’

New reputation risks emerge

In March 2011, when a reactor at the Fukushima Daiichi nuclear plant exploded following the damage it suffered as a result of a tsunami, owner Tokyo Electric Power wasn’t completely blindsided. The company knew that such an event could happen, but that the likelihood was extremely remote, says Jim DeLoach, managing director at global risk and business consultant Protiviti.

‘The investment community knows that terrible stuff happens to even the proudest brands – and in the boardroom, directors are figuring this out as well,’ he says. ‘The environment is exactly that complex, and the moving parts that numerous.’

Cyber-security is one risk that has rapidly climbed the list of directors’ most pressing concerns. Last year, 71 percent of companies listed cyber-security as their greatest risk concern in the EisnerAmper survey. ‘We found that while reputational risk is still the greatest risk overall, for private and very large public companies cyber-security and IT risk are much bigger concerns,’ says Steven Kreit, partner in EisnerAmper’s services to public companies practice.

He attributes the heightened attention to cyber-security to incidents such as Target’s much-publicized security breach during the 2013 holiday season, an event that the company acknowledged hurt sales. ‘As boards see where a hit to reputation can really affect the bottom line of the business they’re governing, they’re starting to ask more questions and to think outside the box about what could really affect reputation,’ he says.

Difficult to define

Reputational risk can come in many guises, from cyber-security to environmental, human rights, regulatory compliance, product recalls, fraud, succession planning, quality and even cultural risks. Beyond known risks, there are the ‘known unknowns’, sometimes called ‘black swan’ events.

‘It’s very hard for directors of any organization to get a full handle on what the reputational risks are,’ says Temin. ‘While there are always predictable risks – airlines will have crashes, for example, while consumer goods companies will have fraud or security breaches – some of the worst crises are the ones that come from left field.’

Temin points out that certain reputational risks are situational, depending on how a company is perceived by others. She notes that a top executive having an affair that becomes public is usually not a reputational risk, unless that company is in an industry where public trust matters deeply. ‘If you’re a television network and one of your senior anchors – who has proclaimed himself a family man – turns out to have the morals of an alley cat, then you’ve got a problem,’ she says.

IS HUMAN RIGHTS RISK ON YOUR BOARD'S RADAR?

In 2002, when Yahoo! complied with a Chinese government request and handed over the emails of dissident Wang Xiaoning (a move that resulted in him being jailed and abused), journalists, NGOs and other observers of the company were outraged, says Rachel Davis, a research fellow at the Harvard Kennedy School and a managing director of Shift, a non-profit that helps businesses, governments and stakeholders put the UN Guiding Principles on Business and Human Rights into practice.

‘This helped kick-start recognition in the [technology] sector that actions could lead to negative impacts on people,’ she explains. ‘Word travels very fast when companies get something wrong.’

Human rights risks differ greatly by industry. Davis points out that the extractive sector has been pushed to understand human rights risks because ‘the problems are literally on your doorstep.’ She cites research by the Wharton School of Management into Canadian junior gold-mining firms that found 63 percent of the market capitalization of these companies was tied to the quality of their stakeholder engagement – that’s double the percentage linked to the value of the gold in the ground.

Although mining companies grasp these challenges, other companies aren’t always so aware. ‘It’s about getting the board to understand that you’re not just thinking about existing, regulatory risk,’ says Davis. ‘You’re also thinking about emerging risk, and nowhere is emerging risk so great as in the poor management of negative environmental and social impacts.’

Increasingly, explains Davis, a spotlight is being shone on this type of risk and the damage it can do to a company’s reputation. Under UK law, for instance, directors of publicly listed companies must report how they’re managing human rights risks where this is necessary for an understanding of the business – a question that many companies have never asked themselves. Central to staying abreast of human rights risks is having customer complaint hotlines and other grievance mechanisms in place, and then making sure that credible information is acted upon.

Davis highlights Coca-Cola’s response to the abuse of migrant workers in its orange supply chain in Italy. Coke didn’t shirk responsibility because the problems concerned a supplier, but instead dug into the issue, analyzed what was happening and used its influence to encourage those responsible to change their behavior.

Bew points out that boards can choose to view reputational risk through a variety of lenses. ‘Reputation risk has two sides to it,’ she says. ‘When your reputation takes a hit, you have usually failed to manage some other risk effectively enough.’

DeLoach offers a similar take. ‘Reputation risk is not something you manage directly, in my opinion, but something you manage indirectly by focusing on all the right fundamentals,’ he says. He points out that when a company ceases to perform well in any of the five key areas of strategic alignment, cultural alignment, quality commitment, operational focus and organizational resilience, the company is ‘potentially more exposed to reputation risk’.

When will an incident go viral?

Saia emphasizes the importance of governance structures for protecting, preserving and enhancing a company’s reputation. As a best practice, he urges companies to report on a monthly basis the reputational risks that could affect components of strategy. Other best practices include using either an internal or external reputational sensing group to monitor key stakeholders and traditional and social media, creating a well-designed crisis playbook, and engaging in scenario planning that specifically addresses reputational risks.

Saia also believes companies should appoint a chief risk officer who reports directly to the chief executive. Board-level risk committees are worthwhile, too; in a recent Deloitte study, 22 percent of the 400 international companies surveyed had a board-level risk committee. What’s more, Saia advises ranking reputational risks as Tier 1, Tier 2 and Emerging, so that the board understands which are most pressing.

When assessing risk, DeLoach believes that many directors are looking at too few factors, examining only the likelihood of occurrence and the severity of impact. Another factor to consider, he says, is the speed at which consequences become apparent. When the Deepwater Horizon rig exploded, for instance, the CEO and a team of top executives left for the Gulf Coast immediately because of the gravity of the event.

Persistence – or the ‘headline effect’ – is another concern, as evidenced by lululemon’s product debacle. When a production line of the Canadian company’s yoga pants proved to be see-through, the problem wasn’t life-threatening, but the quality issue became the punchline of jokes on nightly talk shows, so the reputation hit was worse than the event perhaps warranted.

Finally, social media is intensifying reputational risk issues because posts about a misstep can go viral very quickly. For instance, the YouTube video ‘United breaks guitars’, which comically spotlighted a customer service snafu after a musician’s guitar was roughly handled by United Airlines, got 14 million hits between 2009, when the incident happened, and February 2015.

In a recent NACD survey, more than half (50.9 percent) of corporate directors say they aren’t getting regular reports about their companies’ social media activities. Bew maintains that such reports matter because ‘a problem can take off in social media and become a reputational issue for a company pretty quickly.’

Temin points out that social media itself has become a new source of reputational risk for companies. ‘Imagine what might happen if a CEO starts blogging in the middle of the night or some part of the organization uses a really stupid hashtag,’ she says.

In one real-life misstep, JPMorgan launched its #AskJPM hashtag in the aftermath of the financial crisis and was flooded with questions such as: ‘I have mortgage fraud, market manipulation, credit card abuse, Libor rigging and predatory lending: AM I DIVERSIFIED?’ To staunch the flood of such embarrassing comments, the company abruptly brought its Q&A to a halt.

The flip side: reputation capital

The board is clearly front and center when it comes to managing reputation risk. In fact, in the 2014 EisnerAmper survey, when asked who should lead the plan or response to a situation that puts an organization’s reputation at risk, 40 percent say the board, followed closely by the chief executive or president at 39 percent.

Bew has found that directors want insights into reputation risk that are independent of management input. She suggests that having directors on the board who have reputation risk expertise is one possibility, yet she acknowledges that boards may not want to devote a valuable seat to someone with reputation-risk expertise when so many other skills are also needed in a boardroom. Other possibilities include inviting investment analysts with ‘sell’ recommendations to give the board an outsider’s perspective and bringing in third-party experts on fast-moving risks like cyber-security.

What’s more, directors can ask management for different types of metrics that might serve as reputational indicators, such as customer service reports and employee turnover statistics. ‘A good question boards could ask themselves is: what is management looking at to monitor perceptions of the company?’ says Bew. Finally, because a serious hit to reputation often originates with a black swan event, boards should be asking to review their company’s crisis response plans.

In the end, reputation risk is a powerful threat to any organization precisely because reputation itself is such a valuable source of competitive advantage.

It follows, therefore, that one of the best ways to survive a reputational quagmire is to have a sterling reputation at the outset. Bew notes that many directors talk about ‘putting a good reputation in the bank to draw on when things go wrong or a crisis happens.’ In other words, she says, ‘having a good reputation helps the company be more resilient.’

‘Reputation goodwill often carries you through crises better than if you didn’t have that great a reputation,’ agrees Saia. Too often, he maintains, the narrative of a crisis ‘takes on a life of its own,’ so one of the best ways to cope with a crisis is to have a powerful counter-narrative that trumpets one’s strengths. ‘You see companies get themselves in trouble when every response is about the issue, not about who they are as a company,’ he says.

In a world of 24/7 news cycles and social media, companies simply can’t sidestep crises altogether. What they can do, however, is slowly, steadily and consistently build and burnish reputations that are capable of weathering hard times. ‘The world is moving so much more rapidly and technology makes everything move far quicker than in the past,’ concludes Temin. ‘Companies have to understand that crisis is the new normal.’

Elizabeth Judd

Elizabeth Judd, a graduate of Yale and University of Michigan, regularly writes about investor relations, corporate governance and new fiction