The vital role of Reputational Risk Management

In simple terms, reputation is the way an institution is perceived by its relevant stakeholders like clients, employees, shareholders, rating agencies or the general public in terms of its expertise, integrity and trustworthiness. Every organization, no matter the structure, nature of operations, or size, has reputational risk. All risks are significant in and of themselves, but resulting reputation damage can be even more catastrophic, as a reputation is one of a company’s biggest assets. Sometimes all it takes is a rumour to make the public lose confidence in an organization, ending it quite quickly as Warren Buffett is credited where very importantly, he said that “it takes 20 years to build a reputation and five minutes to ruin it. If you think about that, you’ll do things differently".

The biggest problem with reputational risk is that it can erupt out of nowhere and without warning & can pose a threat to the survival of the biggest and best run companies and has the potential to wipe out millions or billions of dollars in market capitalization or potential revenues and can occasionally result in a change at the uppermost levels of management. Reputational risk can also arise from the actions of errant employees, such as egregious fraud or massive trading losses disclosed by some of the world's biggest financial institutions. In an increasingly globalized environment, reputational risk can arise even in a peripheral region far away from home base.

Reputational risk exploded into full view in 2016 when the scandal involving the opening of millions of unauthorized accounts by retail bankers (and encouraged or coerced by certain supervisors) was exposed at Wells Fargo. Its?CEO, John Stumpf and others were forced out or fired. Regulators subjected the bank to fines and penalties and a number of large customers reduced, suspended, or discontinued altogether doing business with the bank. Wells Fargo's reputation was tarnished, and the company continues to rebuild its reputation and its brand

What exactly is Reputational Risk?

Reputational risk is usually defined as the threat or danger to the good name or standing of a business or entity. Reputational risk can occur in the following ways:

• Directly, as the result of the actions of the company
• Indirectly, due to the actions of an employee or employees
• Tangentially, through other peripheral parties, such as?joint venture partners or suppliers

The strength of the reputation of an organization flows through to the bottom line. Institutions with a strong reputation tend to perform better and are supported by having loyal customers who may spend more and having a strong reputation can also help institutions attract and retain a highly effective workforce. At the heart of a solid reputation lies trust and without trust, no organization can truly thrive. Therefore, reputation and trust are key factors that help us distinguish one organization from another.

Reputational Risk in Financial Services

It is arguable that in the financial services sector where customers entrust institutions with their savings and investments, reputation and trust matter a lot and crucially, an institution's reputation will determine the level of trust that regulators afford to it.

Just as police cannot be expected on every street corner, the same applies for a Central Bank. In a post-financial crisis world, financial services firms are expected to have a strong compliance culture, a functioning moral compass and to do the right thing even when no one is watching. The Central Bank expects that institutions will seek to do the right thing, but they cannot watch over or scrutinize every action or decision of regulated institutions in real time.

As much as we might wish it were otherwise, there will always be transgressions and that is what drives the supervisory approach of a Central Bank whose toolkit includes imposing routine reporting requirements on firms, ongoing supervisory team engagement, the conduct of on-site inspections, market-wide thematic inspections, and the pursuit of contraventions through the enforcement processes.

Conduct of individuals

While externally triggered mishaps can inflict serious reputational damage on an organization (e.g. data breach, fraud etc.), it is invariably the choices made by individuals, whether acting alone or in concert, that hold greater potential to do longer-term damage to the firm’s hard-earned reputation.

If one was to ask any cybersecurity officer about what the weakest link is in his or her firm’s I.T. security system, they would without doubt state that it’s their people. It just takes one curious or careless person to click on the wrong link and expose the otherwise well-guarded I.T. infrastructure to a bad actor. The same can also be said of a company’s reputation i.e it is invariably the misguided or wrongly motivated actions of individuals that can lead to the destruction of a reputation that has taken decades to build.

Reputation risk Management is not Crisis Management

Reputation risk management is definitely not and should not be considered to be crisis management. Reputation risk becomes subject to crisis management when and if a crisis emerges with reputational implications in which having a well-developed and ready to deploy crisis management plan and team is essential to successful reputation risk management. Unlike reputation risk management, crisis management is something that happens suddenly and in the short term. Although to be successful, crisis management requires advance planning, the creation of a crisis management plan and team and plenty of training and scenario planning at different levels of management and even the board.

Developing a reputation strategy

Developing a reputation strategy requires certain specific set of competencies for success that are

1. The understanding that reputation strategy is a long-term vision
2. The ability to assess and predict what issues will hurt company reputation most
3. The capability to identify of reputation attributes that will mitigate the issue
4. The ability to manage an issue through proper internal resources and budget
5. The authority to identify and empower risk owners and other management in charge
6. The skills to influence the company culture
7. The experience to map organizational processes to understand causation, occurrence, consequences and remedies
8. A keen understanding and prioritization of key stakeholders

Some of the distinct ways in which reputation risk is beginning to take hold within organizations includes:

? Reputation risk management and risk registers are becoming part of the enterprise risk management lexicon (and even dashboard) in a number of leading companies and industries

? Boards of directors are increasingly aware of the importance of reputation risk and are demanding that executive teams and risk management include a consideration of it in their risk work

? Surveys are showing that both boards of directors and chief executives are placing reputation risk (not just brand) in their top 5-10 strategic risks

? Ethics, compliance and corporate responsibility practitioners are starting to understand and integrate the reputational aspects of their work into their policies, training and systems

? Human resources and public relations professionals are integrating reputation risk into their respective considerations especially as it relates to social media – its uses and abuses as they reflect on their organization

? Those at the forefront of this issue in their companies, realize that reputation risk is not only about downside protection but presents untapped opportunities for value creation

? Managing reputation involves managing opportunities as well as risks. Doing it well requires cooperation between all those who have relevant knowledge and skills

Identification and Assessment of Reputational Risk

Setting up an effective reputational risk management process is crucial for institutions to avoid costly recovery. Traditional quantification processes used for classic risk types do not work properly for reputational risk. Due to the lack of data and experience as well as the high complexity to differentiate Reputational Risk from other risk types, sophisticated quantification methods are still in the process of being established and matured by institutions.

Factors that may impact the level of consumer trust in banks include:?

• The degree of alignment between customer expectations and bank performance (does the institution deliver?)?
• The quality of customer service (does the institution provide an exceptional experience?)?
• Whether there is a history of regulatory?compliance issues?or?cybersecurity breaches (has the institution made errors in the past, and if so, how have they been rectified?)?
• Widespread economic challenges (e.g., the bailouts of 2008)

It is often difficult to identify the underlying reasons for materialized reputational risks. Therefore, the key is not to focus on steering or measuring the risk, but to reduce the exposure to reputational risk by implementing mitigation measures and to deal with residual risks by setting up adequate risk buffers. Defining an identification and assessment strategy in order to decide whether to mitigate or cover Reputational Risk potentials is crucial.

To identify reputational risk potential, it is helpful to observe typical risk drivers, such as social standards, financial performance, quality of internal processes or customer satisfaction just to mention some examples. For this reason, a regular as well as an ad-hoc hazard analysis is advisable in order to identify threats throughout the whole organization.

Undeniably also, reputation is strongly connected to (social) media, its reporting and the resulting external recognition. Therefore, a separated identification approach might be helpful, e.g, via:

• Outside-in (e.g. customer survey, external reputational risk studies or databases)
• Inside-out (e.g. internal expert judgments)

When focusing on the inside-out view, an institution should know whether there are business divisions or competence lines that bear (a high) potential for reputational risk. Retail banking divisions are exposed to reputational risk in a different way than investment banking or controlling divisions. Carrying out self-assessments and identifying different risk potentials will be crucial for reputational risk management (expert judgements).

Once those threats have been identified, it is crucial to cover risks in day-to-day business. Therefore, it is necessary to define Reputational Risk as an integrated part of the whole organization and enhance existing control systems with Reputational Risk aspects.

Handling Reputational Risk Exposure

Once reputational risk potential has been identified and assessed, reliable and useful handling processes need to be developed. Reputational issues should always be considered when dealing with new processes or products (new product processes) in order to make a conscious decision whether to take the risk or not. Through a special focus on corporate social responsibility, image cultivation could be driven and reputational risks mitigated along the way. This is closely linked to questions related to creating a sound risk culture within an organization.

Banks and non-banks have the flexibility to implement and design their reputational risk management as stand-alone function or integrated with other risk management functions depending on how reputational risk exposures are being managed.

Effectively managing reputational risk begins with recognizing that reputation is a matter of perception. A company’s overall reputation is a function of its reputation among its various stakeholders (investors, customers, suppliers, employees, regulators, politicians, nongovernmental organizations, the communities in which the firm operates) in specific categories (product quality, corporate governance, employee relations, customer service, intellectual capital, financial performance, handling of environmental and social issues). A strong positive reputation among stakeholders across multiple categories will result in a strong positive reputation for the company overall.

As stated in the beginning, a company’s reputation takes years to build. It can be destroyed overnight, taking the board of directors’ credibility and reputation down with it. Ultimately, boards are responsible for overseeing reputational risks along with other risks.