Reputation Risk and Opportunity Governance: A 5-Point Blueprint for Boards by Andrea Bonime-Blanc, JD/PhD
Reputation risk and opportunity management is the front line job of management – however, it is the job of the board to provide reputation risk and opportunity oversight for their company. And most boards don't even think about reputation risk until the crisis or scandal hits and their company's reputation, as well as their own personal reputations possibly, may be at risk.
In this article, we define reputational risk, identify recurring themes that were present in cases where reputation risk has gone wrong, and offer a high level five point blueprint for boards to oversee reputation risk and opportunity at their companies. Why do this? Because effective reputation risk management – just like effective enterprise risk management – is not only useful to mitigate losses and liabilities but also to build reputation opportunity and value with and from key stakeholders (customers, employees, regulators, etc.).
Reputation Risk Defined
Within the context of an organization (whether a company, a government agency, a university or a non-profit), reputation risk is a strategic risk that can amplify other underlying and related risks especially non-financial or ESG (environmental, social and governance) risks when those risks have not been properly identified, managed or mitigated. Here is a simple definition of reputation risk I offer in my book, The Reputation Risk Handbook:
Reputation risk is an amplifier risk that layers on or attaches to other risks – especially ESG risks – adding negative or positive implications to the materiality, duration or expansion of the other risks on the affected organization, person, product or service.
When one couples the notion of an amplifier risk with the notion of stakeholder expectations and impact, one can surely start seeing the gestalt of why reputation risk has both qualitative and quantitative dimensions.
Reputation Risk Management Gone Wrong
It is important to note a recurring theme throughout cases where reputation risk went wrong: something or some things did not work well within these companies in advance of the crisis and there are three critical topics that seem to appear in most of these cases:
- The Board did not have a proactive stance on effective risk oversight, let alone reputation risk oversight.
- The CEO/c-suite were not creating or supporting a culture of accountability and customer-centricity thus allowing for the erosion key stakeholder trust.
- The company itself does not appear to have effective risk management and/or views risk as a liability that happens to unlucky companies (instead of a manageable asset that also has embedded opportunity and potential value).
Why Good Reputation Risk Management and Oversight Matter
Reputation risk matters for worse and for better because it's what happens when the expectations of stakeholders – potentially a multitude of them – are missed, met or exceeded. Reputation risk acts as an amplifier and accelerator of an underlying risk that is not managed at all, poorly managed or is managed up to and possibly beyond the expectations of key stakeholders.
While stakeholder expectations can be characterized as being largely behavioral, emotional or intangible, what happens as a consequence of exceeding, meeting or missing stakeholder expectations is far from intangible:
- An organization's meeting or exceeding its stakeholders' expectations can have neutral to positive qualitative and quantitative consequences.
- An organization's missing its stakeholders' expectations can have negative consequences – both qualitative and quantitative.
How well an organization understands and incorporates a qualitative assessment of its key stakeholders and their expectations is where the qualitative and quantitative dimensions of reputation risk meet: one does not make sense without the other and one feeds upon the other. The below chart from my book, The Reputation Risk Handbook, shows a range of some of the key stakeholders that organizations should be considering in such an assessment.
The bottom line is this: flying without a reputation risk net is tantamount to hoping for the best in a world full of challenges, risks, threats and (lost) opportunities. Adopting such a framework, in turn, provides the resilience needed for long-term survival and even out-performance as risks are managed and new opportunities are identified on the way to effectively managing reputation risk.
With these themes in mind, let's take a look at the five keys to successful ongoing board reputation risk oversight.
A Five Point Reputation Risk Governance Blueprint
Below is what I would consider to be the five key tasks of a board intent on overseeing reputation risk and opportunity effectively for their company:
- As an Amplifier and Strategic Risk, Reputation Risk should be on the Board Agenda Regularly. Reputation risk does not occur in isolation but in relation to other underlying risks. As such, reputation risk must be on every board agenda together with strategic and enterprise risk oversight.
- Boards Must Oversee Effective Enterprise Risk Management (ERM). Reputation risk cannot be properly understood, managed or supervised without robust underlying ERM that identifies all risks and allows related reputation risk to be properly gauged.
- The Board Must Know Who the Company's Key Stakeholders Are. Why? Because every stakeholder has expectations of a company's behaviors and results both financial and non-financial. If and when those expectations are not met, both qualitative and quantitative consequences will follow, most of them negative. The reverse is true as well: the better an organization understands, nurtures and tends to its principal stakeholders, the better off that organization will be when and if crises occur, with both qualitative and quantitative consequences, most of them neutral or positive.
- A Cross-Disciplinary Team of Company Experts Should Manage Reputation Risk. And it is up to the Board to understand from such experts – from the chief risk officer and head of public relations and communications to the general counsel and the audit executive. They are best prepared to understand the reputation risk of the company if they prepare accordingly. That team must also be synchronized with a proper and effective crisis management program.
- Reputation Risk is Directly Connected to Corporate Resilience, Opportunity & Value Creation. It is the board's role to ensure that the company and its management develop and implement resilience measures to counteract and mitigate material risk and to take advantage of risk opportunity – reputation risk oversight is a critical part of this process. The more prepared an organization is for its risks, the greater chance it will have to successfully manage the risk, associated crises and value opportunities.
For more information and case studies, readers should go to the thought leadership page of the GEC Risk Advisory website.
Dr. Andrea Bonime-Blanc is CEO founder of GEC Risk Advisory and a global governance, risk and value creation strategist. Her firm specializes in governance, risk, ethics, compliance, corporate responsibility, reputation and crisis advice to the private, public, governmental and non-profit sectors worldwide. She is author of The Reputation Risk Handbook and Emerging Practices in Cyber-Risk Governance and has been consistently recognized by Ethisphere as one of the "100 Most Influential People in Business Ethics." In 2017, she was appointed Ethics Advisor to the Financial Oversight and Management Board of Puerto Rico, created by the U.S. Congress to oversee the restructuring of the Puerto Rican economy. She tweets @GlobalEthicist and writes the Risk2Value Blog.
The views and opinions expressed herein are the views and opinions of the author and do not necessarily reflect those of Nasdaq, Inc.