Making qualitative risks quantifiable
By Chris Howells
Reputation is fast becoming one of the most important risks to manage. Build quantifiable arguments to get boards on board.
Corporate reputation, the close cousin of a firm’s brand, is one of the most intangible assets a company has. If a brand is the inside-out perception of a firm, reputation is the outside-in perception. Therefore, risks to a reputation can come from anywhere. It’s difficult for boards to control, and the financial impact of a damaged reputation is deemed to be higher than climate change or a cyber-attack, according to the Asia Risk Report by StrategicRISK..
A damaged reputation can be exacerbated by its interconnectedness with other risks. In the same report, survey respondents ranked “damage to company reputation/brand” as the risk most connected to environmental risks, social unrest, and regulation, among others.
What’s more, companies are increasingly valued on intangibles. Mitigating risks to reputation was at the center of a recent panel discussion as part of INSEAD’s Risk Breakfast Series, which brought together academics and experts in the field to share views on how to protect firms against reputation damage.
The first barrier companies face in building protection against reputation damage is in quantifying it. Reputation, like brand, is qualitative. But like brand equity, it is essential to building trust. Standard & Poor’s has added reputation risk to its enterprise risk management assessment of companies.
As Leesa Soulodre, managing partner at RL Expert Group said, reputation risk management is about both a company’s legal and regulatory license to operate (the risks) and its social license to grow and innovate (opportunity). The ability of a firm to recover trust after a reputation incident has been significantly affected by the global financial crisis, and reputation risks are increasingly emerging from what others say about the firm.
This means boards need to start building their reputation risk frameworks to protect it. The trouble is, boards also prefer to look at their organizations in quantitative terms.
To overcome this, Soulodre shared her experience working with a global financial institution to get the board on board. It had 130 pages of risks it wanted to evade, but she and her team worked to whittle it down to 30 top risks that could lose the company its legal and regulatory license to operate. To more dynamically adapt risk appetite and tolerance to the company’s risk register, an upstream risk team, composed of multidisciplinary functional and board leadership, was recruited to proactively look at emerging risks. This ensured a life-cycle risk-management approach. The risk forum could examine all the company’s license-to-operate risks on a monthly basis and dynamically allocate resources to the priority risks.
Soulodre added that it was also essential to make sure the organization had a single position on each of the top 30 risks to ensure appropriate engagement with key stakeholders.
With the risk landscape changing so quickly, she made sure the client was updated by smartphone so that each issue could be brought up and put into the right context at any time. A single company position was articulated, the background context of the issue explained, and the company’s three key messages on its position in relation to the risk were made clear. The company leader engaging with stakeholders could then report back via smartphone the level of advocacy that the stakeholder was offering the organization, which helped its allocation of resources on key reputation risk topics.
As the Asia licensee of the Reputation Institute, Soulodre shared the framework for defining and managing reputation risks developed with AIRMIC:
1. Risk identification
2. Assessment of reputation risks
3. Prioritization of reputation risks
4. Risk mitigation
5. Measure reputation performance
Measuring the risk
Sara Gori, head of reputation risk at AXA, noted that AXA treats reputation just like any other risk such as credit, liquidity, market, or regulatory risk. Similar to Soulodre’s approach, the company starts by identifying, then assessing and prioritizing the potential reputational risks. The organization should ask, “Which risks have the potential to negatively impact the company’s reputation? What is our risk tolerance?”
For example, if a customer or the general public airs an opinion of the organization, saying ”I like or hate X company,” the risk to reputation will be taken into account but can be deemed tolerable, whereas risk due to internal fraud would not be tolerated.
AXA quantifies each risk with a traffic light system of red, amber, and green, which correspond to severe, moderate, and minor, respectively. This then gives the firm visibility over what the potential reputation risks are. For instance, it could be how many agents or employees leave the firm on an annual basis, which could become a reputation issue. They then move to prevention to tackle the root problem.
To ensure the whole company sings the same tune, AXA also has a firm escalation policy, which is in place from local markets to headquarters. “Even if we’re going to say ‘no comment,’ we need to know what is going on,” Gori says. This is handled by one dedicated in-country representative, who gathers all the local facts of an issue and bundles it up to headquarters.
Gori advises that reputation issues be prioritized based on their ability to cause the firm to lose its license to operate; lead to increased regulatory scrutiny; or closer scrutiny from media and other stakeholders, which has the ability to perpetuate a reputation issue.
Measuring the extent of reputation damage
Attempting to make qualitative risks quantifiable is the central challenge. A reputation issue could be caused by an operational disaster that drags the firm’s reputation down for months or even years. It’s not impossible to clean up a reputation problem. INSEAD Professor of Accounting and Control, Gilles Hilary, outlined the steps taken by the International Olympic Committee in the wake of a bribery scandal as effective for countering reputation damage: Apologize immediately, investigate and punish, and then reform.
But prevention is better than cure. Ultimately, the source of any reputation damage is a culture that allowed an incident to occur. Gori recommends building risk intelligence and compliance into company culture to ensure that the frameworks to facilitate whistle-blowing and reporting are there, as well as the willingness to use them. This, she says, must come from the top.
This article is republished courtesy of INSEAD Knowledge. © INSEAD 2016.