Executives know the importance of their companies’ reputations. Firms with strong positive reputations attract better people. They are perceived as providing more value, which often allows them to charge a premium. Their customers are more loyal and buy broader ranges of products and services. Because the market believes that such companies will deliver sustained earnings and future growth, they have higher price-earnings multiples and market values and lower costs of capital. Moreover, in an economy where 70% to 80% of market value comes from hard-to-assess intangible assets such as brand equity, intellectual capital, and goodwill, organizations are especially vulnerable to anything that damages their reputations.
Most companies, however, do an inadequate job of managing their reputations in general and the risks to their reputations in particular. They tend to focus their energies on handling the threats to their reputations that have already surfaced. This is not risk management; it is crisis management—a reactive approach whose purpose is to limit the damage. This article provides a framework for proactively managing reputational risks. It explains the factors that affect the level of such risks and then explores how a company can sufficiently quantify and control them. Such a process will help managers do a better job of assessing existing and potential threats to their companies’ reputations and deciding whether to accept a given risk or to take actions to avoid or mitigate it.
The Current State of Affairs
Regulators, industry groups, consultants, and individual companies have developed elaborate guidelines over the years for assessing and managing risks in a wide range of areas, from commodity prices to control systems to supply chains to political instability to natural disasters. However, in the absence of agreement on how to define and measure reputational risk, it has been ignored.
Consider the 135-page framework for enterprise risk management (ERM) proposed in 2004 by the Committee of Sponsoring Organizations of the Treadway Commission (COSO), a group of professional associations of U.S. accountants and financial executives that issues guidelines for internal controls. Although the framework mentions virtually every other imaginable risk, it does not contain a single reference to reputational risk.
Nor does the Basel II international accord for regulating capital requirements for large international banks. In defining operational risk as “the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events,” the Basel II framework, issued in 2004 and updated in 2005, specifically excludes strategic and reputational risks. That’s mainly because of the difficulty of factoring them into capital-adequacy requirements, most banking-risk professionals would say.
Given this lack of common standards, even sophisticated companies have only a fuzzy idea of how to manage reputational risk. A large U.S. pharmaceutical company reflects the current state of practice among well-run organizations. It has an ERM system for managing operational and financial risks, as well as hazards from external events such as natural disasters, that is loosely based on the COSO framework. The firm’s vice president of risk management oversees the system. However, the company manages reputational risks only informally—and unevenly—at the local and product levels. Its leaders consider reputational risk only when they make major decisions such as those involving acquisitions. (The company’s due-diligence process includes the evaluation of problems that could affect reputation, including pending lawsuits, weak product-testing procedures, product-liability concerns, and poor control systems for detecting management fraud.) The risk management VP says that reputational risk is not included in the long list of risks for which he is responsible. Then who is responsible? The CEO, the vice president surmises, since that is who oversees the firm’s elaborate crisis-response system and is ultimately responsible for dealing with any events that could damage the company’s reputation. This pharmaceutical firm is not alone. Contingency plans for crisis management are as close as most large and midsize companies come to reputational-risk management. While such plans are important, it is a mistake to confuse them with a capability for managing reputational risk. Knowing first aid is not the same as protecting your health.
Determinants of Reputational Risk
Three things determine the extent to which a company is exposed to reputational risk. The first is whether its reputation exceeds its true character. The second is how much external beliefs and expectations change, which can widen or (less likely) narrow this gap. The third is the quality of internal coordination, which also can affect the gap.
Effectively managing reputational risk begins with recognizing that reputation is a matter of perception. A company’s overall reputation is a function of its reputation among its various stakeholders (investors, customers, suppliers, employees, regulators, politicians, nongovernmental organizations, the communities in which the firm operates) in specific categories (product quality, corporate governance, employee relations, customer service, intellectual capital, financial performance, handling of environmental and social issues). A strong positive reputation among stakeholders across multiple categories will result in a strong positive reputation for the company overall.