10 Keys For Executives To Manage Reputation Risk
With today’s electronic and social media, the news cycle reporting on the downward spiral of a once-proud organization that has suffered severe reputation impairment is not a pleasant one to watch. Unfortunately, such news events capture our attention all too frequently, leaving an indelible impression about a company’s reputation and brand image.
Applied to a business, “reputation” represents an interpretation or perception of an organization’s trustworthiness or integrity. While the truth ultimately prevails over the long term, reputation can be based on false perceptions in the near term. If accurate over time, reputation provides a barometer of how an organization is likely to respond in a given situation. However one defines reputation, everyone agrees it’s a precious enterprise asset and recognizes a reputation that has been damaged beyond repair.
We define “reputation risk” as the current and prospective impact on earnings and enterprise value arising from negative stakeholder opinion. To one author, it is “the loss of the value of a brand or the ability of an organization to persuade.”1Bottom line, reputation is fragile. What takes decades to build can be lost in a matter of days.
Below, we explore 10 essential keys for senior executives and directors to consider in managing reputation risk. We classify them in five critical areas – strategic alignment, cultural alignment, quality commitment, operational focus and organizational resiliency.
#1: Effective board oversight: Reputation risk management starts at the top. Strong board oversight on matters of strategy, policy, execution and transparent reporting is vital to effective corporate governance, a powerful contributor to sustaining reputation and the ultimate checkpoint on CEO performance. For example, the board’s oversight of risk is important because effective identification and management of risk can identify major threats to reputation and ensure they are reduced to an acceptable level.
#2: Integration of risk into strategy setting and business planning: The board and executive management must ensure that risk is not an afterthought to strategy setting and business planning. Integrating risk with these core management processes makes it a relevant factor at the decision-making table, facilitates a strategic view to undertaking risk, and intersects risk management with performance management. In an effort to make the strategy more robust, directors and executives should understand the critical assumptions underlying the strategy, ask appropriate questions to challenge assumptions constructively and consider reasonable scenarios that could render one or more of the assumptions invalid. It is important for management to define the inherent soft spots, incongruities and opportunity and loss drivers that could impact execution of the business plan and dramatically affect performance. Also, the budgeting and forecasting processes supporting the business plan must be effective in managing liquidity risks that can threaten the organization’s viability during the planning period.
#3: Effective communications, image and brand building: Building brand recognition unique to a business is vital to market success and, when all else is working well, augments reputation. A good story is easy to tell, but every savvy board and CEO know that some companies are better at telling their story than others. Therefore, directors and executives need to understand the image and brand-building game plan. Typically, the best companies are customer-focused; understand their value proposition; develop powerful and distinctive messaging; listen well and act to improve their processes, products and customer experience continuously; establish accountability for results with metrics, measures and monitoring; work social media effectively; and passionately live up to their brand promise every day. The messages the press, analysts and others communicate about the company through print and electronic media and word of mouth are influenced by good marks on the other nine keys to managing reputation risk.
#4: Strong corporate values, supported by appropriate performance incentives: The trickle-down notion that, if tone at the top is good, the organization’s culture must be good, doesn’t always hold. Lower-level employees often pay more attention to the messaging and behavior of their supervisory middle managers than the messaging and values communicated by the organization’s leaders. Boards need to ensure that executive management implements a strong tone at the top, a variety of effective escalatory processes, and periodic assessments of the tone in the middle and tone at the bottom. To that end, the executive team needs to ensure alignment of performance incentives with corporate values to shape and influence the corporate culture end to end:
- Up, down and across the organization
- Upstream with strategic suppliers
- Downstream with channel partners
Also, executives and directors need to pay attention to the warning signs posted by the independent risk management function and in audit reports evidencing the possibility of dysfunctional behavior.
#5: Positive culture regarding compliance with laws, regulations and internal policies: Few incidents undermine reputation more than serious compliance violations with the attendant headline effect of the brand being dragged through the mud by the media. Senior executives, with board oversight, should ascertain that effective internal controls over compliance matters are implemented. Executive management must “walk the talk” with respect to compliance, meaning executives should:
- Maintain strong compliance administration and oversight across the organization;
- Periodically conduct a comprehensive risk assessment;
- Refresh the compliance program for changes arising from new regulatory developments;
- Understand the players and third-party agents in countries in which the organization does business and monitor their dealings closely;
- Implement robust compliance training and certification;
- Ensure that adequate documentation of compliance-related communications to and training of employees is maintained; and
- Implement escalatory processes for reporting wrongdoing and suspected violations along with effective follow-up upon receipt of allegations meriting investigation.
In addition, effective auditing and monitoring capabilities to evaluate compliance effectiveness should be in place to ensure the above capabilities are functioning as intended.
#6: Priority focus on positive interactions with stakeholders: The executive team and board of directors should ensure that there is a passionate focus on improving stakeholder experiences. These are the accumulation of day-to-day interactions that customers, employees, suppliers, regulators, shareholders, lenders and other stakeholders have with a company as a result of its business operations, branding and marketing. If internalized and acted upon, they are a powerful driving force for improving and sustaining reputation. To illustrate, organizations that take the time to really know their customers, align company goals with customer needs and act to ensure a distinctively different experience for customers are going to be noticed in the marketplace.
#7: Quality public reporting: When public companies restate previously issued financial statements for egregious errors in the application of accounting principles or omission or misuse of facts, investors notice. For companies contemplating an initial public offering, a well-designed financial close process, effectively functioning internal financial reporting controls and an understanding of what not to say when talking with the press and the investor community are important. For established companies, vigilance in maintaining internal control over financial reporting and in deploying effective disclosure controls and procedures is important to ensure reliable public reports. The markets take quality public reporting at face value. Once a company loses the public’s confidence in its reporting, it’s tough to earn it back.
These points suggest that a strong audit committee is an imperative.
#8: Strong control environment: A critical component of internal control, the control environment lays the foundation for a strong culture around achieving the organization’s operational, compliance and reporting objectives. In addition to management’s commitment to integrity and ethical values and the oversight provided by the board of directors in carrying out its governance responsibilities, as discussed earlier, the control environment consists of the organizational structure and assignment of authority and responsibility; the processes for attracting, developing and retaining competent people; and the rigor around setting the appropriate performance measures, incentives and rewards that drive accountability for desired results. Because embarrassing control breakdowns can tarnish reputation, every board should expect and demand a strong control environment.
#9: Company performance relative to competitors: Even if a company does everything else right, its reputation will suffer if its business model is not competitive. Market recognition of success is a huge validation of a company and its management team. Recognition of differentiating strategies, distinctive products and brands, proprietary systems and innovative processes are intrinsic sources of value that can translate into superior quality, time, cost, innovation, talent management and customer-fulfillment performance relative to the company’s competitors. On the other hand, significant performance gaps vis-à-vis competitors can diminish reputation if they are not addressed in a timely manner. These factors should weigh heavily on a board’s evaluation of company performance over time.
#10: World-class response to a high-profile crisis: Sooner or later, every company is tested. As a crisis event is a severe manifestation of risk, crisis management preparation is a natural follow-on to risk assessment, particularly for high-impact risk events with high-velocity, high-persistence and low-response readiness.
Executive management, under the board’s oversight, should ensure that the risk assessment process is designed to identify areas where preparedness is lacking and, therefore, response planning is needed. If a crisis management team doesn’t exist or isn’t prepared to address a specific sudden crisis scenario, a rapid response will be virtually impossible. Fires cannot be fought with a committee. Response teams should be supported with robust communications plans emphasizing the importance of transparency, straight talk and effective use of social media. The response team should update and test the rapid response plan periodically.
While a one-size-fits-all approach to reputation risk management does not exist, attention to how a company addresses these 10 keys will help shape its reputation over time. Reputation risk management is inextricably linked to the company’s risk management and crisis management disciplines, as well as to the alignment of strategy and culture with the enterprise’s commitment to quality and operational excellence.
From the standpoint of executive management and the board’s oversight, the 10 keys offer a framework for focusing on what’s really important when managing reputation risk.
Questions for Executive Management and Boards
The following are some suggested questions that senior executives and boards of directors may consider, based on the risks inherent in the entity’s operations:
- Is executive management focused on the appropriate fundamentals for enhancing and preserving the enterprise’s reputation?
- Does the risk assessment process source significant threats to the company’s reputation and identify areas requiring consideration of response plans to improve preparedness and rapid response? Is there a rapid response plan for the high-impact, high-velocity and high-persistence scenarios identified in the risk assessment process?
- Is there adequate focus on the critical enterprise risks that could impair the enterprise’s reputation if not managed effectively? Does management apprise the board timely of significant changes in the enterprise’s risk profile? Is there a process for identifying emerging risks on a timely basis?