Historically, risk managers and internal auditors struggled to define reputational risk. Some saw it as the ultimate result of the failure of the organisation to manage other risks properly. Others saw reputational risk as being a separate category of risk in its own right. What united both groups, and business leaders, was the view that reputational risk was the most serious risk facing their organisation; and that they had to avoid the kinds of outcomes that had regularly plagued and destroyed reputations in the past.
As an example, experience has shown that if a clothing company sources stock from a company that uses child labour, pays what consumers see as exploitative rates of pay or provides dangerous working conditions, the company's reputation will be at risk when consumers and their proxies, the media, find out. Companies that might face this or analogous problems regularly recognise this kind of source of reputational risk.
'Roads to Ruin', the Cass Business School report for Airmic, shows that this approach is fundamentally inadequate. Reputational damage does indeed happen when an organisation fails to manage other risks properly. But when root causes are considered, the deeper insight is that reputations are usually lost when stakeholders come to believe that the organisation is not as “good” as they previously thought.
So what is reputational risk? To arrive at a sound answer, we need first to ask what reputation is. A useful working definition is:
"Your reputation is the sum total of how your stakeholders perceive you"
This definition emphasises four points.
- Your reputation is about how you are perceived, which is not necessarily the same as how you really are;
- Your reputation is not about how you perceive yourself; it is about how your stakeholders perceive you;
- As it is your stakeholders who hold that critical perception, if your stakeholders come to perceive you in another way, your reputation changes; and
- That 'sum total' may vary depending on which stakeholders are most influential at any particular time.
In our experience, a good working definition of reputational risk is therefore:
“Reputational risk is the risk of failure to fulfil the expectations of all of your stakeholders in terms of performance and behaviour”
This definition emphasises the root causes of reputational damage, which are all to do with performance and behaviour.
Thus the damage in the clothing company example may, superficially, be due to child labour, exploitative rates of pay or dangerous working conditions. But looking through those immediate causes to root causes, the use of very cheap labour may emerge from the strategy of the company (e.g. buy as cheaply as we can), the ethos of the company (e.g. source cheaply - I won’t ask questions about/don't want to know how you achieved it), internal incentives (prioritising cost saving above ethicality), a leadership which doesn’t think about ethicality at all, or other individual or collective behaviours or features of the way the organisation is put together. Understanding those root causes, and dealing with them, will not just prevent a recurrence of the same problem but will prevent new problems with similar root causes. That is how aviators have made commercial aviation so safe that the most dangerous leg of a long overseas trip is the journey to the airport. Unfortunately, these risks are difficult to find and regularly lie unrecognised for years before giving the board an unpleasant surprise.
This insight is now widely recognised. It lies at the root of the latest Financial Reporting Council Guidance on Risk; and at the root of the growing emphasis by financial regulators on human behaviour as the origin of all financial failures.
The challenge is for organisations to find these often deep-rooted risks before they cause harm.
Our experience is that most business leaders are unaware of these risks and their implications. So too are many in risk teams. This is because behavioural and organisational risks are recent additions to the risk lexicon and not all risk professionals yet understand them.
That is why the latest FRC risk guidance explicitly sets out to ensure that boards and risk teams learn about these risks as a prelude to finding and dealing with them. With the right kind of education and evaluation, these lethal but under-recognised vulnerabilities can be understood, found and fixed before they cause harm.