Reputation Risk Management: a False Sense of Security?

Reputational risk management is in vogue among corporate risk management circles. However, reputational risk is fundamentally different from other kinds of business risk, and there’s no guarantee that actuarial approaches developed for other scenarios will carry over effectively.

Understandably, in our age of viral news and a permanent online record of virtually everything, executives are increasingly concerned with managing reputation risk. In Deloitte’s well-known Reputation@Risk global survey of executives, 87% rate reputation as the most important strategic risk facing their companies.

Despite this emphasis, however, we continue to see high-profile examples of companies failing to manage reputation risk effectively—sometimes despite having an explicit reputation risk management framework in place. On a regular basis, businesses come to ReputationDefender for assistance with reputation crises their internal safeguards missed.

To truly manage reputation risk, it is important to understand how reputation risk works, as well as what can—and can’t—be done to mitigate it. Otherwise, reputation risk management approaches may themselves become risk vectors, lulling executives into a false sense of security.

In this article, therefore, we will examine the anatomy of reputation risk, where traditional frameworks often go wrong, and what you can do to protect your business.

The Anatomy of Reputation Risk

Reputation risk is not well defined in most risk management frameworks. It is also resistant to standard risk identification methods. By examining its structure, however, we can find ways to deal with it effectively.

All reputation risks share the following characteristics:


It is virtually impossible to quantify exactly how much reputation loss will result from a specific risk, in part because reputation is lost on the level of the individual. The extent of reputation lost will be determined by the sum total of the change in the opinions of all stakeholders.

Those opinions, however, will be strongly influenced by personal factors, the current business and political climate, the change of other stakeholders’ opinions, and what other company news appears immediately before and after the risk event.


Types of reputation risk can certainly be categorized—product failures, political scandals, employee misbehavior, and so on—but individual risks differ more than they resemble one another. Consider, for example, the brake problems and subsequent recalls of the 2004-2007 Prius, followed by further brake problems and recalls for the 2011 model, and then again for the 2016 and 2017 models.

On the surface, all three reputation events seem to be instances of the same thing: malfunctioning brakes. However, each subsequent recall affected Toyota’s reputation differently. That’s because, in the eyes of consumers, the three recalls are combined retroactively into a single event: a pattern of unreliability. One recall might be a mistake. Two recalls might be a poorly executed remediation plan. Three recalls, however, begin to look like a sign of a fundamentally dysfunctional corporate culture.

When it comes to reputation risk, therefore, a + a does not equal 2a; it equals b. As a result, reputational P&L predictions become nearly impossible to make.

Perceptual and Non-linear

All reputation risks are based on the perceptions of an outside observer. Each observer will have different priorities, know different details, and have a varying level of influence over the perceptions of other observers.

For that reason, reputation risk events simply cannot exist in a vacuum. By their nature, each will force the stakeholder to reexamine previous events and judge whether or not his or her opinions of the company are still valid.

This sets up the potential for vicious butterfly effects, where something that the company might consider to be a relatively minor reputation risk escalates into a widespread scandal as stakeholder opinions reinforce and amplify each other.


Reputation risk does not stem from any one aspect of a company’s activities. Although responsibility for reputation risk is usually seen as the CEO’s purview, virtually anyone or any activity can create a risk of any size.

Even beyond that, since reputation is perceptual, companies face risks for things third parties do, or for perceived issues that never even happened. This is especially true in poorly understood or controversial industries; for example, we worked with a financial services company a few years ago that was maligned by incorrect and misleading press reporting.

Why Reputational Risk Frameworks Fail

Given this anatomy, it’s not surprising that traditional risk management principles are a poor fit for reputation risk. The risk vectors are too malleable and interdependent to be isolated. They change constantly, transformed by other risks and their contexts, making objective P&L assessments nearly impossible.

As such, reputation risk management approaches designed along traditional lines tend to fail. Among ReputationDefender clients, we see two points of failure most commonly:

1. Lack of Appreciation for Risk Interconnectivity

Most advice on developing a reputation risk management framework focuses on identifying specific risks, quantifying their probabilities and estimated P&L effects, then developing metrics for assessing risk and/or handling crises. This approach is flawed largely because reputation risks cannot realistically be considered independent events. Any reputational risk has the potential to create knock-on reputation effects of an unknowable scale.

Consider Turing Pharmaceuticals (not a ReputationDefender client), whose now infamous ex-CEO Martin Shkreli gained widespread notoriety when he raised the price of a generic but critical toxoplasmosis drug by over 5000% in 2015. Internal documents from Turing prior to the price increase demonstrate that the company had weighed the reputational impacts of the price hike. They determined that the blame could be pushed to insurance companies with minimal blowback on Turing and that any reputational risks would be easily offset by increased profits.

However, Turing’s fundamental assumptions about how patients, insurers, doctors, and medical institutions would react were largely incorrect. These assumptions created a string of logistical problems for Turing and for its frustrated stakeholders, which in turn brought media attention to the situation.

Turing might have been able to predict this initial scenario with more careful planning. However, they certainly couldn’t have anticipated the possibility that a string of callous, tone-deaf comments by their CEO would lead to widespread public rebuke, extensive negative media coverage, and a congressional inquiry. Nor could they have predicted that Shkreli would eventually be arrested for fraud related to a previous business.

What was initially perceived as a minor reputation risk quickly grew into a much larger risk and then triggered a series of unforeseeable additional risk events not strongly related to the original issue.

2. Conflicts with Company Culture

As noted above, responsibility for reputation risk management is usually delegated to the executive suite. To have any chance at success, however, reputation risk management needs to be internalized into the company culture. Risks can appear anywhere in—and travel in any direction along—the chain of command. Furthermore, as risks move, they tend to grow stronger.

The Wells Fargo account scandal of 2016 is a prime example (Wells Fargo is also not a ReputationDefender client). Over a number of years, Wells Fargo set unrealistic cross-sell targets for its employees. At the same time, the company allowed a culture to flourish that either encouraged or turned a blind eye toward the fraudulent creation of unauthorized new accounts by employees trying to meet these quotas.

When the scandal broke in 2016, Wells Fargo fired some 5,300 mostly low-level employees who had been involved in the fraud. The company likely assumed this would resolve the situation. However, it actually made things worse.

Accusations arose that Wells Fargo’s corporate culture was the real problem: that the company had tacitly encouraged employees to create the fake accounts and then blamed them for it once they got caught. The fact that these employees were let go simply served to paint them as additional victims of a predatory corporate culture set up by unaccountable executives.

True or not, the employee firing created a huge reputation backlash for Wells Fargo. Increased demands for accountability led to a congressional hearing. The states of California and Illinois announced they would be cutting all business ties with the bank. Wells Fargo lost its Better Business Bureau accreditation. Eventually, CEO John Stumpf was forced to resign and return part of his compensation package.

Wells Fargo may have thought it was managing risk effectively by keeping executives isolated from the fake accounts scandal. However, the company’s culture pushed reputation risk back up to the executive suite, amplifying it along the way and making it worse.

Reputation Risk Management Approaches That Work

These examples demonstrate why reputation risk can’t be handled like other types of business risks. This doesn’t mean, however, that there is nothing companies can do. We have found a number of approaches that have worked for our clients in the past. What follows are a few suggestions, applicable to businesses of all sizes.

Treat all Risks as Catastrophic

Consider Warren Buffett’s famous advice on reputation risk: “It takes 20 years to build a reputation and five minutes to ruin it. If you think about that, you’ll do things differently.”

Instead of trying to catalog and quantify the P&L effects of all potential risks, assume that any reputation risk event has the possibility of snowballing into a catastrophic scandal. Surely Wells Fargo’s management didn’t think aggressive sales quotas would lead to the loss of the business of two entire US states. However, they could have easily predicted that allowing a culture of fraud to fester might have wide-reaching reputational effects. An appreciation of how their sales quotas would affect employee behavior should have been part of their reputation risk calculations.

Monitor Reputational Behavior Independently

Since reputation risk can come from anywhere, it is important to have effective monitoring protocols, both within and outside of the organization. Equally important, the people responsible for collecting this data and making recommendations should be independent from any of the company’s core business activities. As seen in the Turing Pharmaceuticals case, it’s much too easy for internal stakeholders to adopt an overly rosy interpretation that aligns with their agendas. It is much better to get an objective assessment that can properly inform strategic decision making.

Safeguard Against Personal Data Vulnerabilities

The reputation risks caused by data breaches and other hacks are some of the most serious facing any modern business. For this reason, it’s important for companies to counteract the vulnerabilities caused by easy access to personal information about the company’s executives. You can do this by identifying and removing personally identifiable information that could be used by hackers in social engineering or spear phishing attacks. It’s also important to create a culture of cybersecurity within the company and educate all officers and employees about emerging digital threats.

Create Sources of Positive Reputation

Not all reputation risk management is about crisis remediation. Reputation risk can also be avoided by generating a positive track record, a tactic that we emphasize in many of our client engagements. Without a doubt this is easier said than done, but a company that fosters a healthy corporate culture of responsible risk taking and innovation is much less likely to find itself in a reputational crisis than a company that tries to hide in grey areas.

The difference in approach between Google’s and Uber’s self-driving car programs is illustrative here. Google’s Waymo has cultivated a reputation for obsessive testing, regulatory compliance, and helping seniors and the disabled. Uber has instead decided to create a reputation for flouting DMV and state regulations, blaming its drivers, and rushing unsafe vehicles onto the streets of San Francisco. Which approach is more likely to lead to positive reputational impacts in the long run?

By creating sources of positive reputation and then reinforcing them through traditional and online media, companies can buffer themselves against misrepresentation and reputational attacks.

Encourage Transparency

You can help your company culture move away from reputational risk by making more of its activities transparent. Of course, not everything can be put out into the open all the time, but if your business processes are built around asking “what needs to stay hidden” instead of “what needs to be made public,” you are more likely to come up with solutions that steer you away from reputation problems.

* * *

It should be clear by now that there are no formulas or shortcuts for reputational risk management. The most effective strategies revolve around developing a healthy corporate culture that is responsive to and realistic about internal shortcomings, not just external competitive challenges. Regardless of the difficulty, however, a reputation-focused approach is what it takes to succeed in today’s hyper-connected digital media environment—we see the proof in our client interactions on a daily basis. The companies that find the best solutions are the ones most likely to reap the biggest profits.

