Reputation loss can kill a company; just look at the Weinstein Co., once a leading independent film studio, that went broke after 60+ actresses accused Harvey Weinstein of sexual harassment and assault. The resulting lawsuits and cancelled deals made the company unsaleable even after Weinstein exited. Reputation-generated losses exceeded the total value of the company, so to speak. But what about Equifax? It took a devastating hit to reputation as a guardian of personal information, after a massive data breach, yet it’s still in the PII business. How much in reputation losses did it suffer?
Of all the losses counted up in quantitative risk analysis, reputation loss is, well, the least quant. FAIR model creator Jack Jones defines it in his usual crisp way as “losses resulting from stakeholder belief that an organization's value has decreased and/or that its liability has increased”.
Andrea Bonime-Blanc has navigated the tricky topic of reputation in roles for multinational companies as a general counsel, chief ethics officer, chief compliance officer, and chief risk officer. She’s written extensively on reputation and risk, including The Reputation Risk Handbook: Surviving and Thriving in an Age of Hyper-Transparency, and several publications for The Conference Board, where she has served as the lead cyber-risk governance researcher. Bonime-Blanc currently runs her own consulting shop, GEC Risk Advisory, advising boards and executives on strategic governance, risk and ethics issues. In 2017, she was appointed ethics advisor to the Financial Oversight and Management Board for Puerto Rico. Here are some of her thoughts on measuring and managing reputation loss and gain.
Q: You’ve written that one way to think about reputation is as something that attaches to other risks. What do you mean by that?
A: In an organizational context, reputation risk attaches to and amplifies other risks that are not properly attended to. Take Equifax as an example. Equifax should have been on the high end of protecting their most important crown jewels – customer personal information. Instead, they appear to have been negligent or even willful in disregarding basic risk mitigations to protect such information.
So, the reputation risk that associates itself with that is way greater, as it should be, because stakeholder expectations have been ignored or disregarded. While in the short term their stock price may recover, there are other long-term reputational consequences that could be much more damaging from a financial standpoint than if they had done what was expected of them by their stakeholders by investing more appropriately into cyber-defenses and cyber-security.
The idea of reputation risk acting as an amplifier and accelerator of unattended underlying risks is something I developed from years building ethics and compliance programs. I found it to be a useful concept in presenting the need for greater sensitivity to these issues to management and boards. Business people are very financially focused, and don’t always think about culture, ethics or risk as concepts that can actually bolster resilience and value in an organization.
Q: You talk about reputation risk as cutting two ways; it’s also an opportunity. How is that possible?
A: Here’s an example: The U.S. Department of Justice prosecuted a Morgan Stanley executive suspected of engaging in corruption in China, but, having looked at the company’s well-developed underlying anti-corruption program, the DOJ complimented Morgan Stanley for having such a good program in place and did not prosecute the company because of this. So, if anything, they had a reputation enhancer for investing in anti-corruption compliance and risk management.
Q: How do you advise companies to quantify risk of reputation loss?
A: I have a strategic knowledge-sharing relationship with RepRisk, a big-data analytics company that does real-time monitoring of news media and social media, 24/7, for global companies. They’ve developed a typology for environmental, social and governance issues, and have developed a 1-100 point index of what the marketplace is saying. It gives you a snapshot in time, and a sense of where the issues are that you need to be concerned about. So that’s one approach.
In conjunction with another quantitative expert, Dr. Leonard J. Ponzi, we have a qualitative/quantitative methodology for companies to survey their key stakeholders, for instance, for companies that have done a good job of identifying their top risks and want to dig deeper to understand the potential consequences of one of those risks going wrong. The survey is done with key stakeholders and then a regression analysis is applied to achieve a quantitative analysis of what the risk might be vis-à-vis those stakeholders should such risk transpire.
Imagine if Wells Fargo, back when it had a great reputation, had in its risk register “overly aggressive sales incentives leading to fraud” – and they had measured what that risk could do to them if it went wrong.
But quantification is difficult and that’s why I come back to the concept of a resilient organization. With resiliency, an organization is capable of addressing risk more proactively and successfully thus also improving the chances for reputation building.
Q: How do you define a resilient organization?
A: A resilient organization is one that has well-rounded and properly evolved risk management, effective crisis management, and business continuity, and the right programs and policies and training in place to address your specific risks and promote a culture of speak up/listen up, and it is done consistently and effectively at all levels of the organization.
That means having some talented people who know what they’re doing, the right kind of technology solutions, the right policies, training and alertness within the employee and third-party population. These are not hard and fast things, they are an accumulation of mitigations and measures that will help the organization be resilient at a time of need and that will demonstrate to stakeholders that you care about avoiding negative impacts to them and adding value to the overall organization.
Many companies don’t care about this until a scandal hits them and then they scramble to try to put a compliance program together.
Q: You’ve recommended a triangular approach to build this resilience.
A: It’s just a simple, visual way to understand how to make good cyber risk governance or any risk governance happen. It’s about having synchronicity between the board, the executives, and the operational and functional experts (like the CTO, CISO, lawyers, financial people) to implement a strategy for such risk governance.
Q: How do you recommend companies implement it?
A: It’s really important to put together a small but mighty task force of smart people within the company to first of all vet what the company is doing and what is still needed. Such a group needs buy-in from management about the need to do something proactive or conscious about this. That might involve bringing in outside experts, technical experts or governance people to help assist the thinking.
Do a gap analysis, do a survey, do what’s necessary to provide a sense of where the company is and where it needs to go.
Then engage the board. One of the common failings of companies is that they don't think beyond CEOs and CFOs for board members. I’m an advocate of having a broader risk, ethics, corporate responsibility person, maybe retired or from another company, with a more developed sense of risk and opportunity and who also is a digital person who understands technology who can thus be a broader resource as a board member.
Few boards have that. I hate to say this, but they have a homogeneous group of older, usually men who have been CEOs and CFOs. They are really quite far removed from understanding the sort of tectonic shifts that are happening to us right now.
It’s critical for boards to expand their horizons in terms of who is sitting on the board and/or to bring in an outside consultant to help them think outside the box. Frankly, the same goes for many management teams who often don't take into account as much as they should someone with a broader lens, a contrarian or futurist who can shake the tree and talk about the new stuff. In the absence of the board changing or even the executive team changing, a cross-functional, interdisciplinary team of smart people is absolutely essential.
After I published this blog post, I heard from a number of FAIR Institute members that the post did not adequately provide a counterpoint to the repeated use of the term “reputation risk” in the post. The responsibility is entirely mine, not Andrea Bonime-Blanc’s. As these readers pointed out, FAIR has a more accurate and more useful way of approaching reputation in risk analysis, as Jack Jones laid out in a blog post, “There Is No Such Thing as Reputation Risk.” There is such a thing as reputation damage, but it’s an outcome of a risk (for instance, data breaches against Equifax or lawsuits against Harvey Weinstein), not a risk itself. Not a trivial distinction if we are trying to apply critical thinking and do meaningful risk measurement.
--Jeff B. Copeland