So, with that gauntlet thrown down, which of the following is not like the others:
Clearly, the title of this blog post gives away the answer, so let me ask a different question. Why? Why is “reputation risk” different, and why doesn’t it belong with the others in a list of risk types? Take a moment to think about it…
In order to answer the question, I’ll start with an analogy. Imagine if the medical or insurance professions used a list of “causes of death”, which included:
Think about it. Isn’t bleeding often an outcome of the other four “causes”? As such, it wouldn’t make much sense for it to be listed as a distinct cause of death. It’s simply an outcome or symptom of events, rather than a cause. In fact, I can’t think of a single circumstance where a loss of blood occurs without some event happening to cause it.
So, when does reputation damage occur? It occurs as an outcome from a wide variety of events. For example:
Notice anything about these examples? They’re events that match the first four risk types listed at the top of this article. Also, each of the examples reflects the effect of damaged reputation on stock price, market share, etc. So my point isn’t that the potential for reputation damage doesn’t exist. It absolutely does. My point is that reputation damage is not a type of risk. It’s an outcome.
Well, for one thing, I often hear people say that, “You can’t measure reputation risk.” Given my perspective above, I’d agree with them because "reputation risk" is not an accurate representation of how reputation factors into the risk picture. You can, however, measure reputation damage. The difference is that if you stick with the common use of "reputation risk", you end up being unable to measure a critical component of the risk landscape. If, however, you treat reputation damage as an outcome of the actual risk types, then you can do meaningful risk measurement.
I’m sure some people will think I’m nitpicking. Others may try to defend “Reputation Risk” as a well-established principle. To the first group, I’d answer that mature professions don’t operate with fundamental logical flaws in their foundational terminology. Furthermore, if we’re going to accurately and meaningfully measure risk within the organizations we serve, we have to avoid making these kinds of conceptual errors, errors that genuinely prevent us from measuring risk well. To the second group, I’d ask for a logical and rational defense for "reputation risk" that — frankly — I don’t think exists. I’m all ears though, for someone who cares to offer one.
This is just one example of where the risk management profession hasn’t applied enough critical thinking to really understand the problem space. I could make the very same argument about “Liquidity Risk”, "Financial Risk" or a number of other terms and concepts that are regularly used in our industry. All I’m suggesting is that the risk management profession needs to take a step back and more carefully examine common terminology and practices. There’s room for improvement, and each of us can help to move the needle. The next time you're about to use the phrase "reputation risk", remind yourself that there's no such thing — that it isn't a type of risk. Instead, refer to reputation damage as a potential outcome of legitimate forms of risk.
The good news is that FAIR treats reputation damage as an outcome, which is one of the reasons why it's been so effective at dealing with this aspect of risk measurement.