What is the biggest risk that will face your company or organisation this year?
For the past two years, when insurance giant AON surveyed 1,400 of the world’s biggest companies, risk of damage to reputation or brand featured near the top of the ten risks ranked by companies.
Only economic slowdown, regulatory or legislative changes or greater competition pose a bigger threat to business than damage to reputation or brand.
Global accountancy and strategic consultancy firm Deloitte has also been analysing reputation risk and, in a report Reputation@Risk, published last year, revealed that 88 per cent of 300 executives questioned were explicitly focusing on reputation risk as a major business challenge.
The findings followed Deloitte’s 2013 global executive survey on strategic risk that found reputational damage was the biggest risk concern to executives around the world. Today, 87 per cent of executives rate reputational risk as more important or much more important than any other strategic risk they face.
But who should have responsibility for dealing with reputation risk? Deloitte’s latest survey is clear in its findings that reputation risk is a boardroom issue. But while in more than one third of companies (36 per cent) it is the chief executive that takes responsibility for this area, 11 per cent put the finance director in charge while one in five companies assign responsibility to the chief risk officer.
So where does this leave the director of communications or corporate affairs director, the people who normally have the reputation and communication expertise in any given firm.
There are fears that communications professionals, who do not have a legalistic or financial risk background, may no longer have the ear of the chief executive in this area.
Also, communication strategies are often at odds with legal liability advice, especially in a crisis.
The financial sector in particular has begun transferring responsibility for reputation to chief risk officers who are shifting their focus from traditional operational risk to more strategic risks, including brand and reputation risk.
Deloitte itself is a case in point. For example Chuck Saia is the chief risk officer and reputation and crisis leader of Deloitte’s US member firm, reporting to the chief executive. The role became more defined in the wake of the global financial crisis.
‘In the past, the chief risk officer’s main focus was on traditional Enterprise Risk Management models (for example information security issues, business continuity). The role has now shifted to focus on the top and emerging risks that directly and strategically impact business strategies,’ explains Saia in the Deloitte report.
While this may be true for some companies in the financial sector, it is by no means a uniform trend, according to Rupert Younger, director for the Centre for Corporate Reputation at Said Business School.
Companies with strong consumer brands, for instance, make corporate reputation a boardroom issue and usually have a board committee that will oversee it, underlining that reputation is such a key issue responsibility it has to be shared.
Corporate affairs directors in many of these companies will sit on an executive committee, just below the board, that deals with reputational matters. This situation is reflected at other high street names, including banks and retailers.
But there is no one size fits all.
In the recent past, corporate affairs at Tesco, was overseen by Lucy Neville-Rolfe, who was also general counsel and latterly sat on the retailer’s main board.
At Barclays bank, there is a chief risk officer – Robert Le Blanc – but his job is to focus on financial risks and a separate board committee on Conduct, Reputational and Operational Risk keeps a watch on reputation issues.
‘It’s a great question as to where the risk register fits in, but there’s no clear trend yet,’ Younger says.
Far from seeing the corporate affairs function edged out in these discussions, he believes the increasing focus on reputation risk is a huge opportunity for talented corporate affairs operators.
‘The best corporate affairs directors have a breadth of expertise and are responsible for giving insight into the way others see an organisation. Their knowledge and skills are now being taken much more seriously and many more very talented people are now attracted to this area.’
Nor does Younger see inappropriate attempts to measure intangibles, such as reputation. ‘It would be a mistake to put everything through the lens of measurement,’ he says, particularly since the Centre for Corporate Reputation’s research shows that every organisation has multiple different reputations and audiences.
But Younger notes that lawyers, strategic consultants and insurers are all trying to muscle into the area of ‘reputation’ and are developing products to mitigate problems, such as reputation management insurance and crisis management packages.
‘Risk officers, lawyers and insurers are badgeing themselves as reputation specialists to get boardroom access and get taken seriously,’ he says. Louise Shield, director of external communications at insurer Royal Sun Alliance, has not seen any tension between risk departments and communications teams. She says: ‘In the last few years, reputational risk has become prominent on the risk agenda. As director of external communications I am part of a risk committee that includes specialists from legal, financial and audit and we meet regularly to discuss the main risks for our business.’
‘I feel that there is more of a partnership than a tension between the communications team and risk officers in my business. There is no sense of the risk team looking to take over our work. They deal with a whole spectrum of risks and wouldn’t expect to be experts in each area. They rely on the experts to help and guide them,’
Robert Nuttall, co-founder of strategic consultancy Fortitude Partners, agrees that responsibility for reputation will go beyond narrow functions.
‘Reputation has touch points across the entire company and indeed along the entire supply chain. It must be the (ultimate) responsibility of the chief executive,’ he explains. ‘In a catastrophic reputation event, it is the chief executive who goes, think Fred Goodwin of RBS, think Nick Buckles of G4S, think of Chris Hyman at Serco.’
Practically speaking, however, Nuttall believes that the finance director should be tasked with managing the risk register (including reputation). He also advises that companies consider insuring against the mitigation costs of responding to events that can damage reputation.
But the problem with such an approach is that there is currently no sure way of being able to assess the share price or balance sheet implications of reputation loss, which is why there is a temptation to push reputation risk into a financial risk metric, in an attempt to analyse it in legal or insurance-based terms.
In the experience of Fortitude, it is more likely to be larger US-based companies that tend to run corporate affairs in a legalistic fashion, and indeed may report into the chief legal officer.
Nuttall says this could cause a problem. ‘We would argue that especially in the age of digital transparency, reputation responses must be as fleet as foot as possible, which is not necessarily the attitude or training of lawyers,’ he says.
In Deloitte’s case the company sees it as part of their obligation as auditors and consultants to advise boardrooms on the possible adverse effects of damage to reputation, given that a problem in this area can have a significant impact on shareholder value.
Hans-Kristian Bryn, strategic risk partner at Deloitte, who contributed to Reputation@Risk, says that this is not an attempt to take control of reputation from communications or corporate affairs professionals.
‘There isn’t one individual that will hold the entire responsibility for reputational risk in an organisation. The communications or corporate affairs function has a key role to play, but the impact of a reputational event has become much more significant so to minimise that there needs to be a range of capabilities [involved],’ he explains. ‘Organisations are on a journey regarding this aspect of risk. It is not a settled area and there isn’t one solution that fits all.’
Deloitte’s survey found that 39 per cent of executives viewed their own reputation risk management programmes as either average or below average. Indeed, fewer than one in five (19 per cent) rated their programmes as excellent.
Consequently, 57 per cent plan to focus on improving their capabilities for managing reputation risk. They are considering investing in people, such as reputation risk officers; investing in data, such as media and social media monitoring tools; investing in technology, such as brand monitoring and predictive analytic tools; and developing reputation risk and crisis management processes and capabilities.
Five years ago when Sir David Walker, now chairman of Barclays, produced his review of corporate governance in banks in the immediate aftermath of the financial crisis, he considered closely the effectiveness of risk management in the boardroom.
At the time, one area that he did not really consider was the question of reputation risk. In a recent interview, Sir David explains that if he were asked to write the same report today, he would recommend that all banks should have a committee to deal with ‘soft culture’ issues such as conduct, operational and reputational risks.
A recent selection of stories from the financial media appears to bear out Sir David’s observations. Supermarket giant Tesco has dominated the headlines, and has seen its reputation damaged by the revelation that supplier payments had been booked early to help flatter profits. High street banks, including state-owned RBS, continue to dominate the headlines regarding their past mis-selling of payment protection insurance and their treatment of small businesses. And energy companies continue to face bad press for not passing on wholesale energy price falls and for mis-selling.
Boardrooms are fully awake to the fact that hard-won reputations, garnered over years, can be lost in a morning’s trading. But the fact that risk managers are only now trying to quantify and measure damage to reputation only seeks to underline the fact that reputation risk is set to remain on the list of top ten threats to businesses.