Managing Your Organization’s Reputation — Why it Matters

Stay current on changes and developments in corporate law with a wide variety of resources and tools.

RISK MANAGEMENT

By Patty P. Tehrani

Patty P. Tehrani, Esq., is an experienced compliance attorney and has nearly 20 years’ experience in compliance including senior in-house roles at top financial institutions, authoring articles and blogs, and compliance consulting engagements. She has created a series of tools, guides, and reference materials on governance, risk, and compliance functions—including guidance to help establish reputational risk frameworks—available in the compliance-focused practical guidance on Bloomberg Law’s Corporate Practice Center.

Does your organization know the importance of its reputation? Warren Buffett (Chairman and CEO, Berkshire Hathaway) said years ago: “It takes 20 years to build a reputation and five minutes to ruin it.” Recent scandals confirm that even hard-earned reputations can be vulnerable via social media and ongoing news coverage. The impact is faster and more enduring, leaving a once impeccable reputation tainted or irrevocably damaged.

Most organizations understand that their reputation has value and know the benefits reaped from a good one but struggle with how best to protect it. The enduring trust of customers, investors, suppliers, regulators, employees, and other stakeholders boosts the organization’s confidence and its bottom line, but a weak or damaged reputation can lead to shareholder dissatisfaction and loss of revenue.

This article focuses on using a dedicated framework or program to anticipate reputational risk and provide defined measures to prevent, detect, and manage them. If designed/implemented properly, the program would align organizational values with what it does (or does not do) in response to a crisis.

What is your organization’s reputational risk?

As a first step, an organization should define reputational risk based on its operations, values, and vulnerabilities. Your definition should be able to answer questions like the following:

  •  How are your organization’s trustworthiness and integrity perceived?
  •  Which stakeholders’ perceptions of your organization’s reputation have been included in the calculus?
  •  Where among your organization’s business activity is there likely an impact on brand, influence, earnings, or value?
  •  Which areas of business activity are most vulnerable to experiencing measurable loss — in revenue, clients, engagements, employees, brand value— from reputational damage/crisis?
  •  In what circumstances would value loss be immediate, and in what circumstances gradual?

And make sure the defining process is collaborative. Get input from different groups/functions within your organization, document it, and then review it periodically for effectiveness.

Why should your organization include reputational risk in its controls?

Defining reputational risk is not the finish line. Your organization needs to also determine how it will manage it. Even the most mature organizations struggle with how best to manage their reputation and the conduct that can negatively impact it. It’s not that these organizations ignore these risks. Many have well-established compliance and risk management frameworks, but they often omit reputation in these controls only to be forced to address these risks when facing a crisis. With little to no focus on long-term repercussions, pitfalls abound amid the rush to react to a crisis, especially when there has been no proactive strategy to assess and minimize reputational risk:

  •  Actions are too little, too late
  •  Response time lags coverage on the issue
  •  The response doesn’t reassure stakeholders
  •  The response misses or glosses over the harm to the organization’s reputation
  •  Accountability is deferred and/or blame is misplaced
  •  A history or repeated nature of the issue is ignored or intentionally obscured
  •  Trust is lost either temporarily or permanently

A program’s success requires ongoing support at the highest levels of management. Don’t stop there — make sure your employees are aware of their role in protecting the organization’s reputation. Integrate reputational risk considerations into regular training and reminders. Even the third parties engaged by your organization must know the program and their responsibility for safeguarding your organization’s reputation.

What should your organization do?

At a minimum, don’t wait to be amid a full-blown public relations crisis or other difficult situation to start your efforts. Unless your organization is well-positioned to act swiftly and effectively to change or avoid a negative event, outcomes could be severe if not irreparable. Having a dedicated framework allows your organization to identify potential risks in advance, to prevent the preventable, and to quickly deploy measures to manage them.

The reputational risk materials in the Bloomberg Law practical guidance library include outlines for developing a framework and other critical reputational risk considerations:

  •  What types of triggers are there for reputational risk?
  •  How does the reputational risk assessment team act on the data it collects while designing a matrix?
  •  How is the reputational risk matrix implemented?
  •  How to integrate reputational risks into project development, oversight protocols, and transactions?
  •  Who should own the reputational risk program?

The materials also provide sample policy and employee communication templates for raising awareness and reinforcing the importance of your program.

How should your organization start?

There should be a structured approach to establishing and ultimately maintaining your reputational risk program. Consider the practical guidance materials, which set a suggested outline for a step-by-step development process summed as follows:

Step 1: Establish Team and Define Plan.

Step 2: Identify and Measure Reputational Risk.

Step 3: Define and Maintain Response Measures.

Step 4: Establish and Maintain Reputational Risk Program Policy.

Step 5: Integrate Program into Controls and Operations.

Step 6: Response/Communications Plan.

Step 7: Establish Reputational Risk Reporting and Metrics.

Step 8: Educate and Train.

Step 9: Monitor and Test.

Step 10: Maintain Program.

Keep in mind that the program can stand on its own or part of an existing program. However, if your organization elects to establish its reputational risk program, make sure it has dedicated and sufficient resources for proper maintenance.

In the end, building a good reputation may take years to achieve but protecting it will be easier if there is continuous support of these common principles:

R – definition of reputational risk

E – expectations set in a policy

P – promotion of compliant and ethical controls and actions

U – understanding of and defined approach to mitigate risks to reputation

T – tone at the top through engagement of senior management

A – alignment with organizational culture and values

T – training on program

I – inventory and integration of reputational risk triggers

O – oversight by a cross-functional team

N – new products and certain transactions

The Bloomberg Law practical guidance materials can help establish a framework factoring in these principles and ultimately protecting your organization’s reputation.

Copyright © 2018 The Bureau of National Affairs, Inc. All Rights Reserved.

Request Corporate on Bloomberg Law