Reputation is like a ticket to the big game. Show it at the door, or you won’t get in. It is also irreplaceable. Lose it, and it’s game over. Protiviti’s Jim DeLoach offers four tips for nurturing and preserving your company’s most precious asset — its reputation.
A company can tarnish and even ruin its reputation with a single exercise of poor judgment. While some may define reputation differently, everyone agrees it’s important. In addition, most of us can recognize a reputation that has been damaged beyond repair. As explained by one author, reputation risk is “the loss of the value of a brand or the ability of an organization to persuade.” In a previous article, I described 10 keys for managing reputation risk arrayed among five categories: strategic alignment, cultural alignment, quality commitment, operational focus and organizational resiliency.
Below are some thoughts about reputation and how to nurture and preserve it.
Adopt an end-to-end process view: You can’t pass the buck
Managing reputation risk is inextricably tied to risk management and crisis management processes. It begins with an effective risk assessment process that considers an end-to-end, extended view of the value chain, requiring consideration of looking upstream to supplier relationships (including the Tier 2 and 3 suppliers to critical Tier 1 suppliers), as well as downstream to channels, customer relationships and all the way to the ultimate end user. In effect, the enterprise’s ecosystem of business relationships and partners is just as important as its internal processes, personnel and systems, because they are inextricably linked to what makes the business model work.
To illustrate the use of this big-picture approach, uncompensated risks (exposure to events that have significant downside with little or no upside potential) sourced across the value chain can be causes of reputation risk. These risks require attention because they include “stop the show” supply chain disruptions, mega warranty costs and/or product recalls and headline-grabbing environmental, health and safety exposures.
Lead content, toxic materials, impure ingredients and other inputs provided by suppliers that fail to meet specifications set by the laws and regulations to which a company is subject in the markets it serves can damage its brand and reputation. Unsafe working conditions, child and slave labor, conflict minerals and other issues that lurk upstream in the supply chain are waiting for discovery, at which time they not only will become an embarrassment to a company’s brand and reputation but also could result in a loss of market share. In today’s era, consumers care about transparency in the supply chains supporting the products they buy. An organization that permits ignoring prudent public and worker health and safety standards in favor of cost and schedule considerations faces the eventual day of reckoning when the spotlight finally shines on its dysfunctional culture.
The above discussion explores the risk management side of managing reputation risk. There is also the crisis management side. World-class reaction, resilience and agility can be very effective in preserving a reputation and brand. Quick response time and open, honest communication on using social media outlets enables a company under crisis to control the story, maintain good faith with its customers and protect its brand.
An effective response doesn’t happen by accident. If a crisis management team doesn’t exist or isn’t prepared to address a potential crisis, rapid response to sudden, unexpected events will be virtually impossible. Fires cannot be fought with a committee. Therefore, the risk assessment process should be designed to identify areas where preparedness is critical, as discussed further below.
Bottom line, a company’s customers and stakeholders could care less where the source of risk is. All they care about is the company they are dealing with keeping its brand promises, explicit and perceived. They expect the CEO and the board ultimately to be responsible for protecting the enterprise’s reputation.
Occasionally, a contrarian voice is needed at a crucial moment; will you have one?
Washington Mutual (WaMu) was an unfortunate casualty of the 2008 financial crisis. Two former chief risk officers (CRO) asserted that they tried to curb risky lending practices at the bank; however, they claimed they met resistance from top management when they escalated their concerns.
One CRO claimed he was excluded from meetings among senior executives and financial advisers when the bank’s response to the growing crisis was being discussed and, by January 2008, was fully isolated until he was fired by the CEO a few months later. The other CRO testified before a congressional committee that he had tried to both discourage loans to those who were unlikely to be able to repay and limit the number of loans made without verifying borrowers’ income. However, he, too, was ignored by executive management as low- and no-doc lending continued.
WaMu filed for Chapter 11 bankruptcy in 2008. With respect to total assets under management, its closure and receivership is the largest bank failure in American financial history. It didn’t have to happen. Simply stated, risk management was ignored as a discipline; if it is viewed by executive management as a check-the-box compliance exercise, it has little strategic relevance.
A strong contrarian voice is occasionally needed in an organization’s history. More importantly, there are times when such a voice needs to be heard by the right people. This is a matter of proper positioning of independent risk management and compliance functions, which entails several important principles:
- Leaders of such functions should be viewed as peer-to-business line leaders.
- They should have a direct reporting line to the CEO.
- They should have a reporting line to the board or a committee of the board with no access constraints.
- The board or a board committee should conduct mandatory and regularly scheduled executive sessions with these functional leaders.
- A formalized escalation process should exist.
In summary, to ensure an effective contrarian voice, there should be clearly defined positioning for the risk management and compliance functions and how they interface with line-of-business and executive management as well as the board of directors. Most importantly, the board and the CEO must have a mutual understanding of the value contributed by these independent functions with the intent of preserving their independent role within the organization as part of a “speak up” culture in the corporate decision-making process.
Every organization can expect to be tested eventually. Are you ready?
Stuff happens. Even the proudest organizations and brands are not immune to being called out by the unexpected. As stated earlier, organizations are boundaryless. An “extended end-to-end enterprise” perspective requires a look at the full value chain that summarizes the entire life cycle of value creation, i.e., management should look upstream to key suppliers and downstream to key customers to identify dependencies that really matter. For example:
- Which suppliers do we depend on for essential raw materials, commodities and component parts? What would happen if we were to lose one of them for any reason? How long would we be able to operate? Are there other qualified sources of supply that can be readily available?
- Have our key suppliers performed their own risk assessment, looking at their suppliers? Do they have effective plans for taking corrective action in times of disaster? How do we know?
- What if there were temporary shortages in key commodities and raw materials? Or serious defects in supplier raw materials and component parts? Or material volatility in prices?
- Are there customers we can’t afford to lose? What if major customer contracts were not renewed? What if major customers were to consolidate? What if we were to lose a major distribution channel?
- What if there were significant disruptions in transportation?
- What if our vulnerabilities to cyber threats were exploited and attacked?
The Covid-19 pandemic and Russian invasion of Ukraine have illustrated the importance of some of these questions. Throwing darts at the wall to guess at probabilities to determine that a particular risk is remotely likely to happen isn’t going to eliminate the threat. That is why risk assessments should consider the following factors in addition to significance of impact and likelihood of occurrence when assessing risks:
- Velocity to impact once an event occurs (e.g., does the scenario or event have an immediate impact upon occurrence, allowing little time for reaction, or does it smolder for years, mired deep into the company’s processes, until the day of reckoning finally arrives?)
- Persistence of the impact (e.g., does the scenario or event have a lasting headline effect, or will it quickly become yesterday’s news?)
- Resiliency of the company in responding to the scenario or event if and when it occurs.
These additional criteria help management evaluate high-impact, low-likelihood threats to determine areas where preparedness must be improved. When these additional factors are considered, risk management begins to intersect with crisis management.
Managing the tension between creating and protecting enterprise value is the toughest risk management task
Every CEO pursues opportunities with the objective of building enterprise value. It is what every board expects, whether it means entering into new markets, investing in new products, merging with or acquiring another entity, building new plants to expand or exploiting other market opportunities. Implicit in the bets the CEO makes is the organization’s appetite for risk. A winning strategy exploits to a significant extent the areas in which the company excels relative to its competitors.
However, the execution of any strategy is governed by the willingness of the organization to accept risk in the pursuit of value creation, as well as by its capacity to bear that risk. From a strategy-setting standpoint, it is useful to have a notion of when the organization’s capacity for bearing risk is encroached upon (i.e., when is the organization taking on too much risk?). Consider the following questions:
- Does it make sense to take all of the risks an organization is capable of undertaking without reserving capital, borrowing capacity and establishing other financial resources for unexpected extreme losses, investment opportunities and other contingencies?
- Is it appropriate to retain a significant risk when options for transferring that risk are available at reasonable cost?
- Are there certain aspects of the strategy that may be unrealistic and may result in unacceptable risks if managers are stretched to achieve established performance goals?
A disciplined approach around protecting enterprise value should consider these questions. One lesson from the financial crisis is that there are consequences when a CEO “bets the farm” and ignores the warning signs posted by the risk management function. WaMu is a prime example, as are Countrywide Financial, Lehman Brothers and Bear Stearns.
Tension between value creation and protection is inevitable in corporate decision making. For example, how does an organization balance its credit policy with its sales strategy? There have to be some limits somewhere. A CEO who wants to operate without any boundaries may be signaling to the board that they are unfocused strategically. Worse, such behavior may connote that they will lock in to the status quo and drive the existing business model relentlessly to “make the numbers” even if it drives the organization into a ditch as markets shift. This occurred during the financial crisis, when underwriting standards were thrown to the winds. Low-doc and no-doc loans, in which the lender doesn′t require proof of income, became commonplace at troubled banks.
Boundaries provide a broad context for balancing the organization’s objectives and performance goals for creating enterprise value with the policies, processes and control systems deemed appropriate to preserve enterprise value. In essence, they are a tool for managing the tension between the two. They force dialogue, escalation and even arbitration.
The objective is to balance the entrepreneurial activities and control activities of the organization so that neither one is too disproportionately strong relative to the other. This task is fundamental to managing risk culture. As one author explains, rather than tell the CEO what to do or how to run the business, the board provides direction as to what not to do through “a constructive ring fence around behavior.”
Summary
Strategy setting and risk management share a common focus: They are both forward-looking activities. So is reputation management. Time devoted to monitoring retrospective performance indicators (so-called “lag indicators”) is useful and appropriate when managing performance but is of limited value looking forward for purposes of formulating strategy and assessing risk in a dynamic market. There is an important difference with respect to reputation, however, in that it is often rooted in long-standing core values. That said, reputation management is also about navigating change over time.