It takes too many deeds to build a reputation, and only one bad one to lose it - Benjamin Franklin
It seems that nearly every business day brings news of an oversight or misstep that shines a bright light on the need for a new way of looking at reputational risk. When tragedy and misfortune strike, some of the largest and otherwise well-equipped organizations have realized that they overlooked reputation as a performance indicator and therefore a serious risk condition.
Yet decision-makers are not always focused on branding issues or threats. Polling conducted among more than 1,100 executives during a Deloitte webcast, Brand Resilience: Protecting Your Brand Assets from Saboteurs in a High-Speed World, revealed that only 24% of companies represented by participants formally measure and report on brand value. Furthermore, fewer than 22% of the webcast participants thought it either likely or highly likely that negative information about their brands would show up on social media in the coming year.
In the book Brand Resilience: Managing Risk and Recovery in a High-Speed World, author Jonathan Copulsky, principal at Deloitte Consulting LLP, makes the case that in the age of social media, a new playbook is required. “In a world filled with intentional and accidental brand saboteurs, companies need to aggressively play defense as well as offense. Brands are under constant attack, and brand stewards must systematically understand the risks that their brands face, the potential impacts and the options for managing these risks.”
Managing risk to reputation is about fundamental perceptions of the company’s contributions, value and strategic direction. For many companies, the first step involves reevaluating their current risk management program. “Traditional enterprise risk management approaches have focused boards and C-suite executives on avoiding risks and protecting assets,” says Henry Ristuccia, partner, Deloitte & Touche LLP, and global leader, Governance, Risk and Compliance Services, Deloitte Touche Tohmatsu Limited. “These are important objectives, of course, and necessary for preserving the enterprise. But the traditional approaches often focus too much on risks within the organization and not enough on the ‘outside-in’ view. In other words, they don’t consider risks that can be seen and foreseen by observers from outside the company—an organization’s stakeholders.”
Time and again, catastrophic risk arrives unexpectedly. “This is generally because only the inside-out perspective has been considered,” notes Donna Epps, a partner and U.S. co-leader of Governance and Risk Management at Deloitte Financial Advisory Services LLP. “What is new today is the need for a 360-degree view of risk that effectively marries an outside-in risk perspective with inside-out risk intelligence.”
This need and the steps that senior executives can take to develop a program to manage risk to reputation are discussed in a report, “A Risk Intelligent View of Reputation: An Outside-in Perspective,” developed by Deloitte in collaboration with RiiЯ Ltd.
Setting up a Program to Manage Risk to Reputation
The true value of a “Risk to Reputation” program is to integrate an outside-in perspective into the enterprise risk program, providing a holistic overview of major and potential risks.
Step 1: Embark on a Discovery
Core to the discovery phase is a detailed examination of the firm’s current view of its strategies, risks and vulnerabilities. This helps ensure that, when the Risk to Reputation program is launched, the “known knowns” and the “known unknowns” are fully explored through a series of in-depth interviews conducted with C-suite executives. Depending on the firm and the industry, the interviews would be conducted with such C-suite executives as:
—Chief Executive Officer: The major enterprise strategies and their underlying assumptions (this informs the risk to and of the strategies).
—Chief Financial Officer: The financial profile of the organization, its record with the markets (under/over-delivery on expectations) and outlook for sector and firm.
—Chief Risk Officer: The key risks the firm is monitoring; major industry threats and opportunities.
—Chief Operating Officer: The major vulnerability points that exist within the organization.
—Chief Marketing Officer/Chief Communications Officer: The competitive positioning and pressures in the industry.
—Chief Human Resource Officer: Exposure to the battle for talent, as well as weaknesses in recruitment or staffing profiles.
—Office of General Counsel: Regulatory and intellectual property (IP) exposures are critical to integrate as well.
From these exchanges, the organization’s key stakeholders are identified—those who will provide the outside-in perspective. Desk research can identify other stakeholders (sustainability indices, Non-Governmental Organizations (NGOs), Department of Justice, etc.) whose impact on sector and corporate reputation might be vital. “Listening Posts” are then identified to harvest the opinion of all stakeholders from such diverse sources as staff and analyst blogs, industry forums, academic papers, media commentary, direct interviews and the full range of social media.
Discovery culminates in a presentation to management of the inside-out perspective and the overall program is ready for launch.
Step 2: Establish the Baseline
In the second phase critical stakeholders are engaged to help assess the first outside-in perspective. Typically, this might cover regulators, financial and sector analysts, and local communities based around partners, customers, staff, suppliers, legislators, NGOs and other agencies.
A variety of techniques are employed to gather intelligence from the different audiences involved. It is important to gauge from the various perspectives the perceived impact of the firm’s reputation drivers on major enterprise strategies.
The baseline report focuses on the known knowns and the known unknowns. It analyzes threats and opportunities to strategy on an enterprise level, and the breakdown of those threats by stakeholder and by reputation driver. The report also looks at interconnected threats across the various listening posts and stakeholder groups, which might individually seem innocuous but, when viewed together, represent threats requiring action.
During the baseline phase, analysis of the unknown unknowns begins and includes searching Internet Web dialogue—from blogs, forums, websites or other social media platforms—to detect potential threats and opportunities to strategic execution and relating those findings to reputation drivers.
The primary output of the baseline phase is a gap analysis of how the organization’s stakeholders view reputational impacts on strategies versus management’s objectives. It sets the agenda for a program of proactive management of threats to strategic execution and opportunities for advancement. It also provides a benchmark for bridging the gap over time.
Baseline culminates in a presentation to management of the outside-in perspective.
Step 3: Proactively Manage Risk to Reputation
By this time, techniques of outreach and research are established and the lessons from the discovery and baseline phases are put into action. There are three areas of focus at work:
—Anticipation of threats to strategy and opportunities for enhancement.
—Analysis of trends which may lead either to threats or opportunities.
—Action on reputational levers and corporate behaviors to assure successful strategic execution.
Three reporting mechanisms are instrumental to proactive management of risk to reputation:
—An alert service of emerging risks, picked up by software and vetted by individuals for operational management.
—Online reporting of risks to reputation and opportunities for strategic enhancement for senior management.
—Quarterly presentations to top management of major trends requiring changes to corporate behavior that could impact strategic outcomes.
“The payoff for effective management of a Risk to Reputation program is greater confidence in strategic execution,” notes Mr. Ristuccia. “By understanding and integrating external risks and opportunities into the organization’s Risk Intelligence, the goal is to end up with a program that puts the board and senior executives on the leading edge of knowing what might inhibit—or advance—the company strategy and then be prepared to act accordingly.”
Related Resources
- A Risk Intelligent View of Reputation—An Outside-in Perspective
- Using Metrics to Protect Brand Value
- Managing Risks in the Digital Age: Lessons and Tools
Questions? Write to Deloitte Risk Journal Editor.
Follow us on Twitter @DeloitteRisks