Reputation can make or break an organization. As famed investor Warren Buffett once said, "It takes 20 years to build a reputation and five minutes to ruin it." Indeed, an organization's reputation can deteriorate rapidly — and it can be difficult to restore.
Beyond its potential impact on organizational success, reputational risk is also unique in nature. Unlike a risk that can exist in isolation — such as any given operational, financial, or compliance risk — reputational risk only exists in relation to other risks. And managing it depends on the organization's ability to address those risks.
"I view reputation risk as a consequence of another tier-one risk occurring," said Arya Yarpezeshkan, chief risk officer for U.S. insurance company Navigators Group in a recent Deloitte global survey on reputational risk. "For example, if we have a compliance or fraud risk event, that could lead to reputation damage and have a stock market impact. An event occurs which poses a risk to reputation. Therefore, I look at [reputational risk] as a result of other events."
No matter how obvious it may seem, reputational risk can be extremely difficult to measure and quantify — and that can make reporting on it to the board and audit committee a challenge. But addressing reputational risk is essential to the health of the organization, and often a necessary challenge for practitioners to undertake. With an understanding of potential types and sources of reputational risk, internal auditors can better assess the organization's exposure and develop an audit plan that helps keep its reputation intact.
Scope and Impact
Reputation is a driving basis for revenue in today's economy, and organizations cannot afford to underestimate it. "Firms with strong positive reputations attract better people," wrote Robert Eccles, Scott Newquist, and Roland Schatz in a Harvard Business Review article. "They are perceived as providing more value, which often allows them to charge a premium. … Moreover, in an economy where 70% to 80% of market value comes from hard-to-assess intangible assets such as brand equity, intellectual capital, and goodwill, organizations are especially vulnerable to anything that damages their reputations." In a 2019 survey of 2,000 executives by global communications and marketing solutions firm Weber Shandwick, researchers found that reputation accounts for approximately 63% of a company's market value.
In financial services, much of that reputation is built on trust — and due to the sensitive nature of the assets financial institutions are responsible for, it does not take much for that trust to be breached. "Reputation can be affected by a news story or something on social media, but I think reputational risk in financial services — or any organization — really stems from the idea of whether the product produced is ethically created," says Dana Lawrence, senior director of Compliance and Internal Control at Azlo, a San Francisco-based online bank for small businesses. "For example, encouraging your sales staff to meet sales objectives that are not necessarily in line with the customer's best interest, or not properly handling more complex processes for something such as defaults on mortgage foreclosure collections — these are typically the root cause of reputational deterioration."
With regard to these issues, financial institutions already stand on somewhat perilous ground. In a 2019 study from J.D. Power, customer perceptions of retail banks having a good reputation and being customer driven are lower than they were 10 years ago. "Customers have long memories and their brand image ratings for bank reputation decline dramatically when they experience problems," the study says. "Reputation declines further when customers perceive that problems are unresolved or resolved in a manner [that puts] the bank's interests ahead of theirs."
Lawrence also cites the impact of who interacts with the institution's products as a significant source of risk. "Financial institutions must be aware of the impact of offering services to certain types of companies," she says. "Even if it is legal, how would such a relationship look in the paper? This doesn't mean not to initiate the relationship, but it does mean being aware of the risks of being associated with different customer types." One such example might be an investment firm's relationship with an oil and gas company — an industry that has come under recent scrutiny as environmental, social, and governance topics have come to the forefront of the global conversation.
"Who decides what your reputation is?" asks Reto Kohler, partner at consulting firm Marakon and former managing director and head of strategy for Investment Banking at Barclays. "When you operate in a legal environment, you know what the law is, you know what your boundaries are. However, in this area of reputation risk, it's not as clearly defined, which makes it very difficult. One person's morals are different from another's, and one might object to something you do, whereas the other might not."
The concept of ethical product production encompasses internal issues, as well. Stories of harassment, workplace discrimination, information from whistleblowers, or perceived inaction addressing social injustices can be extremely damaging, especially in today's charged political environment. Fallout can result not only in revenue loss but also in loss of incoming talent. According to a recent study by Deloitte, 44% of Millennials and 49% of Gen Zers "made choices over the type of work they are prepared to do or organizations they'd work for based on personal ethics."
Measuring the Risk
Facing such a broad yet intangible risk, the first task internal auditors should undertake is measuring it in a way the risk committee and the board can consider in relation to other organizational risks. Lawrence recommends starting with geography. "It's useful to think of how many people are going to be paying attention," she says. "Is the risk local or global?"
From there, auditors can also make scale estimates in relationship to variables that relate to moral or ethical topics. "Although it's difficult to score or illustrate with any metric, you can cite, for example, if there have been any lawsuits, major customer complaints, or regulatory issues on a particular area of focus in the last 12 or 24 months," Lawrence says. "This kind of evidence allows boards to have a more comprehensive conversation in the reputational risk committee."
According to Lawrence, more concrete evidence can also be uncovered with the help of external tools such as a net promoter score, which is derived from surveys that determine a percentage of organization "promoters" versus "detractors." Basic searches through Google and social media can also prove beneficial, as can internal statistics such as recent trends of employee losses or abrupt departures from key positions.
Developing an Audit Plan
Dedicated reputational risk audits are rare, but just as the risk itself is so dependent on other risks, it can be adequately addressed in conjunction with many other kinds of audits. For example, Lawrence says, auditors can assess adherence to the code of conduct. If any updates may be necessary, they can test the effectiveness of the organization's whistleblower process, examine the marketing review process to ensure considerations are being made to identify material that may be perceived as offensive or misleading, and review the organization's social media management policy. Each of these examples is a risk unto itself, but all play a role in establishing, maintaining, or deteriorating an organization's reputation.
Reputational risk can also be communicated as internal audit takes a consultative role in helping the organization hone an effective crisis management plan. According to Kohler, evidence of the scale of the risk collected by the audit team in conjunction with the experience of executive management and the C-Suite can play a significant role in identifying potential crisis scenarios and predicting a plan's probability of success. "We always thought about scenario planning in terms of reputation," he says. "Our risk framework quite explicitly demanded evidence that when we thought about a new strategy or whatever it may be, conduct and reputation risk was taken into account." When all applicable parties have a clear picture of what may be at stake from a reputational risk, he says, the importance of understanding each party's role in executing the established plan becomes that much clearer.
Rebuilding After an Oversight
Even the best-laid plans of mice and men can go awry. And when they do, internal audit should play a role in assuring that reputation is rebuilt in a way that is both organic and ethical. For example, when assessing the organization's online reputation management program, internal audit can focus on policy covering responses to negative comments or reviews.
"There are always going to be some negative reviews, and it's interesting how companies respond," Lawrence says. "To counteract two- or three-star reviews, there are some who will just have human resources write more five-star reviews. Obviously this is unethical, but it also does little to address the underlying problem, whether that is a process error or workplace culture issue." When assessing such policies, she says, internal audit can recommend responding to negative feedback positively and assuring applicable parties are aware of the issue so adjustments can be made to avoid it being replicated.
Like many other risks, proactively minimizing reputational risks comes down to a few simple principles: awareness, communication, and process. "I think it's really just a matter of making sure that people are following their process, like any other audit," Lawrence says. "And if processes change, people must be made aware of the changes to avoid gaps."
No plan can eliminate reputational risk entirely, but adhering to these ideas can go a long way in assuring the organization's name is built to last.