Internal Auditor’s blogs reflect the personal views and opinions of the authors. These views may differ from policies and official statements of The Institute of Internal Auditors and its committees and from opinions endorsed by the bloggers’ employers or the editors of Internal Auditor.

​Reputation and Reputation Risk – Part II

Comments Views

​Last week, I posted the first in a short series on this topic. "Reputation and Reputation Risk" pointed out that there are multiple dimensions to any individual's or organization's reputation.

Simplifying the discussion to one about brand is not giving the discussion sufficient attention.

Addressing one dimension of reputation (such as a reputation for intolerance for violation of corporate ethics) can actually harm another (such as a reputation for being a good place to work where free speech is protected). I am thinking of a situation where a long-term employee is arrested for suspected domestic violence and is promptly fired — before any trial, let alone conviction. The perception among co-workers is that this was unfair treatment, but among the broader public the perception is that the enterprise was adhering to its social responsibilities.

This week, I want to talk about the nature of reputation risk.

When we talk about reputation risk, we generally are talking about events or situations (including decisions) that can affect (usually negatively, but there can be positive effects as well) one or more dimensions of our reputation.

Yet, the definition of risk that I like (from ISO 31000:2009, but COSO is similar) is that risk is the effect of uncertainty on objectives.

Reputation is an asset, not an objective. So why would we be concerned about risk to this particular set of assets (considering each dimension of reputation as a separate asset)?

Our reputation can enable or inhibit our achievement of our objectives. Harm to our reputation as a good place to work can inhibit our ability to hire. Improvements in our reputation for quality design and safe products can enhance our ability to drive revenue.

But it is only after we understand the nature and value of each dimension of our reputation that we can understand how risks to reputation can affect the achievement of objectives — remembering that multiple objectives can be affected.

I consider events or situations that can affect our reputation as sources of risk. To assess the effect of these sources of risk (i.e., the risk to objectives), we need to understand which dimension(s) of reputation are potentially affected and how the changes to reputation would affect our ability to achieve specific objectives.

Measuring the value of our brand is not measuring our ability to achieve our objectives.

I have no problem with measuring the level of each dimension of our reputation. I would even encourage it, where that is an important and valuable asset to achieving specific objectives.

But we need to move the discussion from brand to the achievement of objectives. Harm to our brand in a single country only affects revenue in that country.

So to measure reputation risk:

  1. Taking each enterprise objective in turn (i.e., using a top-down approach), how and by how much would a change in one or more specific dimensions of our reputation affect its achievement?
  2. How likely is that effect?
  3. What are the sources of change (i.e., sources of risk) to each dimension of our reputation?
  4. How likely is it that a source of risk to a reputation dimension could lead to a significant change in that dimension (recognizing that there is a range of effects and likelihoods)?
  5. After completing the above, assess each source of reputation risk based on the likelihood of it leading to a specific level of effect on the achievement of objectives.

A similar approach, reversing some of the steps, can be taken in a bottoms-up approach:

  1. For each source of risk, which dimension of reputation would be affected?
  2. Assess the likelihood of a certain level of change in that dimension.
  3. How would that affect one or more specific objectives?
  4. What is the likelihood of that effect (given that there is a range of possible consequences)?
  5. After completing the above, assess each source of reputation risk based on the likelihood of it leading to a specific level of effect on the achievement of objectives.

Do you agree? If you agree, can we change the discussion of reputation risk — and how?

I welcome your comments.

Please join the conversation by clicking Subscribe and adding your comments.

Internal Auditor is pleased to provide you an opportunity to share your thoughts about these blog posts. Some comments may be reprinted elsewhere, online or offline.



Comment on this blog post

comments powered by Disqus
  • Your-Voices-Recruitment-January-2022-Blog-1
    • IT-General-Controls-Certificate-January-2022-Blog-3