Reputation risk is the largest, scariest and least manageable of all operational risks, by far. Chief Financial Officers quake in fear alongside their Chief Risk Officers as they look at this monster at the top of their list. And it’s their own fault – after the financial crisis, they implemented Enterprise Risk Management, which allowed them to quantify Reputation Risk for the first time (and those numbers are invariably scary).  

We don’t have to look far to see this play out in real life, but, aside from the painful headlines, does a reputation crisis (the Reputation Risk monster coming to life) do lasting damage to the organization? Sure, the stock price dips, but often recovers the losses after a while. Sure, the CEO gets fired (usually), but the company moves on and we can be left with the sense that even some BIG reputation events end up being more of a bump in the night than a full-blown horror show.

Thankfully, the helpful analysts at The Economist took a hard look at eight big companies (BP, Petrobras, Volkswagen, Valeant, Wells Fargo, Uber (analysis done using estimates of its value as a private company), Equifax and United Airlines) that have seen their Reputation Risk monsters come to life since 2010.  Their conclusions:

  • Median share price down 33% (bottoming out anywhere from 2 weeks to 2 years in)
  • Almost all clawed back these losses over time…
  • BUT they are worth 30% less today than they would be if the scandal had not happened

So now we know why CFOs and CROs are so scared. Meanwhile, board directors find their seats getting uncomfortably warm with less and less confidence that their executives are even aware of what major reputation flare-up is around the corner (let alone lurking deep in social media).

Where are the risk models, insurance products and off-the-shelf mitigation plans? Maybe none of the traditional risk-smoothing tools work. That might explain Volkswagen – if a German manufacturer doesn’t have systems and processes for something, then it’s a safe bet that they don’t exist.

Why don’t they? First, keep in mind that companies usually become interested in doing something about reputation risk only in the wake of a major crisis. This results in additional resources for crisis management and maybe an attempt to better anticipate and manage future reputation risks through the existing (CFO/CRO-driven) corporate risk management process. Crisis management is, by definition, too late, and better (even scarier) spreadsheets do little to turn these massive risk monsters into manageable problems.

Why can’t the CFO or CRO just deal with reputation like they do all other risks? There are two primary barriers: (i) the subjective nature of reputation can be reduced through perception analytics, but it cannot be boiled down into a neat financial model; and (ii) reputation risk lives everywhere in a large organization and cannot be fully understood by a single functional expert. In fact, its ubiquity means the entire organization – every function and every market – needs to understand and have the ability to identify, evaluate and mitigate it. Traditional approaches to managing risk are not built to deal with something this broad or interconnected.

So, let us turn to where progress has been made first, the ‘we-know-it’s-going-to-happen-so-let’s-minimize-the-damage-when-it-does’ approach, or crisis management. On the talent front, large public companies focus on employing (and occasionally listening to) seasoned chief communications officers (CCOs). These executives come with larger pay packages, bigger teams, and more agencies behind them than they did 15 years ago. They are very, very good – so much so that if a large enterprise bungles communication in a crisis, it is because the CEO chose not to listen to their CCO (like BP in the early days of the Gulf crisis or United Airlines more recently).

And the value of rapid, professional crisis-handling is quite tangible – in fact, for medium-sized companies who cannot afford to put top-tier crisis agencies on retainer, insurance companies have created products. Examples include AIG’s ‘Reputation Guard’ or Allianz’s ‘Reputation Protect’, all of which are best understood as ‘crisis agency gift certificate’ programs. The Allianz product description describes that it: “ensures your company is equipped with the necessary resources to mitigate the effects of a reputational risk crisis, should one occur”. Based on a protocol which rapidly determines if such a crisis has occurred, money shows up along with a top-tier agency to spend it. The actuaries base the value of this largely on 15 years of evidence that financial damage, both short and long-term, is minimized when the initial handling of the crisis is done quickly and professionally.

Wouldn’t it be nice if companies had a way to get in front of reputation risk too? It would need to address the subjective element and operate horizontally across the organization. This approach would also need to be anchored to the existing risk reporting and crisis management infrastructure. Imagine if there were a way for companies to systematically broaden the conversation about reputation risk and integrate it into board-level reporting and ongoing mitigation plans.

How would it work? It is not a solution-in-a-box. It would need to be low-tech, high-touch, process change – a cross-functional effort facilitated by the executive who understands reputation risk best: the chief communications officer. Imagine the CCO as the chair of a cross-functional team of leaders who meet regularly, charged with reputation risk: identification, evaluation, reporting and mitigation planning. When specific risks are discussed in these meetings, potential sources and multiple aspects (e.g., new initiatives, new products, HR issues, regulatory changes, customer shifts, etc.) would be brought to the table. The CFO’s representative would bring financial perspective, but that would only be a small part of the discussion.

Their efforts and the risk process they oversee would be critical for identification and evaluation, but they would need the added dimensions brought by the other functional experts. The CCO brings the broadest knowledge about any given risk and has the skill set to describe the anticipated scenarios in a way that the board can understand, but none of the depth that would be necessary to suggest (or execute) a mitigation strategy. The other functional experts participating in this process will not only bring their unique perspective to the conversation, but they will have eyes and ears into parts of the organization that are not visible to the CFO or CCO.

Initially, the participants might find these meetings outside of their comfort zone, but over time, the tangible reports and plans produced by them will create a discipline that cuts across the company. Perhaps more importantly, functional experts will return to their day job with a level of knowledge and awareness that will ultimately affect the day-to-day decision-making at the root of all reputation risk.

Much has been written about both the need for, and challenges of, cross-functional efforts inside large organizations. These silos are hard to break out of but put senior leaders from all of them in a room with the charge to produce something the board will see and watch what happens. With the CCO bringing their outside-in expertise to the facilitator role, they will be better able to play the strategic role every organization (and every board) needs them to.

Leading companies have already given up waiting for a magic financial formula to make their monsters go away and are turning to this type of systematic approach to reputation risk – when will yours?