Reputational Risk or Risks to Reputation?
By: Wa’el Bibi, CPA, CIA, CISA
Audits That Work
www.bibiconsulting.com
©2011 Bibi Consulting Inc. All rights reserved.

Reputation is the soul of any business. Without it there is, basically, no business.

Many factors, internal and external, may lead to the destruction of reputation. These factors are called risks.

Professionals have been debating whether there is such a thing as reputational risk (a category of risk by itself), or simply risks to reputation. In this article, I will attempt to shed some light on these two schools of thought.

Before I start the discussion, let’s familiarize ourselves with the related terminology:

What is reputation?

Rep·u·ta·tion /repyəˈtāSHən/ Noun

The Merriam-Webster dictionary defines reputation as “overall quality or character as seen or judged by people in general”.

Would this simple definition apply to corporate reputation as well? And what is the difference between reputation, corporate identity, image and brand?

Peter W. Roberts and Grahame R. Dowling define corporate reputation as follows:

“A perceptual representation of a company’s past actions and future prospects.”

In other words, reputation is created when an organization’s experience meets or exceeds stakeholders’ expectations.

Corporate identity, image and brand are all ingredients of corporate reputation.

Reputation = experience - expectations
Oonagh Mary Harpur

“It takes 20 years to build a reputation and five minutes to ruin it. If you think about that, you’ll do things differently.”
Warren Buffett

What is risk?

Risk is the possibility of an event occurring that will have a negative impact on the achievement of objectives. Risk is measured in terms of impact and likelihood.

What is reputational risk?

The Committee of European Banking Supervisors defines reputational risk as follows:

“Reputational Risk is the current or prospective risk to earnings and capital arising from adverse perception of the image of the financial institution (organization) on the part of customers, counterparties, shareholders, investors or regulators.”

Does reputational risk exist?

Some risk managers believe that reputational risk is a risk in itself (a standalone category) and that it can be isolated and measured.

Greg Shields, Partner at Mitchell Sandham Insurance Brokers in Toronto, writes in his blog:

“My support would go to the ‘standalone category’. Damage to reputation is a very real secondary risk to every primary risk, however, since it can also be a direct loss, with no primary risk cause, the risk has to have its own policies, procedures, measurements (prioritize if not quantify) and unique solutions. This means, crisis management plans, dedicated ‘category owners’, internal (separate from) external communication plans, oversight/policing of Reputational Risk Management component of every divisional/category Risk Committee, involvement in executive level Reputation Planning (including establishment, maintenance and monitoring.)”

On the other hand, there are those who do not believe that reputational risk is a category in its own right. Among them is Dr. Jean Paul Louisot, Professor of Risk Management at the Sorbonne University, who says:

“There is no such thing as reputational risk, only risks to reputation.” He adds: “The term ‘reputational risk’ is a convenient catch-all for all those risks, from whichever source that can impact reputation.
The source could be legal, non-compliance, a data security lapse, an unexpected profit warning or unethical behavior in the boardroom.”

There is no such thing as reputation risk; rather all risks may have an impact on an organization’s reputation.
Dr. Jean Paul Louisot

“Reputational risk is the starting point of all risks.”
Dr. Guruswami Raghavan

And there are those who believe that reputational risk status is determined by the organization’s ability to identify and manage first-tier risks. An example of this opinion appears in a Deloitte publication, which reads as follows:

“Notwithstanding the fact that the majority of reputational damage can be described as a second order impact, a number of reputational risks can nevertheless be classified as ‘independent risks’ meaning that reputational damage could be considered as a first order impact. These independent risks can often be associated with ethics. Organizations that do not abide by high ethical standards and that ignore principles of market conduct are vulnerable to losing their customers’ trust and confidence. In short, each organization has a social responsibility that it cannot ignore and that it must address in its corporate governance.”

A 2005 Economist Intelligence whitepaper further explains this:

“Risk managers are divided on whether reputational risk is an issue in its own right or simply a consequence of other risks. The latter view predominates where there is a tradition of well-structured risk measurement and management. In industries where risk managers feel they have identified the key first-tier risks facing their business, they may be more inclined to consider reputational damages as simply a failure to manage these risks properly. In contrast, in sectors where first-tier risk is less quantifiable they are more likely to see reputational risk as a class in their own right.”

According to the same study, 52% of respondents consider reputation risk as a risk by itself, while 48% consider it as a consequence of other risks.

What do I think?

In researching for this article, I have read a large volume of materials concerning reputational risk.
I have concluded that all risks may have an impact on reputation and that reputational risk, in most cases, is a consequence of other risks.

When I think about the demise of Arthur Andersen (I am a former partner), I remind myself that what destroyed the firm’s reputation was a regulatory risk. Using the same argument, what tarnished British Petroleum’s reputation recently was an environmental risk.

So What?

What difference does it make if reputation risk is considered a separate risk or not? Risk is risk regardless of what you call it or how you classify it. Isn’t this just a formality, and shouldn’t we look at substance over form?

The difference is in the organization’s response to this risk and how it is managed. If reputational risk is categorized as a risk in itself, management may tend not to integrate it within Enterprise Risk Management (ERM) or any other risk management framework, but rather treat it
as a public relations issue and assign it to public relations to manage. If this is the case, one would expect a reactive response to risk in the form of damage management.

Although communication with stakeholders is a key to successful reputational risk management, it should not be the only one. Reputational risk is the responsibility of everyone. This applies from an employee posting his/her status and thoughts on social websites to the dealings and behavior of management.

Reputational risk management should be integrated with the organization’s risk management plan.

Key elements of managing reputational risks are:

● Prompt and effective communications with all categories of stockholders.
● Strong and consistent enforcement of controls on governance, business and legal compliance.
● Continuous monitoring of threats to reputation.
● Ensuring ethical practice throughout the supply chain.
● Establishment and continual updating of a crisis management plan and establishment of a crisis management team, empowered with specific power and authority.

A white paper by Deloitte suggests that “Traditional risk management techniques aren’t adequate for countering today’s killer risks, because they focus almost exclusively on risk avoidance and an inside-out perspective on threats.” The paper calls for a new approach it calls “outside-in perspective of threats”.
Under this approach, effective management of risks to reputation involves a three-step process of internal discovery, analysis of stakeholder and marketplace threats and opportunities, and proactive management of actions designed to protect and enhance reputation and value.

What is new today is the need for a 360-degree risk overview that effectively incorporates an outside-in risk perspective with inside-out Risk Intelligence.
Deloitte

Role of Internal Auditors

An article published in the IIA’s Internal Auditor magazine in June 2009 provides a comprehensive view on the internal auditors’ role in managing reputational risk:

“Internal auditors have long been involved with reputational risks at companies, monitoring these risks in ongoing audit engagements and in ad hoc consulting activities. With the growing prominence of reputational risks to organizations, internal auditors should ensure their level of
involvement is adequate to assist the organization in dealing with these risks appropriately. There are several ways in which internal auditors can accomplish this level of involvement:

● Identifying risk champions throughout the organization, whose roles include monitoring and reporting on reputational risks
● Having a place at the table when the committee in charge of risk management in the organization is discussing reputational risks
● Regularly discussing reputational risk as part of the risk universe at an organization
● Being aware of reputational risks and identifying areas that represent threats because they are not being managed correctly
● Ensuring organizations examine reputational risks at the inherent level as well as at the perceived residual level
● Increasing monitoring of social networking websites to track the public mood
● Maintaining awareness of changes to reputational risks; for example, environmental responsibility is a relatively new reputational risk impacting organizations
● Updating and adjusting risk assessments throughout the year as circumstances change

While new reputational risks are continually coming to light, other established reputational risks still exist and are often enhanced. Established reputational risks that may increase due to the economic downturn include fraud, theft, and quality corner-cutting. Furthermore, the economic downturn has increased many reputational risks because companies may not be able to recover as quickly from the financial impacts of a misstep.”

The Last Word!

The reputation of an organization is very important to its success and existence. All risks may have an impact on reputation in one way or another. Reputation risk management is the responsibility of everyone, with management taking the lead on it. Internal auditors play an important role in ensuring that reputational risks are identified and managed on a timely basis.

Reputational risk management is everyone’s responsibility.