Reputation is one of an organization's most valuable assets – according to a 2012 study by the World Economic Forum, on average approximately 25 percent of a company's market value is directly attributable to its reputation. It's also an incredibly fragile asset: a good reputation built through years of dedicated effort can be destroyed almost overnight, especially in today's interconnected world where an organization's customers, operations, supply chains and internal and external stakeholders are scattered globally.
Traditionally, an organization's reputation suffers as a consequence of a failure, such as a financial or strategic problem. Defective products, poor working conditions, environmental damage, fraud or corruption and other problems can all have an impact on reputation. Often, such damage can far exceed that caused by the original problem. For example, organizations are required to disclose cyber breaches, and even a relatively small breach that captures only a few customer records or minor information can quickly draw both regulatory scrutiny and widespread negative public reaction.
Reputational damage can also result from risks outside the organization's direct control, such as a failure at a third-party supplier or partner, competitive attacks or natural hazards and other catastrophes.
In today's world of social media, a blow to an organization's reputation may go viral even without any actual wrongdoing by the entity itself – perhaps, as a result merely of a perception of inappropriate behaviour or even just the grievances of one or two individuals. Such attacks can have a domino effect, creating other risks – typically, impacts on revenue and brand value – that need to be mitigated.
Not surprisingly then, almost 90 percent of executives surveyed by Forbes Insights in 2014 on behalf of Deloitte say that reputation risk is their key business challenge. Because of its significance, the responsibility for managing reputation risk, according to survey respondents, resides at the highest levels of the organization: the c-suite and the board.
Given the rapid speed at which reputation problems can develop, many organizations are looking at ways to improve their capabilities for managing this risk. Technology, such as analytical and brand-monitoring tools, can help identify what matters most to an organization and its reputation. It can also monitor developments occurring at competitors, elsewhere within their industry, or among their business partners.
Others may be able to provide early warning of pending problems as well. Analysts and investors may provide their perceptions of the organization compared to its peers, and since customers and clients are one of the most important stakeholder groups for managing reputational risk, organizations should closely monitor their customer touch points, such as call centres, walk-in premises, and other points of interaction, to keep tabs on what customers think about them.
Organizations are also looking internally to strengthen their ability to detect and mitigate reputation problems. An effective whistle-blower program, for example, can help bring to light problems within the organization that may be compromising its reputation. Some organizations are considering appointing a reputation risk officer to manage reputation risk on a day-to-day basis, while implementing crisis management strategies, including risk scenario planning and response rehearsals, can improve the organization's effectiveness at quickly resolving reputational issues when they do arise.
The board has a role to play in helping to oversee and advise management and the organization in understanding the potential reputational risks associated with strategic decisions. Independent directors should bring their external perspectives to assist in this process. In some organizations, management presents the strategy by modeling different paths of action and then analyzing the associated risks and opportunities created by different scenarios. The board plays an active role in this discussion by providing perspective and feedback that could lead to changes to the strategic path and the associated identified risks and opportunities.
Organizations need to understand the full parameters of their risk environment. Once an event becomes publicly associated with a company – even if it has no legal connection to that event – it may still suffer reputational damage. Many organizations, therefore, prepare global risk agendas that identify key risks at various levels: by country, corporate level, business unit, etc. Boards should ask management to share its risk agenda and assessment with them, and make reputation risk at least an annual item for discussion.