Quantifying Reputational Risk

Trying to explain, measure and report on reputational risk has always posed a challenge for every IT organization that I have encountered.  IT understands technology, and most of the risks associated with technology.  They struggle for the most part with business risk, and although they will agree that reputation is important, they can’t seem to figure out how to factor it in, or what it means to the organization.

Reputational risk is defined by The Federal Reserve System’s Commercial Bank Examination Manual as “the potential that negative publicity regarding an institution’s business practices, whether true or not, will cause a decline in the customer base, costly litigation or revenue reductions.”  Reputational risk is one of the Federal Reserve System’s categories of safety and soundness and fiduciary risk (credit, market, liquidity, operational, legal, and reputational) and one of three categories of compliance risk (operational, legal, and reputational). While it may be a defined risk, reputational risk remains difficult to identify and quantify.

Michelle Dennedy has a good article on McAfee’s Privacy Matters blog that scratches the surface of reputational risk, and suggests a simple method for estimating and tracking it.  Although not an accurate measurement of an organization’s specific reputational risk, it does provide a yardstick, which is better than just ignoring it.

Michelle’s proposed workflow is to:

  • Notice topics that relate to your risks.
  • Count the number of times these topics are mentioned in headlines or news stories.
  • Create a spreadsheet: rows are the topics, columns are the dates. In each cell, note the number of headlines or significant mentions. If you think it’s going to be important, start to capture dates and publications (use links if you can) so you can back up your ideas.
  • Once a month, use the spreadsheet’s charting function to generate a “heat map,” an assessment of which topics have generated the most energy in the news.
  • If a relevant topic has generated significant coverage in insider publications, there’s a good chance it will reach the mainstream press. If you think this might happen, summarize your findings in a concise note to your boss and your security team. Include an overview of what the issue is, what the coverage has been so far, what the impact would be on your business, and what efforts might be appropriate to mitigate these risks.

“Voila. You have quantified reputational risk.”

Not so fast.  This isn’t a quantification of risk; it is at best an estimation that can characterize the general risk landscape as it relates to reputation.  For it to be a quantification in the context of your business, you need to factor in your business’ unique elements and apply the equation to your unique circumstances.

You need to look more closely at the industries that the impacted companies are in and where they rate reputationally compared to your own company, and you would be wise to know what the financial implications of the reported incident were, to validate that their reputation was in fact impacted.  This could be stock price comparisons pre- and post-incident, investor confidence rating, or some other metric.  Otherwise, all of the evidence remains anecdotal.  Even with these monetary items factored in, the impact may still be influenced by myriad external factors, like M&A discussions, P&L announcements, earnings, revenue, etc.

Reputational risk, in my opinion, remains extremely difficult to quantify and measure.  I like Michelle’s idea, but continue to search for a firmer yardstick.  To arrive at a composite risk rating, the following criteria are typically used when assessing risk:

  • Level of inherent risk – high, moderate, or low
  • Adequacy of risk management – strong, acceptable, or weak
  • Trend of risk direction – decreasing, stable, or increasing

Many items and areas need to be considered when assessing the risk rating criteria.  For reputational risk, examiners might review press releases, stock message boards, and stock analyst comments to gain an initial indication of reputational risk.  Also consider an organization’s responsiveness to customers, whether stock analysts recommend buying or selling, and why, and what shareholders, employees, or the general public are saying about the organization.

Is board and management oversight adequate?  Are policies and procedures tailored to the company?  Talk to both employees and management to get a feel for things like whether a consistent message on the importance of ethics is being conveyed, and whether risk management practices are mature.  Is the company’s expertise adequate, and are controls in place to manage growth?  Lax oversight and controls leave an institution open to security breaches and employee theft, which again could result in unfavorable media attention and may damage the brand’s name and erode public confidence.

Finally, determine whether there have been historical violations of consumer law.  Has the company been involved in unfair or deceptive practices?  Reimbursing consumers for errors could be embarrassing and tarnish your reputation.  Not doing so could be even more costly.  Excessive violations could result in class action suits, civil penalties, or other regulatory actions.

Building a corporate reputation may take years, but it can be damaged or even destroyed in minutes.  Reputational risk exists in a combination of factors.  Boards of directors and senior management are responsible for measuring and monitoring reputational risk and must remain vigilant and active in providing the safeguards to prevent loss of reputation.  The best way in my opinion to manage a company’s reputational risk is to focus on the integrity of the company and its employees, ensuring that a proactive, risk-aware culture exists within the company.  Companies that are able to prove they operate with integrity and have a good culture will be in a much better position to mitigate any impact on their reputations than those that cannot.