Reputational risk management considerations and practices
Thomas Brandt, Chief Risk Officer/Director, Office of Planning and Risk, Federal Retirement Thrift Investment Board
Below is an insight into what can be expected from Thomas’s session at Vendor & Third Party Risk USA 2023.
The views and opinions expressed in this article are those of the thought leader as an individual, and are not attributed to CeFPro or any particular organization.
Why is it important to classify reputation as a risk type?
Defining reputational risk is a good starting point. Reputational risk is any event that could damage stakeholders’ confidence, trust, and respect towards an organization. It is the potential for negative publicity, public perception, or uncontrollable events to have an adverse impact on an organization’s reputation.
Reputational risk is generally not viewed as a direct exposure; it is an outcome or consequence of another risk-related event. Examples of incidents that can create reputational risk include cyber-attacks, privacy breaches, employee or executive misconduct, negative customer experiences, and compliance or regulatory lapses.
Reputational risk is not a new concern. Most organizations have always had some concern about their reputation. What has changed, however, is the complexity in managing reputational risk and the pace at which seemingly minor incidents can escalate into a full-blown crisis, especially in an era of social media, misinformation, and the 24-hour-a-day news cycle.
The consequences of reputational risk are also not always immediate. A series of small infractions can create cumulative damage over time or explode when a pattern of misbehavior or missteps suddenly appears. As such, it is worth devoting resources to tracking and managing reputational risk as part of an overall Enterprise Risk Management program.
Should institutions look to include managing reputation risk as part of a third-party risk management program?
Reputational risks emanate not only from within an organization, but increasingly arise from actions of third parties, particularly those providing critical products and services or with access to data and systems. Any organization that works with third-party vendors or relies on contractors needs to have a line of sight into their risks, hence the growth in third-party, supply chain and vendor risk management programs that aim to provide a sense of the risk exposure, and overall management and risk practices of key vendors.
Taking a risk-based approach to vendor management can help limit potential reputational risk events associated with third parties. Some key vendor risks that can also pose reputational risk and should therefore be monitored regularly include:
- Cybersecurity risk: Cybersecurity risk is concerned with any potential losses resulting from a cyber-attack or breach of your organization’s systems, especially those containing customer and/or employee records.
- Compliance risk: Compliance risk arises from violations of the laws, regulations, and internal processes your organization follows to conduct business.
- Financial risk: Third-party financial risk occurs when vendors fail to meet the fiscal performance requirements established by your organization.
- Strategic risk: Strategic risk occurs when a vendor’s actions or business decisions do not align with your organization’s strategic goals.
How can organizations integrate reputational risk management into their overall business practices?
Through the establishment of effective governance, risk management, incident response plans, training, and communications capabilities, organizations can equip themselves with the ability to better manage reputational risks while also enabling greater resiliency to recover from any such events were they to occur. Below are some recommended practices for effective reputational risk management:
- Establish leadership and governance oversight: Effective risk management requires ongoing leadership attention and buy-in. When establishing a reputational risk management program or capability, coordinate with the organization’s risk management committee on strategy and policy decisions. The goal is to create a system that allows for ongoing communication between risk management teams, the risk committee and leadership.
- Integrate your reputational risk strategy into strategic and business planning: Integrating your reputational risk management strategy with core business processes ensures that it is incorporated into business planning. To gain the most from these risk management strategies, it is important that managers and executives understand how their work contributes to the organization’s overall approach and methods for managing reputational risk.
- Maintain effective internal controls: An internal control system is the process that an organization uses to provide reasonable assurance that its goals and objectives will be achieved. Unfortunately, ineffective, missing, or overlooked internal controls are often cited as a root cause of many crises that have created reputational harm to organizations. The internal control system should be designed to discourage occurrences of errors or irregularities and to identify, within a reasonable time frame, errors or irregularities that may occur.
- Create incident response plans: While risk management programs help limit reputational risk exposure, no strategy is completely effective at preventing a reputational risk event from occurring. Should a reputational risk event occur that poses risk to your organization’s reputation, it is essential to have an incident response plan in place.
- Provide training: A sound training and awareness program for all staff is an essential control to prevent reputational risk events from occurring. All employees can be a source of reputation risk, as their errors or missteps could trigger a reputational event, and thus they must be made aware of the impact their actions can have on the organization’s reputation.
Ignoring risks doesn’t make them go away, and in today’s environment, reputational risks are growing in likelihood, impact, and velocity. Consequently, all organizations should be better attuned to reputational risk and have methods in place to regularly assess, monitor and manage these risks. By adopting and implementing effective reputational risk management practices internally and also for third parties, organizations can be better prepared to ideally detect and prevent, or at least minimize the impact of reputational risk events.