Getting to Grips with Reputation Risk

"It takes twenty years to build a reputation and five minutes to ruin it," Warren Buffett once remarked. "If you think about that, you'll do things differently." With the examples of the Société Générale fraud and assorted subprime implosions freshly before us, you have to wonder if this is one bit of Buffett wisdom that's pretty much universally ignored.

The reality is, though, that companies are increasingly aware of the need to protect their reputation; it's just that they have a hard time figuring out how to do it. Reputation risk is perhaps the most pervasive threat that businesses face, and it's also the most elusive. It can take so many different forms that it's hard to know where to start measuring and mitigating it.

A new white paper from management and technology consulting firm BearingPoint tackles the issue head on. The report takes as its starting point the insight that reputation risk arises whenever stakeholders have an interaction with the company that deviates from their expectations. A single event can impact multiple stakeholders, including current and potential customers, suppliers and partners, employees, lenders, and government regulators.

BearingPoint recommends a four-phase risk management process that provides insights into potential negative stakeholder experiences:

1. Identify the risk. Companies can use forward-looking exercises such as peer analysis and scenario analysis to pinpoint and describe potentially damaging events and their likely effect on stakeholders and the media.

2. Measure and assess the risk. In this phase, companies start by developing and documenting key stakeholder information such as customer value and trends in shareholder behavior. The next step is to quantify each risk's probability using Monte Carlo analysis, Black-Scholes, or similar methodologies. Next, project leaders should assess the controls that the organization has in place against the risk, and consider whether new investments are in order.

The outcome of this phase is a set of risk management recommendations based on assessments of the costs and benefits of making changes (or doing nothing).

3. Control the risk. The goal in this step is to translate the findings of the earlier phases into a plan of action, and then implement it. Action steps may include, for example, process and product enhancements, process reengineering to prevent potentially damaging events, and strategic changes.

At this point the organization should also ensure that its public relations strategy is up to the task of protecting its reputation in the aftermath of a negative event or even a mischaracterization in the media. Nowadays, blogs and Internet portals can spread negative perceptions like wildfire, the study notes.

4. Monitor the risk. The company should install a solid risk-management process to track changes in the risk and control environment on an ongoing basis. This should include monitoring stakeholders' experiences, perceptions and actions as well as media coverage. For example, a financial services company might monitor its investor stakeholders' experiences by regularly comparing its share performance against that of industry peers, reviewing analyst sentiment and reports, and following coverage of the company in the financial media, blogs, and investor message boards.

Click here to access the complete BearingPoint report (requires free registration).