Board Oversight of Reputation Risk

Protiviti Board Perspectives
Board Oversight of Reputation Risk

Reputation risk is the current and prospective impact on earnings and enterprise value arising from negative stakeholder opinion. To one author, it is “the loss of the value of a brand or the ability of an organization to persuade.” To our right, we explore 10 essential keys for managing reputation risk. 

While reputation is hard to define in terms of exactly what it really is, everyone agrees it’s a precious enterprise asset and recognizes when a reputation has been damaged beyond repair. Reputation is fragile. What takes decades to build can be lost in a matter of days. 

Key Considerations 

We see 10 keys to the board’s oversight of reputation risk management, and classify them in five critical areas: strategic alignment, cultural alignment, quality commitment, operational focus and organizational resiliency.

10 Keys to Managing Reputation Risk

Strategic Alignment: 

  1. Effective board oversight: Reputation risk management starts at the top. Strong board oversight on matters of strategy, policy, execution and transparent reporting is vital to effective corporate governance, a powerful contributor to sustaining reputation and the ultimate checkpoint on CEO performance. For example, the board’s oversight of risk is important because effective identification and management of risk can reveal major threats to reputation and ensure that they are reduced to an acceptable level. 
  2. Integration of risk into strategy-setting and business planning: The board must ensure that risk is not an afterthought to strategy-setting and business planning. Integrating risk with these core management processes makes risk a relevant factor at the decision-making table, facilitates a strategic view to undertaking risk and intersects risk management with performance management. In an effort to make the strategy more robust, directors should understand the critical assumptions underlying the strategy; ask tough, constructive questions to challenge assumptions; and consider reasonable scenarios that could render one or more assumptions invalid. It is critical to define the inherent soft spots, incongruities, and opportunity and loss drivers that could impact the execution of management’s plan and dramatically affect performance. Also, the budgeting and forecasting processes supporting the business plan must be effective in managing liquidity risks that could threaten the organization’s viability during the planning period. 
  3. Effective communications and image- and brand-building: Building brand recognition unique to a business is vital and, when all else is working well, augments reputation. A good story is easy to tell, but every savvy board knows that some companies are better at telling their stories than others. Therefore, directors need to understand management’s image- and brand-building game plan. Typically, the best companies are customer-focused; understand their value proposition; develop powerful and distinctive messaging; listen well and act to improve their processes and products continuously; establish accountability for results with metrics, measures and monitoring; employ social media effectively; and passionately live up to their brand promise every day. The messages that the press, analysts and others communicate about the company through print and electronic media and word of mouth are influenced by good marks on the other nine keys to managing reputation risk. 

Cultural Alignment: 

  1. Strong corporate values, supported by appropriate performance incentives: The notion that, if tone at the top is good, the organization’s culture must be good, doesn’t always hold. Lower-level employees often pay more attention to the messaging and behavior of their supervisory middle managers than to communications from the organization’s leaders. Boards need to ensure that executive management implements a strong tone at the top, effective escalation processes, and periodic assessments of the tone in the middle and tone at the bottom. To that end, the alignment of performance incentives with corporate values down through and across the organization has a strong influence on instilling the desired behaviors. Also, directors need to pay attention to the warning signs posted by independent risk management functions and in audit reports. 
  2. Positive culture regarding compliance with laws, regulations and internal policies: Few incidents undermine reputation more than serious compliance violations dragged through the mud by the media. Directors should ascertain that effective internal controls over compliance matters are implemented and executive management: “walks the talk” with respect to compliance; maintains strong compliance administration and oversight across the organization; periodically conducts a comprehensive risk assessment; refreshes the compliance program for changes arising from new regulatory developments; and understands the players and third-party agents in countries in which the organization does business and monitors their dealings closely. Robust compliance training and certification should be implemented and adequate documentation of compliance-related communications to, and training of, employees should be maintained. Effective auditing and monitoring capabilities to evaluate compliance effectiveness should be in place, as should escalatory processes for reporting wrongdoing and suspected violations, along with effective follow-up procedures on receipt of allegations meriting investigation.

Quality Commitment: 

  1. Priority focus on positive interactions with stakeholders: The board should ensure that there is a passionate focus on improving stakeholder experiences. These are the accumulation of day-to-day interactions that customers, employees, suppliers, regulators, shareholders, lenders and other stakeholders have with a company as a result of its business operations, branding and marketing. These interactions constitute moments of truth for any company. If internalized and acted upon, they are a powerful driving force for improving and sustaining reputation. To illustrate, organizations that really know their customers, align company goals with customer needs and act to ensure a distinctively different experience for customers are going to be noticed in the marketplace. 
  2. Quality public reporting: When public companies restate previously issued financial statements for egregious errors in the application of accounting principles or omissions or misuse of facts, investors notice. For companies contemplating an initial public offering, a well-designed financial close process, effectively functioning internal financial reporting controls and an understanding of what not to say when talking with the press are important. For established companies, vigilance in both maintaining internal control over financial reporting and in deploying effective disclosure controls and procedures is important to ensure reliable public reports. The markets take quality public reporting at face value. Once a company loses the public’s confidence in its reporting, it’s tough to earn it back. These points suggest that a strong audit committee is an imperative. 

Operational Focus: 

  1. Strong control environment: A critical component of internal control, the control environment lays the foundation for a strong culture around achieving the organization’s operational, compliance and reporting objectives. In addition to the board’s oversight and the organization’s commitment to integrity and ethical values, which we’ve mentioned previously, the control environment consists of: the organizational structure and assignment of authority and responsibility; the processes for attracting, developing and retaining competent people; and the rigor around setting the appropriate performance measures, incentives and rewards that drive accountability for desired results. Because embarrassing control breakdowns can tarnish reputation, every board should expect and demand a strong control environment. 
  2. Company performance relative to competitors: Even if a company does everything else right, its reputation will suffer if its business model is not competitive. Market recognition of success is a huge validation of a company and its management team. Recognition of differentiating strategies, distinctive products and brands, proprietary systems, and innovative processes are intrinsic sources of value that can translate into superior quality, time, cost and innovation performance relative to the company’s competitors. On the other hand, significant performance gaps can diminish reputation if not addressed in a timely manner. These factors should weigh heavily on a board’s evaluation of company performance over time. 

Organizational Resiliency: 

  1. World-class response to a high-profile crisis: Sooner or later, every company is tested. No company is immune to a crisis. As a crisis event is a severe manifestation of risk, crisis management preparation is a natural follow-on to risk assessment, particularly for high-impact risks with high velocity, high persistence and low response readiness. The board should ensure that the risk assessment process is designed to identify areas where preparedness is needed. If a crisis management team doesn’t exist or isn’t prepared to address a specific sudden crisis scenario, a rapid response will be virtually impossible. Fires cannot be fought by committee. Response teams should be supported with robust communication plans emphasizing the importance of transparency, straight talk and the effective use of social media. The response team should update and test the rapid response plan periodically.

While a one-size-fits-all approach does not exist, attention to how a company addresses these 10 keys will help shape its reputation over time. Reputation risk management is inextricably linked to the risk management and crisis management disciplines, as well as to the organization’s alignment of strategy and culture and its commitment to quality and operational excellence. From a board oversight standpoint, the 10 keys offer a framework for focusing on what’s really important when overseeing how the organization manages reputation risk. 

Questions for Boards 

Following are some suggested questions that boards of directors may consider, based on the risks inherent in the entity’s operations: 

  • Is the board satisfied that executive management is focused on the appropriate fundamentals for enhancing and preserving the enterprise’s reputation? 
  • Does the risk assessment process take into account significant threats to the company’s reputation and identify areas requiring consideration of response plans to improve preparedness and rapid response? Is there a rapid response plan for appropriate crisis scenarios? 
  • Is there adequate focus on the critical enterprise risks that could impair the enterprise’s reputation if not managed effectively? Does management apprise the board in a timely manner of significant changes in the enterprise’s risk profile, and is there a process for identifying emerging risks? 

How Protiviti Can Help 

Protiviti assists boards and executive management with assessing the enterprise’s risks and implementing strategies and tactics for managing the most critical risks, including those that can threaten the organization’s reputation and brand image. 

(Board Perspectives: Risk Oversight - Issue 83)

Click here to access all series