Ten Keys to Managing Reputation Risk

With today’s electronic media, the news cycle reporting on the downward spiral of a once-proud organization that has suffered severe reputation impairment is not a pleasant one to watch. Applied to a business, reputation represents an interpretation or perception of an organization’s trustworthiness or integrity. While the truth ultimately prevails long term, reputation can be based on false perceptions in the near term. If accurate over time, reputation provides a barometer of how an organization is likely to respond in a given situation. However one defines “reputation,” everyone agrees it’s important and recognizes a reputation that has been damaged beyond repair.

Reputation risk is the current and prospective impact on earnings and enterprise value arising from negative stakeholder opinion. To one author, it is “the loss of the value of a brand or the ability of an organization to persuade.”1 It is tough to compete without a solid reputation. This issue of The Bulletin explores 10 essential keys for managing reputation risk.

Ten Keys to Managing Reputation Risk
Strategic Alignment
1.    Effective board oversight
2.    Integration of risk into strategy-setting and business planning
3.    Effective communications, image and brand
Cultural Alignment
4.    Strong corporate values, supported by appropriate performance incentives
5.    Positive culture regarding compliance with laws and regulations
Quality Commitment
6.    Priority focus on positive interactions with key stakeholders
7.    Quality public reporting
Operational Focus
8.    Strong control environment
9.    Company performance relative to competitors
Organizational Resiliency
10.    World-class response to a high-profile crisis

While we acknowledge that some believe in measuring reputation to identify gaps, we assert that these measurement-driven techniques may not source all of the threats to reputation hidden deep within a company’s organization and processes. The 10 keys we explore herein address the “nuts and bolts” of managing reputation risk. We organize them into five categories: strategic alignment, cultural alignment, quality commitment, operational focus and organizational resiliency.

Strategic Alignment

Strategic alignment with a focus on a sustainable reputation begins at the top, with board oversight, strategy-setting, business planning, image building and branding.

No. 1: Effective Board Oversight

Strong board oversight on matters of strategy, policy, execution and transparent reporting is vital to effective corporate governance, a powerful contributor to sustaining reputation and the ultimate checkpoint on the chief executive officer’s (CEO) performance. For example, through the risk oversight process, the board determines that the company has in place a robust process for identifying, prioritizing, sourcing, managing and monitoring its critical risks and that this process is improved continuously as the business environment changes.

The board’s purpose when directing questions to executive management regarding risk and risk management is to (1) understand the risks inherent in the corporate strategy and the risk appetite of management in executing that strategy; (2) understand the critical assumptions underlying the strategy; (3) be alert for organizational dysfunctional behavior that can lead to ethical breaches, losing line of sight on the company’s brand promise or taking risks beyond the board’s understanding of management’s risk appetite that neither the board nor investors would approve; and (4) determine whether the entity has the appropriate strategies and capabilities in place to manage its key risks. The board’s risk oversight lays an important foundation for managing reputation risk.

No. 2: Integration of Risk into Strategy-Setting and Business Planning

Integrating risk with strategy-setting and business planning makes risk a factor at the decision-making table and facilitates the intersection of risk management with performance management. To integrate risk into strategy-setting, define the assumptions underlying the strategy, develop contrarian statements for the most critical assumptions, analyze scenarios that could make the highest-impact contrarian statements happen, and articulate the implications of high-impact contrarian statements. The idea is to provide an opportunity to knowledgeable managers and directors to think strategically and challenge key strategic assumptions constructively.2

To integrate risk into business planning, it is critical to define the inherent soft spots, loss drivers and incongruities that could adversely impact execution of the plan and dramatically affect performance. The budgeting and forecasting processes supporting the business plan must be effective in managing liquidity risks that can threaten the organization’s viability during the planning period. An effective planning process deploys the strategy at the level of greatest achievability and accountability and incorporates the risk management capabilities needed to address the critical risks inherent in the plan.3

Integrating risk into core management processes facilitates better decision-making and enhances the effectiveness of risk management by increasing the focus on the risks that matter. The company becomes more proactive and adaptive as it stress tests its strategy and business plan against different scenarios to identify the most critical factors impacting the business so they can be monitored over time to position the organization to secure advantages as an early mover.4

No. 3: Effective Communications, Image and Brand Building

Building brand recognition unique to a business is a good thing and, when all else is working well, augments reputation. While a good story is easy to tell, some companies are better at it than others. Typically, these companies are customer-focused; understand their value proposition; know how to develop powerful and distinctive messages; listen well and act to improve their processes and products continuously; establish accountability for results with metrics, measures and monitoring; and, most important, passionately live up to their brand promise every day. A reality that cannot be ignored is that messages the press, analysts and others communicate about the company through print and electronic media and word of mouth are influenced by the good marks on the other nine keys to managing reputation discussed herein.

The evolution of social business is a game changer for image and brand building. Communities are established through highly accessible media that have transformed how brand awareness is managed; customer collaboration is established and sustained; products and services are developed, marketed and sold; and operational effectiveness is improved. Social media provides an environment where customers and other parties drive the dialog, so companies engage in dialog with their customers versus talking to their customers. Organizations ignore the emergence of social business at their own peril, risking becoming laggards as they cede to competitors the ability to brand their products and services distinctively in the public eye, as well as obtain continuous product and process improvement insights.5

Cultural Alignment

In establishing a sustainable reputation, cultural alignment can be as important as strategic alignment. Since the financial crisis, the importance of responsible business behavior has never been more evident. A strong culture to manage compliance in a proactive, holistic manner can also contribute to lowering costs, increasing effectiveness and sustaining reputation during times of trouble.

No. 4: Strong Corporate Values, Supported by Appropriate Performance Incentives

With the Internet and social business communities facilitating the rapid exchange of information, and legislation and regulators encouraging whistleblowers, transparency has increased on bad corporate behavior. Fair or not, word gets around fast. The focus on values providing the foundation for sustaining reputation is much more than drafting a list of values and posting them on the company website. The only test that matters is whether management and employees live the values.

The willingness to listen to customers, employees and other stakeholders,6 understand their needs, and deal with them responsibly and fairly is what values are about. Furthermore, compensation structures incent employees to behave the way they do. To compensate employees in a way that conflicts with the organization’s values leaves employees confused and can drive behavior leading to unintended consequences that could tarnish the company’s reputation. For example, cost and/or schedule issues can be used to override safety standards, exposing the organization to a high-profile incident without the knowledge of executive management or the board.

Ever since “tone at the top” was coined by The Treadway Commission, there has been much discussion regarding how an organization’s leadership creates an environment fostering ethical and responsible business behavior. The trickle-down notion that if tone at the top is good, the organization’s culture must be good, doesn’t always hold. The reality is, if the behavior of middle managers undermines the messaging and values communicated by the organization’s leaders, it won’t take long for lower-level employees to notice. That is why executive management and directors should make every effort to:

  • Implement a strong tone at the top.
  • Ensure the organization has a variety of effective escalation processes.
  • Consider conducting a periodic assessment of the “tone in the middle” and “tone at the bottom.”
  • Pay attention to the warning signs in audit reports that the “tone of the organization” is inconsistent with executive management’s view of the “tone at the top.”7

No. 5: Positive Culture Regarding Compliance with Laws and Regulations

Another aspect of how culture impacts reputation is the extent to which the organization strives to implement effective internal controls. While perfection is impossible, a record of having made a strong effort is important if problems should occur. In 2012, the U.S. Department of Justice’s (DoJ) public acknowledgement that it had declined to bring any enforcement action against a global financial services firm sent a powerful message that the firm had attained the elusive “reasonable assurance” threshold and that, in effect, the employee in question went rogue in his behavior. While the context was bribery and corruption, the DoJ’s decision provided insights that could apply to other areas of compliance as well.

The lessons learned from the DoJ’s decision merit a careful read as they provide insights on creating a positive culture around compliance with laws and regulations and offer specific examples of the benefits of cooperating with regulators.

Briefly, the lessons learned include: leading with a strong tone at the top with management “walking the talk”; maintaining strong compliance administration and oversight; conducting a comprehensive risk assessment; refreshing the compliance program for change arising from new regulatory developments and industry guidance; understanding the players in the countries in which the organization does business and requiring them to report their dealings; and closely monitoring the use of third-party agents. In addition, companies should have effective auditing and monitoring capabilities in place to evaluate compliance effectiveness, as well as an effective system (e.g., an anonymous, confidential hotline) available to employees who should be encouraged to use it to report wrongdoing and notify the company of suspected violations of the company’s policies and applicable laws and regulations. Upon receipt of any allegations, the proper individuals within the organization should take immediate and decisive action, including seeking advice from appropriate experts, investigating the allegations, disciplining or terminating employees participating in illegal acts, notifying the appropriate authorities and disclosing the matter to shareholders. Another lesson was the importance of robust compliance training and certification and the maintenance of adequate documentation.8

Compliance executives should study the DoJ’s rationale to consider, in light of the company’s specific circumstances and risks, whether any adjustments to the compliance infrastructure are needed to enhance the culture as it relates to compliance.

Quality Commitment

All companies with a strong reputation are noted for their commitment to quality. Quality is built through quality people, quality processes, and quality products and services. Companies committed to quality have a strong discipline to improve continuously.

No. 6: Priority Focus on Positive Interactions with Key Stakeholders

Consistent with the organization’s values, a passionate focus on improving stakeholder experiences is a powerful approach to improving and sustaining reputation. Stakeholder experiences are the accumulation of day-to-day interactions that customers, employees, suppliers, regulators, shareholders, lenders and other stakeholders have with a company as a result of its business operations, branding and marketing.

To illustrate, organizations that take the time to really know their customers and align their goals and processes with customer needs and act to ensure a distinctively different experience in dealing with the company are going to be noticed in the marketplace. Interactions with customers are what Jan Carlzon, the former CEO of Scandinavian Airlines, called “moments of truth.” This occurs when a customer has an opportunity to form or change an impression about the company when interacting with customer-facing personnel.

Carlzon should know what he’s talking about because in a year’s time he took the airline from heavy economic losses to healthy profits by transforming it into a customer-driven organization. He flattened the hierarchical pyramid, empowered his people to solve problems and engaged his employees by listening to what they had to say concerning passenger feedback. As a result, his airline was the first to implement business class and flew smaller planes to provide a more flexible schedule and on-time departures while other airlines compressed flights they offered using larger planes. Clearly, an organization that is able to inculcate a “moments of truth” philosophy into its operations is going to build and sustain a positive reputation.9 This philosophy underlies an enterprise-wide commitment to quality.

No. 7: Quality Public Reporting

As dictated by the securities laws in the applicable country, quality public financial reporting is something investors have a right to expect. If management doesn’t deliver it, it may take a long time for the markets to “forget and forgive” in terms of pricing the company’s stock.

Public reporting is like the sleeves of a shirt. If the shirt is well-laundered and looks nice, no one notices. Stain one of the sleeves with food and no one can take their eyes off it. When public companies restate previously issued financial statements for errors in the application of accounting principles or oversight or misuse of facts or continuously report material weaknesses, investors notice. For companies contemplating an initial public offering, a well-designed financial close process, effectively functioning internal financial reporting controls, and an understanding of what not to say when talking with the press are important. For established companies, vigilance in maintaining effective internal control over financial reporting and disclosure controls and procedures is important to ensure reliable public reports. The markets take quality public reporting at face value. Once a company loses the public’s confidence in its reporting, it’s tough to earn it back.

Operational Focus

A strong operational focus is vital to managing reputation risk. A strong control environment and superior quality, time, cost and innovation performance in the marketplace over time contribute significantly to a sustainable reputation.

No. 8: Strong Control Environment

A critical component of internal control, the control environment lays the foundation for a strong controls culture. The control environment consists of the standards, processes, structures and technologies that provide the basis for carrying out internal control across the organization. The board of directors and senior management establish the tone at the top regarding the importance of internal control through their actions, decisions and awareness. Management reinforces expectations at the various levels of the organization.

The control environment comprises the organization’s commitment to integrity and ethical values; the oversight provided by the board of directors in carrying out its governance responsibilities; the organizational structure and assignment of authority and responsibility; the process for attracting, developing and retaining competent people; and the rigor around performance measures, incentives and rewards to drive accountability for performance. Without a supportive culture and an effective tone at the top for internal control, the organization is susceptible to embarrassing control breakdowns that could tarnish its reputation.

No. 9: Company Performance Relative to Competitors

Even if a company does everything else right, its reputation will suffer if its business model is not competitive in the marketplace. Profitable market recognition is a huge validation of a company’s value proposition and its management team. How else can an organization retain the best employees and serve the best customers if it does not enjoy an unquestioned reputation as a high-performing organization? Recognition of differentiating strategies, distinctive products and brands, proprietary systems and innovative processes are intrinsic sources of value that can translate into superior performance relative to the company’s competitors. Superior, top-quartile performance is hard to miss in the market. On the other hand, significant performance gaps relative to competitors can diminish reputation if not corrected in a timely manner.

Organizational Resiliency

A company’s reputation risk management is inextricably linked with the resiliency provided by its risk management and crisis management. Effective identification and management of the company’s risks can identify major threats to reputation and ensure they are reduced to an acceptable level. In addition, effective response plans and teams can minimize reputation damage when threatening events occur. Together, these two disciplines are fundamental to managing reputation risk.

No. 10: World-Class Response to a High-Profile Crisis

Sooner or later, every company faces a crisis and is tested. One author asserts that there are six key areas of business performance that underpin reputation. They are ethics, innovation, quality, safety, sustainability and security. Company culture drives choices in each of these areas that ultimately shape stakeholder expectations. Reputation-impairing crises are often consequences of operational failures in one or more of these six processes.10

To intersect risk management with crisis management, the risk assessment process needs to consider the impact of occurrence of an event and three other factors:

  • The velocity or speed to impact, including whether the event can occur without warning (i.e., does it smolder or is it sudden?)
  • The persistence of the impact (i.e., the duration of time the event and its impact continue to remain visible in the headlines)
  • The resiliency of the company in responding to the event

Likelihood of occurrence is not listed above because it may not be as significant a factor in evaluating exposure to catastrophic events as the enterprise’s response readiness. Often, the process of developing traditional risk or heat maps leads to a de-emphasis of the so-called “high impact, low likelihood” risks because of their low probabilities and the false sense of security arising from the lack of historical precedence. The irony is that these events are often the ones that cause the most damage if and when they occur.

They are potential “black swans.” To manage their impact, proactive preparation is vital.

As a crisis event is a severe manifestation of risk, crisis management preparation is a natural follow-on to risk management, particularly for high-impact risks with high velocity, high persistence and low response readiness. Therefore, the risk assessment process should be designed to identify areas where preparedness is critical. If a crisis management team doesn’t exist or isn’t prepared to address a potential crisis, rapid response to sudden, unexpected events will be virtually impossible. Fires cannot be fought with a committee.

Because most organizations are unprepared for a crisis, it is a management imperative to build a rapid-response crisis management capability for sudden and unexpected high-impact, high-velocity and high-persistence events. Simply stated, early preparation improves an organization’s ability to respond to a crisis, reduces damage to the company’s brand image and reputation, and minimizes regulatory sanctions, penalties or fines.

A response team should authorize a pool of individuals who are trained to serve as spokespeople to speak to the media on behalf of the organization in times of crisis, internally at employee meetings and/or externally at public meetings. The response plan should emphasize the importance of transparency, straight talk and effective deployment of social media. The rapid-response team should ensure the crisis management plan is updated and tested periodically. The plan should be supported by a communications strategy complete with appropriate holding statements, prepared with the assistance of public relations and pre-approved by legal, to express concern for the safety and well-being of any victims and buy time for the response team to investigate the incident and take appropriate steps to reduce the chances of another occurrence. Key internal and external stakeholders who matter most to the organization should be identified, and a reliable system to notify them when a crisis emerges should be in place.

Johnson & Johnson’s response to the Tylenol crisis is the textbook case for what constitutes a “world-class response.” In the fall of 1982, someone replaced Extra-Strength Tylenol capsules with cyanide-laced capsules, resealed the packages and deposited them on the shelves of at least a half-dozen pharmacies and food stores in the Chicago area. The poison capsules were purchased, and seven unsuspecting people died.

Upon learning of this tragedy, the Johnson & Johnson chairman immediately charged the company’s response team with two tasks – first, protect the people and, second, save the product. He didn’t make this up on the fly; the company’s credo challenged it to put the needs and wellbeing of the people it served first. The company acted swiftly to avoid further loss of life by immediately alerting consumers across the nation, via the media, not to consume any type of Tylenol product. The company told consumers not to resume using the product until the extent of the tampering could be determined. They stopped production and advertising of Tylenol, and withdrew all Tylenol capsules from the store shelves in Chicago and the surrounding area. After finding two more contaminated bottles, Tylenol realized the vulnerability of the product and ordered a national withdrawal of every capsule. By undertaking drastic measures in such a decisive manner, even though there was very little chance of discovering more cyanide-laced capsules, Johnson & Johnson demonstrated clearly that they were not willing to take a risk with the public’s safety, no matter the price of its actions. The end result was the public viewing Tylenol as the unfortunate victim of a malicious crime. Ultimately, further loss of life was avoided, the Tylenol product was saved, and the company’s reputation was enhanced.11


The 10 keys to managing reputation risk and how a company or institution addresses them will help shape the company’s reputation over time. They represent the essential “nuts and bolts” of managing reputation risk. Through strategic and cultural alignment, a commitment to quality, a strong operational focus and increased resiliency, companies can lay the foundation for building and sustaining a strong reputation. It is this persistent attention to what’s really important that offers the best approach to reducing reputation risk to an acceptable level.

1Governance Reimagined: Organizational Design, Risk and Value Creation, by David R. Koenig, John Wiley & Sons, Inc., page 160.
2“Assessing Risk: A Strategic Perspective,” Board Perspectives: Risk Oversight, Issue 30, April 2012, available at www.protiviti.com.
3“Integrating Risk with Business Planning,” Board Perspectives: Risk Oversight, Issue 41, March 2013, available at www.protiviti.com. 
4“Is Your Organization an Early Mover?,” The Bulletin, Volume 4, Issue 7, July 2011, available at www.protiviti.com.
5“Leveraging Social Business for Results: Moving Beyond Media,” The Bulletin, Volume 4, Issue 12, October 2012, available at www.protiviti.com.
6Includes suppliers, creditors, shareholders, regulators and the international, national and local communities.
7“Focus on the ‘Tone of the Organization’,” Board Perspectives: Risk Oversight, Issue 38, December 2012, available at www.protiviti.com.
8“Fine-Tuning Your Corruption Risk Management,” Board Perspectives: Risk Oversight, Issue 42, April 2013, available at www.protiviti.com.
9See Moments of Truth, by Jan Carlzon, Ballinger Publishing Company, 1987.
10Reputation, Stock Price and You: Why the Market Rewards Some Companies and Punishes Others, by Dr. Nir Kossovsky, Apress Media, 2012, pages 5-6 and 241.
11Crisis Communications Strategies, “Case Study: The Johnson & Johnson Tylenol Crisis,” U.S. Department of Defense.

The Bulletin (Volume 5, Issue 2)
