Reputational Risk: With Ownership Comes Great Responsibility
Like technology, reputation is an issue that’s rapidly evolving, connected to all parts of an enterprise.
It is difficult to believe in today’s digitally driven world that technology was not always a concern for boards and senior management teams. Not so long ago, technology would typically surface as an issue when a printer jammed or an email disappeared.
That changed in a big way with the advent of the internet and software applications. As the world became more digital, technology grew more important for boards and management. Senior leaders realized that someone needed to “own” this rising issue and provide insight on enterprise-wide decisions. Many organizations added chief information officers to the executive team and made sure a board member had relevant knowledge or experience.
I believe reputation is on a similar track. Like technology, reputation is an issue that’s rapidly evolving, connected to all parts of an enterprise, and requires a dedicated leader who has the ear of upper management and the board.
The Rise of Reputation
An organization’s reputation has always been important to business leaders. But as the world becomes more connected, issues go viral through social media, and reputational risks proliferate, many organizations are changing their approach to reputation—moving it from the realm of public relations or communications and into the purview of top leadership.
Today, reputation is a top tier risk for many organizations, and for good reason. In my view, it’s one of an organization’s most valuable assets. But who should “own” it? It’s a critical question to answer.
Get it right and you have a better chance at managing current or emerging strategic risks.
Get it wrong and you face the increased possibility of a major crisis and even a missed opportunity.
Leading Practices in Ownership
Based on a recent influential survey, there’s no doubt that reputational risk should reside at the highest levels of an organization. According to Deloitte’s Reputation@Risk1 report—which surveyed 300 executives from organizations representing every major industry and geographic region—36 percent said reputational risk responsibility resides with the CEO, followed by the chief risk officer at 21 percent, and the board of directors at 14 percent.
As is the case with Deloitte, I believe that the chief risk officer (CRO) is in the best position to accept responsibility for reputation. Just about every risk that an organization faces—cyber, third party relations, ethics and integrity, regulatory, etc.—are connected to its reputation. If, for example, employees try to take confidential information as they leave the organization, that’s an ethics and compliance risk, but it can also be a reputational risk if they’re successful.
The CRO understands the connections among reputational risk and other business risks and can articulate that impact to senior leaders. Organizations that understand reputational risk are able to adjust and mitigate enterprise-wide strategies and potentially turn risks and market disruptors into opportunities, hitting reputational risk head-on.
Addressing Risk Governance
Organizations should strongly consider establishing a risk committee of a board, rather than only having a finance and audit committee. The tendency and scope of a risk committee would be on strategic risks that impact reputation, not just matters impacting operational and financial risk. Furthermore, it forcers conversations on analytics and metrics that measure reputation rather than just financial materiality.
Board interaction and support can be significant for a CRO. Having a strong board risk committee with members who have diverse perspectives enables the CRO to address a wider range of strategic issues and to put in place world-class practices. Personally, I’ve found the discipline of having to prepare for a board risk committee meeting on a regular basis helps to ensure that the businesses are providing the information I need to manage risk. It has also led to better transparency between management and the board.
Well-established and frequent communications between the board and the CRO allow an organization to continuously improve its management of risk, by asking the right questions and establishing a collaborative environment, with clear expectations and no surprises.
Reputational risk ownership and structure can be different depending on industry, geography, and size. But it’s safe to say that—like technology—reputation will likely continue to be a top-of-mind topic for senior leaders at many organizations. From a business perspective, protecting, preserving, and enhancing your reputation can be a matter of survival or extinction.
Source: 1 Reputation@Risk, Deloitte’s 2014 global survey on reputational risk.