A new picture...
Developing the financial services industry
Reputation is one of the most intangible but fundamental drivers of business performance. Damage to reputation can arise from a wide range of causes, and have widespread adverse impacts. For financial services firms, effective management of reputational risk is an increasingly important priority, as Thomas Kaiser explains.
Over the last year it has become apparent that the economic crisis has severely damaged trust and confidence in financial services, a situation which now needs urgent attention [1]. Financial institutions depend on mutual confidence. Stakeholders, ranging from shareholders to counterparties to customers, base their behavior on perceptions of a company's soundness, reliability and performance - all those factors which together contribute to the intangible but vital concept of brand identity. One of the fundamental underpinnings of a brand is reputation, and effective management of reputational risk is increasingly being recognized as crucial to rebuilding a successful corporate strategy.
Damage to corporate reputation can arise from a range of events, from adverse trends in core financial performance to poor customer service, excessive customer complaints and regulatory infraction. Its consequences can be profound. In a competitive market with many broadly comparable products on offer from similar suppliers, shareholders and customers alike can switch allegiance rapidly. At the extreme, a collapse in share price or a run on a bank can destroy an institution or make it prey to hostile takeover. Internally, too, a weak reputation can severely hamper the recruitment and retention of talent. Getting brand reputation right is a foundation for future success [2].
Reputational risk interacts in complex ways with other sources of risk facing a financial institution. Many events which are primarily seen in terms of credit, market or operational risk are likely to have adverse spin-off impacts on reputation as well. Examples such as large financial losses, widespread customer defections or major systems failures show this clearly. Equally, damaging reputational risk events which result in business detriment will also impact on core business performance, credit rating, market position and so on. Sustaining a positive reputation, and avoiding it being threatened, are an essential defense.
This is not simply a matter of self-interest. Regulators are showing much greater interest in ensuring that all material risks which institutions face are adequately managed and covered; in the aftermath of the crisis, with heightened sensitivity to market volatility and systemic risk, regulatory pressure will only increase. Already, capital adequacy requirements are being imposed to reflect the effectiveness of an overall risk management framework. Germany's financial supervisory authority, BaFin, requires insurance companies to implement a reputational risk management framework. The China Banking Regulatory Commission has recently issued guidance on implementing reputational risk management as an integral part of corporate governance and a comprehensive risk management system.
However, implementing an effective management framework is not straightforward, partly because the concept of reputational risk is itself complex. Reputation management is comparatively simple. Traditionally a responsibility of marketing, public relations and external communications, developing a desired reputation depends on creating a sustainable connection between target characteristics of features such as quality, price and service and external perceptions of these. Reputational risk management focuses on identifying potential threats to the desired reputation - whether objectively justified by company performance or not - and either preventing their occurrence or mitigating their consequences.
A further complicating factor is that quantifying reputational risk is harder than quantifying market or credit risk. There is little sense in the concept of a particular level of reputational risk preference, a quantum of risk for which the reward can be predicted and the price acceptable. Reputational risk is qualitatively different, and has to be managed in a more subtle and judgmental way, rather than according to a mechanical framework.
But benefits flow from this characteristic too. In particular, eliciting the desired attitudes and behavior among staff can often be more successful against the background of an explanatory, qualitative perspective than a set of numerical targets. Equally, this implies that reputational risk management depends on an understanding of the business as a whole and its exposure to a range of risks, and that while it remains the specific responsibility of the risk management function, it needs attention by everybody in the business.
Successful reputational risk management therefore depends on effective cooperation and communication: cooperation between senior management (defining the target reputation and the overall risk strategy), centralized risk management functions (owning the methodologies and processes for any risk management framework, including reputational risk), corporate communications (which are key to mitigating reputational risk and also play an important role in identifying and assessing it) and last but not least the business (which on the one hand can generate risk, for example by designing flawed products, but can also mitigate it through careful analysis, proper communication with customers etc).
The reputational risk management process needs to encompass the following steps [3]:
Since many of the core concepts are similar, formalizing a reputational risk management framework where there is no such specific function can most easily begin by extending existing risk identification and assessment methodologies, for example in the operational risk field. Once the relevant risks are defined, specific reputational risk mitigation measures can be put in place. The necessary organizational linkages to business lines, senior management etc. will drive the development of appropriate reporting and communications mechanisms.
It is less important who 'owns' reputation risk, and where it sits in a corporate structure, than that effective risk management processes are put in place, and the resulting assessments and mitigating strategies are communicated to relevant decision-makers.
The ultimate aim is a reputational risk management framework which aligns with the institution's strategic objectives and applies on a company-wide basis. Such a system will be capable of monitoring and controlling the overall condition and effectiveness of company-wide reputational risk management. In this, it will realize the benefit of generating real value for the business rather than simply ensuring compliance with regulatory requirements.
Thomas Kaiser
Director
KPMG in Germany
+49 69 9587 4114
1. See: 'Addressing the trust gap: Renewing confidence in the financial services industry', frontiers in finance, KPMG International, June 2009.
2. See: 'How do you want to be seen?' frontiers in finance, KPMG International, September 2009.
3. 'Rules of honour', Kaiser, T. OpRisk & Compliance, www.risk.net/oprisk-and-compliance, June 2008.