Ignorance Is No Defense

In his latest blog post, Tom Walsh, RDC’s CEO, explores the importance of managing reputational risk in an increasingly transparent global economy.

When it comes to enterprise-wide risk management, most risks are relatively easy to define. If you’re in manufacturing and one of your key tools breaks down, it’s an operational risk. If you’re a mining company operating in a high-risk jurisdiction, potential governmental breakdown can lead to physical security risks for your staff. The term reputational risk is altogether more ambiguous. Historically, businesses have tended to see it as the combined risk of other risks to the public profile of the company. And as such, it has been seen as more difficult to manage or mitigate.

The Growing Value of Reputation

Based on conversations with clients, I see the traditional approach to reputational risk beginning to shift. Senior leaders are less relaxed about leaving risks around public perceptions as a secondary priority, and they’re starting to get proactive about making reputational risk a key part of overall risk management culture. There are many reasons for this. Certainly, as the domain of risk management becomes more mature, it’s natural enough that businesses look to better manage previously under-focused areas. But more importantly, there is a growing desire to be on the right side of the collective social conscience. Impressively, senior leaders I speak with are most interested in doing the right thing rather than simply being seen as doing the right thing. As a result, reputational risk is a topic getting far more board time than in the past.

There’s also no getting away from the potential impact of a declining business reputation on market and brand value. A World Economic Forum (WEF) study estimated that 25% of a company’s market value comes from its reputation. The multiplication of social media, news sources and investigative and citizen journalists means that just about any potentially damaging event is likely to appear online to a global audience at a speed that was hard to imagine at the time most risk programs were implemented. If your firm has a problem, then you can’t cover it up or ignore it, even if you want to. It’s more difficult than ever before to say we didn’t know.

Third-Party Reputational Risk

The traditional areas of reputational risk tended to be internal to a company, around financial management and performance and product and service quality; in other words, risks which affect how well the company delivers for its customer. But the concept is widening to consider other areas affected by the growth of the digital economy, such as how well a firm protects and respects its customers’ data security and privacy. And as I have found talking to clients, reputational risk is also increasingly focusing on third-party concerns about association with business partners, vendors and suppliers and even some major customers who have their own reputation issues.

It’s a story that we at RDC know well. For over a decade, large banks have faced well-documented investigation and regulatory fines in response to inadequate client due diligence. But the risks of reputational contamination go much wider than just the financial sector, as social media platforms recently found when linked to the potential misuse of personal data by partners. The short-term consequences of these events are considerable, with rapid drops in users and share price, yet the more compelling impact is the market hangover effect which executives from these companies are forced to address over many years to come.

Looking for Solutions

The scandals that have emerged from third-party risk are direct results of a failure of due diligence when acquiring a firm, onboarding a client, building a new business partnership, or procuring a new vendor. In financial services and other sectors obligated by Anti-Money Laundering (AML) and Counter Terrorist Financing (CTF) laws and regulations, there are already requirements that partially deal with this problem. Banks must identify and verify who a customer is, how they made or make their money, and whether they are potential political or sanctions risks. However, the obligated sectors don’t have to check for a wider range of reputational risks, and other sectors such as social media companies are not currently required to make any such checks at all.

But necessity is not the same thing as sufficiency. I suggest that it’s in the interests of any company to consider the third-party reputational risks most germane to their business. This isn’t to suggest that companies should blindly screen all customer and supplier cohorts in the same way; that’s clearly not proportionate or cost effective. Businesses need to take a Risk Based Approach (RBA) to what reputational risks they might face, depending on their business, client and vendor profiles. They also need to stay sensitive to changes in society that might pose new risks, which means any program must have the ability to be dynamic and changeable as environments change. For example, we are finding that financial services clients have shown growing concern about reputational stigma from servicing legal marijuana-based businesses that have now developed in several US states and Canada. We at RDC are seeking to respond to these kinds of concerns, and in this case, we have already developed specific data sets to help our clients screen for potential linkages to this still immature, but expanding, market.

Necessity and proportionality are the key.

So my take on this is – do a proper risk assessment for your business, and screen accordingly. Screening isn’t a panacea for reputational risks, but it’s hard to imagine any kind of strategy to tackle them that does not include a high-quality and dynamic platform as part of the solution. Helping the market find the precision and flexibility in screening solutions is what we at RDC are all about, focused on the risks that matter most to you and your business and ensuring that collectively we are all part of the solution.

Until next time,