GREATEST THREAT TO AN ORGANIZATION

Rough Notes, Apr 2005 by Moody, Michael J

Reputation risks may be the most serious threat to a corporation's market value

Enterprise risk management (ERM) continues to gain acceptance within corporate America. Over the past few months, there have been a number of Chief Risk Officer (CRO) appointments. While many of these newly installed CROs have been in the financial services sector, activity in other sectors is also occurring. Additionally, Forrester Research indicates that the movement to CROs is just beginning. In their recently released study "Trends 2005: Risk and Compliance Management," they predict that by 2007, just a short two years away, 75% of all large, critical infrastructure companies (health care, finance, energy, transportation, utilities and telecommunications) will have established a formal enterprise risk management office with a CRO in charge.

New CROs will find that today's corporations face a wide variety of risks, and it is sometimes difficult to determine the ultimate impact of each risk on the organization. It is therefore hard to select one risk that represents the greatest threat to the organization's market value. However, the CROs will soon find that with increasing frequency, corporations have begun to recognize that reputation risks are a strong candidate for this title. As a result, reputation risk has been steadily rising on the corporate agenda of many companies, and it will be a major challenge for any risk manager.

View from 25,000 feet

While advancement of the ERM concept will continue, some corporations persist in taking a silo approach to their risk management programs. As a result, many managers are left to deal with only the risks with which they are directly involved. Thus, these corporations have no one looking at the risks across the entire enterprise. Advocates of the ERM methodology continue to challenge this silo approach. The ERM approach gives an organization a holistic or 25,000-foot view of the enterprise's operations and thereby a more complete picture of the risks facing the company. The emergence of reputation risk as a serious threat makes it critical to move to the 25,000-foot view, as this may be the only way to get a handle on this increasingly important risk.

According to Carlo di Florio, director in the Governance, Risk Management & Compliance Practice at PricewaterhouseCoopers (PwC), "Reputation risk is an aggregation of discrete events and risks that, taken individually, may not be apparent to the risk manager." He goes on to say, "Unless these events and risks are viewed in the aggregate, they may not be seen as significant to the enterprise." Proper reputation risk identification, assessment and management are totally dependent on viewing the organization from a holistic perspective that is simply not available in the silo risk model.

Sources of reputation risks

There are three primary sources of reputation risk to an organization, according to PwC. The first is a weak control environment or organizational culture and a failure to meet stakeholder expectations. It is not enough today to strive for regulatory compliance; rather, an organization must create a "values-added culture of compliance and ethics," says di Florio. Companies must be willing to go beyond the regulatory compliance issues and instill a top-down culture of doing the right thing so that they meet not only regulatory requirements and expectations, but also the expectations of other key stakeholders. For this reason, it's important for corporations to determine who their stakeholders are and what their expectations are. It's often the failure to meet stakeholders' expectations and the company's own internal standards of business conduct that result in reputation risk and a loss of brand value.

Identifying and prioritizing all of an organization's stakeholders can be a daunting task, made even more complicated by a recent trend of holding companies accountable for the business conduct of the "extended enterprise," including suppliers and business partners. Today's business models do not allow an organization to limit its compliance responsibilities to itself, but rather broaden the focus to the extended value chain. This results in corporations having to extend their governance, risk management and compliance standards to business partners, joint venture partners, suppliers, customers and the like.

An example of this extended accountability model is the new anti-money laundering regulations that require a financial institution not only to "know its customers," but also to "know its customers' customers," so it will be able to effectively identify and report suspicious activity to authorities. The sweatshop and child labor issues are another example of the extended accountability model. This will become a growing source of reputation risk in the future because, as di Florio points out, "it places increased expectations that an organization's risk management standards and processes will be consistent with and cover the 'extended enterprise.'"


 


Content provided in partnership with ProQuest