Note: In the following guest post, Rob Fleming of the Clark Nuber consulting firm provides some guidance on how to manage one of the many "uninsurable" risks: reputational harm. We appreciate Rob's willingness to contribute a guest post to our blog! - Seth
Companies face complex risks each and every day. Not all of these risks are mitigated by insurance products. Risk managers face an increasing universe of risks that are not really insurable. Natural disasters, loss of a key decision maker or cyber-attacks can be insured against—but how do companies minimize exposure for new regulations, new presidential executive orders, or changes in the political or economic landscape? And how can companies respond when these events are often happening at the same time?
Risk managers do their best to identify company exposures not only for insurable risks but also for uninsurable risks, and then work to reduce their exposure. Risk management, or Enterprise Risk Management (ERM), typically involves identifying particular events or circumstances that could cause harm to an organization, then assessing potential events in terms of company risk tolerance, likelihood and magnitude of impact, and possible response strategies, and finally monitoring progress.
There are ample reference materials describing the risk management process. The five risk areas most often addressed within this framework are risks related to assets, revenue, data, key personnel, and reputation.
This last risk—reputational risk—is getting special attention recently because of how fast news can spread (particularly through social media), whether accurate or not. And the resulting harm can be very damaging. Let’s take a closer look at reputational risk.
Reputational risk is the risk of loss resulting from damage to a firm's reputation, causing lost revenue, increased operating costs, or even loss of stock value. Adverse events typically associated with reputational risk include ethics, safety, or data security breaches and product quality failures. Extreme cases may even lead to bankruptcy (as in the case of Arthur Andersen). The reputational damage may not always be the company's fault, as in the case of the Tylenol murders, which left seven people dead in 1982.
We have all seen how reputational risk can jump out of nowhere—such as the wrong envelope recently given out by the accounting firm PwC at the Oscar awards, or someone capturing videos of a passenger being removed from an airline.
A company’s reputation is often said to be its most valuable asset. No amount of money can restore reputation once it has been lost. Therefore, you must have a proactive approach to managing even minor situations with the public.
Warren Buffett once wrote in a letter to his top managers: “We can afford to lose money—even a lot of money. But we can’t afford to lose reputation—even a shred of reputation.”
Five Things You Can Do Now to Protect Your Reputation
Review current insurance coverage
Insurance coverage should be reviewed to make sure it covers new developments, to the extent possible. New developments can result from emerging risks (such as cyber-attacks) or new court decisions that increase liability risk. Having insurance can mean money is available to resolve a claim before it hits the papers and damages reputation. Consult with your insurance providers and advisors to make sure your insurance is adequate and current.
Organize an ERM process
The ERM process is simple: understand the risk tolerance of your company, identify risks based on interviews and observations, quantify risks as to impact and frequency, and mitigate/monitor the identified risks. When quantifying risks, watch for impact more than frequency. Generally, impact or magnitude is much less predictable than frequency but can be much more devastating to the organization. For example, consider the BP Gulf oil spill.
Organize a Safety Committee
The purpose of a Safety Committee is to help reduce the risk of workplace injuries and illnesses and ensure compliance with federal and state health and safety regulations. Establishing workplace-safety committees is one way management can encourage employees to participate in implementing and monitoring the company’s safety program.
Add board members with specialized skills
Risk-taking lies at the heart of all entrepreneurial activity, and monitoring management’s efforts to identify, monitor, and manage risk is a key responsibility of the board of directors. The board has a vital role to play in assisting management to:
- Focus on the risks associated with corporate strategies and the ever-changing business and geopolitical environment
- Determine the company’s risk appetite
- Devote appropriate resources to risk identification and monitoring.
Identifying and understanding both emerging and long-term risks can be difficult. Boards should press management to continually scan the environment and think about both the immediate future and the longer-term outlook. Many boards have added directors with specialized skills to help navigate unique risks associated with their companies.
Implement strong policies and procedures
Some risks, such as those resulting from inappropriate or unethical behavior, can be reduced by having strong policies and procedures. Companies should have policies addressing behavior, such as an updated HR policy manual, a Conflict of Interest Policy, and a Whistleblower Policy.
Robert Fleming, CPA, is a consultant with Clark Nuber PS, an accounting and consulting firm located in Bellevue, WA. Rob has over 30 years’ experience advising and consulting with privately owned and tax exempt organizations. He can be reached at firstname.lastname@example.org.