Despite the clickbait title, the messages are in the article are important to the risk profession and are purely practical. First few caveats, corporate reputation is important, even a perception of wrongdoings can affect funding, sales and cost of doing business. Importance of reputations for both profits and non-profits is not up for a debate. Second caveat is that reputational risk in this article is just an illustration, the same underlying principles apply to all other “marketing” risks like ESG, geopolitical and whatever bs consultants will come up with next.
Taleb calls it X and f(X)
One thing that dislike in risk management in financial services is the fact that regulators siloed risks into separate categories. Separate risk reporting for market risks, credit risks and operational risks, etc. Sure, it still all comes together for the capital adequacy assessment but the damage is already done. Risks and not decisions / objectives became the corner stone of methodology. Separate teams, methodologies, regulatory requirements for each risk category.
This is what Taleb calls X and f(X). Sure we can quantify any risk, build a loss exceedance curve and even make important conclusions related to the mitigation of that specific risk. This is called X. But it is so much more useful to measure the effect of risk on a decision or an objective instead. This is called f(X) or function of risk.
So this is the first issue with reputational risk. Unless there is a mature and liquid market for reputational risk mitigation, like hedging in market risk, bank guarantees for credit risk and insurance for operational risk, there is little practical use to measure, assess and treat reputational risk as a standalone risk. By the way, if you didn’t get the irony, there isn’t a market for reputational risk mitigation, so no real reason to treat it as a risk.
What’s then? f(X) on the other hand makes a lot of practical sense. When doing risk analysis for decisions or as part of planning, budgeting or forecasting, it makes a lot of sense to treat reputation as one of the factors affecting assumptions making them more expensive, less favourable or completely unavailable. The trouble with this paragraph is that it only works in RM2, where risks are assessed not as events with likelihood and impact but as volatility of assumptions and scenarios. Here is an example.
In RM2, scenarios associated with the effect of reputation on cash flows are assessed regularly and yet the reputational risk as a standalone risk is superfluous.
A risk is a risk when it can be aggregated and the aggregation leads to mitigation
The second issue I have with reputational risk is that it is an umbrella marketing concept, just like ESG or geopolitics, that actually houses hundreds of specific and quite tangible issues and risks. For example market risk is actually price risk + interest rate risk + FX risk. Price risk in turn includes price risks associated with different products, different geographies, different indices, etc. This aggregation is quite artificial and driven purely by regulator and maybe by the fact that mitigations are similar. Unlike market risk, which has been defined by regulators, there is no regulation for reputational risk, so it is a hodgepodge. Anyone can claim anything is a reputational risk, because in a way it is, every risk on the planet has some reputational consequences. We see the same silly situation in ESG where it is 1000s of unique risks but the media mainly cares about climate change.
So while we technically can develop a methodology to assess all examples of reputational risks and even aggregate them into a single loss distribution. Ironically NOONE who makes their living on selling the sexy topic of reputational risk would have even the slightest clue how to do it. The real question should be – why bother? Without even doing the calculation I can tell you reputation@risk will be a subset of cashflow@risk because not all forecasted volatility is associated with reputational events. So what? What does this tell you? Does your mitigation maybe depend on the reputational VaR? It doesn’t. Most mitigations these gurus propose are training, disclosure and other very basic and intuitive measures. Things companies can and should be doing regardless of how significant the risk is.
In summary, reputational risk is only useful for marketing brochures and empty conference talks, there is no practical application of the idea to manage reputational risk as a standalone risk. Prove me wrong in the comments.
RISK-ACADEMY guides and templates:
Check out other decision making books
RISK-ACADEMY offers online courses
Informed Risk Taking
Learn 15 practical steps on integrating risk management into decision making, business processes, organizational culture and other activities!
ISO31000 Integrating Risk Management
Alex Sidorenko, known for his risk management blog http://www.riskacademy.blog, has created a 25-step program to integrate risk management into decision making, core business processes and the overall culture of the organization.
Advanced Risk Governance
This course gives guidance, motivation, critical information, and practical case studies to move beyond traditional risk governance, helping ensure risk management is not a stand-alone process but a change driver for business.
Alex,
I have garnered significant value from your materials, and thank you again for last week’s Charity Risk Awareness conference…fantastic. On to reputation risk, I once was in complete agreement with you and would present a like position at conferences and training seminars. However, with the aggressive activities disrupting businesses with the stroke of a keypad, advancing false or misguided propaganda to damage a company via the various social platforms at their disposal, I view reputation risk as both a stand-alone risk and an outcome due to another risk(s) event(s) being realized that directly impact a company’s reputation. Keep the thought leadership coming.
Don Owens
What practical value will you get if you knew reputational risk was $200 million or high, disregarding the fact that it would actually take you months to calculate the aggregate risk?
Thank you for the interesting blog, Alex. I always had a problem with measuring reputational risk and normally deferred to the highest risk rating scored for other risk factors. However, if there was a need to categorise it, I would prefer Adverse Media risk as a better way to understand and measure reputational risk. Reputational risk is the result of adverse media (MSM, internet, and social) – no adverse media concerning an issue at your organisation, no problem with reputation. And adverse media can be caught early, measured, and mitigated against.
That’s one of probably a hundred risks that are usually bundled under the umbrella of reputational risk. That being said, what would quantifying the adverse media risk do for you?
I’m not a Risk professional, my experience was really limited to some regulated financial service business remediations, which included business risk assessments, and these were done a few years ago, so I was just musing on what you had written. I understand the logic of Adverse media as just one of many risks bundled under Reputational risk but, because there is such a correlation between them, me, as a layman, thought that adverse media risk might serve as something that could actually be used as a measure when trying to assess reputational risk
It could be used to measure a portion of the risk, the point of the article is something else entirely though. But doesn’t matter, thank you for the comments
Alex, I don’t always agree with you 100%, but in this case you are absolutely right. Reputation risk is best viewed as f(x) and it really can’t be measured in any meaningful way. Events and conditions that affect reputation re important, but reputation risk by its self is nonsensical.
I too think so
That was a very insightful article.
While I do agree that quantifying reputational risk would become a silly activity, there’s plenty of companies that don’t even address it properly. For those specific cases, presenting reputational risk as a priority might lead them to drive efforts for better reputational risk controls, even though the mitigation and the residual risk itself would be unmeasurable.
It makes more sense to talk about social media etiquette given reputational impact, product quality given reputational, marketing given reputational impact, etc. F(X), not X
Hi Alex, I am stoked to see this discussion on Reputational Risk. I remember long ago discussions whether reputation should be categorized as a stand alone risk yet, it looks like it has migrated that direction. I get how quantifiable assessments are the desired methodology for clear, clean outcomes in good decision making. I have found in my professional career, qualitative inputs emphasize more agile impact/likelihood outcomes for an enduring reputation. The measurement of success is not strictly a monitory value, more a societal value.