Despite the clickbait title, the messages are in the article are important to the risk profession and are purely practical. First few caveats, corporate reputation is important, even a perception of wrongdoings can affect funding, sales and cost of doing business. Importance of reputations for both profits and non-profits is not up for a debate. Second caveat is that reputational risk in this article is just an illustration, the same underlying principles apply to all other “marketing” risks like ESG, geopolitical and whatever bs consultants will come up with next.
Taleb calls it X and f(X)
One thing that dislike in risk management in financial services is the fact that regulators siloed risks into separate categories. Separate risk reporting for market risks, credit risks and operational risks, etc. Sure, it still all comes together for the capital adequacy assessment but the damage is already done. Risks and not decisions / objectives became the corner stone of methodology. Separate teams, methodologies, regulatory requirements for each risk category.
This is what Taleb calls X and f(X). Sure we can quantify any risk, build a loss exceedance curve and even make important conclusions related to the mitigation of that specific risk. This is called X. But it is so much more useful to measure the effect of risk on a decision or an objective instead. This is called f(X) or function of risk.
So this is the first issue with reputational risk. Unless there is a mature and liquid market for reputational risk mitigation, like hedging in market risk, bank guarantees for credit risk and insurance for operational risk, there is little practical use to measure, assess and treat reputational risk as a standalone risk. By the way, if you didn’t get the irony, there isn’t a market for reputational risk mitigation, so no real reason to treat it as a risk.
What’s then? f(X) on the other hand makes a lot of practical sense. When doing risk analysis for decisions or as part of planning, budgeting or forecasting, it makes a lot of sense to treat reputation as one of the factors affecting assumptions making them more expensive, less favourable or completely unavailable. The trouble with this paragraph is that it only works in RM2, where risks are assessed not as events with likelihood and impact but as volatility of assumptions and scenarios. Here is an example.
In RM2, scenarios associated with the effect of reputation on cash flows are assessed regularly and yet the reputational risk as a standalone risk is superfluous.
A risk is a risk when it can be aggregated and the aggregation leads to mitigation
The second issue I have with reputational risk is that it is an umbrella marketing concept, just like ESG or geopolitics, that actually houses hundreds of specific and quite tangible issues and risks. For example market risk is actually price risk + interest rate risk + FX risk. Price risk in turn includes price risks associated with different products, different geographies, different indices, etc. This aggregation is quite artificial and driven purely by regulator and maybe by the fact that mitigations are similar. Unlike market risk, which has been defined by regulators, there is no regulation for reputational risk, so it is a hodgepodge. Anyone can claim anything is a reputational risk, because in a way it is, every risk on the planet has some reputational consequences. We see the same silly situation in ESG where it is 1000s of unique risks but the media mainly cares about climate change.
So while we technically can develop a methodology to assess all examples of reputational risks and even aggregate them into a single loss distribution. Ironically NOONE who makes their living on selling the sexy topic of reputational risk would have even the slightest clue how to do it. The real question should be – why bother? Without even doing the calculation I can tell you reputation@risk will be a subset of cashflow@risk because not all forecasted volatility is associated with reputational events. So what? What does this tell you? Does your mitigation maybe depend on the reputational VaR? It doesn’t. Most mitigations these gurus propose are training, disclosure and other very basic and intuitive measures. Things companies can and should be doing regardless of how significant the risk is.
In summary, reputational risk is only useful for marketing brochures and empty conference talks, there is no practical application of the idea to manage reputational risk as a standalone risk. Prove me wrong in the comments.