© Jacka 2019 Memphis IIA Professional and Student Annual Development Day October, 2019
© Jacka 2019
Memphis IIAProfessional and Student Annual Development Day
October, 2019
© Jacka 2019
© Jacka 2019
Why Reputation is Important
Reputation Risk Defined
Reputation Risk Management
Crisis Management
The Role of Internal Audit
© Jacka 2019
Why Reputation is Important
© Jacka 2019
It takes twenty years to build a reputation and five minutes to destroy it
If you think about that – you’ll do things differently
Warren Buffet
© Jacka 2019
Why Worry About Reputation?
Part of the format; not a reputation issue
© Jacka 2019
A decrease in 1 Star Rating can equate to a 10% reduction in revenue
An increase in rating by 1 Star Rating can equate to a 5 - 9% increase in revenue
© Jacka 2019
© Jacka 2019
© Jacka 2019
1. Damage to reputation/brand2. Economic slowdown/slow recovery3. Increasing competition4. Regulatory/legislative changes5. Cyber crime/hacking/viruses/malicious codes6. Failure to innovate/meet customer needs7. Failure to attract or retain talent8. Business interruption9. Political risk/uncertainties10. Third party liability
Global Risk Management Survey 2017 – AON Risk Solutions
© Jacka 2019
1. Economic slowdown/slow recovery2. Damage to reputation/brand3. Accelerated rates of change in market factors4. Business interruption5. Increasing competition6. Cyber attacks/data breach7. Commodity price risk8. Cash flow/liquidity risk9. Failure to innovate/meet customer needs10. Regulatory/legislative risk
Global Risk Management Survey 2019 – AON Risk Solutions
© Jacka 2019
1. Business interruption2. Cyber Incidents3. Natural catastrophes4. Regulatory/legislative changes5. Market developments6. Fire/explosion7. New technologies8. Climate change/increasing volatility of weather9. Loss of reputation or brand value10. Shortage of skilled workforce
Allianz Risk Barometer – Top Business Risks for 2019
© Jacka 2019
Factor/Impact Negative PositiveStock or other value Average 7% drop in
stock valueAverage 13.5% net appreciation of stock when restoring value
Investor Loss of quality investors
Attract quality investors
Third Party Worse third party terms
Better third party terms
Costs & Expenses Extra cost of liability, legal, compliance
Lower liability, legal, compliance costs
Time & Resources Loss as workforce involved in investigations and litigation
Resources focused on developing and doing business, value creation
Adapted from The Reputation Risk Handbook –Bonime-Blanc
© Jacka 2019
Factor/Impact Negative PositiveInvestigations One investigation
leads to anotherTransparency avoids and minimizes investigations
Personal reputations Everyone’s reputation damaged, especially executives and board members
Reputations intact
Business/mission Restructuring or demise of business
Resilience of business and business lines
Consumer Dissatisfaction leads to sales, volume, and pricing losses
Satisfaction leads to increased sales, volume, and premium pricing
Adapted from The Reputation Risk Handbook –Bonime-Blanc
© Jacka 2019
Factor/Impact Negative PositiveEmployee General
dissatisfaction, malaise, defection
Satisfaction, positive culture, esprit de corps
New Talent Hits recruitment, loss of good talent, lost jobs
More jobs, attract and retain coveted talent
Regulators Bad to worse relationships in multiple locations
More forgiving when/if problems arise
Media Under the media microscope
Good media coverage, if any
Social media The watch is on and uncontrollable, under the super-microscope
Coverage is positive & useful in enhancing reputation
Adapted from The Reputation Risk Handbook –Bonime-Blanc
© Jacka 2019
Reputation Risk Defined
© Jacka 2019
The possibility of an event occurring that will have an impact on the achievement of
objectives
IIA International Professional Practices Framework
© Jacka 2019
Reputation is what people expect us to do next. It's their expectation of the quality and character of the next thing we produce or say or do.
We control our actions (even when it feels like we don't) and our actions over time (especially when we think no one is looking) earn our reputation.
Seth Godin
© Jacka 2019
The emotional connection between stakeholders and organizations
The Reputation Institute
© Jacka 2019
© Jacka 2019
The potential that an event will impact the organization’s reputation in a way that will adversely impact that organization’s objectives
© Jacka 2019
© Jacka 2019
All RiskIs
Reputation Risk
© Jacka 2019
Reputation risk is an amplifier risk that layers on or attaches to other risks…adding negative or positive implications to the materiality, duration, or expansion of the other risks on the affected organization, person, product, or services.
The Reputation Risk Handbook – Bonime-Blanc
© Jacka 2019
Managing Reputation Risk
© Jacka 2019
Reputation Leaders Study 2016 – Reputation Institute
© Jacka 2019
Difficult to define Some organizations define it as an impact, not a risk Little information on how to manage Difficult to measure Defined by external perceptions
© Jacka 2019
Tone at the Top Understand Potential Reputation Risks Governance PR & Communications Integration Front Line Integration Crisis Plan Measure Monitor
© Jacka 2019
An appropriate culture and associated processes will minimize the potential for crises
to occur in the first place
© Jacka 2019
Culture◦ CEO is in charge◦ Visibly principled leaders who
communicate values, then live them Structure◦ Strong and integrated governance◦ Existing risk assessment program
© Jacka 2019
Speak-up Culture◦ Encourage early problem detection◦ Hot-line, ethics line, problem resolution
method Incentives◦ Values-based assessments and rewards◦ Support employees to guard reputation
© Jacka 2019
Approaches◦ Entity-wide surveys◦ Structured entity-level interviews◦ Gathered in all conversations
Resources◦ Best Practices: Evaluating the Corporate
Culture (Roth)◦ Enterprise Risk Management: Achieving and
Sustaining Success (Sobel & Reding)
© Jacka 2019
Risk Identification◦ Design system to identify and address areas of potential
exposure◦ Understand interdependent risks (fraud, IT, regulatory,
financial, etc.) Team integration◦ Cross-functional approach◦ Governance◦ ERM◦ Three lines of defense◦ Use internal and external resources
Strategic Integration◦ Strategy will drive reputation; reputation will drive strategy
© Jacka 2019
Executive oversight◦ High-level◦ Coordinate with experts◦ Knowledgeable
Board oversight◦ Standard discussion in board meetings◦ Built into strategic risk management, annual
planning, and long-term strategic planning
© Jacka 2019
Establish communication plan◦ Part of crisis management◦ Established policies and guidelines
PR & communications response teams◦ Identify teams for larger and smaller “mini”
crises. ◦ Information on when to escalate◦ Training for all teams
© Jacka 2019
Front-line business teams◦ Supervisors equipped to identify and deal
with reputation risk issues◦ Supervisors know what to do
Policies and guidelines◦ Addressed in relevant documents, policies,
procedures, etc. (e.g. code of conduct, hot-line protocols)◦ Clear and actionable language◦ Accessible
© Jacka 2019
Education and training◦ Understanding the basics of reputational
risk◦ Sufficient knowledge to recognize potential
crises and how to respond◦ Sufficient knowledge to provide input on
potential risks◦ Learning from mistakes
© Jacka 2019
Plan integration◦ Reputation risk issues integrated in crisis plan◦ Crisis team in place◦ Crisis management training
Rapid deployment force◦ Quickly focus on root cause◦ Necessary internal and external resources◦ Right team for identified root cause
Post-event SWOT◦ Debrief and lessons learned◦ Integrating lessons into updates
© Jacka 2019
Measure how reputation is perceived externally Sets the starting point Compare as a part of monitoring Measuring the Impact – an example◦ Any losses in shareholder value beyond
general market fluctuations which cannot be accounted for by financial costs from the event itself are pure reputational losses
© Jacka 2019
Essential to understanding how external stakeholders perceive the organization Monitor on an ongoing basis Monitor across all markets Monitor on a global basis Invest in staff, resources, technology◦ Full range of channels – traditional and
social media
© Jacka 2019
MessagingWhat you say
Word of MouthWhat people say
PerceptionsWhat people see
BehaviorWhat you do
GAP
GAP
GAP
GAP
GAP
© Jacka 2019
Crisis Management
© Jacka 2019
“I want my life back”Tony HaywardFormer CEO - BPTony Hayward
Former CEO - BP
© Jacka 2019
Even with the best reputation management, crises will happen.
If done correctly, crisis management can actually enhance the brand and reputation.
Companies are judged not on the crisis itself, but on the response.
© Jacka 2019
Deadly Blow◦ Organization/product/service/leader
“disappears” Enron, Lehmans, Arthur Anderson, Barings
Recoverable Hit◦ Organization/product/service/leader regroups
and recovers Siemens, BP
Enhancement Event◦ Organization/product/service/leader builds
reputational equity Johnson & Johnson
© Jacka 2019
Quick and agile (minutes not days) Predetermine when to mobilize a response Keep everyone informed – transparency in communications Role of the board◦ They should ask for a crisis management plan;
they should know the plan◦ They are not the spokespeople◦ Predetermine what events they need to know
© Jacka 2019
Build a Crisis Team Identify and Plan for Potential Crises Develop a Crisis Plan Develop Communication Protocols◦ Stakeholders◦ Spokesperson
Train, Re-Train, Keep Training Conduct Simulations
© Jacka 2019
Short and practical Consider all scenarios Who does what, when, and where List the team Internal and external contact details Crafted messages Proven ability to implement Develop a process to allow for flexibility
© Jacka 2019
Providing no response Replying “No Comment” Offering disorganized, conflicting statements Issuing a verdict before examining the facts
© Jacka 2019
Candor Explanation Affirmation Declaration Contrition Certification Commitment Restitution
© Jacka 2019
© Jacka 2019
June 2, 2015 – Two cars crashed The Spokesperson Compensation Ensure Safety Existing Dialogue Business Model
© Jacka 2019
Have a plan Train for it Test it
© Jacka 2019
The Role of Internal Audit
© Jacka 2019
The C-Suite◦ Conversations with the board◦ Conversations with the C-Suite
Assurance providers◦ Governance, ERM, Three Lines of Defense
Audits of other assurance providers
© Jacka 2019
Strategic-level audit◦ Is there a strategy?◦ What are the goals?◦ Are they being achieved?◦ What is the message?
© Jacka 2019
Operational reviews◦ Overall risk management approach◦ Policies and procedures◦ Monitoring processes◦ Crisis plan
© Jacka 2019
Lifecycle of Reputation Risk Management◦ Beginning Strategy Development Risk Assessment◦ Middle Policies and Procedures Monitoring◦ Outcomes Crisis Management Post Mortem
© Jacka 2019
Consider reputation risk for annual assessments Include in all relationship meetings Consider in all audit projects◦ Risk assessment◦ Considerations at management level◦ Understanding at all levels◦ Understanding of crisis management roles
© Jacka 2019
Has reputation risk been assessed? Is reputation risk a part of all risk assessment activities? Is there a crisis management process? Has it been tested? Do people understand the impact of their processes/operations/jobs on reputation?
© Jacka 2019
Defining and Managing Reputation Risk: A Framework for Risk Managers◦ AIRMIC
The Reputation Risk Handbook◦ Andrea Bonime-Blanc
Best Practices: Evaluating the Corporate Culture◦ James Roth
Enterprise Risk Management: Achieving and Sustaining Success◦ Sobel & Reding
© Jacka 2019
QUESTIONS?