
Tuesday, 20 September 2011

Enterprise Risks have causal relationships, and they ALL impact Reputation Risk


On the topic of Corporate Governance, I stumbled across an article today that I wrote for Business Day - South Africa’s biggest and best business news daily - all the way back in 2003 already! It was entitled “Corporations Look At Risk in Broader, Strategic Manner”, which was an outline of the increasing role of Enterprise Risk Management for the Board of Directors in listed companies, but specifically talking about one of the major shortcomings of Enterprise Risk Management from the Chairman's perspective. 

Sadly, the above shortcoming has not yet been addressed almost a decade later, the shortcoming of not quantifying risk, and therefore not being able to balance the expected impact of that risk with the costs of managing it! You may say that risk cannot be quantified. Well, it most certainly can - it happens in corporate finance all the time using simulation methodologies, an approach I have been using for a decade now to successfully quantify uncertainties in investment risk. But more on risk quantification in a later article. 

Coming back to the subject of this post, I wrote another article for Business Day that same year, talking about the causality of risks across the enterprise. This important issue is still not on the Enterprise Risk Management radar either, and yet it makes Reputation Risk so much easier to manage at the operating level, that is, way before it ends up making an embarrassment of everyone on national TV! Now while I have already explained why Reputation Risk Management is the Board of Directors' ultimate responsibility, I now want to emphasise how the risk builds up in an organisation (causality).

Reputation risk can begin in the following places:
  1. At the resource level, being capital, people, IT systems and infrastructure such as buildings. With apologies to people everywhere, these are basically "procurement" and asset management issues, based loosely on a specification and a price, some procured using capital, others procured as an operating expense, and still others obtained through accumulation such as customer data.
  2. At the process level, the engine room, which relies on the people, the technology and other elements of infrastructure and data, all organised in a particular way to make the business work
  3. At the business model level, we have the manifestation of people, process and technology in the channel network, a product, and a market being a group of customers
  4. At the output level, we have financial results, a social impact (e.g. customers), and an environmental impact.

Now at which level do we experience Reputation Risk? Well, before we answer that, it would be useful to define Reputation. Here's an older but still very useful definition: 
Reputation is a representation of a firm’s past actions and results that describe the firm’s ability to deliver outcomes to multiple stakeholders (Fombrun & Foss)
Given this definition, an external stakeholder can mainly make an assessment of reputation based on the outputs from the firm, i.e. at level 4, but the fact of the matter is that there are external stakeholder interactions at each of levels 1 to 3 as well. The difference is that the interaction with external stakeholders is as a result of:
  • internal policies, procedures, standards and guidelines (PPSG) for levels 1 to 3, 
  • while at level 4, it is an output of the firm as a result of all of its processing, being profit, contribution to society, and the extent of the impact of the firm's operations on the environment.

It is vitally important to realise that risks materialised in level 1 impact the performance of level 2, which may raise its own risks. Risks materialised in level 2 impact the performance of level 3, which may again raise its own risks. Finally, risks materialised in level 3 impact the outcomes of the business, which may raise level 4 risks.

As a simple example illustrating the most extensive type of cause-and-effect risk manifestation, poor staff selection in level 1 can result in poor business discipline being applied in level 2, which can result in poor customer interaction in level 3, which results in a negative customer experience. The negative customer experience becomes a reputation risk, because the customer could communicate the poor experience within his/her community, or even to the media.

The point is that risk needs to be managed at each level, NEVER FORGETTING that a poor execution of risk management practice at one level may cause an entire chain of negative events to unfold, eventually manifesting as output-side reputation risk. However, remember that it is not only at level 4 that reputation risk becomes evident. It will already be evident at level 1 in the case of the example of the risk of poor staff selection materialising as high staff turnover, which in turn will create a negative impression in the job market on potential employees, which too is a form of reputation risk! In other words, there is the potential for a DOUBLE reputational risk impact at each level of the organisation, the realisation of which will now keep many a chairman and CEO awake at night!

Ultimately, all risks are linked, and all have the potential to impact reputation risk, so it is the responsibility of every staff member, manager, director, executive, CEO and even the chairman to think of risk in this way. For those that thought PPSG was just administration, well perhaps you understand how the company's biggest risk is impacted by the quality of its PPSG! Unfortunately, probably the de facto risk management tool out there for corporates, BarnOwl, does not accommodate risk dependencies. If it did, a manager at a particular level would be wary of the input risks impacting his area of operation, and thus his performance, thereby increasing the cross-functional management of risks out there!
