GRC Tuesdays: How Risk Management Helps Protect Your Brand Reputation
In anticipation of SAPinsider GRC2016 in Las Vegas in a few weeks, I wanted to share with you some highlights from one of the presentations that I’ll be delivering, Managing Reputational Risk to Protect Brand Value.
We’ve all heard the Warren Buffet quote, “It takes twenty years to build a reputation and five minutes to ruin it. If you think about that, you’ll do things differently.”
But there is another one that I think is even more appropriate: “Lose money for the firm and I will be understanding, lose a shred of reputation for the firm and I will be ruthless.”
A reputational impact can have many direct consequences including:
- Drop in sales >> customers no longer want to be associated with your brand
- Drop in share prices >> because of uncertainties on sales and revenue, investors shy away from the company
- Conflictual shareholders’ and board’s relationships >> with a drop in share price, shareholders’ interests are affected and they hold the board accountable
Reputational risk is therefore not just a marketing issue, it can be a credibility and a business killer.
One of the major issues with reputational risk is that it spans across numerous stakeholders – customers and investors of course, but also analysts, media, regulators and control authorities, NGOs, partners, third parties and (let’s not forget) employees themselves.
Until recently, its velocity – the speed at which it manifests – was quite manageable, because unless it was a major crisis published in a newspaper, it was spread by word of mouth. Replace this with today’s exponential social media reach and it becomes clear why this is now a critical risk to consider.
I don’t claim to have the absolute solution but I would suggest an approach to manage reputational risk. Use the Plan-Do-Check-Act Cycle that business continuity managers know very well.
Plan: Prepare Your Governance for Ethics and Compliance
In this first step, I would suggest assessing the current situation: what already exists? From there, formalize the governance structure that will issue the risk policies. In this phase, you would also prepare a crisis plan and communicate it to all stakeholders.
As for any policy, I would recommend not only ensuring acknowledgement, but also its understanding by all the recipients.
Do: Formalize Your Risk and Control Framework
This second step is about documenting what could go wrong – the risks and potential occurrence scenarios – and then defining a sound mitigation strategy to address each case depending on their criticality. If I had a suggestion here it would be to assess the effectiveness of each response. A communication plan will help you reduce impact over time, but it won’t prevent a deficient product from reaching shelves in stores in the first place…
Check: Continuously Monitor Threat Levels
Risk context changes all the time. Review the threat levels by taking into account any new incident or near miss recorded. Also, define appropriate indicators that can notify you of any adverse trend so that you’re never caught off guard.
Do people start propagating rumors about your company? Get to know soon, so that you can decide proactively what to do instead of being rushed into action.
Act: Take Action (or Not!) but Always Communicate
Give your executives, including marketing and communications managers, the tools they need to be able to perform a guided decision on up-to-date risk information. Keep all the stakeholders up-to-date on the decision and name a spokesperson. There is nothing worse than discordant messages.
Reap the Benefits!
It’s not just all negative. Companies with strong brands have repeatedly shown:
- Facilitated recruitment of talents
- Increased and sustainable investor and business partner confidence
- Customer loyalty
- Top management stability
What about you? How do you manage this critical asset?
I look forward to reading your thoughts and comments either on this blog or on Twitter (@TFrenehard)!