Compliance Study_complet - pwc
© PricewaterhouseCoopers - Protecting the brand, May 2005
inappropriateness for the business. There was also risk in not communicating appropriately with the regulator(s). Clearly, the most explicit concern in this respect was that regulators moved the goal-posts, retroactively. Respondents said that these concerns considerably increase uncertainty, and risk stymieing business.
“[It] takes years to build it but can be lost in an instant”
Reputation risk<br />
Many respondents said that management’s biggest fear was damage to reputation and brand. Often, however, “reputation risk” or “brand risk” were not defined, sometimes intentionally in order not to dilute judgement.
Some respondents provided more granularity to a potential definition. Damage occurred when business behaviour, in any sense, was viewed as inappropriate by stakeholders, whether regulators, customers, other market operators, or - in certain businesses - the public at large. A German institution described it as “[..] broader than regulatory risk and is the risk of any activity that may impact the reputation of the business. It is not necessarily legal in nature.”
Respondents highlighted the inability to quantify this risk, or even to mitigate it thoroughly in all circumstances, particularly where it arose through no wrongdoing on the part of the organisation. Reputations could be tarnished by association. There was also the materiality factor: a media “feeding frenzy” could cause serious damage, however minor the incident.
Reflections<br />
Clearly, there was no overall consensus on a definition for these risks. The differences in the meaning and appreciation of the risks are understandable given the evolving nature of risk management, the different stages of evolution of compliance functions across organisations, the positioning of the compliance function within financial services organisations (legal, risk, operations) and the cultural receptivity towards regulation. However, the differences in the definitions point to the need for a common language and approach to compliance and regulatory risks, across sectors and between industry and the regulators. This would facilitate improved granularity in identifying and assessing compliance risks.
Considering the study’s responses, the definition of reputation risk is more generic: an over-arching risk, to which all areas of the business are susceptible, whether from the organisation’s own activities or from changing perspectives of external stakeholders which it fails to anticipate adequately. As a primary concern of management, reputation risk could, perhaps, provide a framework within which risks to the organisation can be correlated, and their interdependencies better appreciated. However, boards and senior management need to be realistic in terms of what the compliance function can achieve: it cannot mitigate reputation risk generally. Reputation risk can only be managed by the careful orchestration of the various control mechanisms within the organisation.