<strong>REPUT<strong>AT</strong>ION</strong>ALGOVERNANCEMind the gapEffective reputational risk management dependson strong governance. Because risks to reputationcan emerge from any corner of the business,companies need robust processes and reportinglines to ensure that key decision-makers areinformed as early as possible about emergingproblems. Among our respondents, fewer thanhalf (39%) think that they are very effective atputting in place governance structures to managereputational risk (see chart 4).Good governance starts with the board andmanagement team. Faced with a more severe riskenvironment, boards are becoming much moreactive in demanding assurance that reputationaloutcomes of risks and events are identified andmeasured. “Boards are requesting a lot moreinformation because they don’t necessarily have theintrinsic knowledge of the business to defend theirdecisions in the same way management would,”observes Mr Wittenberg.The CEO plays a critical role in reputational riskmanagement. Among our respondents, 57% agreethat ultimate responsibility for reputation risk lieswith the CEO or managing director (see chart 1). AsMichel Dennery puts it: “The CEO is the very firstrisk manager of the company.”But companies must ensure that there is absoluteclarity over where exactly the CEO’s responsibilitieslie. A common problem arises when a gap startsto open up between strategy and operations.“Boards and the CEO understand strategic risk andthe consequences of failing to execute effectivelyon strategy, but they may not be close enough tooperations to truly understand the reputationalconsequences of an operational failure,” saysMr Hurrell. “Often, there is a distinct separationbetween the board, which owns strategy, and thebusiness, which owns operations.”This highlights the importance for the CEO to playa co-ordination role in managing reputational risk.He or she should set the tone, lead by example andensure that everyone in the corporate hierarchyunderstands their role in managing reputationalrisk. The CEO may be ultimately responsible forreputational risk, but cannot manage it alone.Effective reputational risk management comes fromcomplete alignment across the entire business andfrom ensuring that every activity is carried out froma risk-aware standpoint.Role of the risk functionThe risk function plays an important part in thegovernance of reputational risk. A key part of itsrole is to serve as the conduit for risk information– collecting it from across the business, analysingit, and ensuring that it is passed onto the boardand management team in the right format andat the right time. “The board wants to knowthat the risk function is helping and supportingthe business in the way risks are reviewed andaddressed,” says Mr McGloin. “It’s about facilitatingcommunication and sharing new information sothe board can take the right decisions.”As the most senior executive in the risk function,the Chief Risk Officer (CRO) must be the “eyes andears of the CEO on reputation risks”, according to MrDennery. The CRO or senior risk officer can help theircompanies understand and define their risk appetite,and then put in place a strategy and efficientprocesses that reflect these attitudes to risk.Although many risk officers perform a veryvaluable role in managing reputational risks,they may be hampered by their position in thehierarchy. “heads of risk, even CROs, report to thefinance director or somebody below the financedirector and, from that position, they are unableto report on problems that come from abovethem, such as those related to culture, ethicsand leadership, which is where the root causes ofmany, if not most, reputational risks can be found,”says Mr Fitzsimmons of Reputability.All about cultureThe culture of an organisation sets the tone forthe way in which reputational risk is managed.20
<strong>REPUT<strong>AT</strong>ION</strong> <strong>AT</strong> RISKCompanies that develop and embed a strong riskculture, so that every employee understands theimportance of reputation and how easily it can becompromised, will be well placed to identify earlywarning signs and ensure that employees acrossthe workforce act in a way that will support, ratherthan damage, reputation.More than half of the respondents say that theircompany is very effective at instilling a culture ofreputational risk management throughout theircompany (see chart 4). “Leading companies arefocusing on trying to develop a culture of riskmindfulness across the company and embedding itamong the rank-and-file staff,” says Mr Wittenberg.and contractors. There needs to be a commonunderstanding of the risks confronting theorganisation’s reputation so that employees can actas successful “reputational ambassadors.” 3A commitment to quality helps to minimise therisks that can lead to reputational damage. AtAgfa-Gevaert, a company that produces analogueand digital imaging systems, a culture based aroundkeeping standards high and minimising faults,reduces overall exposure to reputational risk andbuilds a culture of excellence across the business.“Every individual in the company is using these skillsto deliver the best possible product,” says JohanWillaert, Corporate Risk Manager at the company.There are various pieces that, together, start tomake up a strong risk culture. First and foremost,a company needs a management team that iscommitted to driving a culture of risk managementthroughout the company. They should set the tonethrough their actions and behaviour, and use thisto embed certain processes and behaviours intothe business that help to support a risk culture.“ More than half of therespondents say that theircompany is very effectiveat instilling a culture ofreputational risk managementthroughout their company.”At HSBC, for example, employees are expectedto live up to certain behaviours and values, andthey will be measured on this in their performancereviews. “Everyone at HSBC is so conscious aboutreputational risk,” says Jeremy Sharpe, GlobalHead of Insurable Risk Management at HSBC<strong>Group</strong>. “If you don’t meet the behaviours andvalues of the group, you won’t get a good review.It’s very clearly articulated in the company.”This approach should also extend beyond thecompany into the broader supply chain. In the end,every individual working in or with a company sharesresponsibility for protecting and strengthening itsreputation, from the executive team to suppliers21