Reputation risk is everywhere these days. No business seems to be immune, with the papers always running stories that put you off dealing with one company or another: the failing banks that are paying out big bonuses
; Tesco employing “slave labour
”. Was it always like this? I suspect social media has a part to play in speeding, spreading and amplifying bad news.
Businesses are certainly worried by this intangible, emerging risk and with good reason. At a well-attended Risk Frontiers Emerging Risk seminar, organised by the magazine Commercial Risk Europe
and sponsored by Allianz, Alan Punter, visiting professor in risk management at Cass Business School, discussed the findings of a study carried out on behalf of Airmic entitled “Roads to Ruin
The study investigated 18 high profile corporate crises from 1999 to 2009, including companies such AIG, Arthur Andersen, BP, Cadbury Schweppes, Enron, Firestone, Northern Rock, and Société Générale.
In seven cases the company involved collapsed, in 16 cases the companies and/or executives were fined, in 11 cases the chairman/CEO lost their job, and in four cases, executives went to jail. Most of the companies saw a loss of capitalisation, an impact on their share price, and damage to their reputation and brand.
But there were lessons to be learned.
The first lesson relates to board skills, dysfunctional boards and “NEDs”. Professor Punter said that boards did not appear to be in control of the business, or did not understand the fatal flaw in the business model, or did not stand up to dominant CEOs. “The leaders were lacking the skills necessary to exercise oversight of the business,” he said. He pointed in particular to non-executive directors, or as he calls them, “non-effective directors”.
Boards’ risk blindness was another observation. “Boards are not focusing on the important risks, including threats to reputation and to the licence to operate. Boards are not setting and controlling risk appetite. And there is a failure to appreciate the risks presented by complexity, and its ability to cause and exacerbate events,” he said. He added that there was also a failure of board leadership on ethos and culture. “A lot of the problem lies in the UK/US model of corporate governance. It seems that boards are not fit for purpose,” he said.
The study found that too often there is an inadequate flow of important risk information across or up and down the organisation. Professor Punter said there was often a risk glass ceiling, which he described as an inability or unwillingness of risk management or internal audit to report on risks up to C-suite executives and non-executive directors. This was especially the case where risks were not the normal insurance or operational risks, but risks that stemmed from strategy, behaviour or culture. Risks that the risk manager maybe thought he didn’t have the brief to report on.
Professor Punter said that firstly, risk professionals need to be able, and feel confident, to report on risks that may not be (or perceived by them or the company not to be) within their area of responsibility, especially in relation to the activities and behaviour of their leaders. “Risk professionals need to feel able to report and discuss what they find up to the board level. And there needs to be a rethink from the board down about how to capture emerging risks related to the company’s strategy, culture and behaviour,” he said.
He concluded that companies should think about outcomes rather than just perils, and then work back from significant outcomes and identify the risks that could cause that outcome.
Phil Ellis, CEO of the global solutions consulting group at Willis, told the seminar that Willis’ own research of 600 publically-held companies revealed that, on average, a company faces an event that damages its reputation every seven years. The research showed that these 600 companies had faced 1,853 crisis events, of which 50% were due to a failure of the company’s strategy or business model.
Ellis said that crisis events happen to the best companies, are difficult to predict, and resulted almost universally in an executive job loss and more importantly, a liquidity issue, and a potential stock price slide. Lines of credit dry up, he explained, and new lines of credit are only available at unfavourable rates.
What neither of them mentioned was the role of the chief risk officer in all this. It is encouraging that more big corporations are appointing CROs. A bad reputation “outcome” should never happen to a corporation with a CRO. That’s because an effective CRO should have the qualities and the enterprise wide purview to cover all the shortcomings identified by Professor Punter.
Of course businesses have to take the CRO position seriously and not simply pay lip service to the trend when they create job. In that sense they would do well to look to the insurance industry and the way big insurers in Europe and North America have moved to appoint CROs with access to all corners of the business and - most important – a direct line to the board of directors.