The consequences of reputational damage can be overwhelming. Warren Buffett, a man with a quote for every season, has wisely noted that: “It takes 20 years to build a reputation and five minutes to ruin it. If you think about that, you’ll do things differently.”
Sir David Walker, the incoming chairman of Barclays Bank, is clearly preoccupied with this question of culture and reputation. In his evidence to Andrew Tyrie’s Parliamentary Commission on Banking Standards, which has just begun its work, Sir David regretted that he had not said much on the topic in 2009, when he led a review of banks’ corporate governance for the Financial Services Authority. The commission is closely interested as well.
But which “things” need to be done differently, and precisely how? Sir David is by no means alone in finding this a difficult problem to address. The Basel Committee on Banking Supervision has noted that many banks failed to recognise the reputational risk associated with some of their business practices in the lead-up to the financial crisis, and that “the art of protecting reputation is poorly developed and understood”.
Unfortunately, banks think they are better at reputational risk management than their regulators do. They seem to recognise the problem: a recent survey conducted by the insurers Aon showed that financial institutions identified reputational risk as the third-biggest threat to their business, after the risks of economic downturn and changes in regulation. (For global companies overall, it is fourth on the list, though second in the UK, which may say something about our media.) Yet surprisingly, given the high-profile reputational disasters of recent years, 65 per cent of financial institutions think they have the issue well under control. Somehow that statistic is not reassuring.
There is no shortage of high-minded advice available to banks on how to behave well and maintain their reputation. One example is a well-intentioned paper on “Ethical Concern and Reputational Risk Management” published by Arthur Andersen in 2001, just before the Enron scandal blew up. It is not the only company where there has been a gap between aspiration and performance.
A key reason is that reputational risk, unlike harder-edged risks such as market and credit, is hard to measure and even harder to manage directly. There are no Excel spreadsheets for analysts to populate with spuriously accurate value at risk numbers. Reputational damage is usually a derivative of another problem, and often magnifies it: research published by the Federal Reserve Bank of Boston shows that the share price losses from reported cases of internal fraud are far higher than the sums lost by the fraud itself. Indeed, reputational risk may arise even where there are no losses: the Fed’s definition is the “potential that negative publicity regarding an institution’s business practices, whether true or not, will cause a decline in the customer base, costly litigation or revenue reduction”.
A consequence is that it is not sensible to charge one individual or department with defending the bank’s reputation. Nor is it wise to try to manage reputation directly. Holding the press and public relations departments responsible for reputation is a doomed strategy. Indeed the more an institution is perceived to be attempting to manage public perceptions, in a way detached from the reality of the business, the less successful this is likely to be.
Case studies of relatively successful reputational risk management in other industries suggest that a better approach is to begin by identifying the different groups whose behaviour and perceptions contribute to a company’s reputation. They clearly include employees, customers, suppliers (as NatWest bank recently discovered) and third-party agents, who may be the prime interface with customers, investors and regulators. The views of media and politicians, which will influence opinion, will typically be shaped by these groups that are more directly involved.
Companies need different reputational risk relationship managers for each of these different groups – although they will certainly not carry that title on their business cards. Both supervisors and human resources managers must bear responsibility for the behaviour of their employees. Business line managers should take primary responsibility for treating customers fairly, but the performance of support functions such as information technology, whether inhouse or outsourced, is also crucial. So awareness of reputational risk must be built into the terms of contracts, and into resilience and service standards.
There is a role for press officers and for investor relations folk. But they cannot be expected to make an editorial silk purse out of the sow’s ears of IT disasters, unearned telephone number bonuses or egregious cases of customer exploitation.
Perhaps the most overused phrase in this territory is “tone at the top”. It is both a cliché and a truth. Finely drafted codes of conduct are easy to ridicule. I imagine Enron had one, and maybe even Bernie Madoff too. The chief executive’s commitment to high ethical standards is indispensable, but in any large company it will not carry far beyond the corner office unless it is buttressed by a well-articulated risk management system, assigning responsibility for the different dimensions of reputation to the right places.
This article is co-authored by Maria Zhivitskaya, who is preparing a PhD in risk management at the London School of Economics