The effect of GDPR, Data Privacy and IT risks on the corporate reputation
Business reputation is the perception stakeholders hold of a company's past and future ability to execute its strategy and meet their expectations. Managing and building this internal and external trust enhances the perceived quality of services, attracts talented leaders and business partners, improves performance, eases access to capital, creates differentiation, delivers sustained earnings and increases market value. Reputation is the final consequence of how far ethical values have permeated the corporate culture and become visible to stakeholders. Corporate values need to be more than self-proclaimed to improve the image stakeholders perceive.
How to manage the effect of risks on corporate reputation has received substantial attention over the past decade. However, risk to reputation has always been assessed by ERM practitioners. For instance, investing in public relations, promoting an image of social responsibility and testing a crisis management protocol are long-established control measures to reduce the impact of risk on intellectual capital and other intangible assets.
The reputational risk and impact
Is it better to manage reputational risk as a first or second-order risk?
Corporate reputation cannot be isolated in a single variable, since it is a derivative of intricate actions and communications with stakeholders. Because reputation is the outcome of such activities and interactions, the concept of "reputational risk" may not be useful in Enterprise Risk Management (ERM) as a meaningful, distinguishable category. Dealing with the impact of operational and compliance risks on reputation may be easier to understand, in particular for the risk owners. The risks affecting reputation are usually those related to business interruptions, customer dissatisfaction, fraud, corruption, compliance failures and personal data breaches, inadequate product testing, and environmental damage. Reputational risk is the "risk of risks", and it can be elusive to link to an action plan that controls specific risk factors, or to manage as an individual item.
Even where reputation is linked to the impact of another tier-one risk, some ERM practitioners apply the concept of "reputational risk" to deal with the gap between the current and the target reputation. The actions under this approach are not oriented to crisis management but to proactively managing the expectations of stakeholders as part of company strategy. This non-derivative approach may cover risk factors unrelated to operational risks, for instance attacks from a particular interest group, cases of extortion, or unfair treatment by the media.
When assessing the risk of unjustified public attacks, for example through rumours or negative publicity, there is no primary operational or compliance risk to treat, but rather a competitive or political risk. This approach also better covers the objectives of marketing, communication, corporate social responsibility, public affairs and investor relations, and ultimately those of the Board and C-level. Dealing with reputation, both as a risk and as an opportunity, may require a distinct category. However, the action plans under this approach may be challenging to implement and coordinate.
How to assess the reputational impact?
A leading topic at nearly every risk management conference is how to value reputational impact. Reputation is so intangible, qualitative and unique that it is hard to value its depreciation as an asset. However, boards and risk owners need a quantitative measure in order to manage it. It is essential to quantify reputational risk in terms of its likelihood and financial impact.
The economic implications for reputation are usually quantified using:
- Return on investment of communication program
- Customer acquisition and retention rates
- Procurement terms
- Financing terms
- Employee hiring and retention rates
- Compliance and regulatory investigation costs
- Lawsuits and litigation costs
- Business opportunities in mergers, acquisitions and partnerships
- Market value
The risk factors affecting reputation may have an external origin, as a result of a failure in the supply chain or in outsourcing. The impact on European retailers of the Rana Plaza collapse, a garment factory building in Bangladesh, is a clear example of how subcontracting may harm reputation. Even when the risk factors are external, risks to reputation cannot be transferred externally. This limits the action plans to preventive controls and to a few reactive incident responses that must be taken immediately. Protecting reputation should lead to careful selection of suppliers and other business partners, as well as of company leaders, customers and investors.
The velocity of the impact is increasing because of the interconnectivity of stakeholders, social networks, decreasing customer loyalty and global mass media. Stakeholders' beliefs and expectations are also changing rapidly, and business practices should evolve to meet them.
Discussing academic aspects of risk management, such as whether reputational risk deserves its own category, should help organisations to protect their intangible assets and to cope with damage to their reputation.
Source: Hernan Huwyler, MBA CPA
Director, Corporate Governance, Global Risk Management ERM, Compliance, Audit, SAP, Fraud & Security, SOX Controls