How companies can best tackle what many believe to be the biggest risk of all


Although reputation risk consistently tops major companies’ business agendas, well-documented crises continue to illustrate how poorly equipped even the most sophisticated corporations can be when handling widespread and highly damaging events.

The roll-call of VW, TalkTalk, PepsiCo and United Airlines reads like a rogues’ gallery of recent corporate misdemeanours. Regardless of the range of the events that triggered reputation damage – a diesel emissions cover-up, a cyber-attack, an ill-judged advertising campaign and passenger mistreatment – the impact of each was profound, financially damaging and ongoing.

But could better reputation management have minimised the damage these events caused, or even prevented them from occurring in the first instance?


To address this topic, let’s start by understanding what reputation is, and whether it is a risk in itself or a consequence of risk.

Corporate reputation is best defined as the combined perceptions of the stakeholders that matter most to a company. These perceptions are a mixture of emotions – trust, admiration, respect and positive feelings – underpinned by rational perceptions of a company’s core competencies, its leadership and the way in which it conducts itself.

Companies are reliant on stakeholders contributing their support when looking to achieve their business objectives: politicians granting licence to operate, institutions investing and providing capital, customers buying products and services, media reporting favourably and employees delivering on strategy. For stakeholders to provide this support, they need to trust, admire and respect a company. In other words, a company needs to have a good reputation to survive.


Reputation risk is an all-encompassing term that captures any issue or event that can compromise those feelings of trust, admiration and respect among stakeholders.

Reputation risks are risks in their own right, but importantly, they are not issues; neither are they the specific events that an issue can crystallise around. Instead, reputation risks are the intangible negative impacts that crises have on stakeholder perceptions.

All chief risk officers list risks in the form of issues, from market volatility to product recall and environmental impacts. However, to understand the reputation risk behind each of these issues, companies need to translate the issues into event scenarios.


Each corporate issue can have many reputation risks associated with it, and a number of tangible events can occur based on any given issue.

For example, if a retail bank is considering changing its business model from a branch-based delivery to a purely internet-based offering, job losses would undoubtedly be a reputation risk for consideration. In addition, further reputation risk exists in this scenario around trade union negotiations and potential client service issues as the new internet-based model is rolled out.

The first step to address reputation risk is therefore to work through the issues most likely to arise as a result of current and future business plans and operations, governance and third-party relationships, and not simply to establish the tangible risk, but also to scenario-plan around how stakeholder audiences may react to each event.

Currently, only a limited number of companies are proactive in building and managing reputation risk frameworks which address scenarios like the one described above. There is still work to be done to build the right culture in companies at board level to understand the importance of reputation risk to the business.


Traditional risk management builds risk exposure profiles by measuring impact and likelihood. While this process is useful, it measures the two variables by obtaining data from internal stakeholders – such as heads of department – rather than external stakeholders. To give an example, a common method of traditional risk management involves asking an internal R&D expert to define and predict the impact of a product recall scenario.

This approach is undoubtedly limited when dealing with reputation impacts. A company does not own its reputation; rather, the perceptions of external stakeholders ultimately own this judgement. As such, the impact of each risk on reputation needs to be evaluated by the stakeholder and not by internal executives. This approach will yield the most realistic impact assessments of the reputation risk rather than internal ‘second-guessing’ alone.


One key hesitation in undertaking these external assessments is that many in the risk community believe there is no clearly defined, systematic framework to follow when it comes to dealing with reputation risk.

To address this gap in management tools, Reputation Institute has worked with clients, members, and industry experts to develop a systematic framework for risk professionals, corporate communicators and ultimately CEOs - not only to understand and anticipate reputation risk, but also to develop clear mitigation strategies to put in place if the worst happens.

This turns intangible concerns into tangible and addressable business risks. And as we all know, what gets measured gets done.

The process is clear and simple:

● Quantify the impact of potential issues to your company’s reputation by measuring how stakeholders perceive the issue;

● Build the competencies inside the organisation to be ready to manage reputation risk; then

● Monitor the business environment to identify potential risks emerging.

Using Reputation Institute’s measurement model RepTrak, companies can break down reputation risks into seven tangible dimensions (products & services, innovation, workplace, governance, citizenship, performance and leadership) and quantify the potential negative impact of an issue to business success.


With this in hand, we can then apply standardised risk management approaches to the challenge.

This three-step process is grounded in the principles of Impact, Readiness and Monitoring:

1. Impact: Determining the severity of an event on the reputation of a company or organisation.

In this context, it is important to understand the different types of reputation risk and their ‘multiplier’ effect, which typically vary from industry to industry. This stage of the process requires a clear assessment of the impact of reputation risk on key internal stakeholders, especially when it comes to identifying risks and assessing their likelihood of crystallising.

2. Readiness: Establishing appropriate controls and procedures to respond to a reputational event.

How mature is a company in its reputation risk management processes? Does it have an established response to manage a negative event – regardless of magnitude? As part of addressing these questions, interviews with key internal stakeholders need to be conducted to understand alignment and capabilities.

3. Monitoring: Understanding the effect on reputation over the long term.

A company should adopt a process that tracks progress towards managing and mitigating reputation risk over time - reputation risks can certainly be managed and mitigated, provided companies adopt a proactive, systematic approach to this high-profile area.

Take control of the current risk register and explore the potential negative events that could occur. Next, understand external stakeholder sentiment using a robust reputation model, cross-referenced against some of the most likely scenarios. Start small, through a market test approach, to better understand the risk exposure profile. This in turn will allow appropriate prioritisation of the mitigation plans that need to be put in place.

By following these simple steps, companies are able to anticipate risk and, while preventing crises from happening is often impossible, they can at least mitigate the overall damage done to the business.