Brand damage often arises from a wide range of events that can impact on an insurer’s reputation


Long-term success for an insurer is typically aligned to strong brand recognition and value. While the key risk to an insurer’s brand is poor financial performance and a weak capital position, in an increasingly connected society where customers are well informed and their expectations drive corporate success, brand damage often arises from a wide range of events that can impact on reputation.

Sources of reputational risk
Reputational damage is a by-product of failures in other risk categories, making it harder to identify and assess reputational risk. For example:

  • · Good business conduct, and ensuring fair customer outcomes, are key to maintaining a strong reputation. FCA regulation has raised the bar in expectations for business conduct and assisted in maintaining reputation where the regulations are complied with;
  • · Operational risks, most notably technology and/or information security failures, could damage reputation. Often, reputation is damaged by a security breach regardless of the actual impact on customers: even if no data is lost, customers are concerned by the failure itself because of the perceived lack of control; and
  • · Socio-environmental risks can also damage reputation, evident from the increased focus on corporate social responsibility statements and policies.

Managing reputational risk
Despite their nebulous nature, reputational risks need careful management, which can be achieved through directive, preventative and detective measures.

Establishing policies, procedures and governance for reputational risk management, such as:

  • · Ensuring that the risk management framework separately identifies and manages reputational risk alongside the more traditional insurance, financial and operational risks;
  • · Ensuring the insurer appropriately identifies reputational risk, including the bottom-up escalation and management of reputational risks and the top-down articulation of key reputation risks from the board; and
  • · Appropriate application of risk management and governance over reputational risks within outsourced activities and others in the insurer’s supply chain.

The ‘three lines of defence’-model should be applied to manage reputation. The first line of defence is responsible for the day-to-day identification, measurement and management of reputational risk. The second line of defence (risk, legal and compliance) provides oversight and challenge to reputational risk management and assists with the identification of emerging/new reputational risks. The third line of defence (internal audit) ensures that sources of reputational risks are considered in risk-based audit planning decisions and provides assurance on the effectiveness of the reputational risk management framework.

Preventative measures ensure that processes and controls are in place to prevent reputational damage. This is done by:

1. Establishing a clear risk appetite statement for reputational risk

2. Ensuring the tone is set from the top

3. Adequate identification of horizon risks that may impact on reputation

It is fundamental that reputational risk is fully and routinely considered at all layers of decision making, whether it be decisions relating to an acquisition/disposal, new products, new IT infrastructure or a new outsourced arrangement.

Detective measures ensure that mechanisms are in place to provide for the timely identification, escalation and management of events that may impact on reputation. Insurers increasingly test the firm’s reaction and response for reputation management by running simulations based on a range of likely risk events, testing the internal and external communication processes and ensuring that all relevant individuals are engaged in the response. Such tests help ensure a speedy and complete response and a calm head should a real-life brand damaging event occur.

As ever with risk management, an appropriate culture is key to embedding reputational risk management: making reputational risk management a responsibility of every employee and ensuring role profiles for business leaders clearly articulate responsibilities for this. In defining such a framework, it is possible to increase the visibility of what is often considered the invisible risk.