Chief Legal Officers as Reputation Risk Stewards

Companies once relegated the management of reputation risk to the public relations or communication functions, often in response to a specific crisis. The time for such narrow thinking has long passed.

Today, because of the enduring costs of a crisis, effective reputation risk management requires a broad understanding of the possible risks and liabilities facing a company in light of its business mix, strategic objectives, and interested stakeholders. It requires an authority that can spur action within boards and among upper management enterprise-wide.

Based on their typical scope of duties and experience, chief legal officers are well suited to manage reputation risk. A chief legal officer has the necessary depth and breadth to help build an appropriate risk management framework, to oversee an enterprise-wide intelligence gathering and reporting process (controls), and to support the company’s adherence to strong reputation risk management principles.

Reputational risk

The reputation of an organization manifests itself in several ways, from the businesses and activities it engages in, to how it communicates, to the actions taken by its employees, advisors and suppliers. Reputational issues may arise from actions taken or statements made, but also if a company remains silent.

Expectation gaps

The gap between expectations (what stakeholders want) and outcomes (how stakeholders experience what companies do) causes reputational risk — the threat to reputational value from angry, disappointed stakeholders.

Social media amplifies stakeholder emotions, thus the need for a company to respond to issues quickly and thoughtfully. Stakeholders are not monolithic in their expectations, and companies may need to choose between competing positions that cannot be reconciled. Moreover, expectations often change over time.

With reputational value linked to a wide range of mission-critical activities, a company’s oversight of reputational risk has become a key governance matter. Failure to manage reputational risk effectively may lead to a decrease in stock price, increased cost of capital, disengagement of employees, impaired financials, regulatory opprobrium, and litigation.

Social media

The emergence of social media and other online venues as primary sources of “news” and information for large numbers of people — and the immediacy and influence of those sources — requires companies to implement preemptive strategic deterrence and mitigation strategies.

Reactive crisis communications efforts to “set the record straight” are always too late. Once set in the mind of stakeholders, anger is hard to displace. As Ben Franklin reportedly said, “glass, china, and reputation, are easily cracked, and never well mended.”


The focus on environmental, social, and governance (ESG) issues and the pressure on companies to establish a reputation for ESG-awareness by engaging on social and public policy matters places them in a precarious position. The perils extend beyond compliance and regulators’ expectations.

Companies need to understand all stakeholder expectations, anticipate fulfillment gaps, and be prepared to act in real time. Some have the governance, leadership, controls and insurance structures to do so. Many others may be making pledges without the structures in place to live up to them. Disappointment in such situations may be inevitable, but anger is not. Exploiting this distinction to build reputation resilience is the strategic goal of reputation risk management.


The SEC has said it is now considering more detailed and meaningful disclosures related to corporate ESG activities — an area that poses significant compliance and reputational risk. As it stands now, too many companies, viewing ESG ratings as a proxy for reputation enhancement, are raising stakeholder expectations. ESG puffery has begun to raise the ire of the SEC. In late August, the Wall Street Journal reported that US and German authorities were probing Deutsche Bank’s DWS asset management arm over sustainability claims.

Other mission-critical activities replete with reputational risk, such as assuring the security of personal information, are receiving SEC scrutiny. In June of this year, the SEC issued the first-ever penalties for deficient cybersecurity risk controls against First American Financial Corporation (FAFC), a title insurance company, for deficient disclosure controls and procedures related to cybersecurity risks.


It is unquestionably perilous with equity investors — a clear lesson from the costly US$240 million settlement of the In re Signet class action litigation (which resulted, in part, from alleged ethical lapses and culture issues under the heading of #metoo at a large jewelry company). Not surprisingly, the plaintiffs’ bar has taken notice and courts are increasingly holding corporate boards of directors accountable for financial setbacks related to reputational damage — upholding pleadings arguing that reputation is mission critical and, therefore, within the scope of a director’s duty of loyalty.

In addition to its regulatory issues, FAFC is facing derivative litigation as well as a number of purported consumer class-action lawsuits. Last year saw a nearly 60 percent increase from the prior year in federal lawsuits mentioning reputation, according to Agenda.

Risk management in action

More and more major financial institutions recognize the need for effective reputational risk management. BlackRock and Vanguard, the world’s top two asset managers, have each stated that they will take reputation risk into account as part of their evaluation of portfolio companies. Bond raters S&P and Fitch factor reputation risk management into their credit risk models; Moody’s reported factoring it into 85 percent of their 8,700 private sector ratings in 2020.

An obvious implication of all this attention from the capital markets is that disclosures of authentic, enhanced, well-validated reputation risk management will be rewarded. Testing this concept, Apollo Global Management (NYSE:APO) recently took the very public step of detailing its enterprise reputation risk governance and management systems. Apollo took a principled approach by authenticating its processes in a report written by a respected third party, an outside law firm — thus distinguishing it from typical marketing statements.

The development and release of this report was a strategic success. Shareholders the next day increased Apollo’s equity value by 7.2 percent. Equity market momentum over the next two weeks sustained the increase to 11 percent, which added a total of US$1.1 billion to Apollo’s market capitalization.

The key success elements of Apollo’s strategy included upgrading reputation risk oversight at the governance level, developing an integrated cross-functional enterprise-wide reputation risk management executive process, authenticating the strategy and its execution by a third party, and disclosing the whole of it publicly.

CLO as risk steward

Increasing numbers of companies are now susceptible to real damage if they fail to understand and address reputation risk management with strategies designed to meet the challenges of the current environment.

Chief legal officers are uniquely positioned within the organization to lead this effort. Boards trust counsel to guide them, and as boards increasingly find their oversight of reputation risk tested by regulators, the courts, politicians, and the ever-shifting winds of cultural change, many are turning to counsel for guidance. This is especially true in firms with large compliance operations, ESG-centered strategies, and an appetite for M&A activities.

Effective reputation risk management requires ongoing enterprise-wide intelligence gathering and analysis of mission-critical business processes that substantiate a firm’s reputation for ethics, safety, security, sustainability, or quality. Processes through an integrated reputation leadership team comprise reputation controls. CLOs typically have a wide span of control across the company. This perspective puts them in a better position to recognize early warning signs of control failures within an organization — such as increases in complaints, ethics investigations, enforcement actions, or legal disputes.

Counsel are also ideally suited for this role because they are already deeply involved in risk management generally, particularly when it relates to litigation risk. They are accustomed to preemptive strategic planning on mitigating crises, scenario planning, and protecting the enterprise from a broad range of perils. They are trained and have experience in managing war rooms, operational planning, and directing multi-disciplinary teams in a crisis. They are credible and authoritative voices in communicating with boards, risk committees, and management.

With counsel engaged in reputation risk management, there are several best practices they can follow to both mitigate these risks and help their companies achieve the type of “reputation premium” Apollo saw after its recent announcement.

Reputational risk management framework

The reputation risk management framework comprises controls and oversight. It should be rigorous and balanced, and tailored to the company. It should take the interests of shareholders and other stakeholders into account and should balance expectations, behaviors, and economics.

The framework should engage the board of directors at the appropriate level — providing actionable insights without parading an unending stream of issues and potential threats in front of the directors to the detriment of their strategic oversight responsibilities. 


Any metrics used for controls and oversight to measure reputational value should be validated in the market. Increasingly, boards demand it. Consider, for example, the metrics used over nearly 20 years by stock indexes like RepuSPX and RepuVar that help to identify and predict which companies will outperform their peers based on their reputational resilience. Clear metrics and quantitative rigor demonstrate credibility and authenticity by meeting the expectations of institutional investors and regulators.

Candid conversations

A strong reputational risk management framework benefits from candid conversations, and retaining outside counsel may help to facilitate such conversations under the protection of attorney-client privilege. Third-party consultants and underwriters can also provide subject matter expertise, risk quantification, insurance, or financial risk transfer, while underscoring to stakeholders the organizational importance of managing reputation risk.

In many commercial sectors, reputation risk is one of the top business perils today. There are proven metrics for measuring the risk, models counsel can use to manage and mitigate it, and products for validating the process and transferring financial risk. CLOs who play a leading role in shepherding the required intelligence gathering and creating an authentic story for marketing, communications, and investor relations to tell can lead their companies toward reputational resilience. It’s a strategy the capital markets today are rewarding.