When it comes to the potential risks that can impact a business, the risk of reputational damage ranks at or near the very top of the list.
In a recent study by Deloitte and Forbes Insights, 300 executives (C-suite and board directors) were surveyed. One revelation? They consider brand reputation as the highest strategic risk area for a company. This finding even ranks above other high visibility factors like business model, competition, and the impact of economic trends.
What is reputational damage?
The world has changed dramatically over the last 20 years. Gone are the days when your only news sources were the daily newspaper and the six o’clock evening news. Through the power of social media, any kind of news (good or bad) can go viral and reach global proportions in minutes.
A company’s reputation can receive a damaging blow instantly, thanks to an unhappy consumer getting media coverage, or a news report of unethical behavior. Or because of an employee saying something inappropriate on social media, or the announcement of a company breach that’s exposed users’ personal data the company had promised to protect.
What are the most common types of risks associated with reputational damage?
The use (or misuse) of social media, either by an unwary employee, an agency or the company itself, can be a double-edged sword and can be the cause of reputational damage. How followers and the public use it in response to company actions or events can also be a catalyst for that negative impact.
From the employee making a racially charged comment on social media to the CEO being charged with sexual misconduct, everyone in a company should be considered a potential risk. There’s a strong case to be made that employee actions represent the biggest risk to a company’s reputation.
Services & Pricing
Regardless of its business model or sector, if a company underperforms, or overcharges, or practices shady sales techniques, it will suffer reputational damage once any of these things come to light.
3 devastating examples of reputational damage
Why is there so much attention given to reputational damage? The negative effects can literally decimate a company. Reputation Management describes its impact this way:
“(Reputational damage) harms client and investor trust, erodes your customer base and hinders sales. A poor reputation also correlates with increased costs for hiring and retention which degrades operating margins and prevents higher returns. Furthermore, reputation damage increases liquidity risk which impacts stock price and ultimately slashes market capitalization.”
Here are three recent cases that really drive the consequences and costs home:
2018 was a tough year for Uber from a reputational damage perspective. It started off with claims of sexual harassment from one female engineer, and that dominoed into 56 other claims of sexual harassment, resulting in a $1.9 million settlement. The sexual harassment investigation then uncovered other reputation-killing issues like minority discrimination and the existence of an unethical and hostile workplace. It seemed like Uber was making headlines nearly every week – and definitely not the kind of headlines a company wants to be making.
All in all, Uber shelled out over $20 million in settlements, had mass company leadership firings, high-level resignations, and removal of its CEO, not to mention the backlash among users uninstalling their apps and switching over to Lyft because they were so disgusted with the company’s newfound reputation. Uber has been in serious damage control ever since, hiring new leadership and implementing new salary structures, overhauling the performance review process, publishing a Diversity & Inclusion report, delivering leadership and diversity training to thousands of employees globally, and developing a new employee promotion assessment process.
When you’re a financial institution in charge of people’s money and finances, the need for an impeccable and ethical reputation is paramount. Unfortunately, Wells Fargo is learning the hard way what happens to a financial institution when systemic unethical behavior permeates it. It’s mind-boggling to think about just how many different unethical practices were underway at Wells Fargo, from creating fake customer accounts to modifying mortgages without customer authorization and charging customers for insurance they didn’t need.
Just in regulatory violations alone, Wells Fargo is paying over $1 billion in fines, not to mention the billions more in settlements of the multiple lawsuits against them. Furthermore, things grew so bad their growth was even restricted by the Federal Reserve. Profits, loans, deposits, and revenue have all been on the decline ever since this debacle was uncovered.
The CEO and other management personnel throughout the organization were fired, and Wells Fargo has been trying to rebuild their reputation, starting with the hiring of a new leader of the Board – Elizabeth Duke. To Wells Fargo’s credit, they have been very transparent about the trust they had and lost with their customers, and they’ve been actively and openly trying to rebuild it, as seen in this commercial.
Mark Zuckerberg and his team have had the rockiest 2018 imaginable, starting with the Cambridge Analytica scandal where Facebook failed to protect the private and personal data of over 87 million of their users. Investigations into how this breach could occur led to some very intense scrutiny over Facebook’s policies & procedures around data privacy and protection.
This even snowballed into revelations about how the Cambridge Analytica data was used to influence the 2016 presidential election, and how foreign countries were using the Facebook platform to spread fake news. Facebook had to shut down well over 300 Facebook and Instagram accounts linked to a Russian propaganda group, pages that reportedly reached over 10 million users.
Aside from the largest stock market drop in value in history – $120 billion, with a $17 billion loss for Zuckerberg personally – Facebook also faced a huge backlash from a reputational point of view. People became increasingly angry as they began grasping the details about how the company had mishandled their private data.
The (big) numbers on 2018 data breaches
According to Risk Based Security (RBS), over 6,500 incidents resulted in compromised data last year, affecting 5 billion records.
Facebook has been trying to stem the damage since last year, laying out a slew of new policy and procedure changes to restrict access to user data. As one example, apps may no longer use login info to collect users’ personal information, including details like their religious or political views, relationship status, education, work history, and more.
10 key steps to mitigating reputational damage risk
Now that we’ve been painfully reminded of the risks and ramifications of reputational damage, let’s take a look at some ways to help mitigate those risks.
Corporate Compliance Insights offered their view of the top 10 key strategies a GRC team should follow to proactively head off reputational risk and brand damage:
- Strong and effective board oversight – When it comes to the management of reputational risk, it needs to start at the Board of Directors level. Active and diligent Board oversight as it relates to the development of the strategy, the execution of that strategy, and the development and enforcement of the policies associated with it are mandatory.
- Integrating risk into business planning and setting strategy – Risk needs to be at the forefront of thought when it comes to business planning and setting the strategy. When risk is factored into strategy and business planning as an integral component, it fosters a more strategic view of undertaking risk.
- Effective communications, image and brand building – Telling your company story and building your unique brand is a critical component to succeeding in the market.
- A culture of ethics & compliance – There needs to be a culture of ethics & compliance that starts at the top and permeates throughout the entire organization. Included in this culture must be policies, procedures, escalation processes, and periodic pulse checks that gauge the tone especially in the middle and the bottom.
- Leaders should lead by example – The Board needs to be active and involved in making sure that there are proper and effective controls implemented for compliance matters. All eyes will be on executive management to see if they are leading by example or if they’re just paying lip service.
- Ensure a passionate focus on improving stakeholder experiences – This means that any exchanges or interactions with employees, suppliers, customers, shareholders, and other stakeholders need to prioritize delivering positive experiences.
- Solid public reporting – Investors keep a close eye on issues having to do with public reporting of financial statements. Things like restatements, factual discrepancies, and bad accounting practices are all things that give investors doubt and cast a negative shadow on a company.
- Strong control environment – To achieve a true culture of ethics & compliance, the control environment plays a pivotal role in helping an organization achieve its objectives around reporting, operations, and compliance.
- Performance vs. competitors – Bottom line, you have to have a competitive business model if you want to be recognized as successful in the marketplace. If you’re not competitive, your company and management team will be questioned, and your reputation will take a hit.
- Decisive response to high-profile crises – This is a natural extension of risk assessment and management. How your company plans for and responds to a crisis will have a definite impact on reputation.
An 11th step? Mount a tech defense against reputational damage
It may seem like a tall order to implement all these measures. The Corporate Compliance Insights list lacks one strategy, though, that can help empower many of them: Adopting GRC technology solutions to make it feasible to extend a culture of compliance across the entire organization.
As we saw at last year’s SCCE CEI event, there’s an “Ethics Rising” movement afoot within more organizations, who see the value of setting a foundation for a culture of ethics. Doing so efficiently and cost-effectively across even a mid-sized organization, however, means turning to purpose-built technology. Trying to accomplish it using traditional processes and tools is a recipe for failure, and leaves an organization exposed to risk. The complexities, number of risk factors, and pace of change in the business environment are just too much for yesterday’s approaches.
As for the costs of new technologies and other initiatives to build compliance? They’re almost a moot point when we consider that the true costs of non-compliance were revealed years ago in a landmark study by Ponemon Institute. Among the companies analyzed, non-compliance costs were 2.65 times higher than the costs of compliance efforts.
Technology is an unparalleled enabler for organizations trying to reach new plateaus of maturity and visibility into the performance of their compliance programs. For them and regulators alike, that maturity and transparency is crucial. Reputational damage can arise on any number of fronts, and the tactics to combat it and its impact – employee education, timely policy and procedure dissemination and attestation, data governance, confirmed audit trails, and high levels of embedded security – can only be realized by making GRC tech adoption an essential eleventh key strategy for safeguarding your enterprise.
Everyone has to be on board
It’s easy to understand why reputational damage is a top concern for leaders in any organization, given how quickly any situation can spin out of control and go viral. Why does that happen? Because brand reputation is inherently about trust. Trust that a company is protecting the best interests of its employees and customers and is operating ethically, honorably, and competently. When people feel that trust has been betrayed, they take the “betrayer” – in their eyes, the company – to task, even if it’s an unfair rush to judgment.
The difficulty for any company looking to protect itself from reputational damage is understanding that there is no single defense against it. Protection requires a multi-layered and multi-pronged approach that starts at the executive board and leadership level. From there, it has to migrate downwards, to eventually become a culture and mindset that’s adopted and practiced by everyone in the company, from the CEO to the last employee on the company roster.
In risk management, a “3 lines of defense” strategy involves lines of defense at various levels of a business. To defend against reputational damage, those three lines consist of corporate leadership, managers, and front-line staff.
Leadership will define what constitutes a “culture of ethical behavior” for the organization. They’ll also provide the processes and procedures directing managers and employees in how to best handle risk scenarios and prevent unintentional incidents, or stop them from spiraling into bigger issues through poor incident response.
But as Hui Chen, the former Compliance Counsel Expert at the U.S. Department of Justice (DOJ) explains, it’s vital to have everyone participate in developing that culture:
…if a top-down approach does not reflect the values of your employees and stakeholders, it can only go so far. A truly effective top-down approach is a reflection of the values of all the stakeholders involved. In order to know what those values are, you have to start with a bottom-up approach.
Protecting your company reputation has to be planned for and strategized at the highest levels. That plan and strategy have to be communicated to, and bought into by, the various management and employee ranks throughout an entire organization, to the point where there’s a measurable and definable change in mindset and behavior. Only when everyone is aware and protective of your company’s reputation can you really begin to breathe a bit easier.