Introduction: Why is RepRisk management important?
Although the impact of a loss of reputation can be immense, management and active steering of reputational risk is still in its infancy compared to other well-known risk types.
Regulatory pressure to implement RepRisk management has increased recently.
The EBA paper on SREP (supervisory review and evaluation process; EBA/GL/2014/13) mentions reputational risk in the context of assessing operational risk and clearly classifies reputational risk assessment as a significant part of risk management.
Consequently, it is time to act: RepRisk should be assessed, monitored and managed thoroughly. Especially since EBA announced that adequate implementation in the institutions will soon be audited by competent authorities.
Definition: What exactly is RepRisk?
In simple terms, reputation is the way an institution is perceived by its relevant stakeholders like clients, employees, shareholders, rating agencies or the general public in terms of its expertise, integrity and trustworthiness . Furthermore, supervisors state that “reputational risk means the current or prospective risk to the institution’s earnings, own funds or liquidity arising from damage to the institution’s reputation”. Therefore, deviations will result in severe impacts on the banks’ business and their P&L.
Similarly to legal, compliance or cyber risk, RepRisk aspects were usually subsumed under OpRisk in the past. Nevertheless, due to increasing relevance of those risks in the recent years, banks and supervisors have started to acknowledge them as individual risk categories which have to be monitored and steered accordingly.
It takes 20 years to build a reputation and five minutes to ruin it. If you think about that, you’ll do things differently.
History shows plenty of examples for reputational risks: One of the most familiar is certainly a large German bank that recently came under public criticism about their trading strategies related to staple foods. Other examples include, for instance, certain operational risk events with a high recognition in the public sphere: Leaking client data to German tax authorities has been a serious reputational issue for some foreign (mostly Swiss) banks, usually well known for their banking secrecy laws.
As a matter of fact, banks are facing a long list of potential sources of reputational risks, which are generally linked to severe business impacts (i.e. reduced refinancing capabilities or decreasing business opportunities).
Based on the intensity of a reputational risk event, this can lead to serious stress situations. Trust—which might be just another word for reputation—is an important asset if it comes to refinancing, as shown by the Lehman Brothers case during the recent financial crisis. Once the reputation is ruined, it gets harder and harder to recover. Bad reputation often results in a vicious circle.
Taking countermeasures to reverse the implications requires an immense effort and significant budget. This points out that it is necessary to avoid a bad perception right from the start.
In other words: Manage and mitigate your reputational risks proactively! Based on the supervisors’ current attention, capital allocation mechanisms (as performed for OpRisk in general) will certainly be in focus soon.
Identification and assessment
Setting up an effective reputational risk management process is crucial for institutions to avoid costly recovery. Traditional quantification processes used for classic risk types do not work properly for reputational risk. Due to the lack of data and experience as well as the high complexity to differentiate RepRisk from other risk types, sophisticated quantification methods have not been established so far.
It is often difficult to identify the underlying reasons for materialized reputational risks. Therefore, the key is not to focus on steering or measuring the risk, but to reduce the exposure to reputational risk by implementing mitigation measures and to deal with residual risks by setting up adequate risk buffers. Defining an identification and assessment strategy in order to decide whether to mitigate or cover RepRisk potentials is crucial.
To identify reputational risk potential, it helps to look at typical risk drivers, such as social standards, your own financial performance, quality of internal processes or customer satisfaction—just to mention some examples.
For this reason, a regular as well as an ad-hoc hazard analysis is advisable in order to identify threats throughout the whole organization.
Of course, reputation is strongly connected to the (social) media, its reporting and the resulting external recognition. Therefore, a separated identification approach might be helpful:
- Outside-in (e.g. customer survey, external reputational risk studies or databases)
- Inside-out (e.g. internal expert judgments)
When focusing on the inside-out view, an institution should know whether there are business divisions or competence lines that bear (a high) potential for reputational risk. Retail banking divisions are exposed to reputational risk in a different way than investment banking or controlling divisions. Carrying out self-assessments and identifying different risk potentials will be crucial for reputational risk management (expert judgements).
The internal RepRisk potential can be assessed based on a predefined framework (Figure 1). It is useful to assess the risk potential within the internal organization in different dimensions and is meant as a tool to identify, categorize and rank the potential reputational threats.
Once those threats have been identified, it is crucial to cover risks in day-to-day business. Therefore, it is necessary to define RepRisk as an integrated part of the whole organization and enhance existing control systems with RepRisk aspects.
As mentioned earlier, contrary to other risk types, there are no well-established methods to quantify reputational risk. Nevertheless, the described framework can be used for a high-level assessment of the risk potential. It contains a roughly estimated P&L effect as well as a probability/frequency figure of the risk. Based on those parameters a simple quantification approach can be chosen by multiplying the estimated P&L effect with the estimated probability of the risk. This approach can be used for internal steering purposes to derive capital allocation across business units and other departments according to their individual RepRisk exposure.
Handling RepRisk exposure
Once the reputational risk potential has been identified and assessed, reliable and useful handling processes need to be developed.
Reputational issues should always be considered when dealing with new processes or products (new product processes) in order to make a conscious decision whether to take the risk or not. Through a special focus on corporate social responsibility, image cultivation could be driven and reputational risks mitigated along the way. This is closely linked to questions related to creating a sound risk culture within an organization (see article “No comprehensive risk management without risk culture”).
Furthermore, the so called index-based approach can be used to monitor RepRisk drivers. This way, selected indicators (e.g. number of negative news on the institution in the last month) can be assessed individually and added up to a single index. Continuously monitoring the index makes the level of reputation comparable over time.
The total bank stress testing framework should be enhanced with a reputational crisis scenario, and the influence of reputational losses (i.e. business and liquidity risks) needs to be considered in the existing stress scenarios as well.
In order to be well prepared for crisis situations, contingency plans should be developed. A special crisis management committee has to analyze the reasons and determine countermeasures to the increasing reputational risk as well as manage active stakeholder communication. Remembering Warren Buffet’s words “reputation could be ruined within minutes”, banks absolutely have to establish structured processes for crisis decision-making (e.g. involvement of the senior management and Public Relations).
Finally, it is important to gather as much data as possible in any case. One of the main reasons why we cannot measure RepRisk today is the lack of information. Even if it takes a few years to use this data, any information will be helpful. Whenever it comes to risk calculations, historical data is essential.
As stated in SREP (under 6.4. Assessment of operational risk), reputational risk has a strong link to operational risks and the differentiation between these two risk types is not always straightforward. Therefore, it is necessary to evaluate whether it is efficient to integrate reputational risk processes and organizational frameworks into the existing structures of operational risks and enhance them, where necessary, as outlined in Figure 2.
By integrating RepRisk and OpRisk management (Approach 2 and 3), the institution can benefit from synergy effects and use well-known existing structures and knowledge at the same time.
Adding reputational risk to the institution’s overall risk strategy is a basic step for creating risk awareness. It is advisable to create governance guidelines with a clear definition of reputational risk and guiding principles.
When drafting the guidelines, special attention should be paid to avoid incentives for decisions makers to take reputational risks. In terms of responsibilities, it has to be ensured that no conflicts of interest arise between management and control of reputational risks (segregation of duties).
Besides a sound (Rep)Risk culture, a control function has to be established. While reputational risk identification and assessment is a joint task of business units and risk management, monitoring is solely performed by risk control.
Additionally, the Public Relations and Communications departments must be involved in establishing an effective reputational risk management. Therefore, the interfaces between the involved departments/divisions have to be (re-)defined. Close cooperation of decision making and resulting actions/measures will save time and lead to a better understanding and mitigation of risks.
Although reputational risk is a relatively new and hardly explored field of risk management, using existing governance structures of operational risk management reduces (organizational) complexity. Integration pays off in many ways: Not only is the institution prepared for meeting further regulatory requirements, it will also benefit from a more solid risk management framework and an increased awareness of reputational aspects in day-to-day business.
With the release of the final guidelines on SREP on December 19, 2014, the first step of the supervisory authority towards an increased focus on reputational risk has been taken. Now, it is time for institutions to set up processes and gain experience for actively managing reputational risks.
Due to the challenges in quantification and the highly complex differentiation from other risk types, focusing on reputational risk mitigation is essential. This requires a well-defined identification, assessment and mitigation framework as well as a sound RepRisk awareness or risk culture. Based on the existing OpRisk organization, an institution can benefit from structures that have already been proven successful in the past: This pragmatic approach will secure a sound RepRisk management and help to fulfill upcoming regulatory requirements in the future.