- Corporate Security Teams
- Risk & Compliance Teams
- Information Security Teams
Governance, Risk and Compliance
By Resolver Modified September 20, 2021
I consider myself extremely fortunate to have been working in the Canadian banking industry for almost a decade now. Working in fraud operations, insurance (claims), and in various risk management areas that include operational risk, market risk, credit risk, model risk, and technology risk, I have learned things that are both interesting and, to be frank, fun! However, it was not until I started teaching Risk Management courses at a local college that I truly understood the importance of my field.
Through comprehensive discussion in my classroom, my students always came to the realization that it was great to manage all risk types, but nothing was more important than managing the public’s perception of your organization—your reputation. The Risk & Insurance Management Society defines reputational risk as “an intangible asset, a key determinant of future business prospects, resulting from a collection of perceptions and opinions, past and present, about an organization that resides in the consciousness of its stakeholders.” What customers (stakeholders) think about the organization they’re purchasing from is everything to a business. If customers are not buying products as a result of a bad reputation, companies are not making any money.
The industry often references three common tips for managing reputational risk:
Any organization is going to be subjected to incidents or events that will put their reputation on the line. When these incidents occur, it is extremely important to manage communications with both internal and external stakeholders. Mitigating reputational risk issues through effective crisis communication actions, including:
A communication plan is not something that is thought-up on a whim when an incident occurs. In fact, it takes an incredible amount of preparation for incidents to be managed appropriately through proper communication, which encompasses aspects of business continuity. Operational or enterprise risk management departments need to liaise with internal public affair groups to implement programs and predetermined responses for when incidents occur. Having these preparations in place ensures the following:
With these pieces in place, it is easier for organizations to not only communicate effectively with all stakeholders but also have documented action plans which explain to the appropriate internal and external stakeholders that issues will be resolved.
Having a crisis communication plan in place, and departments trained to manage incidents, are both steps in the right direction but it will mean nothing if organizations are not willing to “own” or acknowledge that incidents are actually occurring. Generally speaking, organizations do not have to do anything if there are internal reports of major reputational risk issues on the horizon. However, the organizations willing to disclose reports of internal issues to the general public or regulatory bodies proactively are more likely to succeed in managing their reputational risk. Why? Because it shows that they care, they’re transparent, and they’re acting in good faith through sound business judgment.
To put it simply, a company is more prone to public scrutiny when they’re caught with their pants down. Responding to allegations, conducting an investigation, and then devising a solution after an issue is made public makes you look unprepared. Protect reputational risk by owning up to a mistake and showing that you’re already prepared with a solution. Considering this, it is important for organizations to own any type of crisis so that they can manage it effectively, rather than allow third parties, such as regulatory bodies or the media, manage it for them.