How risk managers can make intangible risks tangible

When 40 million credit and debit card records were stolen from US retailer Target as a result of a data hack, the company’s once-envied reputation suffered a significant blow.

Customers who fell victim to the theft became subject to potential fraud after malware, which was installed into point-of-sale systems in some 1,800 stores in 2013, siphoned their banking details. It later emerged that encrypted debit card PINs were also compromised and personal information belonging to a further 70 million customers, including names, addresses, telephone numbers and email addresses, were stolen in the same attack.

The incident caused the company’s reputation to dwindle almost immediately. Recorded as the fifth largest global data beach, the attack led to Target’s brand losing credibility more than any other US retailer in 2014, according to a survey by the Reputation Institute, which measured stakeholders’ perception of the brand following the data breach.

For example, in 2013, before the attack, Target was ranked eighth out of 24 US retailers for its reputation, but after the incident it dropped 14 places to 22, ahead of only Wal-Mart and Sears.

In sales terms, profits plummeted by nearly 50% in its last fiscal quarter of 2013 – the attack took place between 27 November and 15 December 2013. That’s not to mention the 80 or so lawsuits against the company, investigations it faced from the US federal state into how it responded to the attack and the millions of dollars it spent in compensation, as well as legal fees and other expenses to deal with the aftermath.

Although Target’s reputation has bounced back – it is now ranked 14th in the Reputation Institute’s 2015 league table – the data breach shows how in today’s digital age, where information spreads in a matter of seconds, a company’s most prized asset can be tarnished faster than ever.

Number one concern

It is attacks such as these that have created an air of worry among the risk management community, who view reputational risk as their number one concern, according to a recent survey by UK risk management association Airmic.

The survey is particularly telling of a risk manager’s struggle in managing potential brand damage and scoping out risk transfer solutions. Although ranked as the top risk, only one-third of 1,100 Airmic’s members – who between them buy about £5bn of insurance a year – said they were confident about managing reputation risk. The vast majority (93%) also said they do not buy cover because it is either not available or fails to meet their needs.

The problem is that reputation risk has long been considered by the insurance industry as unquantifiable and uninsurable because the triggers to a potential loss are unclear and underwriting data is lacking. For risk managers, reputational threats are hard to identify and the losses hard to measure. Ultimately, the problem lies in a lack of understanding among insurers and risk managers, says Kasper Ulf Nielsen, executive partner at the Reputation Institute.

 

 

“Currently, risk managers don’t have a clear method for measuring reputation risk and quantifying the losses arising from brand damage,” he says. “This is why there is little data that tells risk managers that if X,Y or Z happens, the cost to the business will be X amount of money.

“Second, risk managers don’t have a clear and structured framework for implementing a reputation risk management plan that helps them identify and prevent reputational damage.”

However, by breaking down a company’s brand into measurable components, risk managers can “make the intangible tangible,” claims Nielsen.

The measurable components in question are seven metrics that form part of reputation measurement framework – entitled RepTrak – which helps to identify threats that could affect reputation. The framework has been used to measure the strength of 5,000 brands in more than 25 industries across 50 countries, including BMW, Lego, Canon, Sony and Intel.

How does it work?

It is important to define what reputation means, says Nielsen. It is “the emotional feeling that stakeholders, customers or the general public have of the company, how much they trust the company, how much they admire and respect the company, and how much they have a good feeling about the company.

“There are direct links between these four areas and customers’ willingness to buy products and services, the regulator’s willingness to issue an operating licence, financial institutions’ willingness to invest in the company, the media’s willingness to report on the firm’s point of view, and employees’ willingness to deliver on the company’s strategy,” Nielsen explains.

To identify any potential areas from which brand damage could occur, risk managers need to measure, according to Nielsen’s definition, the level of trust, admiration, respect and good feeling that each stakeholder, including customers, general public, regulators (as relevant to the company) has about the firm.

RepTrak’s seven components describe the business outputs that lead to good or bad reputation:

• products and services
• innovation
• workplace
• governance
• citizenship
• leadership
• financial performance.

If an incident arises that reduces trust in any of these measurable components, the company is at risk.

Next, Nielsen recommends working off the company’s ERM or risk map and assessing these risk priorities against each of the framework’s seven components.

“Risk managers will assess risks in terms of two key metrics – likelihood and financial impact – to determine a list of threats to prioritise. The assessment will throw up a number of risks – for example cyber, accounting malpractice and product recall,” he says.

“Adding a further metric – reputation – to each of these risks or risk scenarios will help to assess the level of reputational risk of each threat on the company’s risk register.”

 

 

Assessing the impact

A point system can then be used to ascertain the impact a given risk scenario could have on the seven areas of a business’s output. From 1 to 7 (1 means little impact and 7 high impact), risk managers can assess the level of reputation risk by asking seven questions below:

To what extent will this risk scenario reduce people’s belief that

your organisation:

• offers high-quality products and services?
• is an innovative company?
• treats its employees well?
• behaves ethically and is open and transparent in its business dealings?
• supports good causes and protects the environment?
• is a company with strong leadership and a clear vision?
• delivers good financial results?

The exercise should be repeated for each risk and each stakeholder (see figure above).

“The framework helps risk managers ‘play the scenario’,” says Nielsen. “Let’s take, as an example, customers as the stakeholder, with accounting malpractice of a bank as the risk scenario. Working through the seven dimensions, risk managers should ask: ‘to what extent does accounting malpractice reduce customers’ belief that the organisation can offer high-quality products and services?’. This will probably score low.

“Moving on to point 4, however – ‘to what extent will accounting malpractice reduce customers’ belief that the organisation behaves ethically and is open and transparent in its business dealings’ – will gain a higher score, marking it out as an area that could result in severe reputational damage.”

He adds: “This exercise will help determine the areas of business that matter most to all stakeholders, helping to make the intangible tangible because risk managers will now know that if a particular risk occurs, it could affect a stakeholder’s perception of one or more of the seven components,” says Nielsen.

Interestingly, risk managers believe that reputation risks are likely to arise within the governance of the organisation, according to a survey that Airmic conducted of its members. It found that 60% of risk managers are concerned that a given risk could reduce the perception of their business as open, honest and fair in the way they do business. More than 50% of respondents believed issues may arise from the delivery of their products and services, and 44% were concerned about reputational issues arising from the leadership of the organisation.

So what next? “Now that the business has a clear and structured way for measuring reputation risk, risk managers can now put in place the right mitigation plans to prevent and control any risks before they turn into a crises.

“For instance, if openness and transparency is key to customers, then the business should consider sharing all relevant information publicly. If corporate social responsibility and citizenship is important to stakeholders, business should make a concerted effort to use legal labour.”

While this framework is a start in helping risk managers deal with reputation risk, insurers will need substantial data before they can agree that reputation risk has become, in Nielsen’s words, an intangible tangible.