© Jacka 2019

Memphis IIAProfessional and Student Annual Development Day

October, 2019

© Jacka 2019

© Jacka 2019

Why Reputation is Important

Reputation Risk Defined

Reputation Risk Management

Crisis Management

The Role of Internal Audit

© Jacka 2019

Why Reputation is Important

© Jacka 2019

It takes twenty years to build a reputation and five minutes to destroy it

If you think about that – you’ll do things differently

Warren Buffet

© Jacka 2019

Why Worry About Reputation?

Part of the format; not a reputation issue

© Jacka 2019

A decrease in 1 Star Rating can equate to a 10% reduction in revenue

An increase in rating by 1 Star Rating can equate to a 5 - 9% increase in revenue

© Jacka 2019

© Jacka 2019

© Jacka 2019

1. Damage to reputation/brand2. Economic slowdown/slow recovery3. Increasing competition4. Regulatory/legislative changes5. Cyber crime/hacking/viruses/malicious codes6. Failure to innovate/meet customer needs7. Failure to attract or retain talent8. Business interruption9. Political risk/uncertainties10. Third party liability

Global Risk Management Survey 2017 – AON Risk Solutions

© Jacka 2019

1. Economic slowdown/slow recovery2. Damage to reputation/brand3. Accelerated rates of change in market factors4. Business interruption5. Increasing competition6. Cyber attacks/data breach7. Commodity price risk8. Cash flow/liquidity risk9. Failure to innovate/meet customer needs10. Regulatory/legislative risk

Global Risk Management Survey 2019 – AON Risk Solutions

© Jacka 2019

1. Business interruption2. Cyber Incidents3. Natural catastrophes4. Regulatory/legislative changes5. Market developments6. Fire/explosion7. New technologies8. Climate change/increasing volatility of weather9. Loss of reputation or brand value10. Shortage of skilled workforce

Allianz Risk Barometer – Top Business Risks for 2019

© Jacka 2019

Factor/Impact Negative PositiveStock or other value Average 7% drop in

stock valueAverage 13.5% net appreciation of stock when restoring value

Investor Loss of quality investors

Attract quality investors

Third Party Worse third party terms

Better third party terms

Costs & Expenses Extra cost of liability, legal, compliance

Lower liability, legal, compliance costs

Time & Resources Loss as workforce involved in investigations and litigation

Resources focused on developing and doing business, value creation

Adapted from The Reputation Risk Handbook –Bonime-Blanc

© Jacka 2019

Factor/Impact Negative PositiveInvestigations One investigation

leads to anotherTransparency avoids and minimizes investigations

Personal reputations Everyone’s reputation damaged, especially executives and board members

Reputations intact

Business/mission Restructuring or demise of business

Resilience of business and business lines

Consumer Dissatisfaction leads to sales, volume, and pricing losses

Satisfaction leads to increased sales, volume, and premium pricing

Adapted from The Reputation Risk Handbook –Bonime-Blanc

© Jacka 2019

Factor/Impact Negative PositiveEmployee General

dissatisfaction, malaise, defection

Satisfaction, positive culture, esprit de corps

New Talent Hits recruitment, loss of good talent, lost jobs

More jobs, attract and retain coveted talent

Regulators Bad to worse relationships in multiple locations

More forgiving when/if problems arise

Media Under the media microscope

Good media coverage, if any

Social media The watch is on and uncontrollable, under the super-microscope

Coverage is positive & useful in enhancing reputation

Adapted from The Reputation Risk Handbook –Bonime-Blanc

© Jacka 2019

Reputation Risk Defined

© Jacka 2019

The possibility of an event occurring that will have an impact on the achievement of

objectives

IIA International Professional Practices Framework

© Jacka 2019

Reputation is what people expect us to do next. It's their expectation of the quality and character of the next thing we produce or say or do.

We control our actions (even when it feels like we don't) and our actions over time (especially when we think no one is looking) earn our reputation.

Seth Godin

© Jacka 2019

The emotional connection between stakeholders and organizations

The Reputation Institute

© Jacka 2019

© Jacka 2019

The potential that an event will impact the organization’s reputation in a way that will adversely impact that organization’s objectives

© Jacka 2019

© Jacka 2019

All RiskIs

Reputation Risk

© Jacka 2019

Reputation risk is an amplifier risk that layers on or attaches to other risks…adding negative or positive implications to the materiality, duration, or expansion of the other risks on the affected organization, person, product, or services.

The Reputation Risk Handbook – Bonime-Blanc

© Jacka 2019

Managing Reputation Risk

© Jacka 2019

Reputation Leaders Study 2016 – Reputation Institute

© Jacka 2019

Difficult to define Some organizations define it as an impact, not a risk Little information on how to manage Difficult to measure Defined by external perceptions

© Jacka 2019

Tone at the Top Understand Potential Reputation Risks Governance PR & Communications Integration Front Line Integration Crisis Plan Measure Monitor

© Jacka 2019

An appropriate culture and associated processes will minimize the potential for crises

to occur in the first place

© Jacka 2019

Culture◦ CEO is in charge◦ Visibly principled leaders who

communicate values, then live them Structure◦ Strong and integrated governance◦ Existing risk assessment program

© Jacka 2019

Speak-up Culture◦ Encourage early problem detection◦ Hot-line, ethics line, problem resolution

method Incentives◦ Values-based assessments and rewards◦ Support employees to guard reputation

© Jacka 2019

Approaches◦ Entity-wide surveys◦ Structured entity-level interviews◦ Gathered in all conversations

Resources◦ Best Practices: Evaluating the Corporate

Culture (Roth)◦ Enterprise Risk Management: Achieving and

Sustaining Success (Sobel & Reding)

© Jacka 2019

Risk Identification◦ Design system to identify and address areas of potential

exposure◦ Understand interdependent risks (fraud, IT, regulatory,

financial, etc.) Team integration◦ Cross-functional approach◦ Governance◦ ERM◦ Three lines of defense◦ Use internal and external resources

Strategic Integration◦ Strategy will drive reputation; reputation will drive strategy

© Jacka 2019

Executive oversight◦ High-level◦ Coordinate with experts◦ Knowledgeable

Board oversight◦ Standard discussion in board meetings◦ Built into strategic risk management, annual

planning, and long-term strategic planning

© Jacka 2019

Establish communication plan◦ Part of crisis management◦ Established policies and guidelines

PR & communications response teams◦ Identify teams for larger and smaller “mini”

crises. ◦ Information on when to escalate◦ Training for all teams

© Jacka 2019

Front-line business teams◦ Supervisors equipped to identify and deal

with reputation risk issues◦ Supervisors know what to do

Policies and guidelines◦ Addressed in relevant documents, policies,

procedures, etc. (e.g. code of conduct, hot-line protocols)◦ Clear and actionable language◦ Accessible

© Jacka 2019

Education and training◦ Understanding the basics of reputational

risk◦ Sufficient knowledge to recognize potential

crises and how to respond◦ Sufficient knowledge to provide input on

potential risks◦ Learning from mistakes

© Jacka 2019

Plan integration◦ Reputation risk issues integrated in crisis plan◦ Crisis team in place◦ Crisis management training

Rapid deployment force◦ Quickly focus on root cause◦ Necessary internal and external resources◦ Right team for identified root cause

Post-event SWOT◦ Debrief and lessons learned◦ Integrating lessons into updates

© Jacka 2019

Measure how reputation is perceived externally Sets the starting point Compare as a part of monitoring Measuring the Impact – an example◦ Any losses in shareholder value beyond

general market fluctuations which cannot be accounted for by financial costs from the event itself are pure reputational losses

© Jacka 2019

Essential to understanding how external stakeholders perceive the organization Monitor on an ongoing basis Monitor across all markets Monitor on a global basis Invest in staff, resources, technology◦ Full range of channels – traditional and

social media

© Jacka 2019

MessagingWhat you say

Word of MouthWhat people say

PerceptionsWhat people see

BehaviorWhat you do

GAP

GAP

GAP

GAP

GAP

© Jacka 2019

Crisis Management

© Jacka 2019

“I want my life back”Tony HaywardFormer CEO - BPTony Hayward

Former CEO - BP

© Jacka 2019

Even with the best reputation management, crises will happen.

If done correctly, crisis management can actually enhance the brand and reputation.

Companies are judged not on the crisis itself, but on the response.

© Jacka 2019

Deadly Blow◦ Organization/product/service/leader

“disappears” Enron, Lehmans, Arthur Anderson, Barings

Recoverable Hit◦ Organization/product/service/leader regroups

and recovers Siemens, BP

Enhancement Event◦ Organization/product/service/leader builds

reputational equity Johnson & Johnson

© Jacka 2019

Quick and agile (minutes not days) Predetermine when to mobilize a response Keep everyone informed – transparency in communications Role of the board◦ They should ask for a crisis management plan;

they should know the plan◦ They are not the spokespeople◦ Predetermine what events they need to know

© Jacka 2019

Build a Crisis Team Identify and Plan for Potential Crises Develop a Crisis Plan Develop Communication Protocols◦ Stakeholders◦ Spokesperson

Train, Re-Train, Keep Training Conduct Simulations

© Jacka 2019

Short and practical Consider all scenarios Who does what, when, and where List the team Internal and external contact details Crafted messages Proven ability to implement Develop a process to allow for flexibility

© Jacka 2019

Providing no response Replying “No Comment” Offering disorganized, conflicting statements Issuing a verdict before examining the facts

© Jacka 2019

Candor Explanation Affirmation Declaration Contrition Certification Commitment Restitution

© Jacka 2019

© Jacka 2019

June 2, 2015 – Two cars crashed The Spokesperson Compensation Ensure Safety Existing Dialogue Business Model

© Jacka 2019

Have a plan Train for it Test it

© Jacka 2019

The Role of Internal Audit

© Jacka 2019

The C-Suite◦ Conversations with the board◦ Conversations with the C-Suite

Assurance providers◦ Governance, ERM, Three Lines of Defense

Audits of other assurance providers

© Jacka 2019

Strategic-level audit◦ Is there a strategy?◦ What are the goals?◦ Are they being achieved?◦ What is the message?

© Jacka 2019

Operational reviews◦ Overall risk management approach◦ Policies and procedures◦ Monitoring processes◦ Crisis plan

© Jacka 2019

Lifecycle of Reputation Risk Management◦ Beginning Strategy Development Risk Assessment◦ Middle Policies and Procedures Monitoring◦ Outcomes Crisis Management Post Mortem

© Jacka 2019

Consider reputation risk for annual assessments Include in all relationship meetings Consider in all audit projects◦ Risk assessment◦ Considerations at management level◦ Understanding at all levels◦ Understanding of crisis management roles

© Jacka 2019

Has reputation risk been assessed? Is reputation risk a part of all risk assessment activities? Is there a crisis management process? Has it been tested? Do people understand the impact of their processes/operations/jobs on reputation?

© Jacka 2019

Defining and Managing Reputation Risk: A Framework for Risk Managers◦ AIRMIC

The Reputation Risk Handbook◦ Andrea Bonime-Blanc

Best Practices: Evaluating the Corporate Culture◦ James Roth

Enterprise Risk Management: Achieving and Sustaining Success◦ Sobel & Reding

© Jacka 2019

QUESTIONS?

© Jacka 2019