Reputational risk and crisis management

Transcription

1 Reputational risk and crisis management

2 Reputational risk and crisis management The nightmare scenario for a CEO might be a tainted product, a deadly accident or a humiliating scandal. Within days, or perhaps even within a few short hours, a carefully cultivated brand is threatened and a sparkling corporate reputation is at risk of being ruined. Bad things happen to even very good organizations, but it isn t necessarily the bad things themselves that destroy reputations. Bad things happen to even very good organizations, but it isn t necessarily the bad things themselves that destroy reputations. Often the deciding factor is how a company responds when something goes wrong. If the crisis is managed badly, the company may never recover. If handled well, the company may even enhance its reputation. Companies with superior reputations have been shown to have sustainable competitive advantages and enjoy materially higher average annual stock price increases. In some industries, reputation can be a company s single most valuable asset. But reputations also can be fragile. Thanks to the Internet and the 24/7 news cycle, bad news, including rumors, misinformation and libelous attacks, can spread across the globe in an instant. Adversaries such as activists, disgruntled customers and angry former employees can launch potentially damaging attacks through blogs, message boards and dedicated websites. Companies with strong reputations may simply deflect many reputational challenges. Additionally, threats often can be nipped in the bud through proactive reputation management. But some extreme events can overwhelm a company s defenses and deeply damage or even irreparably destroy its reputation. In a full-blown crisis, a range of high-intensity crisis management procedures must immediately be implemented. Companies that are best prepared to deal with a potentially ruinous situation are those that have developed and rehearsed a comprehensive crisis management plan. Reputational risk and reputational risk management Reputation is not an attribute of an organization; reputation exists solely in the minds of others. A company may possess a good reputation, but what it actually owns is the benefit of a positive consensus about its conduct. Many companies seek to actively manage their reputations by instilling and reinforcing positive associations in the minds of those who are important to the success of the company, especially customers and investors. Managing a reputation also requires monitoring external perceptions and responding quickly and effectively to threats. The possibility that events may undermine trust in a company is called reputational risk. Reputational risk arises from a wide array of actions, including failure to comply with regulatory or legal obligations, failure to deliver expected standards of service and product, unethical practices, failure to hit financial performance targets, labor unrest and environmental breaches. Reputational risk also arises from external factors such as the actions of a competitor that cast a cloud over an entire sector. Activities that can help prevent reputational damage, or help mitigate the consequences of a damaging event, collectively are called reputational risk 1

3 management. At the heart of reputational risk management is overall good corporate governance companies that are managed well might typically avoid activities that undermine trust, and they have a reservoir of good will to help cushion occasional bad news. Many senior executives, however, are not content to rely exclusively on good corporate governance as a defense against a damaged reputation, and insist on proactive steps to manage reputational risk. Specific activities can include: collecting and analyzing customer feedback; monitoring the media, including Internet blogs and message boards; managing the company s relationship with the media; investor relationship management; diligence in regulatory compliance and managing relationships with regulators; tracking business, economic, social and regulatory trends that may spawn new risks; and managing relationships with potentially adversarial special interest groups. These highly unlikely, but extremely powerful, events present enormous potential reputational damage and can often redefine the career of the leader in charge at the time. Reputational risk management activities typically are distributed among a number of departments and individuals, making it challenging to develop and execute a cohesive strategy. While the optimal means of coordinating reputational risk management may vary by industry, company size, structure and corporate culture, companies should consider embedding reputational risk management within an enterprise risk management (ERM) program that addresses all aspects of an organization s risk profile. In addition to providing a platform for managing reputational risk across the organization, ERM helps companies avoid strategic surprises that can threaten reputations, and aids in identifying emerging risks, according to Calvin E. Beyer, head of the Manufacturing segment of the Middle Market Commercial Group of Zurich North America. ERM also helps pinpoint interdependencies and contingent risks situations that can produce the chain reactions that are the precursors of catastrophic losses. Crisis management Companies face frequent challenges to their reputations, and well-regarded organizations that engage in reputational risk management activities usually fend them off without lasting damage. But occasionally exceptional events overwhelm companies usual reputational risk defenses. These highly unlikely, but extremely powerful, events present enormous potential reputational damage and can often redefine the career of the leader in charge at the time, according to Mr. Beyer. The types of disasters that can destroy a company s reputation vary by industry. A financial services firm may be the victim of a data breach that compromises sensitive customer information. An airline may be grounded for safety violations. A chemical company may expose a community to toxic substances. A manufacturing company may need to recall a dangerously defective product. Some types of disasters transcend industry groups. Any company could be the victim of financial fraud. 2

4 When disaster strikes, the companies that fare best are those prepared to quickly execute a thorough and well-rehearsed crisis response plan. Crisis response plan Most organizations are not well-prepared to respond quickly in a crisis. A 2005 survey of senior risk managers by the Economist Intelligence Unit found that less than half of respondents said their firms are good at crisis management while 11 percent rated their firms as poor. Large firms are more likely than smaller ones to have a well developed crisis management plan. For many companies, crisis management is a reactive process scrambling to seize control of the situation after a crisis occurs rather than a proactive discipline. Making crisis management a proactive discipline means developing and rehearsing a crisis response plan. Such a plan necessarily involves many levels of an organization, from the CEO down, and may include outside experts. It should take in consideration all important stakeholders, including customers, investors, employees and regulators. Important elements of a plan include: The core crisis management team has been identified and each member knows his or her role; The most threatening vulnerabilities have been identified and timeline scenarios addressing each have been developed; Key stakeholders/audiences have been identified, along with their likely concerns related to the most threatening vulnerabilities; The most effective communication channels for each category of stakeholder have been identified and plans are in place to quickly access each channel; A company spokesperson has been appointed and trained; The plan has been rehearsed; The plan is periodically reviewed and updated. Large companies often use outside consultants to help develop crisis management plans and to assist in the event of a crisis. Smaller companies are far less likely to call on consultants, though companies of every size can benefit from expert advice. Some types of insurance policies, such as cyber liability policies, make crisis management services available for certain types of events, enabling a broader spectrum of companies to benefit from crisis management expertise. What should happen when a crisis occurs? Two things must happen right away when a crisis erupts: the problem must be fixed, and communication with stakeholders must be quickly established. Fixing the problem. According to nearly three-quarters of global business leaders surveyed by public relations firm Weber Shandwick and KRC Research, a key step in the reputation recovery process is announcing specific actions the company is taking to fix the problem. 3

5 Only rarely can a serious problem be fixed immediately. A dangerously defective product can be recalled, but injuries may continue to mount. A financial fraud may be identified and the perpetrators arrested, but it may take years for the company to return to pre-fraud financial health. But even if there is no quick fix, management must be seen as moving decisively to remedy the problem. Actions seen as superficial or ineffectual are likely to be more damaging than helpful. Communicating with stakeholders. Rarely does it pay to try to cover up or minimize a serious event. Companies fare best when they acknowledge the seriousness of the situation, display regret and concern for consequences of the event, assert commitment to make things right, and demonstrate that senior management is in control of the situation. Quickly and effectively communicating with the full range of stakeholders is vitally important to help mitigating damage. Companies must stay on top of communications about the event, otherwise the media and other organizations will take control of the story. Quick and forceful communication helps companies define the agenda and reinforces the impression that management is in control of the situation. It also can help generate good will with stakeholders. Companies must stay on top of communications about the event, otherwise the media and other organizations will take control of the story. If not the very first, one of the first categories of stakeholder to be notified after an event is the company s employees. Communicating quickly and openly with employees reassures them that the situation is under control, enables management to sympathize with their concerns, imparts important information to help bring the rumor mill to a halt, and permits management to lay down rules as to what can and cannot be communicated to outsiders, and who is authorized to speak for the company. Depending on the nature of the event and the size of the company, communications outside the company can take the form of press releases, press briefings, face-toface meetings with regulators or other key stakeholders, updates posted on the company s website, television or newspaper advertising, or s. Some companies have leveraged the enormous popularity of social networking websites such as Facebook and Twitter to get their messages out. A vitally important communication network is the company s sales force, which should be recruited to deliver scripted messages individually to important customers and prospects. While a company should designate a spokesperson to handle most routine communications with the media, the CEO almost always should be highly visible throughout the process. The CEO is the public face of an organization, and is expected by all stakeholders to demonstrate leadership at a time of crisis. Subsequent actions. Repairing a reputation can take years, and companies may be judged on their activities relative to a crisis long after the event triggering the crisis has passed. Depending on the nature of the crisis and the type of company involved, ongoing activities may be required for months or even years after the initial crisis has passed. For example, an environmental mishap may require regular testing of contaminated property or health check-ups for people exposed to toxic chemicals. Similarly a data breach may necessitate credit monitoring for victims for a period of time. 4

6 Transforming a crisis into a reputation win. Most often, companies consider themselves fortunate to survive a crisis with their reputations intact or only slightly battered. Companies that are highly prepared to respond effectively to a crisis, however, occasionally emerge with newfound respect from stakeholders. Companies that turn a disaster into a net gain in reputation almost always are those that respond quickly and decisively, taking full responsibility for mistakes and executing an action plan that remedies the problem and makes whole or at least as whole as possible those damaged in the incident. Conclusions Nearly two-thirds of executives participating in a reputational risk survey by Weber Shandwick and KRC Research said they believe it is harder to recover from reputation failure than it is to build and maintain a reputation. These same executives estimated it takes, on average, between three and four years for a company to recover from serious reputational damage. Some companies never recover. Senior executives widely acknowledge the importance of reputational risk management, but comparatively few effectively plan for a crisis. As a result, when a crisis occurs, companies typically scramble to take control of the situation, and often make serious missteps. A well-conceived crisis management plan, and an organization rehearsed in executing the plan, can not only help avoid a crisis becoming a reputational disaster, it may be the foundation to turn a very bad situation into a net gain in respect from customers and investors. 5

7 Zurich 1400 American Lane, Schaumburg, Illinois A A (09/10) The information in this publication was compiled from sources believed to be reliable for informational purposes only. All sample policies and procedures herein should serve as a guideline, which you can use to create your own policies and procedures. We trust that you will customize these samples to reflect your own operations and believe that these samples may serve as a helpful platform for this endeavor. Any and all information contained herein is not intended to constitute legal advice and accordingly, you should consult with your own attorneys when developing programs and policies. We do not guarantee the accuracy of this information or any results and further assume no liability in connection with this publication and sample policies and procedures, including any information, methods or safety suggestions contained herein. Moreover, Zurich reminds you that this cannot be assumed to contain every acceptable safety and compliance procedure or that additional procedures might not be appropriate under the circumstances. The subject matter of this publication is not tied to any specific insurance product nor will adopting these policies and procedures ensure coverage under any insurance policy Zurich American Insurance Company