Background
Warren Buffett, a man who knows something about value, observed that it takes 20 years to build a reputation and five minutes to ruin it. That thought runs through a recent significant survey. Eisner Amper is one of the largest consulting and accounting firms in the United States. For the past few years it has conducted an annual board of directors’ survey of concerns about the risks confronting boards and companies. The size and background of the survey population mean its conclusions merit close consideration.
Reputation or compliance?
Last year reputational risk overtook regulatory compliance risk as the primary concern. Confirming the trend revealed in the second (2011) Annual Concerns report, reputational risk was again identified as being of most concern. Regulatory risk or compliance failure again ranked as the second greatest concern. Reputation or brand matters because it is hard-wired to company value. In the market-place, the advertisers and marketers will freely tell you that it accounts for up to 80% of a company’s value on the street. Treat it lightly at your peril. Hence the critical importance of company ethos, a value set, policy frameworks, clear communication and procedural guidance around issues such as integrity, fraud, use of company information and social media as these are critical defences of reputation.
Other movers
Both IT risk and privacy risk showed increases from the last survey and both can arguably be linked with reputational risk because failures in systems security inevitably lead to attacks upon a company’s reputation, often by the statements or actions of politicians, the media and public opinion. The exponential spread of social media has turned everyone into a journalist or broadcaster. Nothing travels faster than bad news, a sensational photograph or a manager or prominent person caught misbehaving. The fall-out from an event at Sydney University in late 2012 is testimony to this. Cloud computing and mobile applications are systems revolutions that will require significant investment as they carry real reputational risk in the event of misuse or failure.
Dealing with shocks and change
In a similar fashion, crisis management, which was added as a category this year and scored a very strong 47 percent, is itself also an indicator of reputational concern. To this mix might be added succession planning, where the lack of a cogent plan can lead to real difficulties. Several directors cited succession planning as a looming problem. This is a situation commonly seen in Australia away from the top tier companies. The bottom line is that a series of risks and destabilising shocks can so easily destroy a reputation in double quick time – and in many cases it has been years of hard work to craft it.
Drilling down
Survey results showed that the three major areas of concern regarding reputation were product quality, liability and customer satisfaction. Then followed concerns about integrity, fraud, ethics and the bribery of foreign officials. On reflection, this all makes sense. You cannot separate concerns about company products from integrity, or from IT security, or your marketing. Major IT security failures, where companies’ entire customer lists have been hacked or inadvertently disclosed, have proved disastrous for a number of companies.
Who patrols your defences?
It was noted earlier that policies, procedures, strategies and contingency planning are essential defences of a company’s reputation. As a Chief Executive or a manager, you rely on a group of people to monitor these vigilantly and ensure there is compliance. A key question is whether the skills necessary to perform the various functions (compliance, internal audit, IT security, fraud investigation, human resources) exist within the company. A risk management approach should be taken to determine this, which would include undertaking a cost/benefit analysis on various outsourcing or partnering arrangements. It should not be thought that succession planning is a consideration reserved for positions such as CEO, CFO or COO only. Succession planning carries through middle management to those small pockets of expertise, where particular skills are uniquely blended and not easily replicated. Internal audit may be one of these. A properly prepared business impact analysis in the course of business continuity planning will be a powerful guide to those pockets.
Regulatory compliance carries a particular risk as it may involve local, national and global dimensions, depending on the spread of the company. That demands a lot of time and expertise, with differing requirements and timeframes involved in the different operating environments – from spamming to the release of market sensitive information. It may cost a deal but it is both unavoidable and critical. The quality of your defences is determined by the calibre of those patrolling them.
The management team and the board are key elements in reputational protection through their responsibility to oversee risk. No more obvious example can be cited than work, health and safety, where the obligations of ‘persons conducting a business or undertaking’ are clearly stated and the penalties for failure to exercise those responsibilities are severe. The composition of the management team and the board and their ‘licence’ to question, discuss and disagree with management proposals will be a measure of their effectiveness and their value in protecting the company against the risks discussed here. Also, they may want some independent program to provide them with the level of comfort they wish in relation to some of those risks. That should not be resisted and may dovetail with internal audit’s program.
The impact of the times
Another aspect highlighted by the survey was the focus that should be given, in an economy that is recovering, to internal growth and to internal controls as part of that growth focus. While Australia’s GDP growth remains solid and on trend, many foreign economies with which Australian companies trade are still stuttering after the GFC. Many companies laid off staff during the GFC and some are still slim-lining, so the scope to analyse the risks associated with major new investment proposals may not exist. Again, the courage to acknowledge this and source another solution to the problem will be a test for CFOs and CEOs.
Gerard Walsh
Gerard Walsh is a business risk and resilience management consultant with over 25 years’ security experience, including Corporate Security with global responsibility for AMP and former Deputy Director-General of ASIO.
Disclaimer
All reasonable care has been taken in the research and preparation of this assessment. However, G P Walsh & Associates (GPW) is not responsible for any non-disclosure by the client, its agents or contractors or by government websites, regulatory authorities or other persons GPW has interviewed or consulted in the preparation of this assessment. By commissioning a report, the client acknowledges all such reports require accurate information to inform the detailed assessments and GPW is neither responsible nor liable for any omission or error in its reporting, unless professional negligence is proven. Furthermore, no such inquiry is definitive and GPW can only make an assessment for further consideration of its clients.