How to manage and mitigate reputational risk

Believe it or not, there are actually several reasons for a business to care about its reputation.

Reputation is everything to a business, whether leadership would like to admit it or not. Like a natural disaster or other crisis, public opinion can affect an organization's success.

Data breaches, downtime and outages that stall or slow operations can create a reputational disaster. How the organization handles these incidents will also affect its reputation, as seen with news of high-profile ransomware attacks and the July 2024 CrowdStrike outage.

Low-profile or small businesses might not think reputation is an issue, but it's critical to recognize that public attention can make a material difference in company finances and business growth. Some public relations disasters might even be enough to send a company out of business.

Learn more about reputational risk, how to manage it, and what tools and services might be able to help.

What is reputational risk?

Businesses must manage various risks at any given moment: operational risks, financial risks, compliance risks and risks to personnel. How a business deals with these issues goes a long way toward how it is perceived in the market, and mishandling any of them presents an entirely new risk: a tarnished reputation.

Damage to a company's reputation can negatively affect its brand and just about anything associated with keeping the business viable. For example, failure to implement strong cybersecurity practices might result in malware attacks and other incidents, which could make consumers reluctant to use that business.

It is essential that companies actively manage their position in their chosen markets as well as their ability to achieve -- and exceed -- the expectations of customers, business partners and other third parties, such as regulatory agencies.

Types of reputational risk

There are three types of reputational risk: direct, indirect and tangential. Each can occur separately or in combination with the others.

Direct risks. These arise from actions by the organization, such as experiencing a cyberattack that shuts down operations or distributing a product that causes illness in consumers. These are often the events that make headlines in social and other types of media.

Indirect risks. These risks stem from the actions of a company's employees, such as an employee causing a serious technology outage that affects hundreds or thousands of customers.

Tangential risks. Risks that arise from the actions of a third party, such as a partner organization or supplier, are considered tangential. This is probably the most likely type of risk, as the primary organization might have limited ability to control the actions of third parties.

Regardless of the types of risks affecting reputation, it is essential for company leadership to take these risks seriously and implement strategies to prevent them from happening.

Causes of reputational risk

Reputational risk is now treated as a separate category of risk, even though it is often the result of failures in other areas of business risk. It can result from several factors, separately or combined, including the following:

  • Actions or inactions by the organization or its employees.
  • Ethical breaches that fail to maintain a high standard of integrity.
  • Failure to meet social expectations, such as environmental initiatives.
  • Behaviors and comments that don't align with the consumer base.
  • Poor product quality.
  • Poor customer service.
  • Fraud or financial misdemeanors.
  • Irresponsible data security, training and awareness.
  • Disclosure of cybersecurity incidents due to lack of compliance.

Reputational risk incidents can have immediate and severe consequences for an organization, such as lost sales, a shrinking customer base, fines for noncompliance, costly litigation and financial damage.

Strategies to mitigate reputational risk

Mitigating or eliminating reputational risk starts by acknowledging that such a risk exists and understanding its effects. Conduct a risk assessment to fully understand what caused the issue and what can be done to mitigate the risk going forward.

A risk assessment identifies risks the company faces, determines their likelihood of occurring and defines their impact on the company. Organizations can use data provided by the risk assessment to develop and implement controls for preventing future reputational risks and mitigating the severity of existing ones.

It can also be useful to define key risk indicators that measure perceptions of the company by its customers and stakeholders. Examples of risk indicators include changes in media coverage, comments on social media and increases in customer complaints.

Third-party reputation risk management

Because reputational risks can arise from working with third-party organizations, it is essential to take a risk-based approach to vendor management. This applies both to new vendor relationships and to established ones.

A third-party risk assessment helps to determine the controls that a provider has in place to ensure that its operations are not compromised. In particular, the emphasis should be on the vendor's security controls that prevent cyberattacks, unauthorized access and other disruptions.

To ascertain the vendor's level of protection, consider preparing a questionnaire based on cybersecurity standards, such as the NIST Cybersecurity Framework, and industry regulations, such as PCI DSS, HIPAA and GDPR.

Issues to research might include the following:

  • Existing security controls.
  • Storage and processing of sensitive data.
  • Use of authentication.
  • Frequency of data backups.
  • Availability of an incident response plan.
  • Emergency communications technologies.
  • Efforts to ensure regulatory compliance.
  • Availability of privacy and cybersecurity policies.

Organizations might then rank vendors based on the level of risk they present to better assess threat potential. It is also important to research the vendor's history and reputation. This can include identifying previous operational, financial, social and other issues, and how the vendor addressed them and reset its reputation.

Reputation management tools

Dozens of software tools are available to support reputational risk management.

In practice, reputation management software monitors and captures interactions associated with brands across multiple media outlets. It does this by analyzing communications from customers -- good and bad -- and alerting the company about them. A growing number of tools have AI capabilities to better analyze reputational data and provide recommendations.

Advisory firms also offer reputation management assistance, both for improving an organization's reputation and for repairing a damaged one.

Some available reputation management products include the following:

  • Birdeye.
  • BrightLocal.
  • DemandHub.
  • NiceJob.
  • Podium.
  • ReputationDefender by Norton.
  • Reputation Experience Management.
  • Reputation Rhino.
  • Swell.
  • Yext Digital Presence Platform.

Note that some of these tools are designed to help the customer improve their standing online, while others help recover and repair a damaged reputation. Some tools address both situations.

Paul Kirvan is an independent consultant, IT auditor, technical writer, editor and educator. He has more than 25 years of experience in business continuity, disaster recovery, security, enterprise risk management, telecom and IT auditing.