Reputation: the burning platform Reputation is the bedrock of every organisation. As such, it has always been a top priority in managing risk. Now, as faith in once-trusted institutions has plummeted, reputation has become a burning platform – a powerful driver of economic and strategic change. Reputation-based online exchanges that were once on the fringes of commerce are now global behemoths. And the role of digitally-based, multi-channel consumption in driving growth is rapidly expanding, not least in the enormous Chinese economy. Other emerging markets are also coming online. Consumers, particularly the millennial generation, have found their voice in the digital age. Armed with social media tools and instant ratings platforms, they take their business elsewhere at a click. It’s no surprise that reputations are made and broken with astonishing speed. This has brought a new recognition of the economic power of reputation into the heart of the financial and industrial establishment. In short, the reputation economy is now in full swing – and institutions that don’t pay attention to managing reputational risk in this dynamic environment are at its mercy. In Australia, the interim report of the Royal Commission into Misconduct in the Banking, Superannuation and Financial Services Industry has been damning of banks and regulators, not only for allowing greed and profit to trump the law, but also for ignoring reputational risk. It said that long-term advantage, as distinct from short-term gain, entailed preserving and enhancing the reputation of an enterprise as one that engaged in its activities ‘efficiently, honestly and fairly’. ‘To preserve and enhance this reputation, the enterprise must do more than not break the law. It must seek to do “the right thing”.’ [Vol1, p55] It also observed that the banks had treated regulatory compliance ‘as a cost of doing business’ rather than as a foundation that informed and underpinned how the business must be conducted. [Vol1, p67] Reputational risk should not be corralled into the ‘C-suite’. It must be a first-order corporate priority and a compelling concern for everyone from the board down. A wider landscape The reputational risk landscape continues to widen. Beyond the banks, we are seeing how other institutional failings have ruined people’s lives –student safety on campus, the #MeToo movement, child exploitation, and increasingly and urgently, a tsunami of privacy violations in both the private and public sectors, particularly through the theft or misuse of data, and cybercrime more broadly. The government has announced a royal commission into the aged care sector and flagged another into energy providers. To add salt to reputational wounds, Australia’s reputation for integrity internationally is falling. In Transparency International’s latest annual Corruption Perceptions Index of perceived public-sector corruption, Australia ranks as the equal thirteenth least corrupt nation, equal with Hong Kong. It has slid from its position of seventh least corrupt in 2012. In contrast, New Zealand ranks number one – the world’s least corrupt nation. Reputational capital As risk advisors, we view the architecture of risk in the reputation economy as having three pillars: choice, security and trust. It is no longer feasible to argue, as some economists have in the past, that reputational capita is a fictitious commodity. What is not fictitious is the cost to business of losing it. That is, the cost of failing to do the right thing; of becoming an organisation that people do not trust; and of having customers, empowered by digital tools and ratings platforms, able to compare products and switch consumer choices instantly. A 2012 World Economic Forum study found that more than 25% of a company’s value was, on average, directly attributable to its reputation. The 2014 Deloitte Reputation at Risk survey rated reputational risk as the top strategic business risk and said there was an 80% per cent chance of a company losing 20% of its value, over and above the market, in any single month over a five-year period as a consequence of a crisis in reputation. Moreover, that loss was sustained. The biggest impacts of a ‘negative reputation event’ were on revenue (41%), loss of brand value (41%) and regulatory investigations (37%). The latter was higher (46%) in financial services. The underlying drivers of reputational risk related to ethics and integrity (55%) such as fraud, bribery and corruption; security risks (45%), both physical and cyber; and product and service risks (43%). In effect, these are the three pillars of reputational risk: trust, security and choice. Ironically, while 76% of global companies were confident that their reputations were strong, only 19% gave themselves top marks for their ability to manage reputational risk. This hardly suggests that they were striking the right balance. Four years later, changes in societal expectations coupled with more powerful consumer voices and multiple real-time platforms for exposing wrongdoing are demonstrating that in the absence of good reputational risk management, many of the 76% must have been dangerously over-confident. Some might argue that the storm will pass because the recent reporting season has shown continuing big profits returned to some institutions that have displayed the worst conduct. The Commonwealth Treasury commented on this in a submission to the Royal Commission, saying: ‘Of course, when misconduct affecting consumers threatens profitability and reputation, the response of shareholders can be quick and strong.’ [Background Paper 24, July 13, 2018] Treasury also put boards of financial institutions on notice – to prioritise oversight of employee conduct to ensure it is lawful; ensure their risk management systems effectively identify when this conduct causes harm or risk; sufficiently challenge management about inadequate addressing of issues; and to always ensure they have the information they need to discharge their duties. Companies that resist societal and consumer demand for change are putting their businesses at risk in the reputation economy. Those who do not want to look forward are in danger of remaining stuck in expensive cycles of repeat remediation. Risk insights are most valuable when predictive. We see predictive risk intelligence as the key to helping prevent future failures and their inevitable damage to reputation. Risk ownership In the reputation economy it is proving vital to establish clarity about who owns risk. In a nutshell, who is responsible for the performance of an organisation? This has direct consequences for boards and the executive. Whatever governance responsibilities boards may delegate to the ‘C-Suite’, societal norms and tougher rules demand that boards take the lead in stamping out the cultural behaviours that are detrimental to reputation and market value. When a chief executive falls, attention turns to boards. So, as boards see reputational risk occurring outside areas of tolerance, they may become more risk averse. They may need to dig deeper into the business to fulfill their responsibilities, including appointing their own risk advisers. The result might be an expansion of the traditional three lines of defence model – management; risk and compliance; and internal audit – to a fourth line, the board itself. If this were to occur, there would be a need to manage the information overload that is already onerous for board members, bringing advanced analytical and predictive tools into play at board level. Being risk intelligent We are now seeing risk thresholds that cannot be solved by people alone. The volume of data has grown – in effect, there is too much data and not enough insight. The ‘reg tech’ industry is rapidly expanding, using artificial intelligence, natural language processing, sensing and machine learning to automate regulatory monitoring, reporting and compliance functions and to tailor a firm’s data set to its risk based approach. Established technology can pick up regulations, read them, format them to enable compliance registers to be built quickly, and to then draw data to assess compliance within prescribed tolerances. Machine learning and natural language processing can scrape digital documents, select key phraseology and extract requirements. This is saving half the previous amount of human effort, enabling skilled people to be redeployed into activities that require more intellectual firepower. In some organisations that have already invested in expensive technology to build libraries or compliance registers, analytics and machine learning are being used to make those holdings more efficient and streamlined. For example, it is possible to identify where the same activity might have been worded in six ways in the system because it was created by six different units, and reduce it to a single, transparent descriptor and, better still, a single way of controlling risk. Simulations or ‘war gaming’ of emerging risk scenarios are a key part of building organisational understanding and resilience. The trusted adviser Despite the white noise around ‘reg tech’, it does not remove the need for a trusted adviser. No technology is a silver bullet. As the field of predictive analytics develops, it carries emerging risks of its own, including machine bias, exaggerated accuracy and the inclusion of programmers’ personal values or unconscious biases into the design of algorithms. There are also complex ethical and social considerations, such as in the automation of government decision-making and regulatory functions that directly affect citizens’ lives, including those outsourced to the corporate sector. In five years’ time, risk will largely be a data and digital business, but it will be augmented by the expertise and imagination of people. Risk managers of the future will not be spending the bulk of their time on compliance – advanced automation will be the key to that – but will be looking over the horizon to assess and predict how adverse risk events will affect their firm’s reputation. What is certain is that no organisation can simply trade on past reputation, let alone use it to camouflage breaking the law. The past offers little comfort in the reputation economy, whose restless dynamic is reflected in the language of disruption, innovation, transformation and post-truth. There can be no ‘set and forget’. Every business needs to manage reputational risk actively across all areas of risk management, and to continually strengthen its three pillars of trust, security and choice.