Asking the right questions In the reputation economy, businesses need to answer key questions across all areas of operation: Are you confident that your risk appetite reflects your business needs and strategic objectives and that you are operating within this appetite? How are you preparing your people and leveraging tools and technology to create insights and inform effective risk management? Is risk being effectively managed across the ‘three lines of defence’? What role does the board play in the equation? Is the risk culture you have the risk culture that you need, in order to ensure your organisation does ‘the right thing’ now and in the future? Recognising the rapidly evolving reputational environment, entities’ appetite for risk management needs to be aligned to the value of their assets. It’s likely that most organisations under-invest – or invest inappropriately – in reputational risk management given the relative value of the asset and the ease with which that value can be lost. It is not viable, for example, to continue spending millions of dollars throwing large teams of people into risk management and compliance – the second of the traditional ‘three lines of defence’ model of risk – without considering better ways of driving the right risk outcomes. To embed a culture of properly managed reputational risk, ‘old’ skills and approaches need to be updated on the people side, in areas such as training and communications and in the adoption of new tools and skills. There is a need to leverage technology to improve risk management within acceptable cost constraints. In the reputation economy, the right risk outcomes must put consumers at least on an equal footing with shareholders and employees. Or, as the Royal Commission interim report said of financial advice: ‘… it is the voice of risk and the customer voice that must dominate.’ [Vol1 p144] People matter A research paper for the World Economic Forum has argued that we are entering a fourth industrial revolution, characterised by cyber-physical systems. It says: ‘Overall, the inexorable shift from simple digitization (the Third Industrial Revolution) to innovation based on combinations of technologies (the Fourth Industrial Revolution) is forcing companies to re-examine the way they do business. The bottom line, however, is the same: business leaders and senior executives need to understand their changing environment, challenge the assumptions of their operating teams, and relentlessly and continuously innovate.’ Managing reputational risk in this new environment, in which the physical, digital and biological worlds converge, requires the best people management that is available. Transparent data and sound processes are vital, but at the end of the day the integrity of organisational culture rises or falls with the people. From the boardroom to the mailroom, every person in a business needs to embody the key reputational pillars of trust, security and choice by doing, and being seen to do, ‘the right thing’. They must be educated to understand that risk is everyone’s business. Among other things, organisations must invest in continually upgrading and renewing the capabilities of their people. They must instill and reinforce the right corporate values by continually communicating them and leading by example; they must recruit and retain staff wisely and build response programs to answer and remediate customer complaints. They need to ensure that transparent accountability mechanisms underpin strong corporate governance and demonstrate compliance with the law by moving from a culture of ‘trust me’ to ‘show me’. Furthermore, they must establish real-time awareness of breaches and feedback to regulators; and ensure that external providers, partners and suppliers reflect the same values when representing the business. Leveraging data and technology The future of risk advisory in the reputation economy is already here. It lies in the careful application of advanced data analytics, sensing tools and augmented reality technology that will free up the risk advisor to take a proactive, forward thinking role. Advanced technology is the key to helping your people manage the ever-growing complexities of regulatory compliance, good business practice and corporate governance while looking over the horizon to sense the danger signals for the future. As risk advisors, our greatest successes are silent ones. They are the failures and crises that do not happen because we have helped put the right systems in place to prevent or short-circuit them. Of the three broad areas of risk monitoring – reactive, integrated and predictive – reactive remediation, important though it is, should always be the last resort. It costs the most; it is finite and it deals with problems of the past rather than those of the future. Organisations that are good at learning lessons and have a growth mindset are highly motivated to prevent failures from happening again. Fear of regulation and the recognition of the importance of brand reputation drive them to be forward thinking. They want to predict and prevent future problems.