The influence of reputation risks on risk appetite
KEVIN VAN SCHAGEN
University of Groningen, Faculty of Economics & Business MSc. Business Administration
Specialization: Organizational & Management Control
University supervisor: prof. dr. D.M. Swagerman Assessor:
Kevin van Schagen s2358700
Eendrachtskade 10d10 9726 CW Groningen
[2]
Summary
[3]
Abstract
This paper has the aim of exploring the relationship between reputation risk and risk appetite. Risk appetite can be seen as the willingness of management to take risks in order to pursue business objectives. The focus lies on how reputation risk plays a role when an organization determines her risk appetite. Based on twenty-two semi- structured in-depth interviews, this study tries to determine how this relationship is seen by risk management experts. The study's exploratory character allows that every new insight and pattern can be treated as a new conclusion. The results show that most organizations take reputation risk into account when a risk appetite is determined. Furthermore, reputation risk is seen as a risk that is hard to manage and organizational culture can have influence on the reputation of an organization. Finally, the analysis of theory and interviews resulted in some propositions for future research that can help in creating new empirical literature.
Keywords: reputation, risk management, risk appetite, reputation risk, exploratory research, semi-
[4]
Table of contents
Summary ... 2 Abstract ... 3 Introduction ... 5 Research question ... 5 Purpose ... 6 1. Theory section ... 6 1.1 Risk appetite ... 6 1.2 Reputation ... 9 1.3 Reputation risk ... 14 1.4 Overall reflection ... 19 2. Research design ... 21 2.1 Data collection ... 21 2.2 Selecting respondents ... 22 2.3 Data analysis ... 23 3. Results ... 243.1 Role of reputation risk ... 24
3.2 Managing reputation risk ... 28
3.3 Developments regarding reputation risk ... 32
3.4 Reputation risk and organizational culture ... 35
3.5 Analysis of results ... 37
4. Discussion ... 39
4.1 Interpreting interviews ... 39
4.2 Combining interviews with theory ... 42
5. Conclusion ... 44
5.1 Limitations ... 44
5.2 Suggestions for future research ... 44
References ... 45
Articles ... 45
Publications ... 48
Appendix ... 50
Appendix 1: Interview guide ... 50
[5]
Introduction
Warren Buffett, CEO of Berkshire Hathaway, stated that ‘‘It takes twenty years to build a reputation and five minutes to ruin it”1. This means that reputation is a vulnerable object and can easily disappear by any organizational action. Furthermore, this is one reason why we believe that reputation risk should play an important role in determining an organization's risk appetite. In the last twenty years, there has been much debate about reputation risk management but not about the place of reputation risk an organization's risk appetite. Reputation risk is mainly viewed as an operational risk and it can influence entire industries (Aula, 2010), yet some call it a strategic risk because risks are created by business strategy decisions2. However, there are still some improper
defined influences in the field of reputation risk management. For example, the financial crisis of 2008 had enormous impact on the reputations of all sorts of organizations, financial institutions in particular, still it is not clear whether organizations are putting more effort in the determination of reputation risk when they are determining their risk appetite.
According to Ernst & Young (2013), the financial service industry placed much more emphasis on reputation risk than in 2012. They further stated that a core challenge is to embed risk appetite in business decisions. Furthermore, risk appetite must be broadened to encompass reputation and operational risk (Ernst & Young, 2013). Ernst & Young (2013) also showed that Chief Risk Officers placed reputation risk at the twelfth place (21%) regarding risk issues they give attention to. In general, an organization’s board ranks the importance of reputation risks even lower (Ernst & Young, 2013). This seems strange because reputation risk can be highly influenced by the (social) media (Aula, 2010). One explanation is that reputation risk is experienced to be more difficult to manage than other risk category (ACE, 2013).
The focus on reputation risk is important because four out of five executives believe that an organizations’ reputation is its most valuable asset (ACE, 2013). Moreover, they argue that globalization and regulation can be seen as the biggest sources of reputation risk (ACE, 2013). Even though ACE (2013) addresses the importance of dealing with reputation risks, there seems to be not enough attention of importance of reputation risks when determining an organization's risk appetite.
Research question
This study beliefs that there is need for employees, managers and whole organizations to become aware and to understand the importance of reputation risks. In this way, reputation risk can
1
http://business.time.com/2010/03/01/warren-buffetts-boring-brilliant-wisdom/. Seen on June 16th, 2014.
2 http://deloitte.wsj.com/riskandcompliance/2013/10/02/why-reputation-risk-is-a-strategic-risk/. Seen on
[6]
eventually lead to one of the factors in an organization's risk appetite. The object of this study is to find out what the role of reputation risks is in organizations, what the developments are and how reputation risks play a role when an organization determines her risk appetite. Data is gathered by conducting interviews with risk managers and people who have a lot of experience in the field of risk management. This research purposes to increase the understanding of dealing with reputation risks and tries to create new empirical evidence whether reputation risk is indeed playing or needs to play a bigger role in the determination of the risk appetite. This study aims to answer the following research question: "What is the importance of reputation risk in an organization's risk appetite"?
Purpose
The aim for this exploratory research is to create new understanding and insights of the way reputation and reputation risk play a role in an organization's risk appetite. Theoretic analysis and twenty-two semi- structured in- depth interviews are used as methods to execute this study. What means reputation and reputation risk in practice, how is it influenced and in what way can organizations manage this type of risk? This study has the intention to come up with recommendations and new insights to improve organization's effectiveness in reputation risk management and to provide new handles for further research in this area. This paper is written from the aspect of risk management. Risk management is a very broad subject, so its scope has to be well-defined. This study will focus on three things; risk appetite, reputation and reputation risk.
The remainder of this paper is the following; the theory is set out in section one. This theoretic chapter gives a broader view of the concept and state-of-the-art of risk appetite, reputation and reputation risk. Section two contains the methodology and thus the way the theory was collected and the interviews were conducted. The third section describes the research results and on the basis of the interview questions the most important observations are described. The fourth section contains the discussion and finally, section five answers the research question and proposes new insights for future research.
1. Theory section
1.1 Risk appetite
[7]
Risk appetite can be seen as the willingness of the management to take risks in order to pursue business objectives (Anderson, 2011). Lentino (2012) defined risk appetite as the type and level of risks an organization is capable of and to accept in their organizational activities, with the commitments to stakeholders and organizational goals in mind. British standards of risk appetite contain more detail, which stated that risk appetite is the amount and type of risk that an organisation is prepared to seek, accept or tolerate (Anderson, 2011). We believe that risk appetite is not as much focused on boundaries, but that risk appetite is about tolerance and capability. Every organization takes risks to pursue her goals, but it is important that management knows how tolerant and what they are capable of when taking these risks. It is necessary to hold in mind that risk appetite is a subjective concept and therefore are tone at the top and risk perception strongly related to risk appetite. The willingness of the managers to pursue these objectives can be seen as a certain "tone at the top". According to NBA (2012) "tone at the top is the visible willingness (or absence thereof) by top management to prioritize corporate values above other values in decision making and to expect all others in the organization to do the same" (p. 5). We believe that tone at the top can be seen as an outcome of perception of the management to take certain risks, in other words risk perception. Risk perception can be seen a subjective assessment of the probability of a certain type of risk that occurs and how aware managers are with the consequences (Sjöberg et al., 2004). It is important that managers during risk perception also take the negative outcome in mind. A properly defined risk appetite translates risk metrics into business decisions, reporting and day-to-day business discussions. A risk appetite sets the boundaries which form a link between strategy, goals and risk management (Sabato, 2010). In fact, with a set of combined qualitative declarations and quantitative measures a risk appetite has to sum up the acceptable risk profile and the organization's strategy (Lentino, 2012). It seems that the function of risk appetite is quite similar seen by Sabato (2010) and Lentino (2012). We agree with both statements because we believe that a risk appetite always should relate to an organizational strategy.
[8]
the "fit" with the other organizational activities. Moreover, these factors combined with the risk capacity and risk measures enable a balanced risk appetite that need to be articulated and monitored. This paper agrees with the arguments of Barfield (2007) because we believe that before an organization can determine its risk appetite, it has to determine the risks that they are capable to take and that this capacity does not have negative influences on business results.
As said before, it is almost impossible to define one risk appetite for an organization. This is seen as one of the fundamental problems. Risk has an intangible nature and therefore organizations struggle to clearly define a risk appetite (Riley & Wilson, 2011). Normally, risk appetite has different gradations. Anderson (2011) describes simple terms that organizations can use to define their risk appetite; avoid (terminate risk), averse, conservative, receptive (take risk if expected reward warrants, within limits) and unlimited (take risk if expected reward warrants, unconstrained by limits). Simply stated, an organization that takes a lot of risks can be seen as risk hungry, and organizations that take less risks can be described as risk cautious. Risk appetite cannot be defined in totality for an organization using these simple one word labels (Anderson, 2011). If an organization does not take any risk it has almost no future, whereas the unlimited form of risk taking can easily result to bankruptcy of the firm. The gradations that Anderson (2011) described and in the same article sort of denied, are indeed to simple to set an organization's risk appetite. This research noticed that organizations use different framework to determine their risk appetite. In the COSO risk assessment model for example, impact of risks is combined with potential of risks (COSO, 2012). The risks that are present in this framework are depending on the business. This approach seems to be a better way of determining the organizations' most important risks. Furthermore, we believe that it is impossible to define an overall organization-wide risk appetite and that in this dynamic economy risk appetite should be defined per project or department.
Anderson (2011) stated that traditionally risk averse organizations, who decide they want to take certain risks and forget the need for retaining decent control levels, have a big chance of failure. Also, innovative organizations that decide that they are risk averse to a certain type of risk and forget to exercise or increase control levels, are equally likely to fail (Anderson,2011). It can be stated that an organization need to adapt her control level to the risk taking level. This last statement is one of importance because in a firm with tight control levels because we believe that employees in these surroundings probably do not have freedom to take much risk and vice versa.
[9]
situation. An interesting example in Sabato (2010) describes the situation of a bank in case of a well defined risk appetite framework. If a bank has his risk appetite defined well, "it provides internal senior management and external stakeholders with a clear picture of where it currently stands and how it wants to grow in terms of concentration and expected returns of its assets". What Sabato (2010) stated about the question of judgment is precisely what we see as the key to risk appetite. This question of judgment is related to a risk perception and tone at the top, both already earlier mentioned. Organizations cannot define or include every risk when determining a risk appetite. Credit risk and market risk are some frequently used standard risks still there are enough risks that are hard to define and are just a gut feeling from managers who define a risk appetite.
Organizations can have a taste for certain types of risk that other organizations may avoid (D'Arcy, 2009). This can have multiple reasons. One example is when a firm took risks in the past that paid off, so which resulted in a favourable past experience. Also, specialized expertise of an organization (for example in the oil and gas industry) that comes with different and specialized risks may be another reason for this different taste. D'Arcy (2009) further argues that few organizations would be willing to accept the possible loss of one million dollars, in return for a payment of a far lower amount. What D'Arcy (2009) forget to mention is that risk appetite can change over time. A favourable past experience can also be substituted for an unfavourable experience. If operational activities led to an accident and eventually resulted in additional rules to prevent, it can be argued that risk taking and risk appetite are decreased.
D'Arcy (2009) stated that risk appetite must consider the income statement for measuring the effect of risks on earnings, the balance sheet for determining the impact of risks on financial ratios, and all other items that could affect the financial position of an organization. Naturally, financial statements are important when determining a risk appetite. However, we argue that there are other aspects to be considered. When looking at risk appetite, organizational culture is an important aspect that can have influence on the risk appetite. In particular, when an organization is adjusting this appetite and need to convince employees to be aware of new risks and new risk appetite. Other types of risks that are often considered in a risk appetite are operational, strategic and compliance risks.
1.2 Reputation
[10]
stakeholder is the reputation of the CEO, which appeared to be "very important" by fifty percent of the respondents (Gaultier- Gaillard & Louisot, 2006). It seems plausible that the customer has the most influence on a firm because they can build and destroy a reputation. Failing of personnel or whistleblowers can also damage a reputation. Even if the reputation of the CEO is mentioned as the third most important stakeholder, we argue that it might be even more important than personnel. We argue that a CEO is the most important representative of an organization and is often a public figure. If we take a look at the tax fraud that arose with the building of the new KPMG headquarters3, it appeared there were highly important executives involved and the reputation damage is enormous. This damage is probably a lot higher if we compare this with disclosure fraud by regular accountants.
Gotsi & Wilson (2001) define a reputation as “a stakeholder’s overall evaluation of an organization over time” (p. 29). This overall evaluation is made up from the stakeholder's experience of the visible behaviour of the organization, the images based on the organization's communication and its symbolism compared to competitors and the market (Gotsi & Wilson, 2001). Another definition is described by Barnett et al. (2006), who see corporate reputation as the observers’ collective judgments of a corporation based on assessments of the financial, social and environmental impacts attributed to the corporation over time. Wartwick's (1992) view of corporate reputation is as "the aggregation of a single stakeholder’s perceptions of how well organizational responses are meeting the demands and expectations of many organizational stakeholders" (p. 34). Further interesting definitions are stated by Waddock (2000), who defined reputation as the perceived capacity that an organization has to fulfil their stakeholders' expectations and Sandberg (2002), who posited that "corporate reputation is about the predictability of behaviour and the likelihood that an organization will meet expectations" (p. 3). According to Gaultier-Gaillard & Louisot (2006) "reputation is built on the trust established with all stakeholders through past appropriate behaviour and it is a social construct that tends to rest on individuals’ beliefs and perceptions" (p. 425). All these different perceptions of stakeholders generate actions and reactions (Power et al., 2009). Scott & Walsham (2005) argue that reputation refers to the "standing of a person or collective and in its broadest sense reflects what is generally thought or said" (p. 308). Clardy (2012) concluded that reputation involves both beliefs and judgments held by people in general public or special niche groups outside the organization. As can be concluded from this different definitions, reputation is a matter of perception and organizations try to influence this perception through their financial, social and environmental behaviour. If we take the definition of Wartwick (1992) into account, a couple
3
[11]
elements of his definition are key to the whole concept of reputation namely, perception and meeting demands and expectations. Waddock's (2000) definition has its focus on exactly the same elements. It seems that in eight years, the definition of reputation did not change at all. In the new millennium Gotsi & Wilson (2001), Sandberg (2002), Fombrun (2002), Scott & Walsham (2005), Barnett et al. (2006), Gaultier-Gaillard & Louisot (2006) and finally Clardy (2012) did not changed the essence of the definition. We agree with all these different definitions because we believe that the focus of reputation lies on the behaviour of the organization, how they are seen by stakeholders and how they are going to meet these expectations.
Rayner (2001) described seven main drivers of reputation: financial performance; corporate governance and quality of management; social, ethical and environmental performances; employees and culture; marketing, innovation and customer relations; regulatory compliance and litigation; and communication and crisis management. All these drivers can contribute to generate reputation capital, which is the fluctuation of organization value (Fombrun et al, 2000). Other main attributes are argued in the paper of Gaultier-Gaillard & Louisot (2006): financial strength; financial morality; organization’s success; core know-how; quality of management; quality of strategy; combativeness; innovativeness; reference on home market; and quality of communication. Gyomlay & Moser (2005) argue that a good reputation has many drivers and that these drivers change over time to reflect the changes in business and society. Moreover, they stated that in modern times these drivers are extended with emotional appeal, social and environmental responsibility, treatment of employees, financial performance, products and services and vision and leadership (Gyomlay & Moser, 2005). When we compare the drivers of Rayner (2001), Gyomlay & Moser (2005) and Gaultier-Gaillard & Louisot (2006), they all include financial performance. Anyhow, this does not mean that this is the most important driver of reputation. We believe that the most important drivers are customer relations and strategy. The former because reputation is about perception and firms need to meet customers' expectations. In line with the literature, we also believe that strategy influences financial results. When a strategy is only focused on making profit and no attention is given to environmental factors or employee treatment, this strategic choices can potentially harm a firm's reputation.
[12]
performance. We agree with Gyomlay & Moser about managing an organization's reputation, since reputation damage can result from any source inside or outside a business. One thing we believe that management can do to reduce this chance, is to follow the suggestions of Gyomlay & Moser (2005) to be more transparent, consistent and authentic. In this way, we argue that an organization will get more credits from society and keep their reputation at a high level.
It is important to understand that reputation is a complex relational concept. Reputation can be defined according to three distinct clusters (Barnett et al., 2006), reputation as a state of awareness, as an asset or as an assessment. According to Fombrun et al. (2001), a corporate reputation includes reputation as an economic asset (reputation capital), a representation (image) and a judgment (reputation). A firm's reputation is part of its intangible assets. Intangible assets can be brand, human capital, goodwill etc. ACE (2013) argues due to this valuation of reputation, reputation risk is hard to manage. Reputation is such an important asset because loss of reputation can result in: increased scrutiny by regulators, insurers and society; reduced patronage by customers and investors; and lower employee morale (Dowling, 2006) Because reputation is an intangible asset, its directly affecting the market value of the firm (Gaultier-Gaillard & Louisot, 2006). If an organization is able to manage the risks to reputation, it can be a protection for its brands. Gaultier- Gaillard & Louisot (2006) posited that the managing inherent risks is transversal in essence. Furthermore, they also stated that reputation building is a long-term effort, a trust base on which the image of the firm is forged and organized (Gaultier-Gaillard & Louisot, 2006). When we compare the elements described by Barnett et al. (2006) and Fombrun et al. (2001), the latter description seems to be more clear. It is not clear what Barnett et al. intended with reputation as an assessment. Therefore, we prefer the idea of Fombrun et al. (2001). We also agree with the statement of ACE (2013) that reputation is hard to manage because of its complexity and that it can be influenced by a variety of sources. Gaultier- Gaillard & Louisot (2006) stated that it takes a long time to build a reputation and it also a matter of trust, this is another indication of reputation as complex concept. What Dowling (2006) mentioned can be related to the main drivers of reputation. We believe that he added the scrutiny option because reputation is an asset and decreasing assets inevitable lead to decreased financial performance. Therefore, we believe that a reputation indeed should be treated as an intangible asset because a declining reputation can, in our opinion, lead to declining revenues.
[13]
because reputation is seen as an effect for which the causes can be multiple and often obscure. If an organization has its primarily focus on reputation, it actually implies that it has its focus on blame (Hood, 2002). What Hood (2002) stated is that if an organization indeed incurs reputation damage, there will be searched for a victim. We do not believe that firms should primarily focus on reputation because reputation or reputation management has to be an overarching device spread throughout the whole organization. Siano et al. (2010) stated that an attack on a reputation can be an opportunity if an organization is modest and do not fight back with the same means. We argue that it is important to react quickly and to focus on positive points when addressing the organization to the public, but do not deny any eventual misconduct. The CEO plays an important role and this executive eventually needs to convince the stakeholders. The earlier suggestions of Gyomlay & Moser (2005) can be a guidance in this sort of situations. What is important to understand, is that a reputation cannot be seen as an attribute of an organization, reputation simply exists in the mind of others. Organizations can possess a good reputation, yet it actually owns benefits of a positive consensus about its conduct (AON, 2013). Moreover, AON (2013) uncovered that many organizations seek to actively manage their reputations by instilling and reinforcing positive associations in the minds of the stakeholders that are important to the business. An organization must be able to monitor external perceptions and responding quickly to threats if it wants to properly manage a reputation (AON, 2013).
Simply stated, a good reputation has positive influence on organizations and probably enhances the firm's business activities. On the other hand, a bad reputation has a lot of potential negative consequences on the behaviour of customers and investors. This weak reputation can lead to decline of firm value. We stated earlier that employees can influence an organization's reputation. When we look at the Greenpeace example in the box4, the behaviour of this employee can result in decreasing donations.
Greenpeace International issued an apology Monday amid reports the environmental organization lost 3.8 million Euros, or about 5.2 million Dollar, on foreign currency trades.
The group said a Greenpeace employee acted “beyond the limits of their authority and without following proper procedure” when entering into fixed rate currency exchange contract while the euro was gaining strength. The organization has since fired the employee responsible and says the employee did not benefit personally from the mistake. An independent audit of the error will be conducted.
“We offer a full apology to our supporters for the series of errors that led to the loss,” Greenpeace said in a statement. “We further wish to reassure people that every possible action is being taken to avoid the possibility
4
[14]
of such a loss ever occurring again in future.”
The loss will be reflected in the organization’s upcoming budget, which will reportedly show a deficit of 6.8 million Euros in 2013. To make up for the loss, Greenpeace says it will not take money from its environmental protection funds to cover the loss, but instead they will make amendments to its “infrastructure investments."
As mentioned before, reputation is about perception. It is not about what you have done, but what you are perceived to have done, or not done (Thirlwell, 2011). If the gap between the expectations and the reality gets too wide, a firm's reputation will suffer, so it is important to manage this gap and keep it as small as possible.
1.3 Reputation risk
Reputation risk is an important aspect of today’s business environment. Reputation risk are risks that potentially harm an organization's reputation. In every industry an example of reputation damage can be found. For example, as result of the Libor rate affair, Rabobank paid a 774 million dollars fine, however according to NRC5, the effect on their reputation is much higher than the effect on the financial stability of Rabobank. This article suggests that the customers were duped and this led to reduced customer trust and finally to reputation damage.
Dealing with reputation risks is important because reputation is a major risk for all organizations and according to research of CIMA (2007), it needs to be considered alongside all other major risks such as financial, operational and strategic risks. The majority of executives and investors see reputation risks as the most significant threat posed to an organization's business operations today (Tonello, 2007). We agree with the suggestion made by the CIMA (2007) because basically every risk can result in reputation risk. The statement made by Tonello (2007) can also count on approval because we believe that a bad reputation can have negative consequences for organizational activities.
There are quite some different definitions of reputation risk. Already in 1995, the US Federal Reserve described reputation risk as the potential that negative publicity regarding an institution’s business practices, whether true or not, will cause a decline in the customer base, costly litigation or revenue reductions. In general, a reputation risk is any risk that can potentially damage the standing or estimate of an organization in the eyes of third-parties (Micocci et al., 2008). CEA (2007) defined reputation risk as the risk that adverse publicity regarding an insurers’ business practices and associations whether accurate or not, will cause a loss of confidence in the integrity of the institution. Fombrun et al. (2000) define reputation risk as the range of possible gains and losses in reputation
5 http://www.nrc.nl/nieuws/2013/10/29/rabobank-krijgt-boete-van-774-miljoen-euro-voor-liboraffaire/. Seen
[15]
capital for a given firm. Basel Committee (2001) used a similar definition for the banking industry, stating that reputation risk is "the potential that adverse publicity regarding a bank’s business practices and associations, whether accurate or not, will cause a loss of confidence in the integrity of the institution” (p. 7). Power (2009) argues that reputation risk is "the organizational label for diverse institutional pressures for visibility and accountability" (p. 316) and the definition by Kitchen & Schultz (2001) stated that reputation risks are "organization’s risk of suffering economic consequences caused by a deterioration of customer and stakeholder opinion and loyalty, following events which impact negatively on the impression and credibility of the organization within its market sector". We argue thatreputation risks can arise from every action or event taken by firms and stakeholders. Therefore, it is important that the sources of these risks are identified, analysed and finally managed. Let's take the definition of the US Federal Reserve as starting point. They emphasize on two main points, decline in revenue/customers and negative publicity. In this matter, Fombrun et al. (2001) only focused on possible gains and losses in reputation capital, this can be linked to the decline in revenues already mentioned in 1995. We argue that he description of Kitchen & Schultz (2001) is the most accurate because they include stakeholders opinion and loyalty which are indispensible for a reputation. Micocci (2008) and Power (2009) include the element of perception, which is a logic choice witnessing the definition of reputation in an earlier chapter. To conclude, all of these definitions make perfect sense and are clear, as long as the matter of perception and stakeholders are taken in to account.
[16]
Tonello (2007) indented with his statement that the triggering event creates other business risks, lies in the fact that reputation risks are in constant interplay with other risks such as operational, strategic and environmental risks. A strategic risk can cause reputation damage, but conversely as well. The determinants of Eccles et al. (2007) catches the most important ones. Damage to reputation or risks to reputation are resulting from the gap between expectation and reality. We believe that this is the primary source of reputation risk and we miss this particular source as driver within the main drivers according to ACE (2013). We argue that reputation risks can have many different origins and depending on the business type. In the financial services industry, exploitation of conflicts of interest is one of the main important sources of reputation risks (Walter, 2010).
Walter (2010) argued that reputation risk is not the effect of discrete events but rather the consequence of management processes. Moreover, the most important thing is to understand that reputation risks has many origins. Gotsi & Wilson (2001) stated that crisis can impact the reputation of a firm. Globalization, incomparable use of technology to exchange information and social media made a reputation hard to control (Jacob, 2012). Especially, social media is an underrated risk. Social media can serve as a marketing tool, yet it can also harm a reputation by the means of unsatisfied customers who use social media to express their displeasure. For example, furious social media users after the discrimination case of a little girl who was forced to leave a KFC restaurant in Jackson, Mississippi6.
JACKSON, Miss. – The outrage came hard and fast after a 3-year-old girl badly scarred and wearing an eye patch because of a pit bull attack was apparently asked to leave a KFC restaurant.
Allegedly a restaurant employee said the girl’s appearance upset other customers.
Social media users opened fire on the restaurant, calling for a boycott, and the organization’s apology came soon after.
The organization said it will donate $30,000 to assist with the girl’s medical bills. “The entire KFC family is behind Victoria,” organization spokesman Rick Maynard said.
In the study of Micocci et al. (2008), executives ranked social media as the 40th most important risk. Jacob (2012) mentioned in her study that many social issues like labour practices and the environment are more visible, and these have a direct impact on reputation. Jacob (2012) and Micocci et al. (2008) came up with some interesting developments that make it even harder to manage reputation and increases the chance of reputation risks. Everything is visible nowadays,
6
[17]
people share information faster than ever and this can evolve from a bad treated employee into boycott of the organization's product. This is of course a dramatic example, but it shows how fast reputation damage can result in other types of risks. Furthermore, we have the feeling that the importance of social media is underestimated in Micocci et al. (2008). On the other hand, if that study was executed today, social media was probably ranked higher.
Senior executives find reputation risks harder to manage than other types of risks (Tonello, 2007). ACE (2013) shows various reasons why this is the case. First of all, reputation risk can arise from many different sources. Secondly, organizations also find it difficult to define and categorize reputation risks. Thirdly, seventy percent of their respondents have trouble finding advice of managing reputation risks. Gotsi & Wilson (2001) argue that a clear understanding of a corporate reputation is essential for good reputation risk management. When managing reputation risks, two fundamental objectives are involved: the minimisation of significant causes of reputation risk (Winter & Steger, 1998) and the minimisation of potential harm caused to reputation (Siano et al., 2010). To minimize the former, Albrecht (1996) stated that it has to involve action which reduce the chance of events that could harm a firm's reputation. Siano et al. (2010) posited that the latter has to involve implementation of crisis communication. This was already the conclusion of Brewer et al. (2006) who argue that if an organization is unprepared for reputation damage, the damage of this event can be a lot higher. It can be noticed that the approach to manage reputation risks did not change in the last years. ACE (2013) confirms the statement already made by Tonello (2007). We argue that these reasons are indeed the most important ones. What Gotsi & Wilson (2001) posit seems to make sense because when you do not understand something, it is impossible to manage. The two fundamental objectives mentioned by Winter & Steger (1998) and Siano et al. (2010) are logical yet hard to influence. Organizations try to reduce these kind of events, but as earlier mentioned, the causes of reputation risks come from many different sources. Therefore, we posit that the arguments made by Albrecht (1996) and Siano et al. (2010) are reasonable yet too static because it is not exactly clear what actions need to be taken. Albrecht (1996) has its focus on crisis, but actually we believe that organizations must try to take action before a crisis and avoid it. What Brewer et al. (2006) argue can be compared with Gotsi & Wilson (2001), an organization has to know their reputation and need to know that a reputation can be damaged. We argue that if this relationship is indistinct, they eventually have no idea how to respond to this damage.
[18]
account like social risks, environmental risks and compliance- related risks (Jacob, 2012). Managing this type of risk is both an inside -out and outside -in challenge (Rayner, 2009). Rayner (2009) stated that the inside -out component requires executives to have a decent vision, appropriate values and strategic objectives that will guide behaviours and actions throughout the whole business. Moreover, she argues that the outside -in component requires the constant scanning of the external environment by the organization and to explore the opinions of the stakeholders to ensure it is on the right track to held the support and confidence of stakeholders. Only systematic reputation risk management can help to ensure that the expectation do not exceeds reality, so that the stakeholders keep their confidence (Rayner, 2009). An organization can only in this way build her business, safeguard, and enhance a sustainable reputation in the long term (Rayner, 2009). Eccles et al. (2007) stated that effectively managing reputation risk involves five steps: assessing your organization’s reputation among stakeholders, evaluating your firm’s real character, closing reputation reality gaps, monitoring changing beliefs and expectations, and putting a senior executive below the CEO in charge. ACE (2013) came with other suggestions to manage reputation risk. A couple important suggestions are: put the CEO in charge of reputation risk, incentivize employees to guard your reputation, value your reputation capital and plan for the next crisis. An organization must realize that these reputation risks do not exist out of the blue yet are a result of other types of risk (KPMG, 2008). We already agreed with this statement because we believe that reputation risk is not a separate but an outcome of other types of risks. For example, when an employee dies because of bad work circumstances, the organization's reputation will suffer, however this does not imply to focus on the reputation risk yet the focus has on the failure of managing operational risks. The Bank of America case7 of the death of an intern is a perfect example in this matter.
The death of an intern working at the London offices of Bank of America Merrill Lynch has prompted calls for city firms to take more responsibility for the ambitious graduates who push themselves to the limit to secure jobs at the world's top banks.
Moritz Erhardt, collapsed at his London home in Bethnal Green on Thursday, after allegedly working until 6 a.m. for three days in a row at Bank of America Merrill Lynch's (BofA) investment banking division. The cause of his death is unknown.
London's Metropolitan Police confirmed they are not treating the death as suspicious, and said the post-mortem has yet to be completed.
Attracted to the glass towers of finance in London, New York and Singapore by the prospect of securing a full-time job and hefty wage, future "masters of the universe" often face 20-hour days in some of the most
7
[19]
adrenaline-soaked offices on earth.
Weekends at work and meals in the office are par for the course with anecdotal reports of the "magic roundabout" where interns get a taxi home after dawn and leave it waiting while they have a quick shower and then return to work.
But in the wake of Erhardt's death, a group that advises graduates hit out at employers who allow young interns to work punishing hours. In addition, recruitment agencies that deal specifically with interns called for an independent body to support young people working in the finance industry.
The statement made by Jacob (2012) fits exactly in the changing world because regulators pose more rules, the environment becomes more important and all these risks can harm a reputation. There might be a dozen other risks that need to be taken into account when managing reputation risks. When we compare the ideas of Eccles et al. (2007), Rayner (2009) and ACE (2013) there are differences. Where Eccles et al. (2007) argued to put an executive below the CEO in charge, ACE (2013) stated to put the CEO in charge. We suggest that a Chief Risk Officer needs to be installed as member of the board and make this person responsible for protecting the firm's reputation. Therefore, we agree with Eccles et al. (2007). All other steps in Eccles et al. (2007) are also understandable, with closing reputation reality gaps as most important one. As said before, we believe that reputation damage arises when an organization does not live up to its promises. Eccles et al. (2007) and Rayner (2009) agree on the fact that stakeholders are the most important aspect of reputation risk management and we follow this argument as well. Finally, Eccles et al. (2007) and Rayner (2009) are quite similar in approach and the five steps of Eccles et al. (2007) can be leading in approaching reputation risks.
1.4 Overall reflection
There is quite some literature about risk appetite, reputation and reputation risk. The different definitions of risk appetite are all quite similar. Researchers are quite aware what risk appetite is yet we believe that the subjective character of risk appetite is missing in these definitions. Although we seem to approach risk appetite as an objective concept, we keep in mind that this concept is
[20]
Reputation is a subject that is very well researched and researcher have quite similar definitions developed. What is missing, is the relationship with and the place in the risk appetite. Therefore, this study is going to research this interesting relationship. The definition of reputation has to include the behaviour of the organization, how they are seen by stakeholders and how they are going to meet these expectations. There is some consensus in the literature that the drivers of reputation can come from many different sources. Organizations can have different ways to deal with reputation. There is not much conformity along the literature and a lot ideas are given. It shows that reputation is a difficult thing to manage because the build-up is so complex.
If we take reputation risk into account, it shows that some papers already posit to see reputation risk equal in importance to financial risks. Even though there are some different definitions regarding reputation risk, we believe that it is important to emphasize on perception and stakeholders. There is still some disagreement what the main drivers of reputation risk are, yet we believe that the biggest risk is that you do not live up to the expectations of the stakeholders. As well as reputation,
reputation risk can come from multiple sources and the literature comes up with many. This also depends on the type of industry an organization operates in. We have the feeling that the impact of social media on reputation is underestimated. Fortunately, senior executives beginning to recognize the importance of reputation risks. The sole question remains: do they take this risks into account when a risk appetite is determined? The management of reputation and reputation risks are in general seen as a difficult task. Hence, there are some studies developed to help organizations with this task. We believe that all these studies has some good and weak points, and they are certainly not similar, but it is impossible to generalize these potential solutions for all organizations.
[21]
2. Research design
This research has the aim to explore the relationship between risk appetite and reputation (risk). This study is an exploratory research because nowadays not much literature can be found about this relationship and the problem is not defined. This means that the relationship still has to be constructed. Furthermore, this study uses an interpretive approach to understand how the interviewees see reputation in relationship with risk appetite. The reason for this is that an interpretative researcher seeks to describe and understand people's meanings and the implications that different meanings hold for social interaction (Gephart, 2004). The emphasis of this study is to understand specific situations, influences, perceptions and impressions of the interviewees and to conduct new empirical results about the relationship between reputation and risk appetite.
2.1 Data collection
A variety of methods is used in the attempt to answer the research question. This study used an analysis of semi-structured in-depth interviews and organizational documents, which is a good way to assemble rich, empirical data (Eisenhardt and Graebner, 2007). As mentioned before, this is an exploratory research and semi- structured interviews are used to provide further information about the research area8. By using this interviews we try to find out more about the relation between reputation and risk appetite and looking for new insights in risk management. During the interviews we used a non-directive approach to encourage the interviewees to talk freely about the events, behavior and their beliefs in relation to risk management. If we take a look from triangulation perspective, it is better to use multiple sources. Furthermore, all these different sources added more richness to the data and therefore the external validity will increase (Yin, 2014).
Internal validity was secured by following the approach of Gredler (2000). This research posited a standardized approach by firstly asking the questions of all participant in the same way. Secondly, to make them feel at ease we started with a general question about their function and the organization. Thirdly, we conducted all interviews at a familiar and comfortable place from the interviewee's point of view. Interviewees personally selected the location, so most of the interviews were conducted in their personal office. Finally, we ensured them that their particular answers cannot be linked back to them.
This study used semi-structured interviews because the aim was to get as much as impressions and insights of the interviewee. We used these type of interviews because every answer given by an
8 http://isites.harvard.edu/fs/docs/icb.topic851950.files/Research%20Methods_Some%20Notes.pdf. Seen on
[22]
interviewee can result in the opportunity of new questions (Myers, 2009). Furthermore, Blumberg et al. (2011) stated that these type of interviews have the advantage that it can elucidate certain interview questions. From this study's point of view, the reason for these semi -structured interviews because there was only one chance of interviewing an informant, and semi-structured interviews give freedom to the interviewees to express their view of the situation.
There was an interview guide developed that contained four subjects: risk appetite, risk appetite and strategy, culture and reputation risk. All of these questions were open-ended questions. The interview guide contained the four subjects researched by four people of the thesis project group. New insights obtained during the interviews resulted in a one-time adjustment in the interview guide by the modification of one question (Yin, 2014). Therefore, this modified question is added to the interview guide which can be found in appendix 1.
The interviews were carried out by two people and the formation of this duo was different every time. According to Eisenhardt (1989), a two- person interview team has several advantages such as dividing roles. This had several reasons: in the first place the interviewing with two people ensured that there was an interplay between the interviewers. Furthermore, if it was the case that the interview could not be recorded, there was one person that could take notes. In this way, the reliability of the research is not impaired. Before every interview we fully ensured that all insight and information was used anonymously and that this information was handled with care. Therefore, no names and names of organizations will be present in this study. Every interview was started by asking general questions about the overall process of risk management present in the organization.
As mentioned earlier, most of the interviews were recorded. Eighteen of the twenty-one interviews were recorded, this provides more accurate interpretation (Yin, 2003). The other interviews were executed in the way mentioned before. Interviews 3, 9 and 12 were not recorded. In general, the duration of the interviews lasted from thirty-five minutes to two hours. After the twentieth interview, we noticed that theoretical saturation has occurred. Finally, there was chosen not to use the twenty-second interview because a lack of useable information. In appendix 2, the different interviews are shown, with the industry and function of the interviewee.
2.2 Selecting respondents
[23]
order to eventually generalize the outcomes, we decided to include a lot of different businesses. By selecting risk experts from different industries (engineering, finance, oil and gas, technical services, communication, government- related organizations and a researcher in the field of risk management) which all served different markets (from B2C to B2B), different points of view were taken into account. The government- related organizations exist of one government agency, a municipality and one advisory firm who advices governmental organizations. The contact with the risk management experts was made via phone numbers or e-mail.
2.3 Data analysis
The hermeneutical approach9 was taken into account when analyzing the interviews. This study is looking for the meaning behind the answers of the experts and not per se for theoretical foundation of their answers. After listening interview after interview, we became familiar with the various insights and meanings of the interviewees. This lead to the understanding of every perspective of the interviewee and in this way we could search for overall patterns (Seidman, 2006).
The results are the beginning of the actual data analysis. We took the sequence of the interview guide as the way to build up the analysis. So firstly, the combination of reputation with the risk appetite. This is followed by reputation risk management, developments within reputation risk management and the link between culture and reputation. There is chosen for a distribution on industry-level to discuss the results. We decided to use quotes for illustrating important points from the interviews (Pratt, 2009).
In the discussion section we continue with the actual analysis. We compare all interviews with each other and try to see if there are certain patterns. The patterns can be industry specific but also general. A cross- interview analysis provides us with a way to generate conclusions and propositions from the data source. We also connect the theoretic foundation with the data source to see what the factual new conclusions really are. Because of the study's exploratory character, all new perspectives can be seen as conclusion to support the research question. We try to find new evidence in the field of reputation risk management. When we take a look at the research question: "What is the importance of reputation risks in the total risk appetite"?, it means that there is not yet an answer on that question today.
9
[24]
3. Results
The semi- structured interviews made it possible to get a broad view of the importance of reputation risk in determining a firm's risk appetite. By interviewing a variety of firms in various businesses, some differences and comparisons can be drawn. As stated earlier, we use quotes to illustrate important points of the interview. The quotes are framed to make them more visible and easier to read. The observation during the interviews provided extra information about the opinions of the interviewees and could be used to confirm or question their answers.
3.1 Role of reputation risk
Reputation risk is expected to have different roles in different industries because organizations have other strategic goals. This paragraph shows the differences of the importance of reputation risk and the way this is used by the firms.
Reputation risk plays a role in compliance- related issues in the electronics business. Compliance is included in the risk appetite framework and reputation plays a role in the decision making process. It appeared that the competitors of this organization see them as a perfect example in the way of integrating reputation risk in the risk appetite framework. In this way they can use this as an advantage. We have noticed that they explicitly do not want to have the image that their employees are not operating in a safe environment.
In the communication branch reputation risk is seen as a very important item, mainly because they are dealing with a lot of consumers. It is one of the subjects included in their risk appetite framework. They also have to maintain their reputation towards the government because they have the classification "critical service", one of the main needs of mankind. The fact the organization is listed and operates in a highly competitive environment are other reasons to keep their reputation high.
Reputation plays a role in the decision making process [...] When our organization got hacked, the risk appetite (of reputation risk) changed. Eventually, no data was stolen but it resulted in a new security department. The board of directors accepts less risks when it comes to (potential) reputation damage.
[25]
Reputation in the engineering business can play an important role. Everybody is familiar with the huge construction fraud in the Netherlands more than a decade ago. However, not every organization is convinced of the importance of reputation risk when a risk appetite is determined. In one organization, which serves the B2B market, reputation risk plays only a role in area management. They want to manage their operations in such a way that the environment does not suffer from their operations. We have noticed that they want to have the reputation that they take good care of the environment so that they can realize projects without resistance. In the other three organizations, reputation risk is extremely important.
In our organization, reputation is extremely important. And there we already have some issues. Our people are so passionate about their work that they do not understand the effects on the external stakeholders. The board and the communication department are very aware of the importance of reputation for the organization [...] If we do not deliver and keep getting poor performances, the government will not invest any of their money in our organization [...] The earlier mentioned departments are trying very hard to keep the reputation high (and protect it), but there are also people who are thinking too operationally.
(Head Risk Management, Engineering)
When we talk about reputations, even the slightest reputation damage is unacceptable. This has to be zero.
(Group Risk Manager, Engineering)
[26]
(The organization is risk averse). My personal life is based on the risk attitude within our organization. For example, I ride my poorly lighted bike and an acquaintance sees me. He knows I am working for this organization and this will harm my credibility and also that of the organization. Especially, because we are trying to work as safe as possible.
(Contractor HSE Management, Oil and Gas)
Reputation is very important and very vulnerable. An American colleague once told me: "Trust arrives on foot and leaves on horseback". It come slowly but you can lose it rapidly. We understand this very well. We carefully dealing with our reputation and do not execute projects that can potentially harm our reputation. On the other hand, there is sometimes the ugly truth were we should be transparent and talk about, only because it is the truth. We do not avoid this discussion (even if it has possible negative reputation damage) [...] Eventually gives (reputation) us access to countries and are people willing to work with us. It is important that our employees get a good feeling (about the reputation), and know that it is certainly something to be proud of.
(Executive Vice President SE & SP, Oil and Gas)
Organizations that have as core business technical services are mostly business- to -business (B2B) oriented. It shows that these type of organizations not have a primarily focus on reputation risk. The only important reputation aspect is the way they are perceived by the market. We remarked that they want to exploit themselves as a reliable party who operates durable and takes safety into account. In risk management, their focus is more on failing cost than on reputation. The manager did not have the idea that they are being punished by the market if their reputation is affected. When contracting a new client reputation risk is important, they mainly want to know if this new client can harm their reputation.
[27]
reputation plays a different role than in other organizations. Reputation risk plays certainty a role when determining a risk appetite, but not in an explicit manner. If we explicitly take a look at municipalities, they focus mostly on financial risk because the task of risk management is often delegated to the business controller.
We are working with a scale from 1 to 5, where 5 means that it is almost certain that this incident will occur [...] Reputation damage is always 5, no matter what [...] (It is so important) because every Euro spend is public money, we have to do this responsibly and controlled [..] It is our public duty to serve citizens as good as possible. If there are headlines in newspapers that state we have failed or accuse us of corruption, this influences our reputation. (When this occurs) it costs lots of time and money to get our reputation back on the line. Also, we need to explain everything to society [..] The worst thing is that the implementation of our process is disturbed and this costs (also) a lot of time and money to repair.
(Risk Manager, Government Agency)
I have noticed that municipalities are combining reputation with risk appetite. Not only that, but also on a lower level. We often receive the request if we, next to the financial risks, to estimate the potential reputation damage. This is very difficult. It is easy if there is money, but when is reputation damage high? We often use the criteria that if only one citizen is hampered it is at its smallest and when they are headlines in the news, it is the highest. In this case, everybody has the same feeling about reputation damage. It shows that aldermen are very interested in these kind of subjects. I believe that a lot of money is spend to prevent reputation damage.
(Advisor Risk Management, Advisory)
[28]
not exactly intrinsic motivation yet if you do not want to incur reputation damage, the focus has to be on society because eventually, the hardest hits are captured by the government and the poorest people. It appeared that reputation risks play a huge role in every financial organization.
Risk management plays a huge role in our organization because we only win the trust of society by showing that we do the right thing [...] Every aspect of a project can have influence on our reputation, like top managers or financial statements (of the client).
(Director Control, Finance)
In general, organizations do understand that reputation risk is a serious issue [...] Reputation is actually an outcome story, every risk that an organization takes has relations with their reputation. It does not matter if we talk about financial risks, operational risk or an accident, eventually these events can harm your reputation [...] Indeed, (risk appetite is something you compose to protect your reputation) and to make clear (to everybody) how you relate to reputation risks.
(Senior Manager Internal Audit, Risk & Compliance Services, Finance)
Yes ( we do take reputation risk into account when determining the risk appetite), in fact a lot. It is difficult to quantify the appetite for reputation. Reputation is more or less an outcome of certain events like giving a bad loan to a customer and thereby appear in the news [...] We take everything into account, even when we contract new clients. There are certain businesses where clients are more vulnerable for fraud [...] This potential fraud results in potential reputation risk. We only want to contract a limited amount of clients which have a "high risk label".
(Chief Risk Officer, Finance)
3.2 Managing reputation risk
[29]
The electronics organization introduced a new control system to protect their reputation. This way of preventing reputation damage is quite different compared to other industries.
Compliance issues result in risk, this risk will not be accepted. A couple of years ago we paid our dues as an organization (with a huge fine to the SEC). Unfortunately, you cannot exclude this problem for one hundred percent. We developed a new control system which ensures that problems will be detected in an early stage [...] If employees are guilty to this behaviour, they will be fired.
(Head Compliance, Electronics)
To manage their reputation, the communication organization is active on social media to solve problems for unsatisfied customers. On the other hand, with three million customers there is always one unhappy customer. So, this manager thought it is impossible to satisfy everyone. The interviewee thought they still can improve in managing this risk, especially in terms of transparency and openness. The organization's lawyers always try to deny failures because they are afraid of claims. He believed that they should admit their mistakes and in this way creating more public sympathy.
The type of organization matters (B2B versus B2C) depends on the way engineering firms manage reputations. It shows that B2B organizations do not really care about managing one's reputation compared to B2C organizations. What we observed in the B2B organization, is that they do not take any blame if a project fails. The blame is on their principal. This is a reason why they think they have to steer less on reputation risks. Of course, they do not want to end up in a news paper with some kind of scandal. In another organizations, we have noticed that in case of reputation risks, they allocate many people to the particular problem and try to remove this item from the media. They feel that giving world transparency, get our story straight and prevent it from happening again will eventually reduce reputation risk. Especially, the B2B organizations struggle with the fact that reputation damage costs them a lot of money. It is experienced as a difficult thing to manage.
[30]
society we have taking actions to protect our reputation, introduced new protocols and let the people know we act in a decent way regarding these issues [...] I do not believe it can be exterminated, yet we have to show the media that we have taken actions [...] I do not think that we really can reinforce our reputation because cases from the past cannot be rectified, however you always look for opportunities to strengthen it [...] Nowadays, we searching with a small group for opportunities in the market (to protect and reinforce our reputation).
(Risk manager, Engineering)
Reputation is also dependent on the people you ask, especially in the oil and gas industry where there are a lot of environmental counterparties. Furthermore, it is noticed that every action of an employee has influence on a reputation and it does not matter if this is business related or not. One organizations has the Dutch minister of Finance as shareholder. Therefore, they do not try to find the most beneficial tax system for the corporation because of their reputation. Eventually, shareholders going to ask questions and they have to explain our actions to the minister. The organizations in this industry try to do everything to create and retain their reputation.
I think our reputation management is very good compared to other corporations. Of course, in this type of business a reputation is more vulnerable, and we also act in that way. For example, before operating in Brazil we first examined our suppliers. When we discovered they were guilty of child labour, we immediately took action to exterminate this kind of misconduct [...] You have to take in mind, reputation is not one simple object [...] People have to comfortable with our business (we are socially involved to protect our reputation). Especially, the younger generation want to be part of something, so our reputation has to be high [...] This is also in our best interest, if we do not invest in society in countries we operate in, it is unthinkable that we can have a booming business in the next twenty years (in case of Iraq).
(Executive Vice President SE & SP, Oil and Gas)
[31]
wrong, ten good things need to happen to improve their reputation. On the other hand, they do not explain society what went wrong and what they did to fix it.
In government- related businesses managing reputation risks have other difficulties when we compare it with corporate businesses. They use public money so there is some kind of pressure from the government and the citizens to spend this money in the right way. And if there are some problems, it is sometimes hard to react in order to satisfy the citizens and the government. Other factors that can harm a reputation are information security or legal procedures. In these business there is a lot of confidential data and when this data is not handled well, this can cause huge reputation damage. Another example is sending a letter to a person who is deceased. This kind of mistake is easy to repair yet it shows that aldermen want to avoid these types of risk. It seems that government- related businesses do not know how to manage reputation risks. There also no conformity whether government- related organizations are putting much effort in protecting their reputation.
When something goes wrong, we do not have predefined scenarios. Instead, we move directly to crisis management to control the damage. [...] If there is an potential threat, we try to be as loyal as possible, especially at governance level. With our communication services, we try to reduce and manage this threat (of potential reputation damage).
(Concern Controller, Municipality)
Yes, (they are actively trying to manage reputations). Reputation damage is even more sensitive than financial damage. Aldermen and people working in municipalities are willing to take lesser risks when it can possible harm their reputation.
(Advisor Risk Management, Advisory)
