Could a focus on reputation risk promote all-round more effective enterprise risk management?
Recent events at Thomas Cook have highlighted, in exceptional and tragic circumstances, how failures in Enterprise Risk Management (ERM), and especially in Safety Management Systems (SMS), led to the very worst outcome in any risk management plan: serious injury and multiple fatalities.
As a direct result of oversights in effective risk management within their organisation, as well as an avoidable loss of life, Thomas Cook's reputation has taken a nose dive, which was exacerbated by their ill-advised response to the incident. Indeed, Thomas Cook is now in a form of crisis management mode, trying to mitigate the effect of recent events on their reputation after the fact, all down to a single low probability, high impact event.
This article, however, does not aim to critically analyse the loss of reputation in such circumstances, nor does it intend to criticise Thomas Cook. It instead endeavours to learn from maladaptive methods in large-scale management within enterprises, and tries to promote an all-round increased focus on how reputation risk awareness, prior to an undesired event occurring, can lead to much better enterprise risk management and hopefully reduce the prevalence of similar events in the future.
There is no doubt that Thomas Cook is a well-trusted brand and a well-run organisation: millions of us travel with them each year, loss and harm free, enjoy ourselves, and, using Trip Advisor as a reference point, are largely more than satisfied by the service. Indeed, they are among the 250 most successful companies in the United Kingdom. Moreover, there is equally no doubt that they take health and safety extremely seriously; statistics alone show they have an extremely high degree of safety in their aircraft fleet, holiday operations and overall business practices. Considering the monumental number of risk events managed over multiple domains, disciplines and directives, this is quite an achievement.
However, an isolated event, namely an individual faulty boiler in one of their tens of thousands of serviced hotels, apartments and rooms, has caused tragedy. A single event in the millions of usually well-managed risk events within the organisation; the odds are minuscule, to the degree of hundreds of millions to one. Perhaps this is the point. Is it possible to manage so many domains and entities to the same high degree of safety and maintain consistency and robustness throughout? Yes, it is, but it requires stringent, coordinated risk management systems that are closely monitored and controlled.
In risk management you either accept, reduce, eliminate or transfer the risk. If the risk is life threatening you eliminate it or, at the very least, add multiple controls to reduce the risk to as low as reasonably practicable (ALARP). In the case of 'boiler management' within the Thomas Cook destination portfolio, the company have strict regimes in order to manage and verify appliance safety. Despite the fact that a third party was involved in verifying the integrity of boiler serviceability, the larger share of the neglect has to stick with Thomas Cook, as they are the main stakeholder and service provider in the agreement.
Could this high impact event happen to us as business owners? Perhaps not to the same extremes, but as soon as you delegate safety-critical, or indeed any risk-important, tasks to third parties, you are at risk. It remains your absolute responsibility to ensure the risk is reduced or eliminated by having stringent risk management systems in place; at the very least, check that the work has been done to your own standards.
In this case, Thomas Cook trusted someone else to carry out a task properly, without carrying out robust enough verification themselves. However, we all trust other people in business, we have to, and, as is the case here, it can have dramatic consequences for our public image if our trust in another person or organisation proves misplaced.
Indeed, as is the case with Thomas Cook, it can harm your reputation. If you need visual proof of how the reputation of Thomas Cook was damaged, from a fiscal standpoint at least, then look at the graph below depicting the share price of Thomas Cook following their day in court. It isn't so much the level the share price dropped to; it is the rate of descent that is the important indicator here.
The recent Thomas Cook incident has prompted me to look into exactly where reputation fits into our risk management plan, and to get to the point, I came to the conclusion that reputation is actually the overarching emotional response of anyone who has any interaction whatsoever with our business. Indeed, reputation is all encompassing and as shown below is a powerful governor and innate spokesperson of our overall company output, and importantly, our Enterprise Risk Management plan.
In humans, emotions are powerful entities; ask the PR, Marketing, Sales and Advertising groups in your organisation and they will tell you this. Indeed, the term "brand" is mostly about an emotional response to a company, and this is why billions are spent developing, promoting and protecting the positive emotional responses to them.
As Risk Managers who deal with facts, figures, impacts, likelihoods, forecasts and other numerical predictions based on the balance of probabilities, we ought to think a little bit harder about how emotion in the form of reputation fits into our risk management regime.
Reputation after all can completely undermine the hard work we have accomplished to keep our company and/or our employers away from risk in the traditional sense. Indeed, reputation embodies itself within, above and beyond all elements of our enterprise risk management plan because without a prosperous reputation, there is no viable business.
I'm going to start addressing this by dissecting the components of ERM. At Risksoft we split Enterprise Risk Management into the following five components (the names are those the article uses for them in its closing paragraph):
- Operational: risks associated with how your business carries out its fundamental activities and processes on a day-to-day basis.
- Strategic: risks concerned with the long-term planning of your business.
- Compliance: acknowledgement of how your business relates to the rules, laws and regulations of the industry it operates in, and the risk associated with non-compliance.
- Financial: risks arising as a result of financial affairs, investments, liabilities, creditors and debtors.
- Opportunity: risks oriented around how your organisation handles and develops current and future interactions with other ventures that could add value to your business.
The key question remains though: where does reputation fit into the above five key components of Enterprise Risk Management?
To answer this, I've drawn on a real-life example from each component of ERM, looking specifically at reputation risk (where there is an emotional response to some degree):
- Operational: an employee is seriously injured as a result of the failure of a safeguard on a motor in one of your processing departments. Associated reputation risk: the public view you as unsafe because your company is mentioned in an HSE press release or safety bulletin.
- Strategic: you have decided to expand your business by building premises on a piece of land, based on the assumption of growth in neighbouring industries. Unfortunately, most of the other enterprises have moved away. Associated reputation risk: your staff and contractors lose faith in your planning abilities.
- Compliance: as a result of business expansion you are now exporting to Australia, but you have not fully understood Australian customs legislation and the goods have been sent back. Associated reputation risk: the Australian company view you as a risky supplier and will not chance your products or processes again.
- Financial: you complete three months of work at a high rate, backed by a loan from the bank, but during that time your client has gone bust and cannot pay you. Associated reputation risk: your bank is reluctant to lend you money again on the same terms.
- Opportunity: you have been carefully negotiating with a potential client over many months but have missed a key requirement in their manifesto, which gets leaked to the LSE. Associated reputation risk: your shares drop in value as shareholders withdraw money and confidence.
All components of ERM can affect your business reputation. Reputation risk per se cannot be held specifically within any one of the ERM factors, which means, mathematically and systematically, that reputation risk spans your entire ERM system. Reputation risk is an artefact of ERM and therefore a common downstream component of the ERM plan. Because reputation risk is downstream of all the ERM components, a single blip in reputation arising from any one of the ERM factors can override all the others. Essentially, we need to take reputation risk seriously.
At Risksoft we like to add values to our risk management plans. Risk quantification makes the process more accurate, manageable and communicable and we are more easily able to prioritise and control risk when we have a good idea of the probability and impact of risk events.
The problem with an entity such as reputation is that reputation is an emotional response, and adding a value to an emotion is tricky to say the least. The emotional response of one person is entirely subjective. Consider the cliché: "On a scale of 1 to 10, how do you feel?" Whose scale? The scale is entirely relative to the beholder. In terms of accurate risk management it is more or less meaningless. Had the question been "What does the temperature read on that mercury thermometer?", that would be a different story.
So, how do we interpret reputation risk? Indeed, in what way is reputation risk inferred?
What we do know, as humans, is that when there is a negative emotional response in the form of loss of reputation, the impact is high. To put it bluntly: when people feel anger, resentment, mistrust or even slight annoyance, they really do feel it, and as fallible human beings we are not shy of actively showing it or passively making our point known. In the case of negative emotion or bad reputation toward your company, this ultimately means loss of sales, and the more people who feel this way, the harder the hit.
It goes without saying that the larger you are as a company, the more you are open to an untimely assault caused by bad reputation. Indeed, in the case of Thomas Cook, we would have been unlikely to hear of their actions had they not been in the FTSE 250 group. Moreover, as you increase in size, the number of risk events increases as well, leading to an increased chance of negative events occurring.
What we can deduce is that a negative emotional response (bad reputation) is a high risk event. As we have already ascertained that ERM is upstream of reputation, we as risk managers have to acknowledge that emotional responses, largely unquantified, can override our prudent risk management algorithms when it comes to protecting our businesses and employers from loss.
Human Factors and Common Cause Failure
OK, so we've deduced that ERM is upstream of reputation, and that reputation risk can, if left unchecked, undo all the hard work you've done in your ERM paradigm to protect yourself against loss of value.
When I look at how systems of any kind can fail, I always look for common cause failures (CCFs). These are the fundamental points of initiation in the risk cascade that start the chain of events leading to numerous downstream problems. Good risk managers will find CCFs early and adequately control them. So what is the common cause failure in reputation risk? We have discussed how the emotional response of humans, largely unquantifiable, can rapidly blunt all the quantifiable work carried out in your ERM plan through reputation risk. Therefore, in reputation risk our CCF is actually human interaction with our company at all levels, both internal and external. Unsurprisingly, the mitigation steps therefore involve minimising the negative emotional response of human beings towards your organisation at every stage.
So which people do we need to think about when considering our reputation risk plan? The answer, quite simply, is literally anyone who has any dealings with your company whatsoever, the stakeholders, including:
- Staff and contractors
- Customers and clients
- Suppliers and distributors
- General public
- Your bank
- The media
The take-home message is straightforward: at all times, and in the context of your Enterprise Risk Management system, always take into account how another human being may react emotionally to your business activities. Fundamentally, these emotional reactions are collectively known as your reputation, and a bad reputation can ultimately lead to the unravelling of your company, despite your best efforts to minimise operational, compliance, strategic, opportunity and financial risk through stringent Enterprise Risk Management.