
Wednesday, December 9, 2009

Reputational Risk Management

Ask the Chief Executive Officer, Founder or Chairman of an organization about his key concerns, and one thing which will never be missing from the list is ‘Reputational Risk’. Protecting a firm’s reputation is certainly a very challenging task, given the increasing competition in the market on one end and the dynamic social and economic conditions of the global market on the other.

Imagine a Rolls Royce standing in the street without a garage! I know it’s difficult to imagine that, but considering the value of an asset such as ‘reputation’ or ‘goodwill’ and the kind of risks it is exposed to, the situation is very similar. The tremendous development of global media and other communication channels and the increased levels of regulatory control are some of the issues which expose an organization to Reputational Risk.

What leaves risk managers baffled about ‘Reputational Risk’ is that it cannot easily be categorized or computed. It is widely agreed that the root causes of the risks impacting the reputation of an organization derive primarily from market, operational or capital risks. While the root causes are still widely debated, it is more likely that reputation takes a big hit primarily because of inefficient adherence to regulatory and legal requirements, a problem which grows with time and with the ever-increasing number and complexity of those requirements. Given the numerous cases of immoral actions taken within organizations (in many cases by a very small group of influential individuals), such conduct can also be considered a major root cause of reputational risk. While legal, regulatory and unethical practices are certainly the forerunners, the quality of delivery of the product or service follows closely: failure to deliver to basic industry standards leads to a very high proportion of customer dissatisfaction, multiplying the negative impact on reputation. Being an ‘Employer of choice’ is also one of the critical aspects for an organization to survive with a clean reputation.

Effective and timely communication is the most important remedy for preventing or repairing the impact of reputational risk. There are several instances in which incidents leading to reputational risk have been managed with minimal impact through clear and appropriate communication. This helps manage not only external factors but also the critical and fluid asset that employees represent. While the leadership team plays a very important role in effective communication, it is equally important for an organization to make an appropriate investment in a formal and independent risk management body which can monitor all the above factors and recommend the necessary preventive or mitigating steps to manage reputational risk.

Wednesday, October 28, 2009

Key Risk Indicators (KRI’s)

Even though KRI is one of the most familiar terms used amongst the senior management and risk managers, it has not been given its due share of importance amongst other such risk measurement tools. This article focuses on highlighting the typical challenges experienced in organizing a good KRI system.

Some of the key challenges in having an efficient risk indicator are incompatible languages used by different sources, usage of different terminologies, timeliness of reporting the risk profiles to the management, appropriate authority to take necessary mitigating steps and finally clearly defining the risk thresholds.

Incompatible languages
Incompatibility of language has two different dimensions. The first relates to the risk controller’s ability to understand the various evolutions in market practices and integrate them into the internal risk control framework. This is commonly attributed to the skills and tools or information sources one has access to. The second pertains to the process of assigning a unified scale of measurement to the inputs received from the various risk indicators, since most indicators are specific to individual businesses or processes and generally have little in common.

Use of different terminologies
Often there are disconnects between the operations management teams and the operational risk teams over the terms ‘Risk Metrics’ and ‘Process Metrics’. The Operations team views its process metrics, and in some cases its Service Level Agreements (SLAs), as the key metrics and holds that they serve as risk indicators as well. A good risk controlling group would consider as risk metrics those factors which would result in a high-impact financial or non-financial loss, and it is not uncommon for some of the process metrics or SLAs to form subsets of the risk metrics. Another interesting fact is that one person’s KRI is another’s performance indicator (KPI) and a third person’s service level indicator. Thus, these terminologies differ based on the perspectives of the users and the activity in which they are engaged.

Timeliness of reporting
This might sound very generic, but in the context of risk management, timeliness has the potential to alter the overall outcome of an event. To give a reference from history, imagine how the scenario would have changed if the fax informing US authorities of an attack on Pearl Harbor had been reported even a few hours earlier instead of a day late! In a real-time corporate environment where every bit of your action is recorded and used in performance appraisals, there will always be some amount of resistance towards declaring the errors or issues in the system. It is hence crucial to design the system in such a manner that all such errors or issues are flagged within the best possible timelines. Many times, the operations and risk management groups need to predict the possibilities based on the interdependence of the factors involved.

Right authority
The issue of authority in risk management is one of the major undercurrents which has not surfaced much and is not discussed openly in public forums. It is very important for a risk controller or manager to have access to the necessary authority to push the right lever at the right time. Lack of such authority slowly leads to deterioration of control effectiveness and thus to major losses through undetected or delayed actions on critical risk exposures.

Defining risk thresholds
Risk thresholds can represent or misrepresent the actual risk exposure. This is why it is important to understand that an organization should define these thresholds based not on the industry benchmark but on its real-time risk appetite. Both the Operations Managers and the Risk Managers need to review them in a neutral and independent manner. It must be in the common interest of the authorities to define these risk thresholds in such a manner that they can also flash the Red or Amber code. Many times, it helps to revisit those metrics which are continuously sitting in the Green zone, as they might do so because of relaxed risk threshold definitions.

I believe these typical and real-time challenges might sound familiar to many of you managing the Operations or Risk portfolios, but with a few careful actions and precautions, this tool will work wonders in helping you hit the ‘Bull’s eye’ while managing risk in operations.

Monday, September 14, 2009

Challenges in Operational Risk

Some of the key challenges which risk managers come across as far as operational risk is concerned are:

Early identification of risk exposures
With ever-increasing complexity, irrespective of the sector an industry caters to, it is always a challenge to detect the potential operational risks in the system. Not all organizations have robust systems or processes which will raise an alarm as soon as an operational factor goes wrong, and it is very evident that not all professionals would willingly share the mistakes they have made in this highly pink-slip-driven world; therein lies the challenge for the Operational Risk Manager. Many times there is no second chance to prevent the risk from recurring!

Proper categorization of risks
Wondering what further categorization there can be within the Operational risk category? Yes, it is true that there are specific categories within the Operational risk domain, which are based on risk events, namely ‘internal event risk’, ‘external event risk’ and ‘business event risk’.

The names themselves suggest the meaning of each of these risk characteristics, but what is normally overlooked is that a risk resulting from an external event might eventually turn into a business event risk, and similarly an internal event risk might cause a widespread external risk which impacts a particular business segment or, in very high-impact cases, multiple segments. Thus, an Operational risk manager needs to be smart and quick in understanding the movements, or intentions so to say, of any such event risks and take appropriate control measures to prevent them. The word ‘mitigation’ sounds very much embossed on the Operational risk framework, but the best risk manager is one who controls the risk exposures in a manner which will not lead to a scenario where one has to take mitigating steps.

Methods used for data collection and analysis
This particular challenge is experienced by operational risk managers in both large-scale and small-scale organizations, in different fashions. The logic is similar to that of the rich and the poor. Just as the rich have too much money and often struggle to find the best use for it, large-scale companies have too much data, and at times so many different sources, methods or tools for collating it that they spend a lot of time developing systems to integrate all the complex and diverse processes, divided not just functionally but also geographically. Small-scale industries, like the poor, have to struggle to get relevant data or information to process and perform the necessary assessment. Thus, an operational risk manager, irrespective of the strength of his / her organization, constantly faces the challenge of getting relevant information with which to understand the risk exposures in their true colours.

Being a ‘Devil’s Advocate’
It is unfortunate but true that all or many risk managers are looked upon as the devil’s advocate, and in some scenarios as actual devils, for not approving a lucrative project or for making busy employees fill in a series of checklists and certify their work! It is often a key challenge for an operational risk manager to put forward his point in a forum of senior executives who are equally keen on the development of their organization, only from a different angle. Many times operational risk managers act based on the treatment they will receive for being the devil’s advocate.

Spreading Operational Risk awareness
It is often said that the operational risk manager has to do such-and-such things to assess and identify the potential risks. While this is true, the most helpful factor is the operations team involved in the delivery of their respective products or services to their internal or external clients. As many in operations management feel that their performance is directly proportional to their performance appraisal, this is one of the most common and, I believe, one of the unavoidable challenges an operational risk manager has to face.

So has all the above inspired you to be an ‘Operational Risk Manager’? If not, I hope the article has at least helped in showing you the perspective of Operational Risk Managers in a different light… Happy working!