You could argue that trust is what holds our society together – without it we have no personal credibility, our companies have no value and our Governments no authority to govern. We have been treated to a series of macro case studies over the past few months showing how the simple loss of trust from key stakeholders can bring down, or undermine an entire system. The Greek, Irish and Portuguese governments have experienced this and so too, to a certain extent, has News International which chose to close down the UK’s most profitable and widely distributed daily newspaper following revelations about the use of phone hacking.
So it appears that trust matters but who decides when trust has been lost and how do we measure its impact before it goes? The answers to both of these questions are absolutely fundamental to an organisation’s risk management arrangements, but are often overlooked in the risk assessment process. I am frequently asked to review risk management approaches on behalf of our clients and I can count on one-hand the number of times I have found a good example of where reputational impacts are adequately measured.
It should not be hard but I guess it is easier to focus on quantitative data – hard financial figures, number of casualties etc, rather than engage in a debate that, unchecked, can become a little nebulous. Perhaps this says more about the mind of the average risk professional.
Risk management in many organisations has come to resemble an engineering process with strict rules and methods that are enforced from the centre and applied verbatim. Where reputation is quantified you often see the impact being linked back to quantitative statistics – a defined amount of negative reporting in the press, sanctions imposed by a regulator etc. Where do our customers come in? Surely they deserve to be recognised for the ultimate dependence we have on them, rather than measuring a secondary or tertiary impact. Ultimately, if you mess up, your customers will look elsewhere – the fines from a regulator or the bad press you receive are just symptoms of an impact that have already materialised.
The problem with this is that risk management can too easily become a compliance exercise with risk registers being completed with little thought being given to the end result. In addition, methodologies are often skewed towards measuring impacts, particularly reputation, that have occurred in the past meaning assessments can never really be adequately applied to address future risks.
I started this blog by talking about the inadequacy of many risk methods in addressing reputational impacts of risk. However, the principles of much of what I have said can be carried forward to improve the measurement of other risk impacts. By reducing the emphasis on a rules based, statistics heavy process and moving towards, and this may be unpalatable for some, the feelings of our customers and stakeholders to gauge the impact of reputational damage, risk assessments can become more real and finely linked to the needs of our customers.