Heroes, Villains, and Victims: Understanding and Managing Reputational Risk

by Daniel Diermeier, Dean of the Harris School of Public Policy, University of Chicago

An Increase In Reputational Risk

CEOs and board members routinely list reputation as one of the company’s most valuable assets. Yet, every month a new reputational disaster makes the headlines, destroying shareholder value and trust with customers and other stakeholders. Banking and financial services have been particularly hard hit. Recent lawsuits and regulatory action resulting from the 2008 and 2009 financial crisis have received the most attention, but rogue traders, money laundering, and IT security breaches have also made news.

In every single case, observers have pointed out how senior management made specific mistakes and offered advice on how to avoid similar disasters. But while such idiosyncratic factors may be important in any individual case, a narrow focus on the case-specific details runs the risk of missing broader trends. Trust is now an essential part of business success. Yet, trust is not a given. Business can no longer rely on a trust reservoir. Rather, trust needs to be earned. These trends are particularly worrisome in the banking and financial services industry, now routinely at the bottom of trust indices.

These developments warrant a broader explanation, and three factors figure most prominently. The first is the increase in public scrutiny due to the rise of 24-hour global media coverage. Companies now operate in an accelerating news cycle, driven by intense competition between 24-hour news channels, wire services, and online news providers. Today, user-generated content, from blogs to Twitter, Facebook, and YouTube, can bubble up and explode into the headlines. These developments mean that companies have far less control over their messages, shifting the balance of power from companies to a disaggregated and user-generated media environment.

The second factor is the emergence of complex value chains, often crossing national boundaries. The outsourcing revolution, originally triggered by a desire of many companies to focus on their core competencies, has led to complex supply chains of goods and services. These developments have increased efficiency and lowered operating costs, but also have led to unanticipated risks ranging from product safety, as in the case of toys made in China, to labor standards, as in the case of the collapse of a Bangladeshi garment factory, and IT services, as in the case of the Target data breach, where a supplier allegedly provided the access point for the hackers.

Complex supply chains have increased reputational risk in at least three dimensions. First, the monitoring of business practices is much more difficult in arm’s-length relationships. Second, once an incident occurs, it takes longer to acquire and process the relevant information. Third, once a crisis has occurred, the interests of the supplier and corporate customer may no longer be aligned. Legal and reputational concerns may trump the incentives to collaborate, and former business partners may start pointing fingers at each other. Importantly, contractual precautions are insufficient to manage such risks. Companies can “outsource” legal, financial, and operational risk, but not reputational risk. If a leading financial institution suffers a severe data breach, it will be held accountable even if the fault lies with a supplier. Customers and the public will immediately question the company’s judgment and competence in selecting and managing its supplier base. Reputational risk typically exceeds the legal boundaries of a company.

Notice that the rise in supply chain risks means that B2B companies are not isolated from reputational risks. Even if vendors are only known to subject matter experts, a reputational crisis at a corporate customer with broad brand recognition will draw them into the spotlight as well. To make matters worse, their fate now largely is determined by the action of their high-profile customer who may decide to jettison the relationship in order to protect their own reputation.

Third, expectations about corporate conduct and performance are ever increasing. Customers have always held companies responsible to deliver on their brand promise. But increasingly these expectations expand towards basic operational functions that are not core to a company’s brand. IT security is not part of Target’s brand promise, but a data breach still led to a reputational crisis. Indeed, such expectations operate like “hygiene goods” such as cleanliness in a hotel room. Companies get little credit for exceeding standards but will be blamed severely if they fall short. More generally, public expectations about business responsibility are increasing. In the 2011 Edelman Trust Barometer, more than 85% of all respondents in the U.S. agreed with the statement: “Corporations need to create shareholder value in a way that aligns with society’s interests, even if that means sacrificing shareholder value.” The corresponding numbers in Germany were 91%, 89% in the UK, 89% in China, and 74% in India. Companies are responding to these concerns as demonstrated by the explosive growth of corporate social responsibility reports, sustainability programs, and socially responsible investing. Some critics have dismissed these trends as passing fads, but this assessment may be short-sighted. In addition to typical business issues such as quality and product safety, reputational crises increasingly arise out of political or ethical concerns. Labor conditions, sustainability, and animal welfare are just some of the best-known examples.

The Target Data Breach

As an example of all these factors acting in concert, consider the recent data breach at Target during the 2013 holiday shopping season that resulted in the exposure of approximately 40 million debit and credit card accounts impacting 70 million individuals. After Target was notified by law-enforcement authorities of the suspicious activity, it closed the access point used in the data breach and worked with third-party forensics firms to investigate the incident. Target then notified payment processors and card networks; it also prepared stores and call centers. A few days later, the Target data breach was reported by security expert Brian Krebs in a blog post. Target subsequently confirmed the data breach and released additional information. In January, Target raised its estimate of potentially affected customers to about 70 million customers.

The attack was highly sophisticated and employed malware on point-of-sale (POS) devices that captured credit card data briefly stored in the POS device’s memory once cards had been swiped on infected devices. Similar malware can be bought on cybercrime forums for about $2,000. The perpetrators accessed Target’s system by using electronic credentials that were stolen from Fazio Mechanical Services, a third-party vendor that provided refrigeration and HVAC (heating, ventilation, and air conditioning) services. Sources stated that the credentials were stolen in a malware-laced email phishing attack believed to have taken place at least two months before the data breach at Target. The access via stolen third-party credentials allowed the perpetrators to infect approximately 62,000 POS devices with malware.

Target was criticized both for its lack of data preparation, such as unnecessary storage of sensitive customer data, as well as its delay in notifying customers. Moreover, in addition to substantial payments to banks and the cost of the investigation, reissuing cards, increasing call center staffing etc., Target was hit by lost customers and a declining stock price. CEO Gregg Steinhafel resigned in May of 2015.

The Target case illustrates each of the three risk factors. The data breach was first reported on a security blog leading to immediate widespread media attention. It involved vulnerability at a third-party vendor, here a heating and cooling company. Finally, customers and the media accused Target of failing to live up to best-in-class standards of IT preparedness and communication.

Heroes — Villains — Victims

While there are genuine concerns about Target’s preparedness and crisis response, what was lost in these discussions is the fact that Target was the victim of a crime committed by highly sophisticated criminals in a premeditated and meticulously planned fashion. Yet, nobody feels sorry for Target. This response to Target and other companies is so immediate that it feels completely natural. But, suppose instead an individual or charitable organization (say, Habitat for Humanity) had been targeted by the hackers. We would almost certainly feel a strong sense of sympathy towards the affected individual or charity. Such sentiments are entirely lacking when the victim is a large company.

There are systematic reasons underlying this response. Research in social psychology has shown that entities are blamed as perpetrators to the extent that they are seen as capable of thinking and intending their actions. Meanwhile, entities are perceived as victims to the extent that they are seen as capable of suffering. Normal human adults are seen as capable of having both intentions and feelings, but other kinds of entities are not. Inanimate objects, such as rocks, are seen as having neither. As a result, we don’t feel sorry for kicking them, and we certainly don’t put them on trial if they cause the death of a climber. On the other hand, babies and certain animals, especially cute mammals, are viewed as having a more limited ability to think but are ascribed as having an ability to experience pain. As such, we feel sorry for them, hugging and soothing them when they have been victimized, but we refrain from blaming them as harshly when they are perpetrators. While babies and cute mammals are seen as capable of feeling but not thinking, intelligent machines and cyborgs are seen as capable of thinking but not feeling. Our responses in these cases are slightly unsettling and the subject of various science fiction films from “2001: A Space Odyssey” to “Blade Runner”.

Where do companies fit in? Recent research¹ has shown that they fall firmly in the cyborg category. Observers ascribe companies with the capacity to think but not to feel. Consequently, observers blame companies for their actions, but do not feel sorry for companies when they are victims. In general, as perpetrators, companies and people are viewed alike. That is, perceived perpetrators are being blamed whether they are individuals or companies. But as victims, participants only felt sorry for the humans, not the companies.

In practice, this means we tend not to feel sympathy for companies, even if they were harmed by criminals. Thus, we do not usually view companies as victims. In the classic Hollywood script, that leaves two possible roles: the villain and the hero. Companies usually start out as the villain. Rather than hoping for sympathy, they are well advised to act as heroes instead and come to the rescue of the perceived victims; in the case of Target that means customers who fear their data have been compromised. This is not always an easy decision for leaders. They may feel innocent and, perhaps, even a little sorry for themselves. But they have to understand that hardly anybody else shares their view, and this insight should guide their response.

Understanding Public Perception

The hero-villain-victim scheme is just one example of how the principles of public perception shape reputational risk. Other important factors include risk perception or moral outrage. In the area of risk perception, the public’s attitudes towards risk do not match objective risks. Risks that are new, uncontrollable, exotic, or have particularly severe consequences tend to be overestimated, especially if they are currently in the news. A report on the data breach at Target will lead to a spike in customer concern, even panic, even though the objective risk for customers may be low.

Similarly, the public may experience moral outrage if they believe their fundamental moral beliefs have been violated. Those include fairness concerns, the avoidance of harm against innocents, rights or deeply held values. The outrage over the retention payments to members of AIG’s Financial Products Division in 2009 can be explained by a perceived violation of a fundamental moral principle that morally good behavior should be rewarded, morally bad behavior punished. The AIG retention payments or general bailouts are usually perceived as violating such a principle even if there are good economic arguments that may benefit the general public. Therein lies a clash between economic efficiency considerations and morally charged emotions. Unless managed carefully, emotions will gain the upper hand.

Few companies have systematic processes to anticipate or manage the forces that drive public perception. This deficiency is particularly worrisome, as companies find themselves in an environment of higher expectations matched with higher scrutiny leading to higher reputational risk. In other words, while reputational risks have risen significantly, reputation management capabilities have not kept up. But an increase in risk without a matching improvement in prevention and preparation capabilities will lead to more and more severe incidents.

Developing a Capability

Who should own reputation management? Many executives answer: everyone. That sounds reasonable enough, but it is easy for things that are owned by everybody to actually be owned by nobody. Questions about decision rights, reporting, and accountability still need to be answered. Locating reputation management in the organizational structure of a company can be tricky, even for companies that “get it.”

Most experts would agree that it belongs squarely on the agenda of senior management, including the CEO. But it is worth pondering the role of the CEO in more detail. After all, there are many problems and issues that demand the CEO’s attention. Does reputation deserve this prominence? To be successful, reputation management needs to be inextricably linked with a company’s business strategy. But couldn’t that still be accomplished at a lower level of management?

The reason why reputation management belongs on the CEO’s agenda is that not only is reputational risk one of the main risks facing the company, but the company’s reputation is also one of the few sources of sustained competitive advantage. Companies with stellar reputations can charge premiums and are difficult to imitate.

One of the CEO’s main tasks is to integrate reputation management into the operational processes of the business. One approach to accomplishing this task has been to create a separate corporate function: a chief reputation officer (CRO) or chief reputational risk officer (CRRO). This approach works only if the position carries weight and if the company can avoid creating yet another corporate officer with little budget and less influence. The danger in this approach is that it could create additional barriers to an integration of reputation management and business strategy and actually hurt the process rather than help it.

An alternative is the creation of a corporate reputation council (CRC). This is a cross-functional unit composed of senior executives with actual decision-making authority. The actual composition of the council needs to mirror the organizational structure of the company. For example, a matrix organization based on global territory and product line would have representatives from both the major territories and the business lines. In addition, the main corporate functions (marketing, finance, supply chain, HR, communication, legal, government relations, and so on) need to be represented, as reputational problems are almost always multidimensional. The decision structure must be designed to handle the complexity of such issues.

Good governance and decision-making structures are necessary for effective reputation management, but even these alone are not sufficient. Companies may fail to adopt effective strategies simply because they are unaware of the imminent danger. In other words, even perfectly designed governance and decision-making structures will be ineffective if they lack critical intelligence: decisions are then made in the dark.

This is the business case for investing in intelligence capabilities. Since reputation is driven by many ever-changing actors, the strategic landscape is frequently diffuse and unclear. Successful reputational strategies need to be designed before a crisis occurs, because simply surveying customers, investors, or other business partners will not do. Once customers or investors start to worry, it is too late—the deck is already stacked against the company. Therefore, in many cases, traditional business research tools such as surveys and focus groups can only measure the damage rather than prevent it in the first place. Proactive reputation management is impossible without good intelligence.

Governance structure and intelligence capabilities need to be integrated. The CRC governs the Reputation Management System. It needs to represent the various business segments and critical corporate functions. Ideally, it should mirror the organizational structure of the company. In some businesses, it makes sense to extend the jurisdiction of the CRC to include regulatory and political developments as well as macroeconomic ones. In that case, it effectively becomes the corporate relations council.

The governance structure needs to be closely connected with the intelligence function. This means that the CRC provides strategic direction to the intelligence function and receives actionable intelligence that is directly connected to the corporate strategy. The intelligence function provides the core capabilities of issue identification, evaluation, and monitoring. The goal is both to function as an early warning system and to be able to assess the impact of corporate actions through a feedback mechanism. Without an intelligence function, the CRC will be operating in the dark and making decisions based on intuition rather than data. A company’s intelligence function may range from informal monitoring of various media sources and proactive stakeholder outreach to the creation of a fully developed internal intelligence capability with its own staff and budget.

In sum, a strategic mindset needs to be supported by effective processes. First, companies must develop a proper governance structure that should mirror the company’s organizational structure. A cross-functional council is preferable to a separate corporate function unless that function is endowed with sufficient influence and resources. Second, companies need an intelligence capability. In contrast to many other corporate capabilities, an intelligence system is not optional; it is essential. Reputational challenges can emerge from anywhere in the company’s operations or external business environment. The lack of intelligence capabilities means that the company either acts in the dark or loses its ability to manage such issues proactively.

People

Business leaders also need to understand that even the most advanced reputation management system is implemented by people. They need to assess the situation, evaluate its risk and then make the appropriate decision. Getting this right requires not only a strategic mindset but also values and culture to provide guidance to individuals. We cannot expect each employee of a company to correctly assess the reputational risk of an issue, but we can expect him or her to raise a red flag when something does not “look right.” It is here where the leadership of the company’s CEO matters most.

Acting as corporate steward does not mean only doing right by customers, employees, and suppliers. It requires the ability to think strategically. This implies, on the one hand, viewing reputational decisions not solely as PR issues, but as decisions that are tightly connected to the company’s strategy, its core competencies and values, and its distinctive position in the marketplace. On the other hand, it requires the ability to view even a familiar business decision from the point of view of people who are not specialists, but still may have strong opinions on an issue. More often than not, these opinions are not just driven by cool reason, but involve powerful emotions and passionate views of what is right or wrong behavior.

A strategic mindset also requires situational awareness. Reputation is essentially public. It is driven by third parties who have their own agenda. Understanding and anticipating the motivations and capabilities of these actors is essential for situational awareness. Reputational challenges are not simply the consequence of wrong decisions, accidents, or bad luck; they frequently are created by activists, interest groups, and public actors with the goal of forcing changes in business practices through “private politics.” Activists are competitors for the company’s reputation. They need to be treated as seriously as competitors in the marketplace.

The last component of a strategic mindset is to avoid the expert trap. Becoming an expert means learning to see the world in a particular way. A doctor, for example, learns to identify symptoms and decide on a diagnosis. Similarly, a poker player learns to identify “tells” of opponents that provide critical information on the strength of their hand, and a music enthusiast can pick a pianist from dozens of recordings of the same piece. Acquiring and using expertise in a coordinated fashion is, of course, tremendously valuable and is at the root of the efficient organization of business processes. But in the context of reputational challenges, it can lead us astray.

When a company collapses as a result of an earnings restatement, a trained accountant may focus on the fact that no accounting rules were violated, while everybody else will be affected by images of crying employees leaving their office for the last time. A safety engineer will point to his company’s industry-leading safety standards and may be bewildered when the media focus on one specific victim. A loan officer may view missed mortgage payments as lost revenue, while the borrower may experience them as the fear of losing the family home. The difficulty lies in the public nature of reputational challenges where company actions are evaluated by non-experts through the filter of the media. This requires decision-makers to set aside their expertise and see the situation from the point of view of laypeople in a heightened emotional state.

In summary, reputation management is not a corporate function, but a capability. It requires the right mindset integrated with the company’s strategy, guided by its culture and values, and supported by carefully designed governance and intelligence processes. Developing this capability is as challenging as developing customer focus or the ability to execute business strategy. Today’s companies need to embrace this challenge.

1 Rai, T., & Diermeier, D. (Forthcoming) Corporations are Cyborgs. When Organizations can Think but cannot Feel, they Elicit Anger as Perpetrators, but Fail to Elicit Sympathy as Victims. Organizational Behavior and Human Decision Processes.