How to minimise reputational risk to your business
Historically, there has been a poor understanding of the potential sources of reputational harm but risk management is moving up the executive agenda with new, proactive approaches
Four days after Vladimir Putin’s soldiers invaded Ukraine, the price comparison website Compare The Market pulled its TV ads on news bulletins featuring the animated Russian billionaire meerkat Aleksandr Orlov and his faithful sidekick Sergei.
The popular price comparison website’s owner, BGL Group, said the fictional meerkat characters have no association with Russia and the current situation, and that it was continually reviewing its advertising.
The speed of the action would suggest a defensive move to distance the company from any association with Russia, as the world looked on aghast at Putin’s attack on his neighbour.
Reputational damage caused by whatever risk – accounting scandal, data breach or supply-chain issues – can ultimately destroy a company if the management does not handle it well. Historically, risk management – including reputational risk – has been overseen in a silo separate from executive leadership. In recent years, however, it looks as if executives are finally taking reputational risk seriously.
“They’ve pre-emptively decided not to put themselves in a situation where they can be reputationally damaged” Tricia Fox, of Cunningly Good Group, says of Compare The Market’s move. “That makes sense. That implies that there are companies that take reputational risks very seriously and act upon it.”
Compare The Market’s decision is a modern-day example of how to tackle reputational risks before they become an issue. But few organisations have such a proactive communications division with a direct line to the boardroom. So, how should leaders act if faced with a damaging reputational event and how can they mitigate this risk?
Identifying potential issues and building a risk register are the first critical steps. Next, is devising a risk management strategy and ensuring that all those responsible for this aspect of the business, including the communications department, are up to date. The level of each risk will change depending on internal and external factors, so the need to monitor the risk register and strategy regularly is critical. It must be a dynamic process.
“In general, there is a poor understanding of the sources of reputational risk and how to manage them. Situational awareness is everything. Monitor evolving threats and test their potential impact. Ask ‘what if?’ in relation to the current landscape, forward risks, historical issues and unforeseen ‘black swan’ events,” says Ryan McSharry, head of crisis and litigation at PR firm Infinite Global.
Compliance is also vital. “The most effective way to mitigate reputational risks is to build a culture of compliance and resiliency. This means ensuring everyone knows what is expected of them by having a clearly articulated policy and procedure,” says Lauren Kornutick, solutions manager for compliance at Fusion Risk Management.
Often, when an organisation comes up against a risk, it only becomes a reputational issue when it hasn’t been handled swiftly, clearly and honestly. In today’s world of social media and citizen journalism, the so-called “golden hour” no longer exists. So, irrespective of whether the company’s leaders know all the facts, it’s critical that they publicly acknowledge the issue and explain how they plan to deal with it.
“Tell it first, tell it fast and tell it clearly. If you become aware of the issue and can head it off at the pass before the media gets wind of it, then do so. Take the initiative and, in doing so, you can control the message,” says Paul MacKenzie-Cummins, founder and managing director of Clearly, a reputation management and public relations agency.
If, however, the issue becomes public first, management can still recover control by acting quickly and honestly. “In this instance, the advice is to acknowledge it and explain what steps are being taken to remedy the situation. Whatever you do, don’t go into hibernation mode and hope it will go away – that will only fan the flames and exacerbate the damage to the organisation’s reputation,” MacKenzie-Cummins says.
Customers, employees and stakeholders are savvy. If they feel that they have been deceived, the damage to reputation can spiral downwards quickly. Take the data breach at TalkTalk in 2015, when the company failed to publicly acknowledge the problem of hackers stealing thousands of customers’ personal details, including bank accounts. At the time, the company faced a record fine and, ultimately, its CEO, Dido Harding, handed in her resignation.
Recently, in the wake of a reputationally damaging incident, business leaders have tried shifting the negative public focus by adopting a new “favourable purpose” in its recovery. If this is a genuine, well-managed core strategy of change within the business, it can work. But often, companies choose this route of purpose for inauthentic reasons, which today’s shrewd consumers and investors will quickly uncover.
“Consumers are an unforgiving bunch and will drop a brand or business in an instant if they feel misled. This is where responsible reporting is needed. Businesses need to hold themselves to account and demonstrate the tangible impact they are making, rather than paying lip service to it,” MacKenzie-Cummins says.
In a fast-moving, interconnected world of global business, prevention is always better than cure. It’s not uncommon for a company to lose as much as a third of its value because of a reputational risk. The investment a company makes in developing robust, well-monitored reputational risk management infrastructure is, ultimately, far less than the cost of responding to a crisis and the ensuing reputational fallout. It’s worth remembering that it takes years to build a good reputation but minutes to destroy it.
SolarWinds and how it fixed a major reputational risk
In 2020, SolarWinds, a large US information technology company – with customers including the US Department of Homeland Security and Treasury Department – was hit by the most sophisticated and biggest data breach cyberattack at the time.
Sudhakar Ramakrishna, its CEO and president, took up his new job just days before the data breach went public. Despite having the option of walking away, Ramakrishna decided to take on the challenge of resolving the breach, fixing the reputational damage to the company and restoring trust.
Remarkably, just over a year into his role, the CEO has achieved those goals, with the company now moving back towards its historical 90% range of customer retention, which had dropped to 80-85% following the software supply-chain attack. The company has also recently been acquiring new clients again. As a result of Ramakrishna’s swift actions, the damage that the hack could have created ended up being far less severe than was feared at the time.
Ramakrishna stabilised the company and fixed the breach by following a strict framework he devised, called “secure by design”, which focused on three key things: what happened, how it happened and “what we are doing about it”.
Coupled with the framework, Ramakrishna followed the strict operational principles of transparency, “relentless communication”, humility, belief in a solution and collaboration.
“Our focus was our customers and our business, while dealing with the press, PRs, regulators and government. If the government wants to know something, collaborate with them, do not try to hide the issue and do not wish the problem goes away,” Ramakrishna says.
Then he spent months working with worried customers. “They have a right to be confused. They have a right to be angry. So, don’t brush it off, work towards engaging them.”
SolarWinds fixed the issues that allowed the original breach to occur, publicised the changes and communicated them to customers and the industry. Today, arguably, SolarWinds is among the most secure companies in the world.