Reputational Risk Management

from Wikipedia, the free encyclopedia

Reputation risk management is a part of risk management that deals with the control and limitation of reputational risk.

Reputational risk is part of corporate risk and must be covered by risk management, which is required from both a business and a legal perspective.

In the regulatory minimum requirements for risk management in insurance companies (MaRisk VA), valid from 2009 to 2015, reputational risk was seen as an independent risk category. It is defined as the "risk that results from possible damage to the company's reputation as a result of negative public perception (e.g. by customers, business partners, shareholders, authorities)."

In the regulatory minimum requirements for the risk management of banks (MaRisk BA), reputational risk is not (yet) defined as an independent risk category, but it is mentioned in the general requirements for the management of liquidity risks (BTR 3.1 No. 2). Accordingly, "the effects of other risks [...] (e.g. reputational risks) [...] must be taken into account."

Importance of reputational risk management

According to the “Risk of Risks” study by the Economist Intelligence Unit, reputational risk is considered by risk managers to be the most significant and, at the same time, the most difficult risk to manage. The reputational risk management of a company must ensure that the existing reputational risks are identified, assessed and aggregated at an early stage on the basis of a reputational risk strategy using a systematic and continuous procedure. Reputation risk management also includes the fulfillment of the documentation obligations according to IDW PS 340 and the monitoring of the reputational risk management system.

Reputational risk strategy and goals

Upstream of the actual reputational risk management process is the reputational risk strategy, which contains the company's fundamental risk policy orientation with regard to reputational risks. For this reason, the reputational risk strategy is also referred to as the company's reputational risk policy principles, or "reputational risk management framework". These principles document the company management's acknowledgement of, and obligation to enforce, a critical and conscious handling of reputational risks (the so-called "commitment").

Reputational Risk Management Process

The reputational risk management process consists of a sequence of process steps that are named differently in the various publications on risk management. The following designation of the individual process steps therefore represents only one possibility. More important is that it is a continuous process: it does not end after a single pass but must be run through again and again.

Reputation risk identification

The aim of the identification phase is the complete and systematic identification of potential reputational risks. In this phase, the identified reputational risks should also be differentiated into primary and secondary risks.

With the help of monitoring and early warning systems, companies are alerted when their communication moves into a danger zone. Such tasks can be carried out by social media monitoring, media response analyses or reputational risk radars.

As a result of this phase, the identified reputational risks - systematized according to categories - are documented in a reputational risk catalog.

Reputation risk assessment

The objective of this phase is the qualitative or quantitative assessment of the reputational risks and their consequential risks, as well as their classification into risk classes, whereby interactions (correlations) or (one-sided) dependencies and the aggregation of the reputational risks should be taken into account.

In corporate risk management, all risks are assessed with regard to their probability of occurrence and their amount of damage (impact). So that reputational risk management can be linked to corporate risk management, all reputational risks must be assessed using the same logic. The so-called expected damage value is determined by multiplying the probability of occurrence by the amount of damage.

On the basis of the assessment of the reputational risks using a four- to five-level relevance system, the extent of the reputational risks must be determined (relevance system or risk classes), e.g. insignificant, medium, significant, serious and existence-threatening risks. The last category is particularly important in order to meet the requirements of Section 91 (2) AktG, which demands that "developments that endanger the continued existence of the company can be identified in good time." The classification of reputational risks must also make it possible to identify when a situation is referred to as a crisis and when the crisis communication instrument comes into effect.

There is no uniform procedure for assessing reputational risks. Assessment procedures that follow a two-stage approach are also advocated.

Reputation risk management

The aim of this phase is to initiate communication measures to prevent the occurrence of reputational risks and to respond appropriately to risks that have occurred (crisis communication).

The object of reputational risk management is thus to actively influence the reputational risks identified in the identification and assessment phases by taking control measures. Reputational risk management strategies can be distinguished, e.g.

As part of reputational risk management, measures are defined by those responsible in the respective areas and assigned to the reputational risk targets.

Reputation risk reporting

The aim of this phase is the regular creation of action-oriented reports for those responsible in the operational areas, the company management and the supervisory bodies.

As part of its organizational duties, the company management has to ensure that it is made aware of all relevant risks, and thus also of the company's reputational risks, as part of regular reporting. Reputational risk reporting with different report formats and defined thresholds ("traffic light function") should be put in place, differentiating between regular reports and ad-hoc reports.

Reputation risk monitoring

The aim of this phase is the regular monitoring of the countermeasures initiated by corporate communications and the review of their effectiveness with regard to the achievement of the reputational risk targets set.

A distinction must be made in risk monitoring between:
a) risk monitoring in the narrower sense, i.e. the ongoing monitoring of the individual reputational risks to check the effectiveness of the risk control measures,
b) risk monitoring in the broader sense, i.e. the monitoring of the reputational risk management system by an independent supervisory body.

Organization of reputational risk management

Only through constructive cooperation between corporate communications, corporate risk management and the operational units (departments) can an effective and efficient reputational risk management system be established in the company. The following roles are regularly defined in company practice, although they are described differently from company to company:

  • Corporate communications employee
  • Reputation risk officer of the departments
  • Reputation risk manager in corporate communications
  • Area and department head of corporate communications
  • Reputational Risk Committee
  • Reputational Risk Controllers (and Corporate Risk Controllers)
  • Internal audit and auditor

In addition to the methods used and the organizational structure, the process organization (processes and sub-processes) must also be documented in the reputational risk management manual. The ICV also recommends that the process performance of the risk management process be measured and controlled on the basis of the parameters of time, cost and quality.

Documentation and review of the reputational risk management system

The reputational risk management system should meet the requirements of Auditing Standard (PS) 340 of the Institute of Auditors (IDW) in terms of its functionality and documentation, provided that the company's risk management system is subject to auditing according to Section 317 (4) HGB. Coordination with the auditor is recommended in any case.

References

  1. BaFin, Circular 3/2009, MaRisk VA, p. 9.
  2. BaFin, Circular 11/2010, MaRisk BA, BTR 3.1, No. 2.
  3. "Risk of Risks" study by the Economist Intelligence Unit, 2005, p. 5.
  4. See BearingPoint GmbH (ed.), Management of Reputationsrisiken, 2008, p. 14 ff.; cf. Schierenbeck, H. / Grüter, MD / Kunz, MJ, Management of Reputational Risks in Banks, 2004, p. 21 ff.
  5. See International Controller Association (ICV), ICV statement "Process-oriented risk management", p. 41.