REPUTATION RISK ON THE RISE


Financial Services
POINT OF VIEW

REPUTATION RISK ON THE RISE

AUTHORS
Tom Ivell, Partner
Hanjo Seibert, Principal
Joshua Marks, Engagement Manager

REPUTATION RISK ON THE RISE

Reputation risk is generally understood as the risk arising from adverse perception of an institution by its stakeholders. In the financial services industry, the aftermath of the global financial crisis has seen a proliferation of non-financial risks. Reputation risk is one topic that has grown in prominence, with headlines around the world highlighting the importance of effective reputation risk management.

In yet another negative story to beset the industry, the Panama Papers have recently led to allegations of several firms facilitating tax avoidance and public corruption. Mis-selling has led to mass demonstrations in a European capital; bankers have been summoned before parliamentary committees to justify their business practices; and payment system outages and increasingly frequent cyber attacks have resulted in regulatory fines, media attention and considerable brand damage.

Often tough to manage, and even more difficult to measure, some firms have done little to actively manage reputation risk. However, they can no longer afford to neglect this area. Heightened public scrutiny of the financial services industry, and the amplification of relevant issues through social media, suggest that this risk is likely to grow. Leading players are adapting to this new reality, drawing on the lessons learned from other industries (such as aviation), and from an emerging group of peer best practices.

"It takes 20 years to build a reputation and five minutes to ruin it. If you think about that you'll do things differently."
Warren Buffett

Copyright 2016 Oliver Wyman

REPUTATION MATTERS: IMPACT ON EARNINGS AND CAPITAL

Measuring the cost of reputation risk is difficult, in part because it can arise as a secondary consequence of other risks. One way in which it can be measured is through changes in stock prices, which are well placed to capture the many indirect effects of reputation damage through their reflection of lost future earnings. Such projected shortfalls in earnings might then inform capital planning.

The effect of reputation damage on stock prices is very real. Following the disclosure of a sanctions violation, the implied loss of earnings for one bank was six times the size of the fine, when the change in market value was compared to that of a representative set of peers. This episode is illustrated in Exhibit 1.

Regulators have responded to such events with increased scrutiny. The Financial Conduct Authority (FCA) in the United Kingdom formally recognises reputation risk within their overall supervisory approach. [1] The Office of the Comptroller of the Currency (OCC) in the United States revised its risk assessment guidance in 2015 to incorporate both the quantity of reputation risk and the quality of reputation risk management. [2] Similarly, the Supervisory Review and Evaluation Process (SREP) questionnaires of the European Banking Authority (EBA) require formalised policies and processes for the identification, management and monitoring of reputation risk, and the existence of contingency plans to deal proactively with reputation issues. [3] At an international level, the recent G30 report, Banking Conduct and Culture, recommends that boards should build a reputation, values, and conduct risk tolerance dashboard. [4] As a result, reputation risk is increasingly becoming an agenda item for boards and senior management.

Exhibit 1: Share value of affected institution vs. representative peer-set following a sanctions violation
[Line chart. Vertical axis: share value. Horizontal axis: day.]
Series 1: Actual market value of the bank during the days before and after the disclosure of the fine. The implied loss of earnings was ~6x the size of the fine.
Series 2: Expected market value in the absence of the disclosure, calculated by multiplying the bank market value on the day before the reported loss by a daily stock price projection, based on the rate of change of the stock market and the historical bank Beta value.

[1] FCA FG15/4: Social media and customer communications; "Risk management encompasses all relevant risks, including legal and reputation risk, as well as regulatory risk"
[2] OCC, Updated Guidance on Risk Assessment System
[3] EBA/GL/2014/13 Guidelines on common procedures and methodologies for the supervisory review and evaluation process (SREP)
[4] G30 report on Banking Conduct and Culture: A Call for Sustained and Comprehensive Reform

MANAGING REPUTATION RISK

Reputation risk arises from a broad range of potential events, and has an impact on an array of stakeholders. Given the distributed nature of both sources and impacts, the management of reputation risk has to become part of the day-to-day life of every employee of the firm. Indeed, such a responsibility cannot be centralised in one unit in the same way that financial firms typically manage credit, insurance or market risks (see Exhibit 2).

Successful approaches are designed with this conclusion in mind by:
- Promoting a shared understanding of reputation risk across the whole organisation.
- Focusing risk management on where real business decisions are made.
- Recognising the need for prioritisation to make the problem manageable.
- Putting in place effective crisis management.
- Creating management information that permits senior leadership oversight.

Exhibit 2: Example role of reputation risk management, connecting risk sources with impacted stakeholders
[Diagram. Columns: Risk sources (internal and external); Other 2nd Line of Defence functions; Functions interfacing with stakeholders; Impacted stakeholders (internal and external).]
Annotation 1: Enhance existing risk management frameworks for priority risk events from reputation risk perspective.
Annotation 2: Combine and interpret changes across stakeholder perception.

A shared definition of reputation risk, which should cover both sources and impacts, is critical in promoting a shared understanding and awareness across the firm. A clear articulation of risk appetite is equally important in allowing risks to be escalated effectively. One important question firms need to decide is whether reputation risk should only be deemed material when it has reasonably direct financial consequences (for example, on margins, volumes and funding).

Reputation risk management should be focused on real business decisions. These range from the strategic (such as closing retail branches in rural areas) to the operational (such as defining limits on downtime for mobile banking). In practice, this means that reputation should, as far as possible, be included in existing risk identification and assessment. Reputation risk can then be considered as a potential impact alongside remediation cost, regulatory fines and so on.

Reputation risk management thus becomes an integral part of business decision processes, ranging from new product approval and credit decisions to procurement. It can involve explicit tools and checklists, such as those used to restrict lending to sensitive sectors or prevent exploitation of workers at third party companies. Some firms use clear escalation channels, with governance structures in place that involve the relevant stakeholders in preventing and minimising reputation risk. Such measures could include blocking a new product or voting to syndicate a deal, rather than having the bank as the sole sponsor.

As firms seek to embed reputation risk management into their business decisions, robust prioritisation is required. To prioritise, the reputation risks inherent in business decisions can be grouped into three categories:

1. The financial and reputation impacts of a risk are highly correlated. For example, firms have market risk limits in order to protect them from market price induced losses. Since the reputational damage from such a loss is directly proportional to its magnitude, if market risk is managed well, so is reputation risk. A risk tolerance discussion should be held that captures the appetite for reputation risk, which may be below the financial loss that the balance sheet could sustain.

2. The financial and reputation impacts diverge. For example, a technology outage may be inexpensive to resolve internally but may still cause significant reputational harm with counterparties and clients. Here, additional controls may be required to ensure the specifications reflect this concern when designing the relevant systems.

3. The reputation risk exists without a corresponding financial impact. This applies only to selected areas but has given rise to dedicated specialist disciplines in the industry such as disreputable lending and responsible investment.

In our experience, it is the latter two categories that require the bulk of work when implementing reputation risk management to a consistent standard.

In prioritising the work, it is important to define which stakeholder groups should take priority. For example, a firm may decide in the short term to place higher importance on its standing with regulators and investors than with graduate recruits. Such prioritisation allows targeted due diligence in areas of heightened risk. A cyclical review schedule, similar to an audit plan, can be put in place to ensure continued adherence to the defined risk appetite.

Besides improving those controls designed to prevent or limit the fallout from adverse events, it is equally critical to have the right crisis management processes in place to deal with such events as they unfold. Leading firms have established event management protocols and action plans, designed to cover breaches of the reputation risk appetite. This allows the firm to respond quickly to mitigate potential damage to its reputation.

Some of the best approaches we have observed draw on lessons learned from the aviation industry, where planned responses minimise the decision making required in the heat of crisis. In the case of financial institutions, a great deal of decision making can be predetermined, thus avoiding the risks of vacillation and inaction. Such responses might, for example, include a war room set-up, in which senior executives of relevant functions gather to help steer the firm through the crisis. This setup is periodically tested in a simulated fire drill to ensure that it is up to date, to identify potential weaknesses and to train the relevant parties for the real incident.

Effective management information distils key risks and tracks the perceptions of the firm's most important stakeholders (see Exhibit 3). Leading institutions have put reputation risk radars in place that look to combine both the internal and the external view of a firm's reputation, thereby facilitating senior management engagement and oversight.

Exhibit 3: Example of a sanitised reputation risk dashboard at a leading universal bank
[Radar chart with six dimensions.]
1. Customer perception (Country A): aggregate scoring of consumer engagement from customer survey
2. Customer perception (Country B): aggregate scoring of consumer engagement from customer survey
3. Employee relations: tracking of relative satisfaction index from Group report
4. Investor perception: comparison of buy-hold-sell ratings of analyst reports from set group of banks
5. Media perception: weighted scoring of positive, neutral, and negative media reports
6. Corporate/social responsibility perception: average of external CSR reports

HOW TO GET STARTED

In order to get the reputation risk management process started, we recommend the following steps:
- Establish a clear and consistent understanding of reputation risk.
- Assign a single leader to coordinate risk management efforts.
- Involve the business in identifying critical decision points.
- Insert reputation risk considerations into existing risk management tools, processes and controls, and launch targeted remediation efforts where gaps need to be filled.
- Establish a crisis management protocol, coordinating with all interested parties.
- Design management information to engage senior governance bodies.

Firms' progress in developing an effective approach to reputation risk has been extremely varied to date. What is consistent is the significant long-term damage that such events can have on brand and customers. The rapidly changing and uncertain world in which we live today means that it is no longer viable to take a reactive approach. Reputation risk is an increasing concern for senior management and we expect ambition levels to increase dramatically in the near term.

A failure to invest and improve at the current time is a false economy. Rather than simply hoping that the worst won't happen, firms need to put in place effective risk management. This will help to minimise the likelihood of future events and will also steady the ship if and when a reputation crisis hits. Those who have done the most to develop frameworks have often been reacting to a significant event they have faced and wished they had acted earlier.

Oliver Wyman is a global leader in management consulting that combines deep industry knowledge with specialized expertise in strategy, operations, risk management, and organization transformation. For more information please contact the marketing department by email at info-fs@oliverwyman.com or by phone at one of the following locations: AMERICAS +1 212 541 8100 EMEA +44 20 7333 8333 ASIA PACIFIC +65 6510 9700