How to Manage Reputational Risk

By John Thackeray

As Warren Buffett once said, “It takes 20 years to build a reputation and five minutes to ruin it.”

This can be especially true today, as high-profile crises including cyberattacks, product recalls, and damaging social media posts become more prevalent. Reputation represents an interpretation or perception of an organization’s trustworthiness or integrity. Reputation risk is the current and prospective impact on earnings and enterprise value arising from negative stakeholder opinion. Reputation equals integrity and integrity equals social responsibility, which is about sustaining the “social license to operate”—ensuring that business practices, operating procedures, and corporate behaviors are acceptable to employees, stakeholders, and the public. In fact, this social responsibility, aka “the trust factor”, will drive corporate governance just as much as regulations.

To understand and address reputational risks, the organization first needs to determine the identification, ownership, management, and risk/reward of those risks in order to put forward a sustainable plan that can mitigate them. Once these questions are addressed, reputation risk can be managed through three lines of defense: strategic alignment, cultural alignment, and operational focus.

Strategic Alignment

Effective board oversight: Reputation risk management starts at the top. Strong board oversight on matters of strategy, policy, execution, and transparent reporting is vital to effective corporate governance, which is a powerful contributor to sustaining reputation. Market recognition of success is a huge validation of a company and its management team. Managing reputational risk doesn’t typically fit neatly into a single function. Ultimately governed by the board, reputational risk management may require clear accountability, leadership, and engagement across numerous teams.

Integration of risk into strategy setting and business planning: The board and executive management must ensure that risk is not an afterthought to strategy setting and business planning. Reputation risk must be considered a material risk and strategic risk. Reputation risk management is inextricably linked to the company’s risk management and crisis management disciplines, as well as to the alignment of strategy and culture with the enterprise’s commitment to quality and operational excellence. The roles and responsiveness of both board and senior management should ensure adequate focus on the critical enterprise risks that could impair the enterprise’s reputation, appraisal of significant changes in the enterprise’s risk profile, and a process for identifying emerging risks on a timely basis.

Priority focus on identification of risks through stakeholders’ lens: The executive team and board of directors should ensure that there is a focus on improving stakeholder experiences. These are the accumulation of day-to-day interactions that customers, employees, suppliers, regulators, shareholders, lenders, and other stakeholders have with a company as a result of its business operations, branding, and marketing. If internalized and acted upon, they are a powerful driving force for improving and sustaining reputation within the marketplace.

Ten years from now, no organization or brand will be able to succeed without doing good and doing well — i.e., delivering financial performance while also making a positive contribution to society. Social purpose will need to be embedded into the very fabric and heart of the enterprise.

Effective communications, image, and brand building: Building brand recognition unique to a business is vital to market success and, when all else is working well, augments reputation. A good story is easy to tell. Typically, the best companies have powerful and distinctive messaging; establish accountability for results with metrics, measures and monitoring; work social media effectively; and passionately live up to their values every day.

Crisis planning/operational resilience/risk assessment plans/scenario planning:

Formalize a crisis response program and practice. Effective management of a crisis event can mitigate potential reputational damage. Establishing an effective crisis management framework can allow organizations to integrate the right processes, roles, and governance into existing contingency plans. Knowing when to mobilize a crisis response, how to manage decision-making, what information to communicate to which stakeholders, and how to coordinate communications across different teams often takes practice. Companies can test processes and gain experience by running crisis simulation rehearsals based on the most critical reputational risks.

Cultural Alignment

Strong corporate values supported by appropriate performance incentives: Boards need to ensure that executive management implements a strong tone at the top, a variety of effective escalatory processes, and periodic assessments of the tone in the middle and tone at the bottom. To that end, the executive team needs to ensure alignment of performance incentives with corporate values to shape and influence the corporate culture end to end.

Also, executives and directors need to pay attention to the warning signs posted by the independent risk management function and in audit reports evidencing the possibility of dysfunctional behavior.

Positive culture regarding compliance with laws, regulations, and internal policies: 

Few incidents undermine reputation more than serious compliance violations with the attendant headline effect of the brand being dragged through the mud by the media. Senior executives, with board oversight, should ascertain that effective internal controls over compliance matters are implemented.

In addition, effective auditing and monitoring capabilities to evaluate compliance effectiveness should be in place to ensure the above capabilities are functioning as intended.

Operational Focus

Strong control environment:

A critical component of internal control, the control environment lays the foundation for a strong culture and management’s commitment to integrity and ethical values—and the oversight provided by the board of directors in carrying out its responsibilities. Embarrassing control breakdowns, especially in the arena of public reporting, can tarnish reputation. Every board should expect and demand a strong control environment.

Early warning system:

Embedding risk sensing into an organization’s risk governance program can allow companies to continually identify emerging threats. To spot potential risks, many leading companies perform 24/7 monitoring of traditional and social media outlets as well as internal data sources. This can require a human- and technology-enabled capability that allows companies to analyze and interpret data to inform business decisions. Monitoring teams can support daily reputational threat sensing as well as the organization’s crisis management response process.


John Thackeray is a chief risk officer who has held risk positions in both Europe and the U.S. He now runs his own consulting company ( which specializes in the writing of risk documentation. He can be reached at