Don’t get framed by the competition, trust our solid reputation.

Regulators, industry groups, consultants, and individual companies have developed elaborate guidelines over the years for assessing and managing risks in a wide range of areas, from commodity prices to natural disasters. Yet they have all but ignored reputational risk, mostly because they aren’t sure how to define or measure it.

Executives know the importance of their companies’ reputations. Firms with strong positive reputations attract better people. They are perceived as providing more value, which often allows them to charge a premium. Their customers are more loyal and buy broader ranges of products and services. Because the market believes that such companies will deliver sustained earnings and future growth, they have higher price-earnings multiples and market values and lower costs of capital. Moreover, in an economy where 70% to 80% of market value comes from hard-to-assess intangible assets such as brand equity, intellectual capital, and goodwill, organizations are especially vulnerable to anything that damages their reputations.

Most companies, however, do an inadequate job of managing their reputations in general and the risks to their reputations in particular. They tend to focus their energies on handling the threats to their reputations that have already surfaced. This is not risk management; it is crisis management—a reactive approach whose purpose is to limit the damage. This article provides a framework for proactively managing reputational risks. It explains the factors that affect the level of such risks and then explores how a company can sufficiently quantify and control them. Such a process will help managers do a better job of assessing existing and potential threats to their companies’ reputations and deciding whether to accept a given risk or to take actions to avoid or mitigate it.

The Current State of Affairs

Regulators, industry groups, consultants, and individual companies have developed elaborate guidelines over the years for assessing and managing risks in a wide range of areas, from commodity prices to control systems to supply chains to political instability to natural disasters. However, in the absence of agreement on how to define and measure reputational risk, it has been ignored.

“It takes many good deeds to build a good reputation, and only one bad one to lose it.”—Benjamin Franklin

Consider the 135-page framework for enterprise risk management (ERM) proposed in 2004 by the Committee of Sponsoring Organizations of the Treadway Commission (COSO), a group of professional associations of U.S accountants and financial executives that issues guidelines for internal controls. Although the framework mentions virtually every other imaginable risk, it does not contain a single reference to reputational risk.

Nor does the Basel II international accord for regulating capital requirements for large international banks. In defining operational risk as “the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events,” the Basel II framework, issued in 2004 and updated in 2005, specifically excludes strategic and reputational risks. That’s mainly because of the difficulty of factoring them into capital-adequacy requirements, most banking-risk professionals would say.

Given this lack of common standards, even sophisticated companies have only a fuzzy idea of how to manage reputational risk. A large U.S. pharmaceutical company reflects the current state of practice among well-run organizations. It has an ERM system for managing operational and financial risks, as well as hazards from external events such as natural disasters, that is loosely based on the COSO framework. The firm’s vice president of risk management oversees the system. However, the company manages reputational risks only informally—and unevenly—at the local and product levels. Its leaders consider reputational risk only when they make major decisions such as those involving acquisitions. (The company’s due-diligence process includes the evaluation of problems that could affect reputation, including pending lawsuits, weak product-testing procedures, product-liability concerns, and poor control systems for detecting management fraud.) The risk management VP says that reputational risk is not included in the long list of risks for which he is responsible. Then who is responsible? The CEO, the vice president surmises, since that is who oversees the firm’s elaborate crisis-response system and is ultimately responsible for dealing with any events that could damage the company’s reputation. This pharmaceutical firm is not alone. Contingency plans for crisis management are as close as most large and midsize companies come to reputational-risk management. While such plans are important, it is a mistake to confuse them with a capability for managing reputational risk. Knowing first aid is not the same as protecting your health.

Determinants of Reputational Risk

Three things determine the extent to which a company is exposed to reputational risk. The first is whether its reputation exceeds its true character. The second is how much external beliefs and expectations change, which can widen or (less likely) narrow this gap. The third is the quality of internal coordination, which also can affect the gap.

Reputation-reality gap.

Effectively managing reputational risk begins with recognizing that reputation is a matter of perception. A company’s overall reputation is a function of its reputation among its various stakeholders (investors, customers, suppliers, employees, regulators, politicians, nongovernmental organizations, the communities in which the firm operates) in specific categories (product quality, corporate governance, employee relations, customer service, intellectual capital, financial performance, handling of environmental and social issues). A strong positive reputation among stakeholders across multiple categories will result in a strong positive reputation for the company overall.

Reputation is distinct from the actual character or behavior of the company and may be better or worse. When the reputation of a company is more positive than its underlying reality, this gap poses a substantial risk. Eventually, the failure of a firm to live up to its billing will be revealed, and its reputation will decline until it more closely matches the reality. BP appears to be learning this the hard way. The energy giant has striven to portray itself as a responsible corporation that cares about the environment. Its efforts have included its extensive “Beyond Petroleum” advertising campaign and a multibillion-dollar initiative to expand its alternative-energy business. But several major events in the past two years are now causing the public to question whether BP is truly so exceptional. (See the exhibit “BP’s Sinking Image.”) One was the explosion and fire at its Texas City refinery in March 2005 that killed 15 people and injured scores of others. Another was the leak in a corroded pipeline at its Prudhoe Bay oil field in Alaska that occurred a year later and forced the company to slash production in August 2006. BP has blamed the refinery disaster on lax operating practices, but federal investigators have alleged that cost cutting contributed as well. Employee allegations and company reports suggest that the root cause of the Prudhoe Bay problem may have been inadequate maintenance and inspection practices and management’s failure to heed warnings of potential corrosion problems. As media coverage reflects, these events and others have damaged BP’s reputation.

BP’s Sinking Image

Media coverage plays a large role in determining a company’s reputation. The changing mix of positive and …

To bridge reputation-reality gaps, a company must either improve its ability to meet expectations or reduce expectations by promising less. The problem is, managers may resort to short-term manipulations. For example, reputation-reality gaps concerning financial performance often result in accounting fraud and (ultimately) restatements of results. Computer Associates, Enron, Rite Aid, Tyco, WorldCom, and Xerox are some of the well-known companies that have fallen into this trap in recent years.

“Character is like a tree and reputation like its shadow. The shadow is what we think of it; the tree is the real thing.”—Abraham Lincoln

Of course, organizations that actually meet the expectations of their various stakeholders may not get full credit for doing so. This often occurs when a company’s reputation has been significantly damaged by unfair attacks from special interest groups or inaccurate reporting by the media. It also can happen when a company has made genuine strides in addressing a problem that has hurt its reputation but can’t convince stakeholders that its progress is real. For example, Chrysler, Ford, and General Motors improved their cars so much that the quality gap between them and the vehicles made by Japanese companies had largely closed by 2001. Yet, much to the frustration of the Big Three, consumers remain skeptical.

Undeserved poor or mediocre reputations can be maddening. The temptation is to respond to them with resignation and conclude: “No matter what we do, people won’t like us, so why bother?” The reason executives should bother—through redoubled efforts to improve reporting and communications—is that their fiduciary obligation to close such reputation-reality gaps is as great as their obligation to improve real performance. Both things drive value creation for shareholders.

Changing beliefs and expectations.

The changing beliefs and expectations of stakeholders are another major determinant of reputational risk. When expectations are shifting and the company’s character stays the same, the reputation-reality gap widens and risks increase.

There are numerous examples of once-acceptable practices that stakeholders no longer consider to be satisfactory or ethical. Until the 1990s, hostile takeovers in Japan were almost unheard of—but that was partly due to the cross-holding of shares among the elite groups of companies known as keiretsu, a practice that undermined the power of other shareholders. With the weakening of the keiretsu structure during the past ten to 15 years, shareholder rights and takeovers have been on the rise. In the United States, once-acceptable practices now considered improper include brokerage firms using their research functions to sell investment-banking deals; insurance underwriters’ incentive payments to brokers, which caused brokers to price and structure coverage to serve underwriters’ interests rather than customers’; the appointment of CEOs’ friends to boards as “independent directors”; earnings guidance; and smoothing of earnings.

Sometimes norms evolve over time, as did the now widespread expectation in most developed countries that companies should pollute minimally (if at all). A change in the behavior or policies of a leading company can cause stakeholders’ expectations to shift quite rapidly, which can imperil the reputations of firms that adhere to old standards. For example, the “ecomagination” initiative launched by General Electric in 2005 has the potential to raise the bar for other companies. It committed GE to doubling its R&D investment in developing cleaner technologies, doubling the revenue from products and services that have significant and measurable environmental benefits, and reducing GE’s own greenhouse emissions.

Of course, different stakeholders’ expectations can diverge dramatically, which makes the task of determining acceptable norms especially difficult. When GlaxoSmithKline pioneered the development of anti-retroviral drugs to combat AIDS, its reputation for conducting cutting-edge research and product development was reinforced and shareholders were pleased. They were initially on board when GSK led a group of pharmaceutical companies in suing the South African government after it passed legislation in 1997 allowing the country to import less expensive, generic versions of AIDS drugs covered by GSK patents. But in 2001, GSK shareholders did an about-face in reaction to an intensifying campaign waged by NGOs and to the trial proceedings, which made GSK and the other drug companies look greedy and immoral. With its reputation plunging, GSK relented and granted a South African company a free license to manufacture generic versions of its AIDS drugs—but the damage was already done.

Sometimes, particular events can cause latent concerns to burst to the surface. One example would be all the questions about whether Merck had fully disclosed the potential of its painkiller Vioxx to cause heart attacks and strokes. Merck is embroiled in thousands of lawsuits over the arthritis drug, which it pulled from the market in 2004. The controversy has raised patients’ and doctors’ expectations that drug companies should disclose more detailed results and analyses of clinical trials, as well as experience in the market after drugs have received regulatory approval.

When such crises strike, companies complain that they have been found guilty (in the courts or in the press) because the rules have changed. But all too often, it’s their own fault: They either ignored signs that stakeholders’ beliefs and expectations were changing or denied their validity.

In addition, organizations sometimes underestimate how much attitudes can vary by region or country. For example, Monsanto, a developer of genetically modified plants, was badly burned by its failure to anticipate Europeans’ deep concerns about genetically modified foods.

Weak internal coordination.

Another major source of reputational risk is poor coordination of the decisions made by different business units and functions. If one group creates expectations that another group fails to meet, the company’s reputation can suffer. A classic example is the marketing department of a software company that launches a large advertising campaign for a new product before developers have identified and ironed out all the bugs: The company is forced to choose between selling a flawed product and introducing it later than promised.

The timing of unrelated decisions also can put a company’s reputation at risk, especially if it causes a stakeholder group to jump to a negative conclusion. This happened to American Airlines in 2003, when it was trying to stave off bankruptcy. At the same time that it was negotiating a major reduction in wages with its unions, its board approved retention bonuses for senior managers and a big payment to a trust fund designed to protect executive pensions in the event of bankruptcy. However, the company didn’t tell the unions. Furious when they found out, the unions revisited the concessions package they had approved. The controversy cost CEO Donald J. Carty his job.

Poor internal coordination also inhibits a company’s ability to identify changing beliefs and expectations. In virtually all well-run organizations, individual functional groups not only have their fingers on the pulses of various stakeholders but are also actively trying to manage their expectations. Investor Relations (with varying degrees of input from the CFO and the CEO) attempts to ascertain and influence the expectations of analysts and investors; Marketing surveys customers; Advertising buys ads that shape expectations; HR surveys employees; Corporate Communications monitors the media and conveys the company’s messages; Corporate Social Responsibility engages with NGOs; and Corporate Affairs monitors new and pending laws and regulations. All of these actions are important to understanding and managing reputational risks. But more often than not, these groups do a bad job of sharing information or coordinating their plans.

Coordination is often poor because the CEO has not assigned this responsibility to a specific person. When 269 executives were asked in 2005 by the Economist Intelligence Unit who at their companies had “major responsibility” for managing reputational risk, 84% responded, “The CEO.” This means that nobody is really overseeing the coordination process. Yes, the CEO is the person ultimately responsible for reputational risk, since he or she is ultimately responsible for everything. But the fact of the matter is, the CEO does not have the time to manage the ongoing process of coordinating all the activities that affect reputational risk.

Managing Reputational Risk

Effectively managing reputational risk involves five steps: assessing your company’s reputation among stakeholders, evaluating your company’s real character, closing reputation-reality gaps, monitoring changing beliefs and expectations, and putting a senior executive below the CEO in charge.

Assess reputation.

Since reputation is perception, it is perception that must be measured. This argues for the assessment of reputation in multiple areas, in ways that are contextual, objective, and, if possible, quantitative. Three questions need to be addressed: What is the company’s reputation in each area (product quality, financial performance, and so on)? Why? How do these reputations compare with those of the firm’s peers?

Various techniques exist for evaluating a company’s reputation. They include media analysis, surveys of stakeholders (customers, employees, investors, NGOs) and industry executives, focus groups, and public opinion polls. Although all are useful, a detailed and structured analysis of what the media are saying is especially important because the media shape the perceptions and expectations of all stakeholders.

Today, many companies hire clipping services to gather stories about them. Text- and speech-recognition technologies enable these services to scan a wide range of outlets, including newspapers, magazines, TV, radio, and blogs. They can provide information on such things as the total number of stories, the number per topic, and the source and author of each story. While useful in offering a real-time sample of media coverage, these services are not always accurate in assessing whether a story about a company is positive, negative, or neutral, because of the limits of the computer algorithms that they employ. They also tend to miss stories that cite a company but do not mention it in the headline or first few sentences.

Therefore, the old tool of clipping services needs to be supplemented with strategic media intelligence. This new tool not only analyzes every line in a story but also places the coverage of a company within the context of all the stories in the leading media (those that set the tone for the coverage of topics, companies, and people in individual countries). Since the reputation of a company is a function of others’ reputations in its industry and the relative reputation of the industry overall, having the complete context is essential for assessing volume and prominence of coverage, topics of interest, and whether the view is positive or negative.

Establishing a positive reputation through the media depends on several factors or practices, according to research by the Media Tenor Institute for Media Analysis (founded by coauthor Roland Schatz) in Lugano, Switzerland.

First, the company has to land and remain on the public’s radar screen, which involves staying above what we call the “awareness threshold”: a minimum number of stories mentioning or featuring the company in the leading media. This volume, which must be continual, varies somewhat from company to company, depending on industry and country but not on company size.

Second, a positive reputation requires that at least 20% of the stories in the leading media be positive, no more than 10% negative, and the rest neutral. When coverage is above the awareness threshold and is positive overall, the company’s reputation benefits from individual positive stories and is less susceptible to being damaged when negative stories appear. If coverage is above the awareness threshold but the majority of stories are negative, a company will not benefit from individual positive stories, and bad news will reinforce its negative reputation. All companies—large or small—should care about staying above their awareness threshold. Even if a small company has a very strong reputation among a small group of core investors or customers, it runs a high risk of suffering considerable damage to its reputation if its media coverage is below the awareness threshold when a crisis hits.

A company’s reputation is also vulnerable if the media are focused on just a few topics, such as earnings and the personality of the CEO. Even if the coverage of these topics is extremely favorable, a negative event outside these areas will have a much larger negative impact than it would have if the firm had enjoyed broader positive coverage.

Third, managers can influence the mix of positive, negative, and neutral stories by striving to optimize the company’s “share of voice”: the percentage of leading-media stories mentioning the firm that quote someone from the organization or cite data it has provided. Media Tenor’s research suggests that a company needs to have at least a 35% share of voice in order to keep the proportion of negative stories to a minimum in normal times. Strong relationships and credibility with the press are crucial to attaining a large share of voice and are especially important during a crisis, when a company really needs to communicate its point of view. In such times, management’s share of voice needs to be at least 50% to ensure that critics of the company don’t prevail. Merck’s travails after the problems with Vioxx illustrate the consequences of a company inadequately managing its position in the media. (See the exhibit “Merck: The Perils of a Low Profile.”)

Merck: The Perils of a Low Profile

Merck was ill prepared to defend its reputation when the Vioxx crisis hit. In the 33 months prior to Merck’s …

Evaluate reality.

Next, the company must objectively evaluate its ability to meet the performance expectations of stakeholders. Gauging the organization’s true character is difficult for three reasons: First, managers—business unit and functional heads as well as corporate executives—have a natural tendency to overestimate their organizations’ and their own capabilities. Second, executives tend to believe that their company has a good reputation if there is no indication that it is bad, when in fact the company has no reputation in that area. Finally, expectations get managed: Sometimes they are set low in order to ensure that performance objectives will be achieved, and other times they are set optimistically high in an attempt to impress superiors or the market.

As is the case in assessing reputation, the more contextual, objective, and quantitative the approach to evaluating character, the better. Just as the reputation of a company must be assessed relative to competitors, so must its reality. For example, performance-improvement targets based only on a company’s results for the previous year are meaningless if competitors are performing at a much higher level. The importance of benchmarking financial and stock performance and processes against peers’ and those of companies regarded as “best in class” is hardly a revelation. However, the degree of sophistication and detail as well as the accuracy or reliability of benchmarking data can vary enormously. The reasons include transcription errors (a big problem when a large amount of data in paper documents has to be manually entered into electronic spreadsheets), for instance, and the inability to determine whether the way competitors report information in an area is consistent. One company might include customers’ purchases of extended warranties in its revenues, while another might not.

Some new tools should help address these issues. One of the most noteworthy is Extensible Business Reporting Language (XBRL). A version of the Internet standards technology Extensible Markup Language (XML), XBRL allows each piece of information in a financial statement to be electronically tagged so that it can be quickly and cheaply pulled into analytical software. These tags are contained in dictionaries, or “taxonomies,” based on sets of standards such as the U.S. generally accepted accounting principles. XBRL-formatted financial statements are already available from companies such as EDGAR Online, but these early offerings have limitations. Taxonomies for specific industries must be developed; software for downloading and analyzing XBRL data is still at an early stage; and EDGAR Online’s offering includes European companies only if their shares are listed on a U.S. exchange (although an XBRL taxonomy does exist for international financial reporting standards, used by all members of the European Union and a number of other countries). Christopher Cox, the chairman of the Securities and Exchange Commission, is determined to address such limitations and accelerate the widespread adoption of XBRL. Toward that end, he announced in September 2006 that the SEC will invest $54 million in an interactive data system based on XBRL, which “will represent a quantum leap over existing disclosure technologies.” (For more detail, see the HBR List item “Here Comes XBRL,” HBR February 2007.)

Another valuable new tool for managing reputational risk is visualization software, which uses colors, shapes, and diagrams to communicate the key points in financial and operating data. These displays are a big improvement over the spreadsheets now widely used, which often make it difficult for even the most financially sophisticated executives to spot important anomalies and trends. Because it takes so much time to make sense of spreadsheets, executives tend to focus on the largest business units even though the greatest risks to reputation may reside in smaller ones—such as a struggling foreign subsidiary that has begun to employ questionable means to meet budget targets. (See the exhibit “One Drug Company’s Dashboard for Spotting Potential Risks” for an example of a simple but effective use of visualization software to highlight whether business units and products are on track to meet year-end goals.)

One Drug Company’s Dashboard for Spotting Potential Risks

A Europe-based pharmaceutical company uses this dashboard to track variances in performance that …

Close gaps.

When a company’s character exceeds its reputation, the gap can be closed with a more effective investor relations and corporate communications program that employs the principles of strategic media intelligence discussed above. If a reputation is unjustifiably positive, the company must either improve its capabilities, behavior, and performance or moderate stakeholders’ perceptions. Of course, few companies would choose the latter if there were any way to accomplish the former. If, however, the gap is large, the time required to close it is long, and the damage if stakeholders recognize the reality is likely to be great, then management should seriously consider lowering expectations—although this obviously needs to be done in careful, measured ways.

Monitor changing beliefs and expectations.

Understanding exactly how beliefs and expectations are evolving is not easy, but there are ways to develop a picture over time. For instance, regular surveys of employees, customers, and other stakeholders can reveal whether their priorities are changing. While most well-run companies conduct such surveys, few take the additional step of considering whether the data suggest that a gap between reputation and reality is materializing or widening. Similarly, periodic surveys of experts in different fields can identify political, demographic, and social trends that could affect the reputation-reality gap. “Open response” questions can be used to elicit new issues of importance—and thus new expectations—that other questions might miss. It is generally useful to supplement these surveys with focus groups and in-depth interviews to develop a deeper understanding of the causes and possible consequences of trends.

Influential NGOs that could make the company a target are one group of stakeholders that should be monitored. These include environmental activists; groups concerned about wages, working conditions, and labor practices; consumers’ rights groups; globalization foes; and animals’ rights groups. Many executives are skeptical about whether such organizations are genuinely interested in working collaboratively with companies to achieve change for the public good. But NGOs are a fact of life and must be engaged. Interviews with them can also be a good way of identifying issues that may not yet have appeared on the company’s radar screen.

Finally, companies need to understand how the media shape the public’s beliefs and expectations. Dramatic changes in the amount of coverage influence how fast and to what extent beliefs and expectations change. The large volume and prominent display of stories on the backdating of stock options in recent months is one example of how the media can help set the agenda. The sharp drop in stories about insurance brokers’ getting incentive payments from underwriters illustrates how the media can help relegate a hot topic to the back burner.

Put one person in charge.

Assessing reputation, evaluating reality, identifying and closing gaps, and monitoring changing beliefs and expectations will not happen automatically. The CEO has to give one person responsibility for making these things happen. Obvious candidates are the COO, the CFO, and the heads of risk management, strategic planning, and internal audit. They have the credibility and control some of the resources necessary to do the job. In general, those whose existing responsibilities pose potential conflicts probably shouldn’t be chosen. People holding top “spin” jobs, such as the heads of marketing and corporate communications, fall into this category. So does the general counsel, whose job of defending the company means his relationship with stakeholders is often adversarial and whose typical response to media inquiries is “no comment.”

The chosen executive should periodically report to top management and the board on what the key reputational risks are and how they are being managed. It is up to the CEO or the board to decide whether the risks are acceptable and, if not, what actions should be taken. In addition, top management and the board should periodically review the risk-management process and make suggestions for improving it.• • •

Managing reputational risk isn’t an extraordinarily expensive undertaking that will require years to implement. At most well-managed companies, many of the elements are already in place in disparate parts of the organization. The additional costs of installing and using the new tools described above to identify risks and design responses are in the low to high six figures, depending on the size and complexity of the company. This is a modest expense compared with the value at stake for many companies.

A Framework for Managing Reputational Risk Understanding the factors that determine reputational risk enables a company to take actions to address them.

So the primary challenge is focus: recognizing that reputational risk is a distinct category of risk and giving one person unambiguous responsibility for managing it. This person can then identify all the parts of the organization whose activities can affect or pose risks to its overall reputation and enhance the coordination among its functions and units. The improvements in decision making will undoubtedly result in a better-run company overall.

Senior executives tend to be optimists and cheerleaders. Their natural inclination is to believe the praise heaped on their companies and to discount the criticism. But looking at the world and one’s organization through rose-tinted glasses is an abdication of responsibility. Being tough-minded about both will enable a company to build a strong reputation that it deserves.

A version of this article appeared in the February 2007 issue of Harvard Business Review.

Reset password

Enter your email address and we will send you a link to change your password.

Get started with your account

to save your favourite homes and more

Sign up with email

Get started with your account

to save your favourite homes and more

By clicking the «SIGN UP» button you agree to the Terms of Use and Privacy Policy
Powered by Estatik