September 1, 2019 by David Gambrill, Editor-in-Chief
Gone are the days when Joan Jett famously sang about not giving a damn about her bad reputation.
In the era of social media, bad corporate behaviour can become common public knowledge in seconds. Companies can lose face for any number of reasons: product recalls, data breaches, large-scale oil spills, accounting improprieties, insider trading, market price manipulations, unsafe labour practices by suppliers, and sexually inappropriate behaviour. For this reason, company executives have ranked reputational risk as among the Top 10 risks that keep them awake at night.
But is the damage caused by a company’s bad reputation insurable?
The force of reputational damage
XL Foods in Canada is often cited by risk managers as an example of how a damaged reputation can ultimately wipe out a company.
On Sept. 4, 2012, the Canadian Food Inspection Agency (CFIA) identified a positive E. coli O157:H7 sample in raw beef trimmings produced at an Alberta facility supplied by XL Foods Inc. Two weeks later, XL Foods found itself at the centre of Canada’s largest beef recall. About 1,800 products were ultimately removed from the Canadian and U.S. markets and 18 consumers became sick.
On Sept. 20, more than two weeks after the first positive test for E. coli, XL Foods Inc. began to notify its customers in Canada and the United States that it was recalling its beef trimmings. CFIA temporarily suspended the license of the XL Foods Alberta plant on Sept. 27. At the time, CFIA reported, “the company had not adequately implemented the agreed-upon corrective actions and did not present acceptable plans to address longer-term issues.”
The chain of events led to a $4-million settlement of a class action lawsuit against XL Foods. Brazilian company JBS ultimately bought the Alberta operations from XL Foods in January 2013.
During the crisis, XL Foods management, known to be a reticent group to begin with, remained largely silent, a fact that is not lost on Canadian risk managers. Many cite it as a textbook case of how not to manage reputational risk during a crisis.
What is reputational risk?
If something bad happens to a company, it’s usually because the event is “in some way inconsistent with society’s expectations of the respective entities, which in turn led to undesired reputational consequences,” as a 2013 report by the Risk and Insurance Management Society (RIMS) puts it. “Such events can quickly damage financial performance, product integrity and consumer confidence, and may also trigger heightened regulatory oversight, resulting in significant loss of value or more permanent destruction.”
Corporate boards are increasingly asking risk managers to find ways to protect their reputations. But important questions remain: What is a reputation? What is it worth?
Damage to a reputation is a nebulous, intangible thing, leading to some debate among risk managers as to whether it is, strictly speaking, a risk.
“There’s never a risk to your reputation,” says Christine Maligec, president of the Northern Alberta RIMS Chapter. “What happens to your reputation is an outcome. You do good things, good things happen, and people see you favourably. You do bad things, people see you unfavourably. It’s not a risk, it’s an outcome.”
Tina Gardiner, RIMS Canada Council president, sees Maligec’s point. But she still believes that reputational damage qualifies as a risk. “When I look at a corporation, and I look at the things that could go wrong — or that could lead to opportunities, if viewed properly — you have to follow the basic management steps,” Gardiner says. “You have to be able to identify what those potential risks or opportunities are. You have to analyze the likelihood and severity of something going wrong, and you have to be able to assess it and prioritize…. From that perspective, it’s a risk, because you are applying risk management techniques to control the outcomes.”
To underwrite a risk, you need to define it in an insurance policy. And that’s where things get tricky.
Carol Fox, vice president of strategic initiatives at RIMS, is among a group of risk managers who produced the 2013 report, Understanding Reputational Risk. She refers to the paper’s comprehensive definition of reputational risk: “Reputational risk can be defined as the uncertainty related to those internally- and externally-generated events, issues, perceptions and actions that could materially enhance or detract, either incrementally or abruptly, from the value of an organization’s assets including performance, core business practices, and management decisions within and outside of the organization.”
The paper goes on to note that “reputation is generally understood as the recognized standing of a business or entity — what we actually are seen to be.”
And who is doing the “seeing” (or judging) in this scenario?
An organization’s reputation can shift at any time in the eyes of its public shareholders, creditors, investors, regulators, politicians, consumers, business clients, media, supply chain partners, associates, and employees. And in today’s age of social media, whatever bad behaviours may be exposed, becomes readily apparent to everyone in the world with a simple tweet.
Is reputational risk insurable?
Can something so amorphous as “public opinion” lead to a quantifiable insured loss for an organization?
“When we look at insurance, we are really talking about financialization of risk,” says Gregory Eskins, who leads Canada’s FINPRO practice within Marsh. “We’re looking to quantify and price risk. That leads back to the question, ‘How does an organization view the value of its reputation?’ By extension, what inputs and variables go into making up the financial value of that reputation?”
Stock price is often cited as one of those variables or inputs, as noted by Darius Delon, president of Calgary-based Risk Management 101. “Let’s say your stock is at $30,” he explains. “Something happens tomorrow, and your stock is at $20. You can argue that your reputation was harmed to the tune of $10 [per share]. If the stock rebounds, then what is the actual damage to the reputation? You could look at the revenue: did the revenue rebound as the stock market came back up? There’s a lot of correlation there.”
But the measure is limited, Delon adds. It is more appropriate for large, publicly-traded firms than those of smaller, privately-owned companies.
And so how can you quantify a reputational loss?
It’s still relatively early days in the effort to assign numbers to the risk for the purpose of determining an insurance payout. For Eskins, the question is: “Can we as an industry come to a meeting of the minds as to how we quantify this risk? Assuming the answer is yes, we can absolutely create a viable product, because then we can agree to a pricing framework.”
Fox notes that enterprise risk managers have been doing work on this since 2013. The Reputation Institute, for example, offers an index of corporate reputations based on seven different factors: products and services, innovation, workplace, citizenship, governance, leadership, and performance. A 2014 RIMS paper, Managing Reputational Risk to Drive Strategic Performance, identifies metrics that can be used to measure the impact of each factor:
• Products and services (customer satisfaction surveys, quality metrics, consumer complaints/feedback, management responses, cycle time, percent of work done by suppliers)
• Innovation (analyst ratings, consumer attitude scanning, media mentions, percentage of time spent on new products and services, number of patents, awards from professional associations)
• Workplace (employee engagement surveys, compensation benchmarking, safety reports)
• Citizenship (social media ratings [e.g. Yelp], corporate social responsibility ratings, community engagement surveys)
• Governance (Institutional Shareholder Services Quickscore, Governance Metrics International (GMI), bond/credit ratings agencies)
• Leadership (credit rating agencies, analyst reports, employee engagement surveys)
• Performance (market share, margins, sales, financial results, budget performance, deviation analysis).
The list of factors is not exhaustive, Fox says. “We looked at those items and we thought there is more than that. There is also the perceptions of an organization by external partners, creditors, regulators, industry and media. You can have a stellar reputation, for example, but if someone in your industry does something that gets a lot of negative press, that can affect the entire industry. It’s hard to quantify each of those dimensions and then come up with an overall score.”
Organizations are beginning to put the numbers together, “but it’s baby steps,” says Fox. “I haven’t seen anybody look at this against all of these dimensions. They may just pick a few that they think are important to their organizations. At least it gives the organization some idea of where they are from a reputation standpoint.”
Transferring the risk to insurance
Corporations have been concerned about reputational damage for years; even so, not many insurance solutions are available on the market to cover it.
“There are specialized units within insurance companies (alternative risk teams) that create parametric products,” says Eskins. “Ultimately, the client and the insurer agree to the value of the reputation (via an agreed model). You will agree to what types of events will trigger the policy. You will agree to what amount or level of financial loss would need to take place before the parametric trigger in the policy kicks in. And then, upon the conditions being met, you get to a payout of policy proceeds.”
These specialized products are “generally be taken up by larger, sophisticated organizations with well-resourced enterprise risk management teams/units,” says Eskins.
There isn’t a large robust standalone market for reputational risk, in part because of the issue of quantification. That said, cyber policies have evolved to the point of addressing reputational damage associated with a data breach. “From a cyber perspective, there is a reputational harm insuring agreement, which is essentially a business interruption insuring agreement,” says Eskins. “This factors in the loss of business income or earnings as a result of a cyber event that causes you negative publicity, thus leading to a financial loss without a technological disruption to the business, such as a loss of revenue. This is a separate insuring agreement that is selectively being quoted on cyber policies now. Insurers are looking to charge for this, although without a meeting of the minds in advance, the utility of the coverage can rightfully be questioned.”
Mitigating reputational risk
Ultimately, risk managers may choose not to transfer the risk to insurance, preferring the time-honoured way of mitigating risk in-house. That comes from having well-established policies and procedures in place and making sure that employees know what to do in the event of a major blow to the company’s reputation. Cyber insurance provides an example.
“I think it’s really important that when companies have a cyber breach, they have a procedure in place,” say Gardiner. “And I think it’s very important that that procedure be known within the company. I think it’s got to be practised. Companies have to do a tabletop exercise at least once a year to make sure they know who is going to do what. The insurance policy is just a safety net.”