Getting serious about reputational risk is a must for financial services firms


Recent events at Davy Stockbrokers have demonstrated just how susceptible a firm’s reputation can be to the damaging consequences of the poor judgement and conduct of individuals.

RDJ Partner Brian Hunt looks at the importance of Boards and senior management taking a more proactive approach to the management of reputational risks and identifies some practical steps that firms could take to further safeguard their hard-earned reputation.

The Boards and management of well-run businesses recognise the value of their firm’s reputation. They jealously guard it because they know not only of its worth but also just how delicate it is. Warren Buffett is credited with having said that “it takes 20 years to build a reputation and five minutes to ruin it” – the fallout from the Central Bank of Ireland’s recent imposition of a €4.1m fine on Davy Stockbrokers was a stark reminder of this.

Importance of reputation

The strength of the reputation of a business flows through to the bottom line. Companies with a strong reputation tend to perform better, have loyal customers who may spend more, and having a strong reputation can also help these firms attract and retain a highly effective workforce. At the heart of a solid reputation lies trust – without trust a firm cannot thrive. Reputation and trust are key factors that help us distinguish one firm from another.

When a catastrophic reputationally damaging event occurs, it matters little in the minds of customers (or the regulator) that the bank offers the best deposit rates, or that the insurer has the best customer service, or that the investment firm produces great investment returns. Invariably, when a reputationally damaging event occurs and is poorly handled, it holes the ship below the water-line and it takes down the vessel in short order, both the good and the bad.

Reputation is somewhat nebulous – we can’t see it or feel it, and while it is subjective, we can attempt to measure its strength. Where a firm suffers reputational damage, we can easily see the outward signs of the effect of its downfall – a decline in share price, a reduction in turnover, in mainstream media reportage and commentary, in political discourse, and in damaging social media chatter. Given the unrelenting nature of the 24/7 news cycle, with the added power of social media, an action or event that might in times past have blown over can now quickly become a damaging and costly event for a business.

The higher the expectations, the greater the fall

Aside from supervisory and legal considerations, the reality for the financial services sector in Ireland is that there is a great readiness on the part of the public and the media to cast financial services firms as the villain. Maybe that is not an unreasonable position – after all this is the sector that played a central role in the financial crisis which necessitated taxpayer funded bank bail-outs. On occasion, a minor transgression by a financial services firm is all that is needed to serve as the seed for what becomes a reputationally damaging event.

It is arguable that in the financial services sector, where customers entrust firms with their savings and investments, reputation and trust matter a whole lot more, and crucially, a firm’s reputation will determine the level of trust that regulators afford to it.

Just as the proverbial policeman/policewoman cannot be on every street corner, the same goes for the Central Bank. In a post-financial crisis world, financial services firms are expected to have a strong compliance culture, a functioning moral compass, and to do the right thing even when no one is watching. The Central Bank expects that firms will, in the main, seek to do the right thing, but they cannot watch over or scrutinise every action or decision of regulated firms in real time.

As much as we might wish it were otherwise, there will always be transgressions and that is what drives the supervisory approach of the Central Bank whose toolkit includes imposing routine reporting requirements on firms, ongoing supervisory team engagement, the conduct of on-site inspections, market-wide thematic inspections, and the pursuit of contraventions through the enforcement processes.

Conduct of individuals

While externally triggered mishaps can inflict serious reputational damage on a firm (e.g. data breach, fraud etc.), it is invariably the choices made by individuals, whether acting alone or in concert, that hold greater potential to do longer-term damage to the firm’s hard-earned reputation.

Ask any cybersecurity buff about what the weakest link is in his or her firm’s I.T. security system and they will tell you that it’s their people. It just takes one curious or careless person to click on that tantalising link and expose the otherwise well-guarded I.T. infrastructure to a bad actor. The same can also be said of a company’s reputation – it is invariably the misguided or wrongly motivated actions of individuals that can lead to the destruction of a reputation that has taken decades to build.

Handling of damaging event

Individual perspective can greatly change how we view an event. In the mind of one person, what appears to be the careful handling of an historic transgression can be viewed by others as a shameful attempt to deny the gravity of egregious conduct.

The handling of a damaging event can influence the extent of the damage that arises from the event and it can also influence the timescale over which the story will continue to run.

Where the leadership of an organisation puts up its hand, admits the failing, accepts responsibility, apologises, and delivers the necessary resignations, that could well pave the way for the firm to begin on the slow and arduous process of recovery of its reputation. On the other hand, where a transgressor is in denial or tries to portray the transgression in a way which is not based in fact, or fails to apologise or vows to remain in office, that can cause the matter to play out over a longer period of time, command greater negative publicity and exacerbate the reputational damage incurred by the firm.

In reacting to a reputationally damaging event, to avoid being blinkered, firms should actively seek out the perspective of outsiders who will challenge the adequacy and appropriateness of the firm’s response.

Practical steps that firms can take to address reputational risk issues

Where a financial services firm is the subject of reports that suggest it has acted in contravention of regulatory requirements, that is bound to draw upon the firm the prying eyes of the Central Bank. This brings with it the increased risk that the normal, routine supervision of that firm becomes a far more intrusive form of supervision which is deeply unwelcome and uncomfortable for the firm.

The best preventive measure for a reputationally damaging event is good corporate culture. Strong governance with robust systems and controls can all help contribute to the right kind of culture and values within a firm.

Few of the settlement agreements entered into by the Central Bank in recent years have resulted in the level of controversy that has surrounded the recent imposition of a fine on Davy Stockbrokers.

While recognising that reputational risks are difficult to monitor and mitigate, there are measures that Boards and senior management within financial services firms can implement to guard against future events that might bring their organisation into disrepute. Some of those measures are now considered.

Proactive approach to reputational risk

Firms often think of reputational issues in the context of reactive crisis management. The effective management of reputational risk is not just about having the capability to communicate well when things go wrong. It is important that the mindset of financial services firms towards reputational risk becomes much more proactive. The circumstances that can trigger a reputational risk event can be proactively monitored and mitigated in the same way as other risk types.

Code of conduct

A firm whose Board, senior management and staff are guided, in practice and not just in theory, by a strong code of conduct has taken a good first step towards reducing the risk of an adverse event. The code of conduct should be used as a means of cultivating a strong culture of ethics and compliance.

Effective Board oversight

The Board should have oversight of matters relating to reputational risk and should require regular reports on developments that could potentially impact on the reputation of the firm.

Tone from the top

The tone from the top needs to be set by the CEO and visible adherence by the CEO to the highest ethical standards needs to be demanded by the Board. The CEO needs to be seen to be living and breathing every line of the code of conduct, and not just paying lip-service to it.

Whistleblower reporting facility

Firms should have in place a facility for staff to report, on a confidential or anonymous basis, concerns of wrongdoing or unethical behaviours within the firm.

Understand reputation and stakeholder expectations

Firms need to have an understanding of their reputation and standing in the market, and should have a strong sense of the expectations that their key stakeholders have of them, whether that is customers, staff, shareholders, or regulatory authorities. It is a transgression of those expectations that can give rise to reputational damage.

Reputational risk framework

Firms should seek to implement a reputational risk framework which clearly documents with whom responsibility for each risk lies, and how risks will be identified, monitored and mitigated. Potential scenarios for reputationally damaging events should be explored and analysed. On a day-to-day basis, key decisions affecting the business should be required to be assessed through the prism of reputational risk.

Cross-functional reputational risk forum

Another potential measure that firms can consider is to put in place a cross-functional team specifically tasked with analysing and monitoring all aspects of reputational risk. Such a team ought to comprise functions from across the business that are best placed to understand the factors that drive reputational risk. Typically this might include representatives from risk, compliance, operational business functions, and communications.

Ongoing monitoring of reputational risks

A matter that posed little or no risk yesterday might be a real cause for concern tomorrow – the triggers for reputational risks can be quite transient and sudden. In recognition of this, the process for monitoring reputational risks needs to be agile.

Develop and revise crisis response plan

Firms should develop a crisis response plan and should periodically test the effectiveness of the plan through crisis simulation exercises. The appropriateness of the plan should be regularly reviewed and the plan should be updated so as to take account of the changing risk landscape.

By Brian Hunt of Ronan Daly Jermyn.