A practical approach to reputation risk

Every organization has some desirable public image. Does it want to be perceived as environmentally sound? Family friendly? Political activist? A ‘high roller’? Cutting edge? Traditional? Or, perhaps it simply wants anonymity in the public eye. Reputation risk results from strategies or actions that conflict with the desired public image.

Rather than wait for reputation risk issues to arise, it is important to be proactive. Let’s take a step back. Organizations are constantly developing strategies at all levels. Whenever someone is assigned a new task or objective, a strategy needs to be developed to accomplish it. The process of selecting or creating a new strategy can include the evaluation of whether that strategy is consistent with the organization’s public image.

In risk management, I use the term “risk attitude” to describe which strategies management would, or would not, feel comfortable with. A “low risk” attitude indicates that management expects assurance that the proper results will be achieved. A “high risk” attitude indicates that management is willing to take its chances and would be comfortable with a strategy that might deliver results ranging anywhere from wild success to total failure. Neither is necessarily good or bad and can vary not only from one objective to the next, but also with different components of a single objective. It’s possible, for instance, to develop a desirable strategy that is high risk in some areas (e.g. financial returns) while low risk in others (e.g. worker safety). But nearly every organization wants very low risk when it comes to protecting its public image. If that’s the case, then it’s reasonable to have a specific question that needs to be answered as part of every new strategy — is it consistent with our public image?

Of course, this assumes one very critical component. The organization needs to define and be able to describe its preferred public image. If that’s not the case, then reputation risk is increased simply because it may be unclear what to embrace or avoid during strategy development. If employees don’t know that the organization is cultivating a worker-friendly image, then a cost reduction initiative may include a strategy that includes massive worker layoffs.

That’s the first part — making sure that the organization understands how to develop appropriate strategies that will, at least initially, be consistent with your public image.

There is another part. An organization needs to be generally perceived as trustworthy and competent. For example, while an organization may not be explicitly cultivating a public reputation for good customer service, excessively poor customer service will still create a public image problem. The same would be true for any normal business activity if it is executed poorly to the level where the public perceives the organization as being incompetent. Even something as mundane as an inability to pay its bills accurately could grow to the extent that it creates a public perception of incompetence.

To avoid this, an organization also needs a general performance and risk management environment where expected performance levels are defined. Performance levels that don’t meet reasonable expectations need to be elevated to management long before such “incompetence” becomes a subject of public discussion.

Please share some stories about how your organization is addressing reputation risk.


Performance Risk Management – the practical approach

Performance Risk Management is my new and immensely practical approach to integrating performance management and risk management. This is the breakthrough that finally allows the “good ideas” behind enterprise risk management to shine through.

I have written about many aspects of risk management in the past. I find the topic fascinating because it offers such great promise to help organizations of all types accomplish their goals better, faster, and more completely. Unfortunately, for years, I was frustrated by all of the static surrounding risk management. This static has made it virtually impossible to convey a clear picture of the benefits of risk management.

The static

I have spent many years thinking this through. I have always known that the core message of risk management is profound. It just seemed that there was so much static surrounding risk management that the message was always hidden in irrelevancies. I needed to understand which pieces of risk management theory were creating this static. What did I need to strip away for this message to come through loud and clear? I have come to the realization that much of this static resulted from two fallacies:

  • An improper primary focus on risks, themselves
  • Useless attempts to categorize risks; focusing on the artificial differences between risks rather than finding the universal similarities

As I started recognizing these two ‘static generators’, I was able to develop an approach to risk management that suddenly accomplished two things.

First, risk management could be intuitively aligned with an organization’s performance objectives. More than that – risk management works only if it is aligned with performance objectives. It suddenly started making obvious, practical sense to executive leadership. It’s not just a “nice theory”; it can help achieve bottom line results in a real and practical way.

Second, it became clearer why so many organizations have prematurely abandoned their risk management implementation projects. I understood that the mind-numbing real-world complications that these organizations experienced were, actually, irrelevant.

Eliminating the static

The first clear realization was that risk management starts with objectives, not risks. It’s always about accomplishing objectives. Managing associated risks is simply an additional technique to help accomplish your goals. Everyone knows this intuitively. The problem was that risk management theory made, at most, a passing reference to objectives. That’s why risk management never felt right. It never actually aligned with what we knew to be true. An organization doesn’t want to expend efforts to “manage risks”. It will, however, expend effort on better techniques that help it accomplish its objectives better, faster, and more completely.

The second clear realization came to me when I recognized the waste in categorizing risks among “Strategic Risk”, “Compliance Risk”, “Legal Risk”, “Financial Reporting Risk”, etc., etc., etc. Risk management theory loves to focus on these categories. This disguises a lack of deeper understanding – the similarity among all risks. This similarity flowed from the first clear realization – a focus on objectives, not risks. While there may be many types of objectives, there is only one type of risk – an inability to effectively execute.

When you logically extend these two clear realizations, the results are profound. Once you do away with the process of classifying risks, you can focus on actually identifying the risks. Not only that, you actually have a practical framework to identify those risks – real world things that could go wrong relative to a specific objective. Useless theory melts away and practical understanding takes its place. It has allowed me not only to better communicate how an organization benefits from risk management, but also to develop a practical way to (i) initially implement risk management within an organization, and (ii) enhance management processes to deliver results better, faster, and more completely.

These are the two basic components of Performance Risk Management. Many benefits flow as a result which I will continue to address in subsequent posts.



Risks have attributes, not categories

People like to categorize, as I wrote in my prior post. But a question was left hanging — are there categories of risk? That depends on what we mean when we talk about categories.

One way of thinking about categories is to envision a number of “buckets” where every risk must fall into one of these buckets. This is where people think about whether a risk is a “Strategic Risk”, “Compliance Risk”, “Reputational Risk”, “Financial Reporting Risk”, etc. The problem with this approach is the underlying assumption that each risk must exist in only one category. Unfortunately, no matter how many buckets you come up with, sooner or later you’ll come up with a new item that doesn’t fit neatly into one of the buckets. So you create a new bucket. But then you discover that a risk that you earlier dropped into a different bucket now fits better in this new bucket. In short, this is an approach that simply doesn’t work very well because it is very difficult, probably impossible, to create a complete and exclusive system of categorizing risks in any meaningful way.

A better way of thinking about risks is through “attributes”. Rather than going through a mental process of depositing each risk into a specific bucket (which requires a sense of mutual exclusivity), consider instead what practical questions you might want to answer about your risks. What “knowledge” do you want to create?

Perhaps you will, in the future, want to know which risks occur simply because a computer is used as part of the process (e.g. “garbage in / garbage out”). Or perhaps, you want to know which risks occur simply because you choose to outsource a process to a third party (e.g. “insecure storage of sensitive data”). Or perhaps you want to know which risks might occur because of internal fraud (e.g. “expense reimbursement for the wrong amount”).

Notice that one or more of these attributes might apply to any particular risk. So, you can’t simply drop the risk into the “third party risk” bucket. It also needs to exist in the “IT risk” and “internal fraud” buckets. This is where it becomes necessary to eliminate the idea of “buckets” and think of “attributes” instead. Attributes are like standard sticky notes that you can attach to any risk, or perhaps to many risks.

Then, when you want to understand your risks better, this approach allows you to see those risks that have the “internal fraud” attribute attached. Or, you can see those risks that have an “IT” attribute. Some risks will be in both lists.

This approach provides much more flexibility than going with an exclusive bucket approach.

If you don’t agree, I would love to hear your views.

The business of risk management

“The business of business is business.”

This quote is often attributed to Milton Friedman, Alfred P. Sloan, and others. It is frequently interpreted as conveying a cynicism that business people are intentionally uninterested in larger issues that impact society. The inference, then, is that business is often harmful to society through this neglect.

For this article, I am uninterested in this debate. Maybe I’ll take that on another time. Instead, I want to turn this around a little bit with the following aphorism – feel free to attribute this to me.

“The business of risk management is business.”

Many people, especially those who have not invested thousands of hours working with risk management concepts, want to attribute high and lofty goals to the ideas behind risk management. Risk management, though, has no goals. Risk management is simply a tool. It’s a hammer, a wrench. Tools have no philosophy or agenda. Tools are an invention of those persons who want to accomplish more with less effort.

Similarly, risk management exists solely to help a leader (of any enterprise — not just a for-profit business) accomplish more with less effort. That is, the goal of risk management is to help a business be a better business – no matter what that business is.

Before a craftsperson picks up a tool, they already know the larger result that they have in mind and select the tool to help achieve it. This is an exercise in practicality. They do not select a wood plane because the world is fascinated with the concept of wood planes. They select it because it will help them accomplish more with less effort.

So, too, should a business person select the tool of risk management – that is, when it’s the right tool for the job at hand. So, that raises the obvious question. When is risk management the right tool?

I’ll start to address that in my next post.

The Sarbanes-Oxley lesson: doing it wrong is very expensive

One of the lessons from Sarbanes-Oxley was the sheer waste of time and energy for those organizations that tackled it the wrong way. Admittedly, most organizations tried to be thoughtful and creative in addressing SOx. Some recognized that SOx requirements were not significantly different from what they were (or should have been) already doing. However, given the relatively small amount of time for implementation and the very large downside, it was often approached as a ‘compliance’ issue rather than a ‘management information’ issue. It should have been approached as a relatively easy re-design of management reporting to include existing organizational knowledge about the internal control environment.

Public accountants and other consultants bear substantial blame for this. The CPAs were feeling pressure from their governing bodies to assure ‘compliance’ with SOx. This sometimes meant that they were in a less-than-consultative mood with their clients. And third-party consultants, of course, were ready to accept fees and help assure that these public companies satisfied the requirements imposed by their public accountants.

Now let’s move forward a few years.

Many organizations are moving, in some way, into risk management. The reasons can vary … regulators are becoming more insistent, the governing board has indicated that they want it. Or, perhaps, executive leadership is intrigued by what they imagine risk management can provide to help them better run their organization.

One thing that organizations need to avoid is treating risk management implementation like they may have treated Sarbanes-Oxley implementation. There is a natural temptation to presume that risk management is a side-project that the organization simply must accomplish and move past. There may be a presumption that there is a checklist that, once completed, will provide a risk management environment. In fact, there is … but only at a very high level. There are specific objectives that need to be achieved in order to implement risk management. But each of those objectives needs a strategy that is specific to each organization.

For those organizations considering a more formalized approach to risk management, there are three options:

  1. Spending: Creating a risk management program that provides little value beyond the fact of its existence.
  2. Waiting: Doing nothing formal and continuing to rely on the management team to manage risk in an ad-hoc manner.
  3. Investing: Thoughtfully designing and implementing a risk management environment that will continually pay dividends in better organizational information and decision making.

The worst of these options is the first – spending money with little or no payback. The biggest damage is the illusion, without the substance, of risk management that a weak program so often creates.

The other two options are simple cost/benefit. If management believes that the organization can’t afford to improve its ability to make better decisions and achieve its objectives, it may be better to wait and not invest in risk management. However, if executives believe that the organization needs to perform better and achieve results faster then risk management is definitely a tool that they need to consider.

My advice – executive leadership should firmly reject any weak risk management process. Spending money with no clear payback is irresponsible.

Instead, executives must consider carefully the cost and benefit of risk management. Bring in advisers who can guide management in understanding, at a business level, the costs and benefits of risk management. Then make a decision of either waiting or investing.


Risk management implementation projects – what you should expect

Risk management implementation projects can be very challenging. But, when they are done correctly, they deliver results that can raise your organization to an entirely new level of performance.

My prior post discussed some unreasonable expectations for your implementation project. This post talks about the flip side — you need to set high expectations in some areas.

Risk management should provide more than lists and graphs – it should provide organizational insights

Risk management should provide value. The value isn’t necessarily embodied within a particular list that it might generate. Instead, the value is in the overall knowledge that it provides about the organization. The very process of implementing risk management helps drive a thought process that steps away from the day-to-day and focuses on the strategic and the “what-if”.

The risk management process naturally includes a need to understand which goals and risks are more impactful to the organization. Clearly, the most impactful goals and risks should receive a greater share of management’s attention. This process of thinking about goals and risks in this manner leads to the natural process of thinking about which actions, deeper in the organization, directly support these most critical goals. As an example, an organization’s highest goal may be to improve its customer service image. As this goal cascades through the organization, a low level risk of “Customer service representatives fail to reasonably satisfy customer requests” may be seen as one of the most significant risks to the organization – perhaps a much greater risk than those risks that might be attached to other top level strategies.

Limit executive leadership’s involvement to specific points

There are specific points in a risk management implementation project where executive leadership must be involved. This includes establishing the organization’s general approach to risk management, determining the scope of the implementation project, and identifying how the resulting information should be organized to provide practical answers.

However, once these foundational steps are done, the project manager, along with the sponsor or liaison, should be able to proceed independently and methodically with gathering knowledge and data. This is done through interviews and discovery at varying levels throughout the organization. Interviews at the top level must, of course, include executive management. However, when the project is proceeding through lower levels of the organization, executive management simply needs to monitor the progress (as with any project) and provide periodic insights and feedback.

Expert outsiders can provide immeasurable help

This expert help is seen in a few specific areas.

First and foremost is the value of experience in defining and managing the project. Someone who has experience can provide options for what risk management realistically can, and cannot, provide to an organization. A third party can also help maintain a focus on the project so that it doesn’t get buried underneath day-to-day urgencies.

Second, expert outsiders can help identify the risk environment in certain areas of the organization. This is especially true in areas with a specialized knowledge base. It can be very beneficial to have a third party help minimize ‘group-think’ and assure that the total risk environment is being considered.

Collected data can be used in many ways

Risk management expands data about the organization. This new data is necessary to answer questions that could not have been previously answered. It needs to be structured so that new insights (such as those that come along with periodic updates to risk assessments) can be captured over time. But the additional knowledge needed to specifically answer “risk” questions can also be used in other ways.

A critical feature of risk assessment activities is the need to understand which activities and risks have the greatest impact on the organization. As this information is collected, it is typically aggregated according to the unit or person who “owns” them. This new knowledge about individual goals and activities can be used to enhance an organization’s overall performance management and goal-setting process.

Perhaps the greatest benefit from implementing risk management isn’t “risk management” specifically, but how the data and the knowledge round out the overall management and decision-making capabilities.


Risk management has the ability to deliver profound insights into an organization. Management can use these insights to dramatically improve its ability to achieve its goals. These past few posts have discussed ways to assure that your implementation project has a good chance of successfully adding value and setting a foundation for an effective on-going risk management environment.

Risk management implementation projects – unreasonable expectations

As I discussed in prior posts, risk management implementation projects can be very challenging. The perceived success is often directly related to the expectations for the project. In this post I’ll write about some common, but unreasonable, expectations. My next post will address the flip side – what you should expect to receive from the project.

Unreasonable — Risk management is a one-time analysis

Everyone recognizes the need to continually update accounting records and periodically produce new balance sheets and income statements. Your risk environment, similarly, is constantly changing and needs to be updated if it’s to provide value. When risk management is treated as a one-and-done activity, it runs into two fundamental problems.

First, the information in the very first risk assessment is, essentially, an unvalidated model of your organization’s risk environment. It’s often unwise to place confidence in an unvalidated model. Instead, this risk model must be revisited from time to time and adjusted until the model reflects an ongoing representation of the real world. If a risk management model, 12 months later, indicates that a particular risk is the greatest risk to the organization, does that still make practical sense? If not, what assumptions need to be tweaked?

Second, any organization’s real world environment is not static. It changes daily. The greatest benefit of risk management is to capture changing conditions and help identify where and when certain strategies may no longer be optimal and should be revisited. This capability focuses management’s attention on either mitigating a new emerging risk or taking advantage of a new emerging opportunity. This value is lost if risk management is viewed as a static project.

Unreasonable — Risk management will deliver hard and objective answers about risk

Sorry. Risk management is inherently subjective. The foundation for risk management relies on people’s opinions of how different activities and risks might impact your organization. Occasionally, in very specific risk areas, there may be sufficient data such that analytical risk models can be created. But even these apparently objective models are based on historical experience and assumptions about future probability. It’s important to recognize that risk management always relies on opinions and assumptions. The goal is to remove the superficial subjectivity surrounding assumptions, definitions, and personal self-interest. When this superficial subjectivity is removed, it is far easier to discuss, rank, and monitor the impact and likelihood of risks.

Perhaps most important is to simply avoid the illusion of objectivity and openly recognize that periodic ongoing updates to your risk management system fulfill two purposes – i) to recognize changes to your risk environment (i.e., the inputs to your risk management model) and ii) to provide ongoing validation to your organization’s risk management model, itself.

Unreasonable — Management can fully outsource the implementation project

Senior management must remain involved to some level. No one outside of the senior management team can know all of the important strategic and tactical issues within your organization. This means that, except in broad general terms, no single individual can effectively:

  1. Design the ultimate risk management deliverable,
  2. Identify all of the risks,
  3. Determine which risks might be more potentially harmful to the organization,
  4. Determine the likelihood that those risks might actually occur.

Of course, the more time someone spends inside the organization doing research and interviews, the more familiar they become with the organization. But that’s still no substitute for directly involving the right people at all levels of the organization. It’s the only option if the foundation is to be built on solid, informed opinions rather than uninformed generalities.

Recap: This post addresses some of the unreasonable expectations. You may have additional ones in mind and I would love to hear from you. The next post will flip this over and discuss some very reasonable expectations that management should have.