Reputation as a factor in the risk management process
Did Volkswagen (VW) deliberately take a reputational risk or did VW underestimate the impact of an operational risk? Is reputational risk a factor or the effect of a risk that has occurred? Experts on different reputational risks.
In many companies, risk categorization is based on the COSO model (Committee of Sponsoring Organizations of the Treadway Commission). With its dimensions of strategy, operations, reporting and compliance, COSO supports the company-wide, risk-based view of an internal control system (ICS) and thus represents a superordinate link between ICS and risk management.
In contrast to the ICS, risk management is not only understood as the risk-based control of negative deviations from specifications, but also implicitly as the possibility of exploiting opportunities. This is also reflected in the risk definition formulated in accordance with ISO 31000, which understands a risk as an "effect of uncertainty on a goal" and thus does not provide an evaluation in the positive or negative sense of a risk.
This factor is also taken into account in the COSO model by deliberately adding a new level to the original model with the dimension of strategy (COSO II) and thus adopting a company-wide approach. Due to its legal origin, the ICS design is still too often lived in a framework related to financial reporting without covering the other dimensions with an equivalent framework. This narrow view can lead to risks that are difficult to quantify, such as reputational risks, being addressed too little and thus realized too late.
Traffic as a financial, operational or reputational risk?
An example from everyday life: a pedestrian can cross a road outside the recommendations provided for this purpose. He bears the risk.
There is also a financial risk if he is stopped by a law enforcement officer and possibly fined. There would be an operational risk if he misjudged this and did not make it to the other side of the road before it occurred.
The impact of the operational risk that has occurred can also be quantified in financial terms; from contributions to medical costs to funeral costs in a worst-case scenario. From a comprehensive risk management perspective, these views fall short.
Perhaps the pedestrian was really only concerned with the risk quantification of his goal of "crossing the road" when he considered the risk from the homo economicus point of view. Maybe he was unconsciously or even consciously indifferent to the environment's perception of his failure. But what if the environment perceives this in a more differentiated way and demands justification for this behavior?
Objectives and role model function
An important factor in the assessment of possible reputational damage is the role model function. Even a pedestrian with a role model function can cross a road outside the recommendations provided for this purpose. On the other hand, the likelihood of having to justify this objective and this way of achieving it increases. A role model carries values with him, consciously or unconsciously. A role model carries recognition.
A role model has responsibility, for himself, his environment, his surroundings. What kind of image does a public figure present when he or she takes the risk of making his or her way through the queues of cars to the next side of the road in after-work traffic?
Is it still only a financially quantifiable operational risk? Or does it rather touch on another dimension of the COSO framework, compliance, commonly subsumed under the fashionable term compliance? Too often, this dimension in particular is viewed too narrowly: as a focus on compliance with laws and regulations, as in this case with road traffic regulations. Too little consideration is given to compliance with social values and moral concepts, which ultimately results in a much greater loss.
Is a risk managed solely on the basis of financial risk assessments?
"The unthinkable has happened and we have to deal with it," Prof. Dr. Martin Winterkorn, outgoing CEO of Volkswagen AG, was quoted as saying after the VW scandal. At first, something big was overlooked: the reputation of the company.
It can be compared to boxing: the underestimation of the unknown left. It strikes when it is not expected. No matter how well prepared you are, it immediately knocks you down because it is unexpected and not anticipated. The occurrence of an unforeseen reputational risk has a comparable effect: operational risks can be borne as long as the financial strength of the company permits. Reputation is lost once, and history shows that a reputational risk also defeats financially strong companies, or ends or at least severely jeopardizes their economic success.
Does the COSO cube with its dimensions do justice to the topic?
The COSO model supports the risk framework with its dimensions. Reputational risk should be seen as a further element in the COSO framework. This makes reputational risk an independent, essential factor of all dimensions. It wraps itself around the COSO cube and permeates each individual level (see Figure 1).
Reputational risk is thus an impact that is too often underestimated in the overall risk management process, an incalculable, non-quantifiable factor. In every sub-step of the COSO model, the question arises: What if the public forms an opinion on this issue and that opinion is at odds with what is written on our banner? What then? A need for explanation?
If this is followed by a half-hearted statement, a lack of risk management with inadequate specific communication, the company's business can be jeopardised by a simple reputation risk.
Dimension "Employees"
And the employees? Those who fight against reputational risk on a daily basis? Excluding reputational risk and placing it in an operational or financial risk category is simply negligent. Reputational risk can be found in all risk categories and all components of the risk management process. Avoiding a catalyzing effect begins (not only in the automotive industry) by regularly sensitizing employees to the issue.
There are always people behind a company. People with values and role model functions. Preaching water and drinking wine starts at the top of the communications ladder. All organizational elements and levels of the company must always ask themselves the question: "What if the impossible is in the newspaper tomorrow?"
Such a process, which is anchored in the corporate culture, can sustainably reduce the effects and the probability of occurrence of the reputation risk. VW pays billions in fines for the operational risk incurred. The reputational damage applies to the entire automotive industry, the diesel vehicle, the employees, and even the end customer.
Conclusion.
Reputational risk is and remains a factor that should not be underestimated in an overall risk assessment. It can neither be assessed quantitatively, nor can it be planned or booked. It has a unique significance within the risk management of every company and only the constant sensitization and the knowledge "Ah, there was something else, the reputation!" prevents trouble and facilitates the work of every compliance manager in the risk management process.
In this sense, the reputation factor is the "lubricant in the gearbox" of a well-functioning COSO model - if insufficient attention is paid to it, it is unfortunately the "sand in the gearbox".