ENGINEERING & CONSTRUCTION RISK INSTITUTEecrisponsor.org/PPlibrary/ECRI-EP-007 Reputation...

•

Document number:

ECRI-EP-007

Reputation Risk

Page 1 of 27

Issued: 27 November 2014

DISCLAIMER

Engineering & Construction Risk Institute, Inc., a nonprofit corporation incorporated under the laws of the District of Columbia (“ECRI”), and its directors, officers, employees and advisers make no representations or warranties (express, implied or statutory) with respect to the accuracy or completeness of any information disseminated thereby or its suitability for any purpose and assume no responsibility for the content of such information or the consequences of use thereof, which shall be at the sole risk of the user thereof. References by ECRI to other organizations or individuals or their publications, programs, information or services does not imply any ECRI endorsement thereof or of any policies or positions advocated thereby or therein.

ENGINEERING & CONSTRUCTION RISK INSTITUTE

Purpose The purpose of the Reputation Risk best practice is to provide Sponsors with a guideline for understanding reputation and assessing reputation risk, as well as proposing controls and interventions to mitigate these risks in the context of the Engineering and Construction (E&C) industry. Introduction Risk to reputation is nothing new. The 18th century American politician, inventor and author, Benjamin Franklin, first coined the phrase “It takes many good deeds to build a good reputation, and only one bad one to lose it.” However, globalisation and the increasing complexity of business models with international work fronts and supply chains, shareholders’ triple bottom line performance demands, clients’ requirements to push the limits of what is possible at lower cost and less time, increased competition, public platforms for increasingly vocal employees, customers, NGO’s and communities, and significantly more stringent regulatory environments, have intensified organisational exposure to reputation risk. Global news networks, the internet and the emergence of social media have accelerated the rate at which a risk event can cause lasting widespread damage to an organisation’s reputation and made controlling these diverse risk environments more challenging. Within the E&C industry, a number of individual organisations, and in some cases the industry as a whole, have suffered reputation damage in the recent past (see Appendix 2 for case studies). These factors motivated the development of a best practice guideline to address reputation risk.

•

Document number:

ECRI-EP-007

Reputation Risk

Page 2 of 27



1. Definitions Brand value, reputation capital and related terms are often used inter-changeably, however have distinctly different meanings. A brief definition of related terms is tabulated below;

Term Definition

1. Risk Effect of uncertainty on objectives1

2. Threat A risk with the effect of a negative deviation from the expected

3. Opportunity A risk with the effect of a positive deviation from the expected

4. Risk Management Coordinated activities to direct and control an organisation with regard to risk2

4. Brand value

To calculate relative brand value, Forbes use a method of discounting normalised after tax earnings, allocate a percentage of those earnings to the brand based on the role the brand plays in each industry, and then apply the company’s three year average price-to-earnings multiple.3

5. Brand equity

Brand equity is the value premium that a company realizes from a product with a recognizable name as compared to its generic equivalent. Companies can create brand equity for their products by making them memorable, easily recognizable and superior in quality and reliability.4 Brand equity therefore has value in promoting consumer products, but is not an appropriate generic metric for the E&C industry.

6. Intangible Asset

An intangible asset is an asset that is not physical in nature. Corporate intellectual property (such as patents, trademarks, copyrights, business methodologies), goodwill and brand equity are all common intangible assets in today's marketplace.5

1 ISO 31000: Risk Management - Principles and Guidelines 2 ISO 31000: Risk Management - Principles and Guidelines 3 http://www.forbes.com/sites/kurtbadenhausen/2013/11/06/worlds-most-valuable-brands-behind-the-numbers/ 4 Adapted from http://www.investopedia.com/terms/b/brandequity.asp 5 http://www.investopedia.com/terms/i/intangibleasset.asp

•

Document number:

ECRI-EP-007

Reputation Risk

Page 3 of 27



Term Definition

7. Goodwill

Goodwill is an intangible asset, reflected on a company’s balance sheet,that arises as a result of the acquisition of one company by another for a premium, over and above the value of its underlying assets and liabilities.6

8. Reputation The beliefs that are generally held about someone or something7

9. Reputation capital

Reputation capital can be managed, accumulated and traded in for trust, legitimisation of a position of power and social recognition, a premium price for goods and services offered, higher customer loyalty, a stronger willingness among shareholders to hold on to shares in times of crisis, or a stronger readiness to invest in the company's stock. 8

2. Reputation The value of reputation to an organisation takes three forms, (1) an intangible asset, (2) the ability to create future value and (3) organisational resilience to future shocks and crises9. Reputation has a significant impact on an organisation’s value. A 2012 study by Cole10 found that 49% of the S&P500 and 55% of the FTSE100 total market capitalisation was made up of intangibles. While some of this was accounted for in terms of forecast future earnings and predicted dividend flows, Cole found that reputation contributed a substantial portion of the difference (both positive and negative) between a company’s market capitalisation and net asset value. Significant investment is made by global companies in marketing and brand building. These brands are usually associated with products or services, as opposed to an organisation, which may own many brands. Consumer-facing companies own more than 80% of the Forbes’11

6 http://www.investopedia.com/terms/g/goodwill.asp 7 http://www.oxforddictionaries.com/definition/english/reputation 8 J Klewes and R Wreschniok, Reputation Capital: Building and Maintaining Trust in the 21st Century (2010) 9 JP Louisot and J Rayner, Managing Risk to Reputation – From Theory to Practice 10 S Cole, The Impact of Reputation on Market Value (2012), World Economics Vol3, No. 3 11 http://www.forbes.com/powerful-brands/list/

http://en.wikipedia.org/wiki/Reputation_capital

http://en.wikipedia.org/wiki/Reputation_capital

http://www.oxforddictionaries.com/definition/english/reputation

•

Document number:

ECRI-EP-007

Reputation Risk

Page 4 of 27



current 100 most valuable brands. Only one of the top 100 valued brands, Caterpillar, participates in the engineering and construction industry. This indicates that business to business (B2B) companies, such as is the case within the E&C industry, trade on more than their brands. These organisations often cite their reputation as one of their most valuable assets, even though it does not appear on their balance sheets. Reputation is defined by the online Oxford Dictionaries12 as “the beliefs that are generally held about someone or something”. However, beliefs may be too narrow. David Van13 argues that the definition should be expanded to include expectations, introducing a forward-looking component to reputation. This translates into the confidence stakeholders have in the organisation delivering on future performance commitments. There are six interrelated elements contributing to an organisation’s reputation;

What the organisation projects to stakeholders in terms of I. Past performance, values, behaviour and attitudes II. Current actions or activity (this could be the manifestation of or response to a

reputation risk event) III. Commitments and aspirations in terms of future performance, behaviour and

remedial action

How the organisation is perceived by stakeholders in terms of their; IV. Past experiences (this is the source of reputation capital) V. Current experience (a threat/opportunity to reputation could be whether this

contrasts with past experience) VI. Expectations and confidence in future performance and behaviour

3. Damage to reputation An organisation will improve their reputation when it consistently meets or exceeds stakeholder expectations, increasing the perceived value to the stakeholder. Reputation damage occurs when stakeholder confidence is decreased, relative to their past perceptions, which negatively influences their engagement with the organisation. Reputation damage can occur in a number of different ways (not an exhaustive list);

Following a catastrophic risk event occurring (see A2.3 Case studies: BP Deepwater Horizon),

12 http://www.oxforddictionaries.com/definition/english/reputation 13 D Van, Reputation Risk Management (2014), presentation to the ECRI sponsors’ meeting in Montreal, Canada

http://www.oxforddictionaries.com/definition/english/reputation

•

Document number:

ECRI-EP-007

Reputation Risk

Page 5 of 27



The on-going thin-slicing of bad news by organisations reaching a tipping point, after which stakeholders reverse any leniency that they may have granted (see A2.2 Case studies: South African Construction Industry)

From smouldering embers, where a risk is identified but remains unresolved over a protracted period, and suddenly ignites following a relatively minor incident,

Not delivering schedule, quality and budgetary obligations under the contract,

Following a risk event, where expectations are created by the organisation in terms of remedial action, and the stakeholder’s actual experience is one of disappointment,

Poor crisis communication, with organisational stonewalling, media blackouts, lack of transparency, misinformation and interventions that are perceived by stakeholders to not serve their best interests.

The impact that these events can have on an organisation is sensitive to a number of factors;

Reputation Capital. An organisation with reputation capital (defined in section 2), may enjoy a period of leniency from stakeholders, in the event of a crisis. Where the organisation’s response to the crisis is perceived to be effective, this may increase reputation capital (see A2.1 Case studies: SNC Lavalin).

Geographic Location. A safety incident in a third world environment might not draw significant attention. However this could result in significant reputation damage with clients and shareholders in the first world, with a different value system and set of sustainability metrics.

Perspective of the Individual Stakeholder. Site wages being paid late as a result of an administrative glitch may not be a significant event within the corporate head-office, but could result in substantial damage to reputation with the labour force, unions and local communities.

Context. Stakeholders will hold organisations operating within industries with high ethical standards, such as the judiciary or medical profession, to a higher standard than those industries that do not emphasise ethics as a core value, such as used motor dealerships.

•

Document number:

ECRI-EP-007

Reputation Risk

Page 6 of 27



Damage to reputation, from various stakeholders’ perspectives, may impact an organisation in a number of different ways, as set out in the table below; 14

Stakeholder Impact of damage to reputation

1. Shareholders, analysts and traders

Shareholders decision to hold onto or dispose of their shares, which can have a negative impact on the share price

2. Clients Clients’ desire to place new orders, exclusion from vendor lists, termination of existing contracts, willingness to resolve disputes, and calling bonds on underperforming contracts

3. Supply chain Partners, sub-contractors and suppliers desire to establish new partnerships, and to fulfil or accelerate their obligations on existing contracts, if required

4. Competitors Competitors eagerness to dilute the organisation’s market share

5. Media Negative media coverage

6. NGOs Pressure groups/NGO activism

7. Regulators Control and regulators authority attitudes, closer scrutiny, increased cost of compliance, penalties for compliance breaches as well as debarment from bidding for future contracts

8. Politicians Politically motivated negative media coverage, resulting from conflicting agendas (societal, party political, personal ambition and commercial)

9. Ratings agencies/ Bankers

Ratings downgrades, increase in cost of capital and a reduction in credit facilities. Reduced capacity to raise bonds and guarantees

10. Leadership and staff Difficulty in recruiting high potential individuals, unmotivated current workforce and high staff turnover

11. Labour force Go slows, unrest and industrial action

14 Adapted from JP Louisot and J Rayner, Managing Risk to Reputation – From Theory to Practice

•

Document number:

ECRI-EP-007

Reputation Risk

Page 7 of 27



12. Communities Protests and interference with ongoing activities

•

Document number:

ECRI-EP-007

Reputation Risk

Page 8 of 27



4. Opportunities created by a good reputation A good reputation, from various stakeholders’ perspectives, may impact an organisation in a number of different ways, as set out in the table below; 15

Stakeholder Impact of enhanced reputation

1. Shareholders, Analysts and Traders

Shareholders decision to hold onto or purchase additional shares, increasing demand, which can have a positive impact on the share price

2. Clients Clients’ desire to place new orders and willingness to resolve disputes

3. Supply chain Partners, sub-contractors and suppliers desire to establish new partnerships and flexibility to accelerate their obligations on existing contracts, if required

4. Competitors Competitors caution in entering markets in which the organisation is active

5. Media Positive media coverage

6. Ratings agencies/ Bankers

Good credit ratings, reduction in the cost of capital and extension of credit facilities. Increased capacity to raise bonds and guarantees

7. Leadership and staff Attractiveness of the organisation as employer of choice, recruiting high potential individuals, motivated and loyal current workforce

8. Labour force Amicable resolution of issues relating to industrial relations

9. Communities Positive social media coverage


•

Document number:

ECRI-EP-007

Reputation Risk

Page 9 of 27



5. Reputation: Risk or Consequence? There is some debate as to whether reputation is a form of risk in its own right, as is the case with strategic or financial risk, or whether it is the consequence of other risks. Risk is defined in ISO 31000 as “the effect of uncertainty on objectives.”16 For reputation to be a risk, it would need to be assessed in terms of the potential effect that some uncertain future reputation event may have on defined performance objectives, like cost or profit. However, if we consider that reputation has value that is not represented fully as a derivative of other financial measures, and reputation risk exposure can result from all of the typical forms of risk (Strategic, Operational, Financial and Hazard categories etc.), then this provides a motivation to consider reputation as a performance dimension, as opposed to category or form of risk. Similar performance dimensions are safety, health and environmental impact. Risk impacting these factors may have financial consequence, but not all material impact can be expressed in terms of financial indicators. A fatality or disabling injury will have direct financial consequence, such as penalties, site closure, workman’s compensation, civil claims, recruitment, induction and training of replacements. However, the assessed risk impact associated with a fatality or disabling injury can be orders of magnitude greater than the direct financial consequence. Potential safety risk impact is therefore measured in terms of more appropriate performance objectives, such as Occupational Injury Rates17. Reputation risk should therefore be assessed in terms of the potential impact of all identified risks on appropriate reputation performance objectives. Illustrative examples of these performance measures have been included in Appendix 1. Reputation risk can amplify the financial or other material impact associated with a risk realising. This is due to the challenge of controlling information from multiple formal and informal sources, some of which may be inaccurate, irrational or even inflammatory, negatively influencing the stakeholder’s perceptions and reactions. Reputation risk is also highly contagious, which can extend the duration of contamination, and cause other parts of the organisation damage as a result of their association with the business unit in crisis.

16 ISO 31000: 2009 Risk Management – Principles and guidelines 17 http://en.wikipedia.org/wiki/Occupational_injury

•

Document number:

ECRI-EP-007

Reputation Risk

Page 10 of 27



6. The challenge of managing reputation risk within the enterprise risk management framework

Enterprise risk management is defined by COSO (Committee of Sponsoring Organizations of the Treadway Commission) as the; “… process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.”18 The emphasis in this definition is from an organisation’s internal perspective, and what can be done to give the assurance of performance in the context of its internal and external environments. However, reputation results from the perceptions and expectations that all stakeholders, both internal and external, have of an organisation. The existing standards and guidelines on enterprise risk management therefore do not accommodate the role that these external stakeholders play in an organisation’s reputation, and consequently fall short of managing reputation risk holistically. A further challenge is the traditional Risk Matrix used to evaluate and rank risk. This metric is inclined to result in lower relative rankings for risks with very low likelihood of occurrence, but potentially catastrophic impact (see traditional Risk Matrix example under section 9.2). This may be compounded by the perceptions of the senior executives accountable for reputation risk, who often focus on managing other risks, which pose more immediate tangible exposures, with a higher likelihood of occurring.

18 http://www.coso.org/documents/COSO_ERM_ExecutiveSummary.pdf

http://www.coso.org/documents/COSO_ERM_ExecutiveSummary.pdf

•

Document number:

ECRI-EP-007

Reputation Risk

Page 11 of 27



7. Causes and Consequences of Reputation Risk The underlying causes and consequences of reputation risk relate typically to ethics, health, safety and the environment, and technical issues, discussed briefly below.

Cause/source Consequence

Ethics:

fraud, corruption, anti-competitive behaviour, payment of facilitation fees, contravention of human rights (supply chains utilising sweatshops, child labour or forced labour, with poor working conditions)

loss of a senior personnel implicated in the contravention

regulatory penalties and civil claims

debarment and removal from vendor lists

substantially increased costs of compliance, assurance, forensic investigation and legal advice

potential residual liabilities on projects

diversion of executive attention to contain the damage,

reduction in productivity on current work fronts, due to shift in focus while employees engage in remedial action, like retraining

damage to public image

loss of shareholder confidence, resulting in disposal of interests and decline in share price

negative media coverage

loss of existing clients and difficulty in securing new contracts

employee dissatisfaction resulting in challenges wrt retention and attraction of key staff

negative effect of fire fighting, low morale, retreating into defence mode and being driven by external forces

Health, safety and the environment: development of occupation health conditions, treatment of prevailing diseases, workplace injury and fatalities, incidents leading to environmental damage

penalties and site closure

payment of workman’s compensation and civil claims,

recruitment, induction and training of replacements

lost productivity

difficulty in recruiting and retaining staff

go slows and industrial action




difficulty in securing new contracts

NGO activism

•

Document number:

ECRI-EP-007

Reputation Risk

Page 12 of 27



Cause/source Consequence

Technical:

process failure, permanent and temporary works structural failure, quality failure, professional negligence, product recall, low productivity




lost productivity due to rework, project delay and penalties

possible contract termination or calling of bonds

difficulty in securing new contracts

insurance claims, and resultant increase in premiums or lack of availability of future insurance coverage

warrantee and negligence claims

8. Identifying potential reputation risk events Even though the internal and external risk environments are considered, the traditional approach to evaluating enterprise risk is from an inside-out perspective. Reputation risk assessment requires this to be augmented with an outside-in view, to provide a holistic view of risk to reputation.19

8.1. Inside-out review Interviews are conducted with the organisation’s corporate and operational executives, in order to examine their current view of strategies, risks and vulnerabilities. This will cover the macro strategic plan and underlying assumptions (Chief Executive), financial profile and market outlook (Chief Financial Officer), key risks and industry threats (Chief Risk Officer), operational vulnerability (Chief Operations Officer), competitive position and market opportunities (Business Development), challenges in recruiting and retaining high quality talent (Human Resource Officer), major claims and disputes, and intellectual property exposures (General Counsel), regulatory compliance (Chief Compliance Officer) communication with key internal and external stakeholders (Communications Officer). These interviews identify key stakeholders to be engaged to form the outside-in perspective. This discovery phase can be augmented to identify additional stakeholders. Sources of information or “Listening posts” are identified, to provide input from

19 Adapted from Deloitte, Three steps toward managing reputational risk, Risk & Compliance Journal, April 2013

•

Document number:

ECRI-EP-007

Reputation Risk

Page 13 of 27



stakeholders. These can include analyst blogs, industry forums, academic journals, media coverage, interviews, canvasing and social media.

8.2. Outside-in review The inside-out phase identifies those key stakeholders to be engaged in providing the “outside-in” perspective. Within the context of the E&C industry, these stakeholders would typically include; shareholders, analysts, traders, clients, client’s engineers/agents, partners, sub-contractors, suppliers, competition, leadership teams/executives, permanent and limited duration staff, skilled and semi-skilled labour, external specialist consultants, regulators, ratings agencies, financiers and the communities within which projects are constructed. Each stakeholder’s reputation drivers20 are then identified, and will include

Financial performance and long-term investment value

Corporate governance and leadership

Corporate social responsibility

Workplace talent and culture

Delivering on client commitments

Legal and regulatory compliance

Communication and crisis management Intelligence is gathered from the different audiences using a variety of techniques. Threats and opportunities to the strategy are identified, and unpacked per stakeholder, depending on their reputation risk drivers. 8.3. Baseline The product of the inside-out and outside-in phases is a baseline set of risks to reputation, as well as a gap analysis between the outside-in view provided by key stakeholders, and management’s inside-out view of risk to the organisation’s reputation. The Johari window21 is used to examine multiple perspectives of risk from the inside-out and outside in, and helps to develop insight into potential responses. The model categorises risks into four quadrants: those that are known to the organisation and external stakeholders (known-knowns), those that are not known to external stakeholders (known-

20 Adapted from JP Louisot and J Rayner, Managing Risk to Reputation – From Theory to Practice 21 http://siteresources.worldbank.org/WBI/Resources/213798-1194538727144/1Final-Johari_Findings.pdf

•

Document number:

ECRI-EP-007

Reputation Risk

Page 14 of 27



unknowns), those that are not known to the organisation (unknown-knowns) and that those that are not known to the organisation or external stakeholders (unknown-unknowns).

•

Document number:

ECRI-EP-007

Reputation Risk

Page 15 of 27



9. Assessing Reputation Risk Exposure Perhaps the only way to know the value of a good reputation is to have is to have lost it entirely or have had it severely tarnished. This retrospective view can be useful to calibrate methods for measuring the exposure to reputation risk. However methods for assessing risk must take a view on the exposure to future events, some of which are discussed below.

9.1. #Tagging The simplest way to separate those risks with a potential impact on reputation, from those with no impact, is to add a “Reputation Risk” #tag (popularised by social media), which can be used to filter out reputation risk. This gives no indication of the significance, in terms of potential impact and likelihood of occurrence, or the required level of response. However, it will enable the risk practitioner to identify those reputation risks that may require further analysis.

9.2. Qualitative assessment A typical formulation for a 5x5 Risk Matrix, used in qualitatively assessing risk, is given below. Each of the Likelihood and Impact levels (Very Low, Low, Moderate, High and Very High) is assigned a number escalating from 1 to 5. The product of these numerical values is used against thresholds to define the resultant Low (<5), Medium (≤5, <15) and High (≤15) Risk Status.

•

Document number:

ECRI-EP-007

Reputation Risk

Page 16 of 27



VH (5) M (5) M (10) H (15) H (20) H (25)

H (4) L (4) M (8) H (12) H (16) H (20)

M (3) L (3) M (6) H (9) H (12) H (15)

L (2) L (2) L (4) M (6) M (8) M (10)

VL (1) L (1) L (2) L (3) L (4) M (5)

Likelihood/ Impact

VL (1) L (2) M (3) H (4) VH (5)

As mentioned under section 6, a potential shortcoming of this traditional method for qualitatively assessing risk is the lower relative ranking of potentially catastrophic, but highly unlikely risks (rated Medium in the sample Risk Matrix above). Risks impacting reputation frequently fall into this category. Furthermore, after the event has occurred, the risk may be considered to have materialised, with only containment mitigation options remaining. Thereafter, even if the event itself has occurred, and should still be treated as a live risk with residual exposure. It is also important to consider the potential upside or opportunity associated with reputation risk, since the attention created by high profile events can offer organisations the opportunity to enhance reputation capital, if their response is perceived to be effective, well communicated, and sensitive to key stakeholder’s needs. Two other opportunities associated with a crisis, is that if it is managed well, it can give stakeholders confidence in the organisation’s resilience to deal with unexpected events, and it can be a catalyst for

•

Document number:

ECRI-EP-007

Reputation Risk

Page 17 of 27



significant organisational change and corrective action, which may be difficult to achieve under normal operating conditions. A proposed amendment to the traditional 5x5 Risk Matrix and response rating is given below22.

Realised VALUE COST Realised

Almost certain

Almost certain

Likely Likely

50/50 50/50

Unlikely Unlikely

Rare Rare

Closed Out

LOST VALUEClosed Out

LIKELIHD./

IMPACTWindfall Major Moderate Minor

Insig- nificant

Insig- nificant

Minor Moderate MajorCata-

stropheLIKELIHD./

IMPACT

THREATOPPORTUNITY

22 Adapted from GM Ker-Fox, Project Risk Assessment module presented for IRMSA in Johannesburg, May 2014

•

Document number:

ECRI-EP-007

Reputation Risk

Page 18 of 27



The risk status and corresponding levels of required response are tabulated below (example for illustration purposes).

RISK STATUS AND REQUIRED RESPONSE

OPPOR-

TUNITYTHREAT

Extreme Extreme

High High

Medium Medium

Low Low

Immediate escalation to the Board. Responsible executive to develop and implement

resourced intervention plan. Monitor risk status and mitigation progress as part of daily

executive review, until the residual exposure has been brought within acceptable risk

tolerance limits

Include in report to the Board. Develop resourced mitigation plan. Monitor risk status

and mitigation progress as Exco review discipline.

Develop mitigation plan. Monitor risk status and mitigation progress as part of monthly

management review.

Monitor risk status monthly as part of routine management practice.

As a tool for qualitatively assessing reputation risk, the proposed amendments to the Risk Matrix above typically exhibit the following characteristics;

Risk ratings of Rare / Catastrophe, which may be anticipated for reputation exposures, carry a minimum status rating of High (Red), requiring a fully resourced mitigation plan, formal review as part of the established Exco discipline, and included in the reports to the Board

A potentially catastrophic reputation risk, with a likelihood of occurrence greater than Rare, even if Unlikely, would return a Status of Extreme (Purple) requiring escalation to the Board, with interventions, managed pro-actively until the residual exposure has been brought within acceptable risk tolerance limits

A Realised risk (i.e. the risk event has occurred) with an uncertain impact can be tracked as a live risk in the white “Realised” band. A Realised risk that is no longer live, can be recorded in the Realised band, and lessons learnt documented. This can also be used to evaluate the cost (or value destruction) of realised threats, over time.

A Closed Out risk (no further chance of occurrence) that could have had an impact on reputation, can be recorded in the white “Closed Out” band, adjacent to the final

•

Document number:

ECRI-EP-007

Reputation Risk

Page 19 of 27



impact rating, and appropriate lessons learnt documented. This can also demonstrate the value that has been created by risk management over time.

The Impact axis is continuous, from a Windfall Opportunity on the far left, through to a Catastrophic Threat on the far right. Where the impact is uncertain, this can be represented by a range (best and worst case scenario).

The Risk Matrix can be used to track opportunity associated with risk to reputation. A Realised Opportunity is desirable, and creates value. A Closed Out Opportunity will represent lost value.

A potential response to the qualitative assessment may be to conduct further analysis to better understand the exposure. A number of qualitative techniques are available to conduct this more detailed assessment, such as scenario analysis, bow tie analysis, root cause analysis, cause and consequence analysis 23. 9.3. Quantitative analysis Quantitative methods for analysing reputation risk may be appropriate in certain circumstances. As an example, research has been conducted on the impact of operational loss announcements on share price.24 The results demonstrated a significant increase in sensitivity of the share price to losses resulting from internal fraud, as opposed to other factors. This approach may provide a quantitative method for measuring reputation risk in future. However, the methodology is complex and would not currently be readily applied by risk practitioners in the E&C enterprise environment.

23 IEC/ISO 31010: 2009 Risk management – Risk assessment techniques 24 J Perry and P de Fontnouvelle (2005), Measuring Reputation Risk: The Market Reaction to Operational Loss Announcements

•

Document number:

ECRI-EP-007

Reputation Risk

Page 20 of 27



10. Recommendations: Mitigating Reputation Risk A range of controls and treatments can be deployed to mitigate risks to reputation. These include, but are not limited to;

10.1. Statement of ethical conduct A published statement of ethical conduct will mandate acceptable activities and behaviour, and articulate contravention of the organisation’s ethical principles and resultant sanction. This will require staff training, particularly if a strict regulatory environment has resulted in historical activities, which may have gone unchecked, no longer being acceptable. 10.2. Operational performance The organisation’s relentless focus on project delivery, in terms of fulfilling budgetary, schedule and quality obligations. Corporate communications, working with the operations executives must ensure that successes are communicated to stakeholders. 10.3. Robust systems and processes Well documented procedures, describing the way in which the organisation operates, will help to embed sound quality management systems, HSE management systems, project management systems, business management systems, risk management and governance processes. These systems and procedures help to prevent the events posing reputation risk from occurring. The risk bearing controls described by these procedures must be tested for effectiveness, as part of an integrated assurance programme.

10.4. Risk appetite Decisions potentially impacting reputation risk are made within defined risk appetite and tolerance frameworks. The culture of pro-actively safeguarding the organisation’s reputation is embedded throughout the organisation, holding individuals accountable for their actions, and entrenching the company’s core values. Induction programmes and risk management training should include reputation risk management. Risk workshops must include reputation as a performance dimension against which risk is identified, with response and escalation in terms of the defined risk appetite. This risk identification should emphasise opportunities, in addition to threats. 10.5. Transparency and disclosure With due care and consideration given to sensitive or privileged information, organisations can pro-actively limit damage to reputation by communicating transparently with stakeholders, disclosing significant risk that may impact performance and reputation. This gives the stakeholders the opportunity to evaluate the proposed remedial actions, and satisfy themselves that the organisation is acting in their best interests. In this way, a crisis

•

Document number:

ECRI-EP-007

Reputation Risk

Page 21 of 27



with a potentially negative effect on an organisation can enhance reputation, if the reputation capital is sound and the handling of the crisis is perceived by stakeholders to be effective and to serve their best interest. Corporate Communications should work with the risk teams to build reputation capital. 10.6. Compliance programmes The organisation requires a comprehensive understanding of all legal and regulatory frameworks that it is required to comply with, in all geographic locations of operation, as well as the capacity to ensure that the required compliance with these frameworks is achieved. Compliance requirements encompass not only the avoidance of corruption and anticompetitive conduct but also detailed compliance with highly complex national, regional and local regulations pertaining to contracting with the governments and parastatals.

10.7. Early warning Chief Executive Officer’s forums (physical and virtual), give stakeholders platforms to engage directly with the company leadership, and can provide management with invaluable insight into emerging issues. Anonymous whistle blowing facilities may be more appealing to stakeholders who fear identification. Trend analysis of listening posts like print, visual and social media can also give an indication of emerging issues, particularly with communities, staff and labour. 10.8. Crisis communication A simple, well-rehearsed crisis communication plan will prove invaluable in the event of a crisis. The plan should clearly identify the members of the crisis management team, people designated as the company representatives who may engage with media, the key stakeholders and the type and frequency of communication they require, as well as the different communication media required to reach the key stakeholders.

10.9. Insurance There are currently no insurance products covering the long-term effects of reputation damage. However, there are a number of products covering the direct financial consequence of events resulting in reputation risk, such as business interruption, product recall and professional negligence. A number of policies also contain secondary benefits in the event of a crisis, such as access to communication specialist and covering the associated legal costs. 10.10. Organisational re-engineering A crisis can create the opportunity and momentum for organisational re-engineering, including restructuring, rationalisation, refocussing the strategic plan, building organisational robustness through improved governance, risk management and compliance, documenting and training of organisational policies, standards and procedures.

•

Document number:

ECRI-EP-007

Reputation Risk

Page 22 of 27



•

Document number:

ECRI-EP-007

Reputation Risk

Page 23 of 27



Appendix 1: Risk Matrix

Examples of Likelihood thresholds, which can be utilised with the proposed amended Risk Matrix in section 9.2, are illustrated below;

Realised REALISED - has occurred

Almost certain Almost certainly will occur

Likely More likely to occur than not occur

50/50 Even chances of occurring and not occurring

Unlikely More likely not to occur than occur

Rare Almost certainly will not occur

Closed Out CLOSED OUT - no further chance of occuring

Similarly the Impact (threat and opportunities) thresholds for Reputation, which can be used with the amended Risk Matrix, are given below25;


•

Document number:

ECRI-EP-007

Reputation Risk

Page 24 of 27



Insignificant change in

stakeholders’

confidence

Minor change in

stakeholders’

confidence

Moderate change in

stakeholder confidence

Significant change in

stakeholder confidence,

removal from vendor

lists

Dramatic change in

stakeholder confidence,

termination of contracts,

calling of bonds

Impact lasting less than

one week


one month

Impact lasting between

one and three months

Impact lasting more

than three months

Impact lasting more

than 12 months/

Public announcement of

crisis results in

noticeable temporary

decline in share price


crisis results in 10%



crisis results in >20%


Attracts regulators’

attention /comment

Sanction by regulators Regulator has

significant public

findings, sanction,

penalties impact bottom

line, possible

debarment

Insignificant Minor Moderate Major Catastrophe

Re

pu

tation

THREAT - IMPACT ON REPUTATION OBJECTIVES

Insignificant change in

stakeholders’

confidence

Minor change in

stakeholders’

confidence

Moderate change in


Significant change in


Dramatic change in



one week


one month

Impact lasting between

one and three months

Impact lasting more

than three months

Impact lasting more

than 12 months/


crisis results in

noticeable temporray

increase in share price


crisis results in 10%



crisis results in >20%


Insignificant Minor Moderate Major Windfall

Re

pu

tatio

n

OPPORTUNITY - IMPACT ON PERFORMANCE OBJECTIVES

•

Document number:

ECRI-EP-007

Reputation Risk

Page 25 of 27



Appendix 2: Case studies

A2.1 SNC Lavalin The World Bank Group today announced the debarment of SNC-Lavalin Inc. - in addition to over 100 affiliates - for a period of 10 years following the company’s misconduct in relation to the Padma Multipurpose Bridge Project in Bangladesh, as well as misconduct under another Bank-financed project. SNC-Lavalin Inc. is a subsidiary of SNC-Lavalin Group, a Canadian company, and represents more than 60% of its business. SNC-Lavalin’s misconduct involved a conspiracy to pay bribes and misrepresentations when bidding for Bank-financed contracts in violation of the World Bank’s procurement guidelines. Under the Agreement, the SNC-Lavalin Group and its affiliates commit to cooperating with the World Bank’s Integrity Vice Presidency and continuing to improve their internal compliance program. The debarment of SNC-Lavalin Inc. qualifies for cross-debarment by other MDBs under the Agreement of Mutual Recognition of Debarments that was signed on April 9, 2010.26 The impact of the crisis on SNC Lavalin included;

the loss of a number key personnel within the implicated business unit,

penalties and class action by third parties,

debarment from tendering for World Bank work for a period of 10 years,

substantially increased costs of compliance, internal audit and forensic investigation,

potential residual liabilities on projects procured by implicated executives,

management distraction to deal with the crisis,

reputation damage. The SNC Lavalin leadership responded deftly to the crisis and used it as a change agent to re-engineer the internal business environment. Global benchmarks were used in setting objectives for ethics and compliance, HSSEQ, and implementing systems, processes and governance to embed pro-active risk management, facilitating rather than stifling innovation.27

A2.2 South African Construction Industry The Competition Commission (“Commission”) has reached settlement with 15 construction firms for collusive tendering, in contravention of section 4(1) (b) of the Competition Act. The firms have agreed to penalties collectively totalling R1.46bn.

26 World Bank announcement – Washington, April 17, 2013 27 Bob Card, SNC Lavalin CE presentation to the ECRI Sponsors, June 2014, Ethics Risk Management

•

Document number:

ECRI-EP-007

Reputation Risk

Page 26 of 27



The settlements were reached in terms of the Construction Fast Track Settlement Process, launched in February 2011. The fast-track process incentivised firms to make full and truthful disclosure of bid rigging in return for penalties lower than what the Commission would seek if it prosecuted these cases. Twenty-one firms responded to the Commission’s offer of a fast-track settlement. While over 300 instances of bid rigging were revealed through this initiative, the settlements were reached only with respect to projects that were concluded after September 2006, before which transgressions are beyond the prosecutorial reach of the Competition Act.28 In addition to the USD130 million in penalties, the sanction by the Competition Commission has further deepened the distrust between the South African Government and the E&C industry, damaging the reputation of the industry as a whole. This is a contributing factor to the Government’s delay in rolling out the Infrastructure Development Plan. The industry, facilitated by the South African Forum of Civil Engineering Contractors, is engaging with Government to rebuild the industry’s “catastrophically” damaged reputation.29 A2.3 BP Deepwater Horizon Oil and gas company BP enjoyed a formidable reputation with investors and other stakeholders under the leadership of its much-admired former CEO Lord John Browne. Its hard-won reputation allowed it to withstand a number of crises in the early 2000s.

However, the death of 15 workers and injury of 500 others when overfilled storage tanks exploded at BP’s Texas City refinery in the US in 2005 resulted in a massive loss of confidence in the company, a top-management shake-out and a new strategic approach.

2010 saw the departure of the new CEO, Tony Hayward and another massive fall in share price, following an explosion at BP’s Deepwater Horizon rig which killed eleven people, seriously injured another 17 and led to the biggest offshore spill in history when 5m gallons of oil poured into the Gulf of Mexico causing extensive environmental pollution. It remains to be seen whether, under new leadership, BP can avoid charges of ‘gross negligence’ and share the blame – and potentially more than $30bn of damages – with its major contractors on the well, Halliburton and Transocean.

Whatever the outcome, BP will face a major challenge in building its reputation as a safe operator and a safe investment with shareholders, regulators and the general public; actually,

28 South African Competition Commission, Media Release – Johannesburg, June 24, 2103 29 Engineering News: April 25, 2014, Construction industry, government in bid to mend “catastrophically” damaged relations

•

Document number:

ECRI-EP-007

Reputation Risk

Page 27 of 27



some analyst even question the long term survival of BP that might be taken over.30

30 Extract from JP Louisot and J Rayner, Managing Risk to Reputation – From Theory to Practice

Date post:	22-Feb-2020
Category:	Documents
Upload:	others
View:	1 times
Download:	0 times

ENGINEERING & CONSTRUCTION RISK INSTITUTEecrisponsor.org/PPlibrary/ECRI-EP-007 Reputation...

Documents