BankThink

Get a handle on reputation risk before it's too late

The banking sector and its regulators have been grappling with the issue of reputation since the last economic collapse, but only recently have come to a clear understanding of what reputation means, how to assess and quantify its value and how to mitigate its risks.

In the late 1990s, in the wake of a global liquidity crisis, banking regulators elevated reputation to one of the eight named perils, but, like industry in general, equated reputation with public opinion and media coverage. In 1996, in its “Comptroller’s Handbook,” the Office of the Comptroller of the Currency defined reputation risk as “the risk to earnings or capital arising from negative public opinion.”

This amorphous definition led to the sense that reputation could be enhanced — and reputational risk diminished — through corporate social responsibility and like-themed marketing campaigns that generate positive media coverage and good feelings about the corporate brand.

Unfortunately, many institutions have learned the hard way that feeding the hungry, saving the rain forest or providing microloans for people in impoverished countries will do little to protect their reputations when stakeholders are disappointed or angry over lapses in governance or operational failures that are not consistent with their expectations.

Recognizing the persistence of this vulnerability, in June 2018 the OCC sharpened its definition of reputation and its risk. It noted that “the strength and level of transparency of a bank’s corporate and risk governance structure influence the bank’s reputation with shareholders, regulators, customers, other stakeholders, and the community at large.” It also emphasized that the peril was to “a bank’s current or projected financial condition and resilience.”

Last, and most significantly, the OCC completely deleted language it had previously included about “the market’s or public’s perception of the corporate social responsibility, mission, culture, and risk appetite of the bank.”

At my firm, we have been seeing a heightened level of interest and focus in the banking sector as the new OCC definition and other factors are leading to a new approach to reputation risk.

It has been common for some time for banks to mention reputation risk — sometimes repeatedly — as a material risk in their SEC filings. Nine out of ten companies in the S&P 500 do so in their 10-Ks and, among banking sector 10-Ks, JPMorgan Chase seems to be a standout, citing the word “reputation” in its 2018 filing 80 times.

But some banks have taken it to a new level. One recent proxy, for example, cited the need to evaluate “major risk exposures” including “reputational risk,” using “established risk measurement methodologies” and to report on “the steps management has taken to monitor and control such exposures.”

This particular banking entity also noted that its risk committee’s responsibilities include oversight of, among other things, “reputational risk matters, and other risks, as appropriate, and the steps management has taken to monitor and manage such risks.”

Another bank, which mentioned “reputation” 42 times in its 2018 proxy statement, went so far as to say that executive compensation could be clawed back for cause based on any act or statement “which impairs, impugns, denigrates, disparages or negatively reflects upon the name, reputation or business interests of the firm.”

But despite all the attention to reputation, risk management remains inconsistent across the banking industry.

In the current environment, bank boards need to concern themselves not only with their own governance, but with how they are going to differentiate themselves from others in their sector that may not be as diligent. And when crises do hit, directors and officers need to ask themselves two questions: “Did I do anything wrong?” and “Am I vulnerable?” They also need to assess whether they can make a convincing case that the bank did everything reasonably possible to prevent this situation from occurring — or to facilitate its being uncovered.

How can banks mitigate their reputational exposure, better prepare for and recover from the next crisis and differentiate themselves among their stakeholders from their peers?

First, they need to place responsibility for reputation risk under the purview of risk management, which deals with all other enterprise level risks. Let’s use as an example a bank whose reputation has been decimated because internal groups opened phony accounts and charged customers for insurance they didn’t need. A risk management process might have brought those activities to light more quickly. Predictive strategies, rather than compliance hotlines, are among the most innovative approaches to exposing and mitigating latent risks. And once risk managers were confident that appropriate mitigation processes were in place, they could seek third-party validation in the form of insurance.

Second, banks need to know their stakeholders — and that’s different from knowing their customers. Banks need to know what customers, employees, vendors, creditors, investors, regulators and the many socially focused nongovernmental organizations expect of them. This must be an ongoing process. The direction of society’s winds changes — one day, offering National Rifle Association affinity cards is good business, the next it’s not; one day, leadership can overlook a “boys will be boys” culture, the next it cannot.

Third, if banks are going to mention reputational risk dozens of times in their 10-Ks, they’d better have a credible, transparent reputation risk governance strategy. Banks disclose risk management strategies generally well for most named perils — but for reputation risk, not so much. Banks need to disclose this strategy using terms that are easy to understand and completely credible. And they must take care not to undercut their credibility.

Finally, banks must look around corners and be alert to the subtle signs of lurking reputational crises. Build this mentality into the corporate culture. And when a potential crisis does hit, acknowledge it quickly and hold yourself accountable for addressing it. Failure to do so can lead to a reputational disaster, a spiraling loss of trust and confidence with serious implications for the overall business. One need look no further than comments from politicians about Wells Fargo’s leadership and media speculation about the bank’s difficulty attracting executive talent, or see how Goldman Sachs is now struggling to contain the fallout of 1MDB.

Incorporating the newer, more accurate definition of reputation into their entire risk management process — identifying and quantifying the risks and taking clear steps to mitigate them — is the way financial services firms can best defend themselves from the reputational tornadoes that cause devastation in the industry, particularly with virtually every downturn of the economic cycle.
