Not long ago, creditors, bondholders, and other risk-averse investors considered so-called “sin industries” to be safe havens that were less susceptible to market fluctuations. However, in recent months, we've seen how rapidly society's perceptions of and tolerance for “sin” can change, whether they are problems with an entire industry's business model or with the behavior of a specific company's executives. We've also learned how much economic damage can be caused by angry and disappointed stakeholders as a result of such problems.

We live in an era of cultural climate change and reputational risk tornadoes. Finance professionals who can demonstrate that their companies understand how to mitigate these risks—and who can provide validation of their reputational risk management practices—will find their reward in a lower cost of capital.

Changing Landscape of Culture Risk

Consider how dramatically recent changes in attitudes and perceptions of certain practices and events are affecting corporate America. In some workplaces, sexual harassment and abuse existed for years. The corporate world overall expressed regret about such behavior, recognized it as counter to organizational values, and dealt with it in ways that varied from company to company and case by case. But suddenly, in the wake of scandals starring Harvey Weinstein, Steve Wynn, and so many others, the #metoo movement has made this issue into a bright red line. Companies or individuals who cross it may have their reputations, and perhaps their future business prospects, destroyed.

Another realm in which culture risk is evolving rapidly is weapon sales. For years, our society understood that guns posed a threat, that at any time a deranged individual might wreak havoc with a product acquired legally, and that the retailer which sold the weapon could face tangible economic impacts. For years, national retailers accepted that risk—until the reaction to the Parkland, Florida, school shooting caused several retail chains to change their policies.

We seem to be at a similar inflection point now with respect to data privacy and security. For years, our society seemed to understand that we were surrendering a vast amount of personal information in return for a more customized user experience on various sites, including Facebook, and we were willing to accept the risks. Indeed, in many cases, consumers reflexively agreed to “privacy” policies that allowed companies to collect and use their personal information. Today, as more information comes to light about Cambridge Analytica, Facebook, and others, the public's expectations appear to be changing.

What all these events have in common is that they are altering, suddenly and profoundly, the risk environment for businesses. As they have done for years, companies need to be constantly challenging their own assumptions about future events and stakeholder expectations—protecting themselves against every “what if” they can imagine. But today, they need to do so more often. Failing to correctly gauge stakeholder expectations can lead to existential economic risks. Companies need to understand the nuances of reputation risk and how to measure, manage, and insure it.

The Reality of Reputation Risk

“Reputation risk,” defined as the risk of negative public opinion, has been named by banking regulators as one of the eight most threatening perils. We agree that it can have major consequences for companies, but we believe it should be defined in a subtly different way. We believe “reputation risk” is the threat of enterprisewide economic damage inflicted by angry, disappointed stakeholders. Identifying the source of risk as the gap between expectations and actual experience, rather than focusing on public opinion, means that it arises from the interplay of several operational factors that need to be measured, modeled, and managed.

In reputation risk scenario modeling, the peril involves actions by stakeholders and three contributing variables: stakeholders' expectations, their experience of reality, and the media's enhancement of both. Focusing exclusively on the media arm of this triangle obscures risk scenarios arising from changes in either stakeholder expectations or stakeholder experiences. This is especially problematic in current times, when many reputation crises are products of culturally driven changes in expectations.

Effectively managing reputational risk exposure can provide very tangible economic benefits, enabling treasury and risk professionals to give capital-markets principals and the ratings agencies greater confidence in the future stability of their cash flows.

This is an issue Steel City Re has researched. We've analyzed how credit markets have behaved toward companies dealing with reputational issues. Our data show that, all things being equal, the variance between a great reputation and a poor reputation can alter the cost of capital by around 80 basis points. And our RepuSPX index, an equity index of companies arbitraging underappreciated reputational value, has outperformed the S&P 500 by 375 percent over the past 15 years.

Companies need to recognize the tangible impact that reputational crises can have, and they need to consider these risks and plan to mitigate them just as they would an operational crisis. The difference is that an operational crisis occurs when something that a company is expected to control goes wrong. Often this involves a failed control for innovation, safety, security, sustainability, or quality.

A reputational crisis occurs when stakeholders believe the company didn't make an authentic effort at mitigation—and they're disappointed or angry that the company's leadership failed them. That anger can manifest itself in very real ways. Our research shows that the cost of reputational attacks against companies has risen by more than 500 percent over the past six years, fueled by weaponized social media and influencers, including politicians, who are adept at channeling public anger toward specific targets.

Stakeholders will forgive an unanticipated operational failure if they believe the company did everything it could to avoid the situation. And they may believe it did everything it could if the company has already convinced them that it is dedicated to their needs, concerns, and values; that it has identified future risks to stakeholder expectations; and that it is doing what is ethically prudent to mitigate those risks.

Building this understanding in advance is crucial if a company wants to emerge from a crisis with its reputation largely intact. At the same time, in the event of a reputational crisis, the company needs to prioritize managing stakeholder expectations and closing the gap between what stakeholders expect and what the company can practically achieve.

Consider three examples that illustrate a range of operational and governance-driven reputation risk management strategies. Each created value for its parent by being discovered, appreciated, and valued by stakeholders in the context of a potential crisis of reputation.

Following the 1982 Tylenol poisonings, Johnson & Johnson changed the reality of product safety, instituting new control processes over the supply chain and tamper-proof packaging. The value of that investment was realized in 1986 when a copycat poisoning in Brooklyn, N.Y., enabled Johnson & Johnson to highlight the new safety reality. From that point on, stakeholders came to expect this high level of product safety, and the company regained 30 percent of the market capitalization it had previously lost.

Rolls Royce and its board have long made reputation a priority with an asset preservation policy that prioritizes three things: reputation, profitability, and viability. The operational implications of this risk governance strategy were tested in November 2010 when a Rolls-Royce Trent 9000 engine powering an Airbus A390 blew up. The company identified and rectified a systemic fuel line issue, had the engine recertified, and announced the sale of 12 A390s to British Airways all within the span of 12 weeks. Customers and investors alike developed a better appreciation for the company's superior supply-chain control and commitment to product safety. Year-over-year sales increased by 25 percent and its equity outperformed the broader market by 30 percent.

Risk governance was also key to how Merck & Co.'s CEO, Ken Frazier, boosted his company's market cap in the aftermath of the white supremacist activities in Charlottesville, Va., in August 2017. Frazier was the first CEO to resign from President Trump's Manufacturing Advisory Council—a move supported by his board, company stakeholders, and the public at large. For about 10 weeks subsequently, Merck outperformed the S&P 500 pharmaceutical index by about 3.5 percent. Ultimately, Frazier's resignation produced almost $6 billion in value. The speed with which he responded to the president's comments and distanced himself from the advisory council was made possible by Merck's enterprise risk management (ERM) apparatus, which enabled corporate leaders to process a weekend event and make a board-level decision by Monday morning.

Accelerating Impacts

Clearly, in today's social media–driven environment, changes in expectations—i.e., cultural shifts—can occur at speeds never experienced before. Companies need to view these risks as they would view tornadoes. Once an event is upon you, it's too late.

Organizations need to build the systems and processes they'll use to recognize cultural shifts while they're still on the horizon. Then companies need to be able to adapt quickly. They need to develop internal systems that allow for rapid analysis, communication, and decision-making.

Businesses today need a reputation risk governance system representing the ideas, beliefs, and practices of the enterprise. They also need an operational ERM apparatus that integrates data on stakeholder expectations and coordinates efforts among internal communications, operations, legal/compliance, human resources, and risk management teams.

The operational systems should look for the signs of changes in stakeholder expectations, as reflected in specific metrics. For example, shifting customer expectations may be demonstrated by changes in sales volume, sales cycle time, or price point tolerance. Employee expectations are reflected in wage and salary costs, turnover, internal friction, and a range of HR-related expenses. Supplier terms are informative in determining supplier expectations, as are credit costs and credit default swap prices. Lastly, earnings multiples speak volumes about investor expectations.

An artificial intelligence system can index the values and volatility of these data points and predict trends to produce an in-house equivalent to the reputational value metrics we use at Steel City Re. Those internal metrics, in turn, can support both management and governance of reputation value and risk.

Signaling the company's internal efforts to protect against reputational risks through risk transfer, insurance, and third-party warranties can provide outside validation of the company's practices and governance, and can cast potentially damaging events as anomalous incidents rather than systemic failures. They essentially build storm shelters by ensuring that a clear and convincing, positive narrative is front and center before disaster strikes.

A town in a tornado zone can't be faulted if a tornado ravages the region. It can only be faulted if it failed to anticipate the crisis and do everything possible to protect its residents. Companies, along with their directors and executives, can survive reputational crises in a similar way—by constantly analyzing and anticipating future possibilities and building reputational storm shelters to protect against them.

Dr. Nir Kossovsky is CEO of Steel City Re, which analyzes reputational risk and resilience of companies and insures them and their directors and officers against the financial impact of reputational damage. He has written two books and many articles on trends affecting corporate reputation, has developed proprietary algorithms for measuring reputational risk, and has advised numerous companies on strategies for deterring and mitigating that risk.