Reputational risk: Definition, threats, sources, and examples

What is reputational risk?

Reputational risk is anything that can result in people having a negative perception of an organization. The impact of reputational risk is usually immediate; it can also be severe and long-lasting. Protections against reputational risk are implemented to shield organizations from negative exposure to any constituents, including customers, employees, investors, partners, or vendors.

In most cases, events that turn reputational risk into an actual incident happen suddenly. Unlike strategic risks, which are largely controllable because they are specific, measurable, and predictable, reputational risks are mostly uncontrollable and unpredictable, making them difficult to manage.

The types of events that can threaten an organization’s reputation vary greatly, and the impact of any particular event can have vastly different consequences for one organization versus another.

Organizations know that incidents that impact reputational risk will cause damage, but they may not know how severe the damage will be until it occurs.

The consequences of a reputational risk incident can range from reduced profitability for a period of time, or the organization shutting down, to a person in a leadership position being forced to resign or executives standing trial on civil or criminal charges.

There are endless types of reputational risk. These can be the direct result of an organization’s actions, an indirect action related to an employee or employees, or tangentially through peripheral relationships. A few examples that help explain what leads to reputational risk are:

  1. Actions of wayward employees, such as egregious errors, fraudulent activities, or being recorded while mistreating a customer
  2. Data breaches involving sensitive information, such as personally identifiable information (PII) or protected health information (PHI), and malware attacks, especially ransomware attacks
  3. Natural or human-induced disasters, with impacts ranging from minor disruptions to catastrophic failures that materially impact all aspects of an organization
  4. Senior executives caught up in civil or criminal investigations and trials (e.g., regulatory compliance failures or insider trading), making misguided investments, engaging in inappropriate behavior, or making controversial public statements or messages
  5. Supply chain failures that result in a delay in goods or services necessary to running an organization and meeting customer demands
  6. Technology or operational failures that cause unexpected high-impact or long-term interruption

Sources of reputational risk

The following are examples of reputational risk that further illustrate the types and variety that organizations must be prepared to address.

Compromised data

Most organizations hold sensitive data from many sources, but mainly customers and employees. If a data breach results in sensitive information being compromised, it is most likely that a regulation will require disclosure. Regardless of what cybersecurity systems were in place or whether the organization is found to be at fault for the breach, there is reputational risk.

Negative press coverage

A negative article can cause significant reputational risk, especially because it can spread through online channels very quickly. In addition to the initial publication, articles can resurface and start the negative press again.

Negative articles can be the result of an unpopular action or event related to the company, such as:

  1. Closing an underperforming branch or manufacturing facility
  2. Customer complaints or regulation violations
  3. Employee disputes
  4. Lawsuits
  5. Layoffs
  6. Regulatory violations and penalties
  7. Scandals
  8. Unpopular mergers and acquisitions

Conduct by CEOs and presidents, other company leadership, and employees

Chief executive officers, presidents, and other company leaders are usually the face of an organization. Therefore, their reputation is of paramount importance.

A top leader with a sullied reputation can affect revenue, investments, shareholder value, employee retention, and customer acquisition and retention. In some cases, even if the CEO, president, or other leader leaves the organization, their legacy continues to cause reputational damage, as it is often difficult to separate the two when stories persist in digital media and people’s memories.

Examples include:

  1. Civil or criminal charges
  2. Engaging in unsavory activities
  3. Failing to respond appropriately in the wake of a natural or human-caused disaster
  4. Making controversial statements in writing, online, or verbally
  5. Non-compliance with high-profile regulatory requirements, such as the Clean Water Act or the Civil Rights Act
  6. Supporting causes or people that are misaligned with the organization’s mission and ethos
  7. Treating employees or third parties (e.g., customers, partners, or vendors) poorly

The leadership of an organization is not the only reputational risk from a human resources perspective. Any employee has the potential to present reputational risk. Among the many ways that an employee could trigger reputational risk are:

  1. Calling the police to a business or bank to respond to a person based on racial bias
  2. Conducting illegal activity that impacts the company (e.g., running scams through an organization or facilitating a data breach that compromises sensitive information)
  3. Engaging in sexual misconduct with other employees or someone peripheral to the organization (e.g., a vendor or partner)
  4. Refusing to provide service to someone based on their ethnicity or orientation
  5. Threatening violent acts or, worse, committing them

Quality of goods and services

Poor quality goods or services and high pricing can impact organizational reputation. Whether production quality for merchandise is subpar, product failures occur that require a recall, or online services perform poorly, customers and users can react, particularly when they perceive that the prices they are paying should shield them from these issues.

This source of reputational risk can sneak up on organizations.

Customer frustration and anger over perceived poor quality may simmer over time and then boil over, leading to incidents like poor reviews, negative press, and stinging social media posts.

This in turn can mean the loss of both current and prospective customers and damage to the organization’s overall value.

Social media

Social media can be of great help in responding to an incident, but conversely, it can be used to initiate and amplify negative messages. Unfortunately, social media reputational risk can also be generated internally when an organization’s leaders or employees make ill-advised or malicious statements on social channels.

Unsafe and unacceptable workplace conditions

Laws dictate minimum standards for safe work conditions based on industry and location. Meeting these requirements is mandatory. Organizations that fail to meet them face fines, closure, and associated reputational risks. In addition, meeting minimum standards does not protect an organization from reputational risk if workplace conditions are deemed unacceptable by workers.

Examples of reputational risk

Unfortunately, many organizations have experienced the effects of reputational risk. The following are several real-world examples that show the scale and impact of reputational risk.

Automaker – compliance violations and coverup

The Environmental Protection Agency (EPA) issued an automaker a notice of violation of the Clean Air Act. The story of how the automaker had installed emissions software that was fully compliant during testing, but noncompliant in normal driving mode (i.e., allowing up to 40 times the EPA’s limit for exhaust emissions), illustrates the power of reputational risk from compliance violations.

The results of this incident included:

  1. The automaker was required to set aside $10 billion to fund an international recall program.
  2. The automaker lost its “Green Car of the Year” designation and environmentally friendly brand positioning.
  3. The company saw its first quarterly loss in 15 years.
  4. The U.S. Department of Justice ordered fines to settle criminal and civil suits.

Food and beverage companies – advertising misstep

Regardless of industry, advertising can be controversial and result in reputational risk. Below are the results from a food and beverage company that took an approach to an advertising campaign that was out of line with a significant portion of public sentiment.

After investing more than $5 million in an ad, the company’s brand had to remove it. Even so, there was material reputational damage, including:

  1. Consumers were immediately outraged as they felt that the ad trivialized a social issue.
  2. The brand experienced nine months of the lowest perception levels it had seen in ten years, with public sentiment analysis showing more than 55% negative brand mentions.
  3. The brand’s net sentiment on X (formerly Twitter) dropped to -12%, compared to 2% net positive before the ad was aired.

Food service company – miscalculated response to customer incident

After an accident caused by one of the organization’s products, the injured party asked the company to compensate them for the associated medical expenses and lost wages. When the company refused, the case was taken to trial.

The case, fraught with reputational risk, garnered international attention because of the outcome. The jury awarded the plaintiff $200,000 in compensatory damages and $2.7 million in punitive damages for the company’s treatment of the incident.

Gas and oil companies – environmental vulnerabilities

Many of these organizations are targeted by activists and their supporters with scathing attacks that highlight the social and environmental impact of:

  1. Effects of climate change
  2. Extraction work
  3. Greenhouse gas emissions
  4. Pipeline development

Grocery store – supply chain issue

A large grocery store chain bore the brunt of reputational risk when it was found that beef burgers that it acquired from a third party contained horsemeat. The consumer backlash was significant, resulting in:

  1. 61% of X (formerly Twitter) comments on a single day revolved around the scandal, compared to just about 5% the week before.
  2. Sales of beef burgers fell by 43%.
  3. The company’s market value dropped by more than $3.5 million.
  4. The public company’s shares dropped by 1%.

International bank – executive's regulatory compliance failure

The chief executive officer (CEO) of an international bank failed to comply with the United Kingdom’s (U.K.’s) Financial Conduct Authority’s (FCA) Senior Managers Regime, Certified Persons Regime, and Conduct Rules. As a result, the FCA and Prudential Regulation Authority (PRA):

  1. Required an annual report to the FCA.
  2. Fined the CEO more than $2 million.
  3. Banned the CEO from holding a senior management or significant influence function in the financial services industry.

Personal banking – fraud

Employees at a bank opened millions of unauthorized retail accounts at the behest of supervisors who wanted to improve their sales metrics. The results included:

  1. The CEO and other leaders were fired or forced to leave.
  2. Regulators levied heavy fines and penalties.
  3. A number of key customers discontinued, reduced, and suspended relationships with the bank.
  4. The bank suffered international reputational damage.

Retail merchant – executive's blunder

Inexplicably, the CEO of a large, publicly traded retail chain made disparaging comments about the quality of the company’s products during a speech to industry influencers, stakeholders, and the media. The results were immediate and catastrophic, including:

  1. Hundreds of retail stores were closed.
  2. The CEO was fired.
  3. The company had to change its name and rebuild under a new brand.
  4. The company lost more than 80% of its market value within six months of the speech.
  5. The company’s shares plummeted by more than half a million dollars (more than double in today’s monetary value).
  6. Thousands of staff were discharged.

Managing reputational risk

Reputational risk is tricky to manage because of its diversity and unpredictability. However, below are commonly used tactics to prepare for and respond effectively to a reputational risk incident.

  1. Develop a strategy for proactively addressing and preparing for known reputational risks as well as for responding to unknown risks.
  2. Ensure that the organization has strong public relations and communications resources internally or externally available on short notice.
  3. Identify and assess potential reputational risks and associated stakeholders.
  4. Implement and enforce a top-down, organization-wide ethics and values program.
  5. Monitor brands continuously to maintain awareness of public sentiment and identify issues quickly using tools and services, such as those for:
     - Customer sentiment tracking and analysis
     - Database checks
     - Reputation management
     - Response management planning
     - Social media monitoring

Preparation mitigates the potential damage of reputational risk

Regardless of whether the reputational risk incident is caused by people or technology, a swift and clear response in the wake of an incident is critical. This can change the narrative, putting the organization more in control of the story. One of the many reasons that this is important is that when an organization experiences an incident, news of it can spread like wildfire across online media platforms (e.g., search engines and social media). In many cases, it can become the first thing people see when they research an organization.

Crisis management planning helps organizations proactively address reputational risk. Organizations should prepare contingency plans for rapid restoration of operations and draft communications to expedite responses. All reputational risk scenarios should be reviewed and rehearsed to ensure the organization is ready to react and maintain some degree of control over the situation.
