SRC Insights: Fourth Quarter 2007

Understanding Reputational Risk: Identify, Measure, and Mitigate the Risk

While building and maintaining a solid reputation is important for all types of organizations, it is especially important for financial institutions. It could be argued that protecting a financial institution's reputation is the most significant risk management challenge that boards of directors face today.

Last month, in the midst of the global credit crisis partly caused by the U.S. subprime mortgage meltdown, Northern Rock, Britain's fifth largest mortgage lender, had to be bailed out by the British central bank, the Bank of England. The institution began as a small local lender in early 2001, but grew excessively in 2005 and through early 2007, primarily by relying on wholesale markets rather than retail deposits. Northern Rock bundled its loans together and packaged them into bonds that it sold to investors around the world; however, as liquidity dried up this past summer in the U.S. and across the globe, it spelled disaster for Northern Rock. When news leaked out that Northern Rock had approached the Bank of England to obtain emergency funding, customers reportedly withdrew £2 billion in one day. Britain's first bank run in 140 years occurred despite the bank's solvency, the nation's strong economy, low interest rates, and low inflation. Northern Rock became a victim of reputational risk.

Reputational risk is regarded as the greatest threat to a company's market value, according to a study by PricewaterhouseCoopers and the Economist Intelligence Unit.1 Reputational risk also overtook credit risk last year as the most pressing issue facing bank audit committees, according to an annual survey released on February 27, 2007, by Ernst & Young, one of the Big Four accounting firms.2 This article will discuss reputational risk, its implications for financial institutions, and how bank supervisors assess management's ability to measure and monitor the risk.

What is Reputational Risk?
The Federal Reserve System's Commercial Bank Examination Manual defines reputational risk as "the potential that negative publicity regarding an institution's business practices, whether true or not, will cause a decline in the customer base, costly litigation or revenue reductions."3 Reputational risk is one of the Federal Reserve System's categories of safety and soundness and fiduciary risk (credit, market, liquidity, operational, legal, and reputational) and one of three categories of compliance risk (operational, legal, and reputational). While it is a defined risk, reputational risk is often difficult to identify and quantify.

Interpreting Reputational Risk
Assessing reputational risk is not an objective process, but rather it is a subjective assessment that could reflect a number of different factors. "Reputational risk is the starting point of all risks…if you have no reputation, you have no business."4 Reputation can be interpreted as a market or public perception of management and the financial stability of an institution by its major stakeholders. Stakeholders can include its customers, shareholders, and the board of directors. The media could also have a perception, either good or bad, of an organization.

Reputation is, and can be perceived as, an intangible asset, synonymous with goodwill, but it is more difficult to measure and quantify. Consistently strong earnings, a trustworthy board of directors and senior management, loyal and content branch employees, and a strong customer base are just a few examples of positive factors that contribute to a bank's good reputation.

The rewards can be great for an institution that has an excellent reputation. Establishing a strong reputation provides a competitive advantage over an organization's counterparts. A good reputation strengthens a company's market position and increases shareholder value. It can even help attract top talent and assist in employee retention. In short, reputation is a prized asset, but it is one of the most difficult to protect.

How Can Reputation Be Tarnished?
Just as reputation can be built and preserved over time, it can also be destroyed quickly. We are all too familiar with the scandals that affected financial institutions such as Riggs, Bank of New York, and PNC. These organizations maintained a strong corporate and public image, but their brand values were eroded due to well-publicized missteps. And, as mentioned earlier, Northern Rock's franchise value tumbled as its share price plummeted by 50 percent over a few days in the midst of a global credit crisis.

In the banking industry, a reputable financial institution may encounter various issues that could significantly harm or even destroy its brand name in a short period of time. For example, noncompliance with and violations of laws could lead to issuance of civil money penalties and/or formal enforcement actions, which would be published in the local or national media and could ultimately tarnish the institution's image.

The public can also mistakenly interpret certain data, affecting its view of an institution. For example, in the compliance area, an institution's HMDA (Home Mortgage Disclosure Act) data and CRA (Community Reinvestment Act) ratings are publicly available on the Internet. Also, interpretation of an institution's lending practices can be gleaned from its HMDA data, while an institution's CRA rating (outstanding, satisfactory, needs to improve, and substantial noncompliance) can be easily obtained online.

Data security breaches in the bank's computer system, which houses sensitive financial data of hundreds of thousands of customers, or an unethical board member who leaks confidential information to a family member just days prior to a major announcement of a company acquisition are examples of events that could have an adverse effect on a bank's reputation.

BSA-related reputational risks remain high: How would the public and the markets react to a financial institution that is found to be a haven for terrorist financing or is laundering millions of dollars from illegal activities?

Other factors like bad customer service or costly lawsuits and litigation could all bring an organization's reputation spiraling downward. So, how can a financial institution prevent its reputation from being damaged or tainted?

Mitigating and Managing Reputational Risk
Preserving a strong reputation revolves around effectively communicating and building solid relationships. Communication between a bank and its stakeholders can be the foundation for a strong reputation. Timely and accurate financial reports, informative newsletters, and excellent customer service are important tools for reinforcing a bank's credibility and obtaining the trust of its stakeholders.

Reputational risk is managed through strong corporate governance. Setting a tone of strong corporate governance starts at the top; an institution's board of directors and senior management should actively support reputational risk awareness by demanding accurate and timely management information.

How should a bank's reputational risk be managed internally? The following are just a few examples of key elements for managing reputational risk:

  • Maintaining timely and efficient communications among shareholders, customers, boards of directors, and employees
  • Establishing strong enterprise risk management policies and procedures throughout the organization, including an effective anti-fraud program
  • Reinforcing a risk management culture by creating awareness at all staff levels
  • Instilling ethics throughout the organization by enforcing a code of conduct for the board, management, and staff
  • Developing a comprehensive system of internal controls and practices, including those related to computer systems and transactional websites
  • Complying with current laws and regulations and enforcing existing policies and procedures
  • Implementing independent testing and transactional testing on a regular basis
  • Responding promptly and accurately to bank regulators, oversight professionals (such as internal and external auditors), and law enforcement
  • Establishing a crisis management team in the event there is a significant action that may trigger a negative impact on the organization

Assessing and Evaluating Reputational Risk
One of the more difficult tasks for examiners is to determine how to assess a financial institution's reputational risk. Examiners complete a risk matrix when conducting full-scope examinations for community and noncomplex institutions. To arrive at a composite risk rating for one of the risk areas, the following criteria are used when assessing risk:5

  • Level of inherent risk: high, moderate, or low
  • Adequacy of risk management: strong, acceptable, or weak
  • Trend or direction of risk: decreasing, stable, or increasing

Many items and areas are considered when assessing the risk rating criteria. For reputational risk, prior to conducting an examination, examiners may review corporate press releases, letters to shareholders, stock message boards, and stock analyst comments to gain an initial indication of reputational risk. Examiners may also consider whether an institution responds to customer concerns; whether the stock analyst recommends buying or selling and why; and what the shareholders, employees, or general public are saying about the institution.

Examiners analyze the financial statements, review marketing plans and advertising campaigns, and consider whether the institution is growing excessively and what types of risky products and services it is providing, if any. They also consider whether the institution is expanding outside its normal geographical area and is supportive of the community.

While on-site, examiners will talk to both bank employees and management to get a sense for items like corporate ethics, will talk to Human Resources to determine whether a consistent message on the importance of ethics is being conveyed throughout the organization, and will consider whether the institution's risk management practices are strong and commensurate with the size and complexity of the institution. Examiners will assess whether an institution's expertise is adequate and controls are in place to oversee growth if the institution should engage in riskier products or enter into new business lines.

In addition, examiners will determine whether there are violations of consumer law. For example, is the institution involved in unfair or deceptive practices, such as charging excessive interest rates on credit cards, or are there situations where the institution is overcharging its customers for accrued interest on loans? Reimbursing consumers for these charges could be embarrassing and tarnish an institution's reputation. Excessive violations could result in class action suits, civil money penalties, or other regulatory actions. There is also a stigma attached to institutions involved with payday lending, even though that type of lending is not illegal.

In the information technology area, where reputational risk and operational risk go hand in hand, examiners measure board and management oversight from the top down. Is oversight adequate? Are policies and procedures tailored to the institution, rather than boiler-plate? Are there adequate internal controls? Lax oversight and controls leave an institution open to security breaches and employee theft, which again could result in unfavorable media attention and may damage the institution's brand name and reduce the public's confidence in the institution.

Building a financial institution's reputation may take years, but it certainly can be damaged or even destroyed very quickly. Reputational risk exists in a combination of factors that financial institutions face every day. Boards of directors and senior management are responsible for measuring and monitoring reputational risk and therefore must remain vigilant and active in providing the safeguards to prevent loss of reputation. Assessing and managing the risk effectively and properly is one of the keys to a financial institution's continued viability and success.

Case Study: SunTrust Banks
In 2004, SunTrust Banks, a $180 billion financial institution headquartered in Atlanta, disclosed that due to an accounting oversight, it had to restate its corporate earnings. Because of accounting errors, the bank had overbooked the allowance for loan and lease losses, and therefore underreported earnings, for the first two quarters of 2004 by approximately $22 million. This led to a delay in the release of its third-quarter earnings statement.

Within hours, SunTrust issued a press release announcing the accounting irregularities. The release stated that its audit committee, with the assistance of an independent law firm, would begin a review and initiate lines of communication with independent auditors about the errors. In short, the institution addressed the issue immediately, communicating openly with the public and its customers.

Shortly thereafter, market analysts issued their comments concerning SunTrust's press release. One analyst stated that, "It creates a black eye regarding SunTrust's reputation, especially since the firm had a similar problem in late 1998."6

Within a month of the press release, the audit committee panel determined that the errors in the loan-loss data related to the auto loan portfolio were higher by approximately $25 million. Loan loss calculation errors and false draft meeting minutes were also uncovered. As a result, three credit administration division members, including the top credit officer, were fired, and a controller was assigned to another division.

Less than two months later, the SEC launched a formal probe of SunTrust's accounting deficiencies and issued subpoenas seeking documents related to the bank's accounting procedures. By the summer of 2006, however, SunTrust was notified by the SEC that its inquiry ended with no enforcement action recommended.

Though this newsworthy event cast a negative light on SunTrust's reputation, overall it did not hurt the organization's franchise value. Initially, the market and public perception were critical of the accounting issue, and SunTrust's shares fell 1.12% (less than $1, to $69 per share); however, because the organization's board and senior management were proactive in addressing the issue quickly, the stock price loss (and financial statement gain, in this case) was manageable, and reputational risk was controlled.

The views expressed in this article are those of the author and are not necessarily those of this Reserve Bank or the Federal Reserve System.