How to manage reputation risk

Damage to a company's reputation can be much worse than a financial loss. In this issue of Industry Insider, John Billington, our guest columnist from Unisys Australia/New Zealand, discusses how IT systems can protect against both types of disasters.

John Billington, Unisys

With recent well-publicised events involving one of Australia's largest banks sending shock waves through boardrooms across Australia, managing reputation risk is a central concern for the chief executive officers and chief financial officers of the nation's leading financial institutions -- or at least it should be.

Reputation risk management is a vital element of a good governance model and one that is capable of supporting an institution's efforts in achieving both its business and compliance objectives. The impact of not managing reputation properly can have long term and devastating consequences for a business. For example, the existence of unethical behaviour will bring about poor marketplace perception, leading to a decrease in customer confidence and fewer sales, which in turn has a negative effect on stock price. Additionally, the personal reputations of executives and non-executives can be permanently damaged, not to mention the crippling financial costs they can face following the dishing out of hefty legal penalties. Remember the public humiliation suffered by those involved in the aftermath of the collapse of companies such as HIH, One.Tel and Enron?

These examples highlight the importance of managing corporate reputation, particularly in light of corporate reform acts such as the United States' Sarbanes-Oxley Act, which make it imperative for companies to disclose all the financial risks they face. Good businesses realise the importance of respecting and nurturing corporate reputation as a critical, yet intangible asset. The fact is that any organisation can apply simple risk management principles to build stakeholder confidence and safeguard and enhance its reputation... yet a number of Australian businesses still haven't seen the light.

Many companies ill-prepared
While the importance of managing corporate reputation has become an urgent priority for many organisations across Australia, the reality is that few of the country's leading financial institutions are prepared for compliance with the Australian Stock Exchange's (ASX) corporate governance recommendations -- recommendations which are aimed at protecting them against risk through more transparent reporting and supervision of financial services.

For instance, financial institutions need to be clearer about their ability to manage their reputation risk, which is particularly pertinent to Principle 7 of the ASX's top governance recommendation. This principle recommends the appointment of a committee to establish policies on risk oversight and management, in addition to the requirement for the CEO or CFO to confirm that the company has put the appropriate internal controls and procedures in place.

One of the keys to establishing reputation risk management within an organisation is to build it from the 'inside out', rather than the 'outside in' as a reaction or a response to an incident. Organisations that factor good governance frameworks around the core of their businesses generally create sustainable reputations. They are recognised as being responsible by key stakeholders such as employees, shareholders and the community, and are rewarded as a result. Yet many of Australia's leading banks and insurance companies are still struggling to meet the current raft of compliance requirements by the regulator's deadline. Attention needs to focus on increasing the visibility and accountability of their back-office processes to identify and trap rogue transactions as soon as they happen, thereby avoiding the excessive manipulation of complex financial instruments and the resulting damage to the company's reputation. It is here that technology plays its role.

IT and reputation risk management
Technology provides organisations with the mechanism they need to implement and demonstrate risk policies, controls and procedures. For instance, one of the requirements of the Sarbanes-Oxley Act is that organisations establish and maintain internal controls with regards to their financial transactions. By having the right technology framework in place, organisations can show compliance with the Act through Web-based reporting structures that allow financial reports to be produced via pre-defined, auditable paths of information.

Technology also plays a role in increasing the visibility of business processes by detecting particular patterns of activity. There are a number of different solutions that can be applied to achieve this including reporting, workflow and behavioural monitoring technologies.

Reporting technologies can help organisations identify rogue traders. Take, for example, foreign exchange currency trading. If one looks at a financial institution's day-by-day exposure to particular foreign currencies, one could easily see how these would vary over the typical trading day. It would then be simple to identify an exposure that went above a pre-set trading limit.

Technology also allows companies to segregate workflow information and introduce robust business processes so that transactions can be audited and responsibility can be assigned to individuals. This occurs through the segregation of duties between the front and back office, which is of paramount importance. The former is designed to execute the trade of the office, while the latter is designed to record and settle those trades. A majority of financial institutions have mandated this segregation in company policy and many have introduced a 'middle office' that ensures that whatever happens in the front office reconciles with the back office. However, occasionally this process becomes unsynchronised. To complicate matters further, banks often have no direct electronic link between front and back office. Technology can easily solve these problems.
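
The two checks described above, an intraday exposure limit and a front-office/back-office reconciliation, shown as an added example that is not part of the original column. The trade records, field layout, trader names and limits are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample data (not from the article). Amounts are signed:
# positive = long, negative = short, in units of the named currency.
FRONT_OFFICE = [  # (trade_id, trader, currency, amount, time HH:MM)
    ("T1", "alice", "USD", 4_000_000, "09:05"),
    ("T2", "bob", "USD", 3_000_000, "10:30"),
    ("T3", "bob", "USD", 5_000_000, "11:15"),
    ("T4", "alice", "JPY", -2_000_000, "11:40"),
    ("T5", "bob", "USD", -6_000_000, "14:00"),
]
BACK_OFFICE = {  # trade_id -> (currency, amount) as recorded for settlement
    "T1": ("USD", 4_000_000),
    "T2": ("USD", 3_000_000),
    "T3": ("USD", 500_000),    # amount differs from the front-office ticket
    "T4": ("JPY", -2_000_000),
    "T9": ("EUR", 1_000_000),  # settled, but never seen in the front office
}
LIMITS = {"USD": 10_000_000, "JPY": 5_000_000}  # hypothetical net limits


def limit_breaches(trades, limits):
    """Replay trades in time order and report each trade that leaves the
    running net exposure in its currency above the pre-set limit."""
    net = defaultdict(int)
    breaches = []
    for trade_id, trader, ccy, amount, when in sorted(trades, key=lambda t: t[4]):
        net[ccy] += amount
        # A currency with no configured limit is treated as limit 0 (fail closed).
        if abs(net[ccy]) > limits.get(ccy, 0):
            breaches.append((when, ccy, trade_id, trader, net[ccy]))
    return breaches


def reconcile(front, back):
    """Compare front-office executions with back-office settlement records."""
    issues, seen = [], set()
    for trade_id, _trader, ccy, amount, _when in front:
        seen.add(trade_id)
        if trade_id not in back:
            issues.append((trade_id, "missing_in_back_office"))
        elif back[trade_id] != (ccy, amount):
            issues.append((trade_id, "mismatch"))
    issues += [(tid, "missing_in_front_office") for tid in back if tid not in seen]
    return sorted(issues)


if __name__ == "__main__":
    for breach in limit_breaches(FRONT_OFFICE, LIMITS):
        print("LIMIT BREACH", breach)
    for issue in reconcile(FRONT_OFFICE, BACK_OFFICE):
        print("RECONCILIATION", issue)
```

Each finding names a trade and a trader, which is what lets responsibility be assigned to an individual; the reconciliation only works if both offices share a trade identifier.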

Behavioural monitoring technology can also help to protect an organisation's reputation by identifying patterns of aberrant behaviour. For instance, a financial institution can use this technology to draw information -- both financial and non-financial data -- from relevant systems. Pre-defined business rules are used to analyse the information and identify patterns of behaviour associated with money laundering, fraud and rogue trading. The same type of technology can also be used to identify customer behavioural patterns. For instance, it can identify behaviour that is indicative of a customer potentially closing an account and moving finances to a competitor institution. It can also identify positive employee and customer behaviour, which will produce information that the organisation can use to link to reward schemes.

From a corporate governance point of view, the technologies that support reporting, workflow and behavioural monitoring also help an organisation to enforce corporate governance and reporting policies as they allow it to produce evidence for regulators as to what path a particular report has taken. In doing this, companies can ensure they are compliant with local and overseas risk reporting requirements and anti-money laundering/fraud provisions, as well as Financial Transaction Reporting (FTR) Act requirements, Basel II and Sarbanes-Oxley. With the right systems in place, financial institutions can transform their businesses to become more agile, and provide greater visibility, traceability and flexibility in how the policies and procedures that they have introduced to protect against the impacts of risk, are implemented.

However, before effective compliance measures can be put in place, these institutions need to start mapping their underlying business processes to identify the vulnerabilities in their business. A good place to begin is for the organisation to ask what a particular process is designed to achieve. The process then needs to be critically dissected to determine what controls need to be applied according to the corporate policies in force. This way, the organisation can demonstrate compliance with the policy at every juncture of the process and is able to provide evidence should the rules be broken. One example that illustrates this is in the United States, where merchant banks have addressed components of their operational risk by using a sophisticated pattern-recognition technology to immediately identify and take appropriate automatic action on suspected fraudulent or money-laundering transactions - such as declining the transaction.

No silver bullet but ....
While technology will help a company to protect its reputation, the outcome of any implementation is only as good as the underlying corporate policies it is designed to enforce. There's not a technical implementation in the world that will stop all attempts to conduct fraudulent activity, rogue trading or money laundering. However, by having a technology-enforced compliance framework in place, an organisation can pinpoint where inappropriate behaviour has occurred. In doing this, it is able to protect its reputation by at least being able to prove to regulators, shareholders and the general public that it is trying to do the right thing by evidencing due process.

Until CEOs and CFOs take action, the risk of failing to manage reputation in a way that is consistent with the goals and values of their key stakeholders could mean doom for some businesses. Ironically, exposure of unethical behaviour can have a positive effect if action is swift and decisive and can be shown to uphold pre-existing policies and procedures. Perhaps it's inaction that is worst of all. Take for example Enron, HIH and One.Tel. These disasters illustrate that even some of the world's largest and seemingly most respectable corporations didn't get it right because they didn't have adequate reputation risk management systems and procedures in place. This is not difficult to achieve and there really are no excuses. With time running out, Australian organisations need to address these issues now - not in a week, or a month but now before it's too late.

John Billington is Unisys Australia/New Zealand managing partner for Financial Services.