An organization that actively builds and maintains a positive reputation gains a competitive advantage and improves its credibility if an event occurs that impacts that reputation. This paper lays the groundwork and helps stimulate thought around managing reputation risk, providing the opportunity and practical guidance for practitioners, executives, and board members to rally around meaningful organizational reputation risk principles that meet the broad needs of the company and its constituents. Companies can use this Shared Assessments TPRM Reputation Risk Framework construct to identify and act on opportunities to build their reputation capital.
Reputation risk is the potential that negative publicity regarding an organization’s business practices—whether true or not—causes a decline in reputation capital that can result in reduced revenue, regulatory fines, staff turnover and inability to attract quality candidates; and may adversely affect an organization’s ability to maintain existing or establish new business relationships. All aspects of the third party’s contracted services have the potential to impact reputation—such as product quality and safety; cybersecurity, physical security, privacy, legal practices; and Environmental, Social, and Governance (ESG), such as fair labor practices.
Reputation risks grew for multinational operations between 2022 and 2023 (World Economic Forum, 2023). The impact on reputation is widely magnified for companies that have not prepared a playbook for incident response, communication, and remediation. Companies can track and respond to evolving market and social priorities and expectations that can impact their reputation by using robust governance and cyber hygiene planning and assessment focused on reputation risk ahead of an event, in combination with ongoing monitoring.
Damage to reputation can swiftly unravel years of reputation building, which may be beyond the control of the affected organization to remedy directly. “The ability to effectively perform scenario modeling to predict outcomes is the holy grail of strategic decision making,” notes Marc Weinberg, Vice President Vendor Risk Management, Commerzbank AG, New York Branch. As reputation risk does not lend itself to deterministic analysis, in which all the necessary data is available to predict an outcome with 100% certainty, the framework addresses metric selection, risk quantification approaches and techniques, designing a roadmap, and calculating and reporting reputation risk.
The Shared Assessments TPRM Reputation Risk Framework principles and practices are applicable covering all areas of Enterprise Risk Management (ERM) across all organizations and sectors, and can be easily tailored for each organization’s unique needs and incident management playbook. The truth for organizations is that they must consider their reputation resilience—their ability to gauge their reputation and recover from reputation impacts—based on a thoughtful, pre-considered plan. Using the reputation risk framework outlined in this paper can help companies do a better job of understanding, assessing, building, and managing reputation capital and reputation-related threats that may arise through relationships throughout their supply chain.
This paper represents the work of the Shared Assessments Global TPRM Best Practices Committee and project team of SMEs who stepped forward to compile this guide. The best practice solutions that have evolved over the past two decades are brought together and refined by this group, which this year has chosen to focus on ransomware preparedness, reputational risk, and onsite best practices.
Managing third-party risk is a global, multi-faceted challenge impacting organizations across all sectors. Shared Assessments’ committee structure offers opportunities for members and non-members alike to address all aspects of that challenge.
The Global TPRM Best Practices Committee, open to members and non-members, now has 260 registered individuals from 185 organizations spanning 15 time zones. Examples of previously examined topics include complex supply chains, fourth (and Nth) party management, third party contract development, risk rating, and assessment scoping. If you would like to join, we’d love to have you.
The paper is available for download here.
Shared Assessments Committees Registration.