Third-party risk management - Part II - Reputational Risk

Blog Image

Regardless of the nature of the exposure from any third-party risk, the even larger risk of brand damage is ever present - and it can happen in an instant. Like raising your children, you cannot afford to blink.

But where does that leave your business in our evermore outsourced, globalized, networked and virtualized world of commerce? Organizational structure can increasingly be diagrammed as many-tentacled, with each arm leading down a path toward suppliers of myriad goods and services, yet none of it under true control by the contracting entity.

The C-suite is certainly mindful, 87% of executives rate reputational risk as more important than any other strategic risk their companies face (Deloitte). And ultimately, how a company manages the expectations and performance related to its reputation determines whether value is created or destroyed. According to a study by the World Economic Forum, more than 25% of a company's market value is directly attributable to its reputation.

It is a short hop from these facts to the observation that trust = value. If we rely on third-parties to service our business needs, we must trust them. It's as simple, and as risky, as that. It's no wonder the C-suite is worried. The good news is there are strategies and practices the risk manager can put in place:

Trust but verify

Ronald Reagan may not have been a risk manager, but he had it right. The organization can verify that their third-parties are in compliance with all agreements, contracts, local and international laws, insurance requirements, supply chain covenants, licensure, documentation and so on. Anything that can be checked, within reason, should be checked.

Be proactive, be ready

News never traveled faster than it does today. Forget television or print news, social media can crush you, and it is vicious. Individual perceptions of a situation are personal, leading to fuzzy boundaries, disputable accounting of events, the conflation of grievance to outrage, escalating swiftly to threat and crisis. There is precious little time to figure out your next move. Every new business strategy, relationship and transaction must contemplate its potential impact on reputation, and there must be a standby plan for mitigating the worst of what might come at you.

Fourth parties

You have made an agreement with a third party. Does the third party have a subcontractor? Is there a fourth party? A fifth? It is critical to understand who, exactly, is performing the work, and to bind the third-party contractually to inform and gain approval on any fourth-party involvement.

Reputational risk derives from other risks

Reputational risk is a consequence of exposure resulting from some other business risk. The biggest risks, in order of concern, are ethics/integrity, product/services and security (Deloitte, again). A program of ongoing enterprise-wide risk identification and assessment will give the organization both the structure and the tools to better manage damage to the brand. Reputational risk cannot be siloed, it is the fallout from breakdown elsewhere in your business ecosystem. Look for hot spots, you will find them.

Talk to your customers

There is no one closer to your products and services than their users. Customer success relationships can provide feedback mechanisms to constantly measure product quality, system performance and customer expectations. Customer satisfaction is essential to prevent leakage of brand goodwill and business reputation. Reach out and touch someone. You may be surprised by what you learn, but better sooner than later.

External threats

It must be noted not all reputational risk causes can be controlled through internal processes. The impact of regulatory compliance, employee or executive misconduct and the actions of third-parties or competitors can have consequences beyond the capabilities of the enterprise to prevent. Therefore, a business continuity and crisis management program must be developed and stand ready in order to enable effective response and mitigate loss in a crisis. The buy-in of all key stakeholders – executives, the Board, shareholders – is essential; further, they should be utilized as monitoring posts for reporting back external information gleaned through observation and anecdotal communication.


Warren Buffet was right in observing it can take 20 years to build a good reputation and five minutes to lose it. Awareness and planning can do much to lengthen that timeline and increase the likelihood of preserving your brand when the unexpected knocks at your door. The alternative? Well, just ask Target, or Yahoo, or Uber, or Equifax, or Weinstein or ...

Back To Blog Stream

Leave a Comment