Management Of Risks Involved In IT Business


02 Nov 2017

Disclaimer:
This essay has been written and submitted by students and is not an example of our work. Any opinions, findings, conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of EssayCompany.

Abstract

After finishing my three semesters of the master’s degree, the challenge of completing my study at university continued to draw. This dissertation is my final result of six months’ research and entails the postgraduation project of the Masters of Business Administration. It has been carried out with the support of Amity University.

The risk associated with the broad application of information technologies in business grows together with the increase in the enterprise’s relationships with its customers, business partners and outsourced operations. The management of risks in business processes has been a matter of active study in the past. Information Technology (IT) business processes that resulted from the accelerated pace of technological change will enable a path of growth and long-term return on investment (ROI) for organizations. However, embarking on such large-scale investments leaves little opportunity to turn back, and sound governance and management of risks will be required to effectively manage unforeseen issues during the life cycle; if these fail, the organizations will be constantly functioning in crisis mode.

The absence of risk control and risk management can be destructive towards overall business performance. Management skills are therefore of paramount importance to reduce direct cost of projects and to handle increased challenges derived from improvements on existing IT infrastructures. The need for a robust risk management framework exists, although many industry standard methodologies are available to assist management in the ongoing task of project delivery.

The specific research aims of this study include the following:

To assess the current situation regarding risks that were common within organizations and how these risks were being effectively managed.

There is no specific policy or legislation that is formulated in the management of risks. Regarding public liability, loss or damage, there is minimal consideration for the person affected and compensation takes the forefront. The protection of human beings should be considered.

The health and safety of those involved in staging major events is important. Determining various systems and logical approaches that are required for a comprehensive, consistent, reliable and proactive way to ensure safe and successful organizations.

To make organizations and students aware of the fact that it is important to manage a risk which is suitable for all minor and major organizations.

Governance, as the binding glue for organizations, has been one of the fastest growing elements of risk management. Performance measurement is paramount to IT governance and must be set and monitored by measurable objectives. Various ISO standards, such as the ISO 31000 risk management standard, can be used in conjunction with these management tools to guide management in the effective implementation of risk practices. Finally, a research agenda is proposed.

Acknowledgements

As I reach the end of the journey towards my masters, I am filled with gratefulness towards so many whose directions, blessings, guidance and mentorship helped me to accomplish this goal. I would like to take this opportunity to thank from the bottom of my heart everyone who helped me in pursuing this research.

I wish to acknowledge several great individuals who have supported me in this endeavour:

First very special thanks to my brother and my mentor, Ms. Sakshi Singh, for their undying support, love and guidance.

Table of Contents

Title Page

Preface

Abstract

Acknowledgement

CHAPTER – 1

Introduction

Background of the Study

Problem Statement

Objectives of the Study

Primary Objective

Secondary Objectives

Scope of the Study

Research Methodology

Limitations of the Study

Summary

CHAPTER – 2

Governance

IT Governance

IT Governance Domains

Roles

Governance Tools

COBIT

COBIT Construct

Applicability to the Organization

Recommended Action Plan

SOX

SOX Construct

Applicability to the Organization

Recommended Action Plan

ISO 31000

ISO 31000 Construct

Applicability to the Organization

Recommended Action Plan

Summary

CHAPTER – 3

Risk – Introduction

What is Risk?

Different Types of Risks

Market Risk

Management of Market Risk

Business Risk

Management of Business Risk

Financial Risk

Management of Financial Risk

Credit Risk

Management of Credit Risk

Reputation Risk

Management of Reputation Risk

Conclusion

CHAPTER – 4

Governance, Risk Management and Compliance (GRC) Platform Selection

General Considerations

Functional Requirements

Non-functional Requirements

Selection Process Walk Through

Summary

CHAPTER – 5

CHAPTER – 1

Nature and Scope of the Study

Introduction

Organizations face many uncertainties in their day-to-day operations (such as IT infrastructure malfunction or share market movement). The effects of these uncertainties on organizational objectives are known as risks, while the application of relevant principles, frameworks, and processes to effectively manage risks is known as risk management.

The purpose of this study is to propose and define a general reference framework that describes an optimal risk management process plan for information technology processes from various industry types in India.

We call a system that allows reasoning about and management of risks in business processes a risk-aware business process management (R-BPM) system. Such a system includes the ability to analyze risks and incorporate risk mitigation strategies in a business process model during design time, to monitor the emergence of risks and apply risk mitigation actions during run time, and to identify risks from logs and other post-execution artifacts. Furthermore, it may also help businesses comply with various rules and regulations, such as the Sarbanes-Oxley Act.

A vast array of academic articles and research focuses on risk management practices. However, in this study an attempt will be made to create general reference frameworks that combine various risk management aspects to supply a holistic approach to managing the critical elements of an organization’s information technology (IT). Companies must develop the mindset and tools to explore the many dimensions of risk with each activity and opportunity, as a passive risk management stance in this dynamic and competitive world will not be sufficient.

Background of the Study

Growth and profitability are exhilarating words for investors and stakeholders in companies all over the world, although they can be illusory and destructive measures of performance in the absence of risk control and risk management.

An organization may regard Information Technology (IT) as a ‘necessary evil’, something that merely facilitates the business, whereas others may perceive it as a key source of strategic opportunity, proactively looking to identify how IT-based information systems can help them gain a competitive edge. The primary reason for increased IT risks is the accelerated pace of technological change. Organizations that fail to conduct an initial business impact assessment of the changes that result from the business process design activity will face project cost and schedule overruns.

Organizations typically hold large amounts of information that must not only be secured but also transformed into value for management, to assist in the decision-making process and in positioning the organization’s competitive stance. Strategies must be developed to manage this information as a resource and to share existing knowledge within an organization to boost performance.

Problem Statement

Recent years have seen increased concern about and attention to risk management, and it has become obvious that a need exists for a robust structure to successfully recognize, measure, and deal with threats. Risks are unavoidable in any project, particularly IT projects, and if project managers do not apply sound risk management principles, they may be constantly in crisis mode.

For any risk program to be successful, sound risk-based decision-making is crucial to drive the enterprise toward the formalization of risk management processes with the required accountability, transparency, and measurability. Risk management is the assessment of potential reasons for the failure of projects and the development of strategies to reduce risks. Information project risk management must be carefully evaluated and aligned with the organization’s general strategy, as a new IT project has an enormous impact on core business functions.

Risk identification can get very complex and organizations can fail to understand their level of exposure. Organizations have two ways to address risk: the wrong way or the right way. The wrong way is to assume that people can understand all of the vast number of risk exposures. This is, however, not possible, and risks and opportunities must be organized and accepted at various levels by risk owners. In order to gain competitive advantage, top management must ensure that information management is treated as an essential asset and that IT projects are not only the IT department’s responsibility, but that of the organization as a whole. An effective IT risk management process provides executives with the required information to implement smart business decisions with confidence in order to reduce, avoid, transfer or live with IT risk. Governance has been one of the fastest growing elements of risk management, with the separation of risk governance from all IT governance and the layering of risk governance entities that emerged as best practices.

From the above it is clear that a need exists for a robust risk framework to assist management in the execution of projects; assurance towards shareholders; alignment with business strategies; and required governance practices; as these risks are unavoidable in the IT environment.

Objectives of the Study

The research objectives are divided into general and specific objectives:

Primary Objective:

The primary objective of this research study is to the theory for managing IT related risks from an integrated governance perspective by researching literature, expert visions, executive cases and current frameworks, methods and approaches. Comparing these frameworks and methods provides a comprehensive overview exposing possible gaps and flaws.

Secondary Objectives:

The secondary objectives of this research are:

Analysis of risk, and IT management and all the relevant process phases.

Governance as part of the organizational strategic layout.

Evaluation of existing methodologies and frameworks to assist and guide management.

Using the theoretical concepts, a possible approach for risk management processes will be devised to assist in the IT industry.

Scope of the Study

The study will evaluate best practices for business processes from a risk perspective, but the underlying implementation and legislation will focus on the Indian IT industry.

Research Methodology

CHAPTER – 2

GOVERNANCE

To govern means to ‘control the actions or behavior of’. In organizations, governance (or the act of governing) is becoming a widespread term. Programmes and projects are now ‘governed’ by a programme or project board, or by a steering committee. Governance is provided by internal audit, and operational governance ensures that the day-to-day activities of the organization are implemented and followed.

Corporate Governance

Corporate governance can be defined as the set of processes, customs, policies, laws and institutions affecting the way a company is directed, administered or controlled. Although corporate governance is designed for the protection of its external funders, it also applies to government, not-for-profit and other membership organizations. In this context, the ‘external funders’ become stakeholders who could, for example, be members of the public, or special interest groups to whom the body is accountable.

Corporate governance is the glue that binds organizations together in the continuous pursuit of their objectives, while risk management provides the resilience. Linked with corporate governance is the design and implementation of IT governance, which needs to be a cohesive, integrated process.

IT Governance

IT governance integrates and institutionalizes good practices to ensure that alignment exists between the organization’s IT and the general business objectives of the organization as a whole. The key elements of enterprise governance include the following:

Assurance of the value of IT.

Management of IT-related risks.

Increased requirements for control over information with value, risk and control as the core drivers of IT governance.

Performance measurement is paramount for IT governance and must be set and monitored through measurable objectives of what the IT processes have to convey and how to convey it. Although additional regulatory compliance adds more operational weight to an organization, improved performance and growth will result from the alignment of IT with business to further enable processes and drive innovation.

IT Governance Domains

IT governance domains include:

Strategic alignment - alignment between business and IT objectives.

Resource management - focus on the key issues of knowledge and infrastructure.

Risk management - the way that a company identifies, manages, mitigates, and responds to risks.

Performance management - tracks and monitors strategy implementation, project completion, resource usage, process performance and service delivery, using, for example, balanced scorecards that translate strategy into action.

Roles

Corporate boards and executives perceive risk management as a strategic discipline for improving business performance. They are under more pressure to implement risk management from their auditors, regulators and credit-rating agencies, which calls for effective risk management programs.

It is the responsibility of the executives and the Board of directors to ensure that IT governance is implemented and monitored with the needed leadership, organizational structures and processes, so that the organizational IT objectives sustain and extend the overall strategy and objectives of the organization.

Board

Overall responsibility for IT governance.

Provide a balance between risk and control investment in an often unpredictable environment.

Senior Management

Provide ongoing assurance on the security and control measures of the IT services.

The contemporary IT risk manager is likely to work on an overall enterprise governance structure.

A lack of Board oversight of IT activities can put an organization at as much risk as a lack of underlying controls ensuring the quality of financial. Top management involvement in IT risk, on the other hand, can be improved by implementing an effective IT risk reporting framework that is closely linked to key IT processes. The critical success factors required for the implementation of such a framework consist of the following:

Close involvement by all parties and the understanding in the identification and assessment of the risks and their relation to the Corporate Technology (CT) process portfolio.

Allow for customization in the reporting in order to improve management ownership levels – improving the risk management process.

Mutual IT process portfolio derived from a combination of sources such as ISO 31000 and COBIT.

The study will now look at the literature that supports these governance tools and techniques that can assist managers in IT risks.

Governance Tools

COBIT

SOX

ISO 31000

ITIL

CHAPTER – 3

Risk – Introduction

Risk is an important component of a company's investment strategy. It is, thus, important to know the source of the risk, as well as to identify and evaluate factors contributing to risk. The relationship between the different types of risk is evaluated in this chapter, and the definition of risk, as well as the management thereof, is given and explained. Reputation risk is introduced, and different indicators, whereby reputation risk can increase, are identified. Risk managers have a crucial part to play in responding to and preparing for reputational events. Extensive risk management procedures have to be integrated. Managers can only respond to reputation risk once they have identified traditional risks, and then worked out events that could impact reputation.

What is Risk?

ISO 31000 defines risk as the effect of the uncertainty of an outcome. A company is vulnerable to all types of risk. Risk is inherent in business, not only because the organization operates in a risky environment, but also because the business itself is continuously changing. Certain risk relates to variability in returns caused by factors that are unique to the company, such as the type of industry in which the company operates, and the product that it sells. This is often referred to as unsystematic or unique risk. An investor may eliminate this type of risk by diversification.

Different Types of Risks

A company is exposed to all kinds of risk; however, the basic types of risk that affect a company are the following:

Market risk

Operational risk

Business Risk

Financial risk

Credit risk

Reputational risk

Market Risk

Market risk is the risk associated with movements in security prices, especially in share prices. If an individual buys a share and the market as a whole declines, the price of the specific share will probably fall. Conversely, if the market increases, the price of the share will also tend to increase. Essentially, understanding market risk assists in understanding price behaviour. The causes of changes in market price are usually beyond the control of the company. An unexpected war, the end of a war, an election year, political or terrorist activity, speculative activity in the market or the outflow of gold are all tremendous psychological factors in the market. Whatever the reason, the drop in the market is a temporary cyclical swing that causes a temporary drop in the price of the share.

For most companies, interest rates and foreign exchange rates are the main market risk exposures. Alternatively, some companies are exposed to commodity and energy prices. Where the corporation is subject to volatile market risks, or where it uses derivatives to manage its market risk, measures must be adopted in order to control the exposures from the different elements apparent in the market.

Management of Market Risk

Market risk is managed with a short-term focus. Ongoing losses are avoided by avoiding losses from one day to the next. At a strategic level, traders and portfolio managers employ an array of risk metrics, such as duration and convexity, the Greeks and beta, in order to assess their exposures. These methods allow management to identify and reduce any exposures that they may consider to be excessive.

There are several ways for companies to manage commodity risk. Firstly, companies can study each security in an attempt to understand its price behavior. Shares that have shown a growth pattern in the past will show a similar trend in the future, unless some unexpected event affects the company, thus reversing certain expectations. Shares tend to reflect a certain pattern, but not an exact pattern. Secondly, based on analysis, shares that have the lowest amount of market risk will be selected. Ordinary shares demonstrate both growth and income, and do not have the same degree of market risk as the recessive or cyclical shares. Investors, therefore, try to select shares that offer both growth and income. Shares that are recessive carry risks and penalties, and are, therefore, generally avoided. Thirdly, the timing of the purchase of shares is extremely important. The standard error of the estimate is used as a gauge. Shares are purchased when they are below the limits of one standard error of the estimate, and sold when they are above those limits.

The VAR (value at risk) method is increasingly being used to define and monitor risk limits. It persuades treasury departments to impose risk limits on market risk exposure, and to manage risk in a more efficient manner. Calculating the company's value at risk helps to determine the aggregated risk exposure. VAR provides information about the potential for losses in value for a given position or portfolio.

Operational Risk

Operational risk represents the next stage in improving shareholder value, by reducing the amount of risk to the earnings of the firm. There is a growing recognition that a major source of earnings volatility is not due to financial risk. In fact, it is not related to the way a firm finances its business, but rather to the way a firm operates its business, and is called operational risk. Operational risk is concerned with the adverse deviation of a firm's performance, due to the way in which the firm is operated, as opposed to how the firm is financed. It is defined as a measure of the link between a firm's business activities and the variation in its business results.

Culp states that risks such as market and credit risk can often lurk undetected in hidden exposures of a company. Operational risk seems to suffer the reverse malady: the concept itself is so broad that operational risk can be found in just about everything. For this reason, identifying operational risk, in general, should not be the goal of the firm. Rather, identifying meaningful operational risks that could have a significant impact on the value of the firm is the task at hand, and it is not an easy one. Culp further emphasizes that operational risk identification is more art than science, and can get 'sticky' for several reasons. Firstly, the definition of operational risk - and its distinction from business risk - at any particular firm, depends strongly on the risk management and business strategies of the firm.

A second complication to operational identification arises from the linkage between the risk and the loss. Operational risk-related losses are quite often driven by market, credit or liquidity risks. For example, the failure of Barings Bank to recognize the huge position that was held by Nick Leeson was an operational risk management failure. It was a failure of internal processes and systems: in other words, the case illustrates basic internal control failure, as well as ineffective operational risk management, which, consequently, failed to identify process, personnel and systems problems.

Management of Operational Risk

Operational risk helps management to determine what factors affect earnings, in terms of the overall operation of a company. Factors that cause changes in earnings should be investigated, in order to determine the overall effect. Management must understand the cause of the risk, so as to effectively manage the risk and obtain the desired balance between risk and return.

There are many benefits to managing risk and maintaining earnings.

Avoid unexpected losses and improve operational efficiency. If management understands operational risk, this will assist in understanding the operational activity of the firm and, thereby, being able to effectively strategize operational risk. This allows management to avoid large losses.

Efficient use of capital. Capital is budgeted based on future earnings. Capital usage helps to optimize the risk return trade-off for capital allocation decisions.

Satisfy shareholders. Risk measurement can help influence shareholder views, and improve areas that are needed to avoid shareholder surprises.

Comply with regulations. Operational risk management is a board level responsibility, which can be effectively maintained through the implementation of corporate governance principles, and the use of operational controls.

Operational control would be a controlled way of providing assurance on achieving certain performance objectives. Risk helps to determine the effect of fluctuations on performance of a company, and operational risk determines the connection between the fluctuation and business activities. Decreasing operational risk creates a domino effect, whereby reduced earnings create an increase in value for the company. Most operational risks become potential losses for a company, because they, basically, expose the company to market, credit and liquidity risk.

Business Risk

Business risk is defined as the uncertainty inherent in projections of future returns on assets - or of returns on equity, if the firm uses no debt - and it is the single most important determinant of capital structure. A company's capital structure affects the riskiness inherent in a company's share, and, therefore, affects its required rate of return and the price of the share. A company's capital structure policy requires choosing between risk and return. When a company increases its level of debt, this increases the riskiness of the firm's earning stream; however, the company also experiences a higher expected rate of return. High levels of risk tend to lower a share's price, but high levels of expected rates of return tend to raise it. Therefore, if a company manages to maintain a balance with the optimal capital structure, this maximizes the price of the share.

Fluctuations in the company's EBIT can be the result of many factors: upturn or downturn in the economy, launch of new successful products, labour strikes and natural catastrophes. However, there is also the possibility of a long-term disaster, for example, changes in technology, which could render products obsolete and could permanently depress the company's earning power, i.e. lower the earnings. This element of uncertainty about a company's future return on equity is the company's basic business risk. Business risk varies within the different industries, and can also change over time. Smaller companies that sell or manufacture a single product will tend to have a high level of business risk.

Brigham and Weston suggest that business risk depends on a number of factors, the more important of which are the following:

Demand (unit sales) variability. The more stable the unit sales of a firm's products are, provided that other things are held constant, the lower its business risk.

Sales price variability. Firms whose products are sold in highly volatile markets are exposed to more business risk than similar firms whose output prices are relatively stable.

Some firms have little difficulty in raising their own output prices when input costs rise; the greater the ability to adjust output prices, the lower the degree of business risk. This factor is especially important during periods of high inflation.

The extent to which costs are fixed: i.e. operating leverage.

Each of these factors is determined partly by the firm's industry characteristics, but each is controllable, to some extent, by management, for instance, through their marketing policies: i.e. stabilizing both unit sales and sales prices through advertising or discounts.

Management of Business Risk

Business risk is managed with a long-term focus. Business risk should be managed from two different sides. Firstly, how does a company manage its own business risk? The company will have to evaluate the impact that the potential risk could have on it. Secondly, a company must decide whether or not to use external techniques to manage the business risks. If the company uses external techniques, this will, obviously, make the company vulnerable to factors that are apparent in the business environment, and which will then impact the different portfolios.

Companies have to manage a potential business risk throughout the lifetime of a business. Most business risk is managed on the basis of past experience, as well as by skilled managers, who possess that unique acumen, coupled with a natural instinct. In today's business environment, there is prevalent fraud, and it is highly difficult to predict movements in markets; this makes it harder for companies to be able to identify business risk. Another problem is that business risk is on the increase because companies tend to transfer risk; therefore, some sectors will be affected more than others, such as financial institutions. In addition, technology has also impacted business risk. Lastly, due to global markets and the increase in mergers and acquisitions, companies are purchasing outside their area of expertise, thus adding to the overall business risk.

Once a business risk is identified and assessed, a company must make a decision on whether to retain (i.e. manage) the risk or to transfer the risk. The isolating and transferring of the risk is part of the classic risk management market: the use of derivatives. However, it must be remembered that a company cannot offload the volatility of its complete portfolio of business risk. Some exposure is, therefore, retained and a funding mechanism is used to spread out the losses over a certain period.

Financial Risk

Financial leverage refers to the use of fixed-income securities, debt and preference shares. Financial risk is the additional risk placed on the ordinary shareholders, as a result of using financial leverage.

Companies have a certain amount of risk inherent to their operations: this is its business risk, which is defined as the uncertainty inherent in the company's earnings before interest and taxes (EBIT). When the company takes on debt and preference shares (financial leverage), the firm concentrates its business risk on the ordinary shareholders. This portion of the shareholders' risk, over and above basic business risk, resulting from the use of financial leverage, is the financial risk.

Management of Financial Risk

Brigham and Weston state that a firm's optimal capital structure is that mix of debt and equity, which maximizes the price of a company's share. At any point in time, the company's management has a specific target capital structure in mind, presumably the optimal one, although this target may change over time.

Credit Risk

Credit risk refers to the possibility that a borrower may fail to repay a loan. Lending, from credit cards to corporate loans, is the largest and most obvious source of credit risk. However, credit risk exists in some form or another throughout all companies, both on and off the balance sheet, from acceptances, inter-bank transactions, trade financing, and derivatives trading to guarantees and settlement. Fund managers and investors are directly exposed to credit risk in their fixed income investments. Companies are exposed to the risk that another company, supplier or foreign partner could default, or fail to meet deadlines. New tools used to manage credit risk have allowed companies to absorb certain inherent risk. These include the use of credit derivatives and securitizations, increasing the risks to which banks are exposed.

Companies must identify all credit risk exposures. This allows management to understand the credit risk and to assess how best to manage the risk. Firstly, how does one determine a credit rating for a company? Due to a lack of publicly available data on different companies, it is technically impossible to apply statistical methods; therefore, subjective methods have to be used. Most financial institutions use financial ratios, based on the information obtained from financial statements, to assess a company's credit standing.

Another popular method used to assess credit risk is called the Merton Model. This model is based on the principles of Robert Merton, and primarily considers the company's equity as a call option on the value of the firm's assets, in which the strike price of the option is related to the liabilities of the firm. This then allows the credit assessor to estimate the probable default. The technique also allows banks to manage their loan portfolios.

Other techniques used to assess the credit ratings of companies are called quantitative techniques; in other words, portfolio credit risk models. These models help make credit value at risk (VAR) a practical measure for bankers, as well as other portfolio managers, to assess likely portfolio credit losses. Although VAR models are easier to use for market risk, they remain difficult for credit risk, because liquidity is lacking. The negative aspect of these models is that default correlations are difficult to measure, and, thus, the true credit risk of a portfolio is difficult to determine. Therefore, companies should implement credit policies that will help manage credit risk. The Basle Committee has issued guidelines to assist companies in implementing a proper credit risk management programme. Companies should:

Establish an appropriate credit risk environment

Operate under a sound credit granting process

Maintain an appropriate credit administration

Measure and monitor processes

Ensure adequate controls over credit risk exist.

Management of Credit Risk

For companies adopting either a credit limit or credit line perspective, credit risk management means comparing actual exposures to risk tolerances, either ex-ante or ex-post. Limit stops must be exercised, and management must carry out continuous monitoring of the loans. With financial contracts or derivatives, companies must be wary of the fact that when entering into these contracts, the exact monetary exposure cannot be determined; this makes the contract values misleading, because of the embedded credit exposure.

Two methods are commonly used by companies to lower potential credit losses from the use of derivative contracts: netting and collateral. Most merchant banks use bilateral closeout netting agreements to prevent a defaulting counter-party from stopping payments on contracts with a negative value, while demanding payment on those with a positive value. The International Swaps and Derivatives Association has made these netting agreements legal and enforceable. Another commonly used method is the use of collateral: whether or not a company stands to lose if a counter-party defaults depends on how the market moves over time. However, there are certain limitations with regard to collateral, such as lack of expertise and legal uncertainty.

Companies can manage credit risk exposure by using credit derivatives, which are: credit default swaps, total return swaps and credit options. Another popular tool used to manage portfolios, thereby reducing credit risk, is the concept of securitization. Securitization allows banks to remove loan assets, from credit card receivables to commercial loans, from their balance sheets. Securitization also helps management to remove credit risk of loans from financial statements, which may add excessive emphasis on the loan portfolio.

New methods are continually being tested to create a balance between risk and return, as well as to lower regulatory capital.

Reputation Risk

Reputation is a collective representation of a company's past actions and results, which describes:

the company's ability to deliver valued outcomes to different stakeholders, and

how each stakeholder experiences the company's brand through its daily operations and conduct.

Therefore, a company's reputation is built upon the relationships it has with its stakeholders. Important relationship issues include the various kinds of benefits (tangible and intangible) offered to shareholders, and how shareholders judge the past behavior of the business. According to Rayner, the reputation of a company is driven by:

Financial performance and long-term investment value: A company that demonstrates a consistent financial performance is deemed a reputable company and, therefore, a safe investment.

Corporate governance and leadership: The effective corporate governance of the business helps to safeguard the company's reputation.

Regulatory compliance: Companies that contravene legislation can rattle shareholder confidence and impact corporate reputation.

Delivering customer promise: Companies have to maintain customer expectation, so as to maintain a good reputation.

Workplace talent and culture: Employees must be satisfied with their working environment so as to exalt the company name.

Corporate social responsibility: Companies can benefit from a good reputation if they demonstrate a commitment to corporate social responsibility.

Communications and crisis management: A company must have a contingency plan in place, in order to deal with any crisis, so as to maintain company reputation.

The management of a company has a fiduciary responsibility to protect the interests of shareholders, employees and creditors; this is a responsibility that is also at the heart of managing the reputation of the company. In discharging its fiduciary responsibility, a company has to tread between legal obligation and ethical practices. This entails situations that may be legal but not ethical, thereby placing the reputation of the company at risk.

Reputation risks do not take place in isolation; instead they interact with psychological, social and cultural processes. It is this integration that helps us to determine how we experience risk. Rayner maintains that there is no such thing as reputation risk - only a risk to reputation. However, there are different kinds of risk which impact reputation. The following definition captures the essence of reputation risk: "Reputation risk is any action, event or circumstance that could adversely or beneficially impact an organization’s reputation".

Reputation risk also arises from the negative publicity that can occur due to a certain event or to mismanaged business practices. The publicity results in a decline in the customer base, thereby affecting revenue. Reputations are created in different ways. Different circumstances can enhance a reputation, but it is the value that the company provides to the shareholder that determines the value of the goodwill element. Therefore, reputation risk increases during a crisis, as the control thereof decreases. During a crisis or turmoil, management is unable to create a balance that would extinguish the risk and maintain the reputation of the company concurrently.

There are three broad indicators of a loss of reputation: an adverse movement in share price, an increase in negative media coverage and a loss of sales. A company must have a structured policy that will manage reputational risk. If reputational risk is not properly managed, the consequences can include:

Reduced revenue, increased expenses (including lawsuits and settlements) and liquidity issues

Lower security prices, reduced agency ratings, and unavailability of investor funding

Deterioration in partnerships and relationships with suppliers and customers

Inability to attract and retain high-quality employees.

Other factors, which can also impact reputations, are:

Poor performance directly connected to product and/or services

Poor performance with respect to achievement of relevant company aims

Value conflicts or violation of specific values, public relations crises and

fundamental ideological rejection.

Disruptive business practices, transgressions of legislation, undue or unreliable practices - both intended and unintended - influence compliance risk, legal risk, and reputation risk. The business of high-risk products or controversial products also affects legal risk, credit risk, and reputation risk. Companies that are dependent on outsourcing and third party arrangements are also vulnerable to reputation risk, in addition to operations risk and credit risk.

Management of Reputation Risk

In order to manage reputation risk, management must identify all risks systematically, and document them, once identified. All significant risks must be clearly understood and consistently assessed by the individual directors. This will allow risk expenses arising in different areas of operations to be compared and contrasted; subsequently, specific remedies and a more proactive reaction can be structured.

There are certain factors that affect reputation, and it is important for management to be able to identify possible risk to the reputation. As Alsop stresses, companies must always be alert in identifying possible threats to their delicate reputations, and should develop defenses, policies, procedures, and allies to assist in pre-empting or quickly overcoming these threats. This helps in avoiding the impending disaster, by identifying the indicators, which provide management with sufficient warning that the company's reputation could face possible jeopardy. Therefore, management is able to change tactics and avoid the possible disaster.

Conclusion

Risk awareness is largely a matter of corporate culture and education. Corporate governance is the practice that ensures that the board of directors and management have established the appropriate organizational processes and corporate controls to measure and manage risk across the company. This is, increasingly, required by regulatory standards and voluntary codes of conduct around the world.

The integration of risk management into the revenue-generating activities of the company - including business development, product and relationship management, and pricing - is crucial. It is these activities that most immediately generate risks, and, thus, a great deal of the efficiency of risk management is tied to the inclusion of risk as a factor in everyday decision-making. Managers need to ensure that their business complies with the overall corporate policy on risk: that risks are considered in the pricing of existing businesses and the development of new ones, and that unusual or large risks are referred to the appropriate authority for approval.


