Contributors Organizational Resilience Risk

Reputational risk is not a risk

Corporate reputation is important, even a perception of wrongdoings can affect funding, sales and cost of doing business. Importance of reputations for both profits and non-profits is not up for a debate.

Despite the clickbait title, the messages in this article are important to the risk profession and are purely practical. First few caveats, corporate reputation is important, even a perception of wrongdoings can affect funding, sales and cost of doing business. Importance of reputations for both profits and non-profits is not up for a debate. Second caveat is that reputational risk in this article is just an illustration, the same underlying principles apply to all other “marketing” risks like Environmental, social, and governance (ESG), geopolitical and whatever bs consultants will come up with next.

Taleb calls it X and f(X)

One thing that dislike in risk management in financial services is the fact that regulators siloed risks into separate categories. Separate risk reporting for market risks, credit risks and operational risks, etc. Sure, it still all comes together for the capital adequacy assessment but the damage is already done. Risks and not decisions / objectives became the corner stone of methodology. Separate teams, methodologies, regulatory requirements for each risk category.

This is what Taleb calls X and f(X). Sure we can quantify any risk, build a loss exceedance curve and even make important conclusions related to the mitigation of that specific risk. This is called X. But it is so much more useful to measure the effect of risk on a decision or an objective instead. This is called f(X) or function of risk.

So this is the first issue with reputational risk. Unless there is a mature and liquid market for reputational risk mitigation, like hedging in market risk, bank guarantees for credit risk and insurance for operational risk, there is little practical use to measure, assess and treat reputational risk as a standalone risk. By the way, if you didn’t get the irony, there isn’t a market for reputational risk mitigation, so no real reason to treat it as a risk.

What then? f(X) on the other hand makes a lot of practical sense. When doing risk analysis for decisions or as part of planning, budgeting or forecasting, it makes a lot of sense to treat reputation as one of the factors affecting assumptions making them more expensive, less favourable or completely unavailable. The trouble with this paragraph is that it only works in RM2, where risks are assessed not as events with likelihood and impact but as volatility of assumptions and scenarios. Here is an example. 

In RM2, scenarios associated with the effect of reputation on cash flows are assessed regularly and yet the reputational risk as a standalone risk is superfluous.

A risk is a risk when it can be aggregated and the aggregation leads to mitigation

The second issue I have with reputational risk is that it is an umbrella marketing concept, just like ESG or geopolitics, that actually houses hundreds of specific and quite tangible issues and risks. For example market risk is actually price risk + interest rate risk + FX risk. Price risk in turn includes price risks associated with different products, different geographies, different indices, etc. This aggregation is quite artificial and driven purely by regulator and maybe by the fact that mitigations are similar. Unlike market risk, which has been defined by regulators, there is no regulation for reputational risk, so it is a hodgepodge. Anyone can claim anything is a reputational risk, because in a way it is, every risk on the planet has some reputational consequences. We see the same silly situation in ESG where it is 1000s of unique risks but the media mainly cares about climate change.

So while we technically can develop a methodology to assess all examples of reputational risks and even aggregate them into a single loss distribution. Ironically NO ONE who makes their living on selling the sexy topic of reputational risk would have even the slightest clue how to do it. The real question should be – why bother? Without even doing the calculation I can tell you reputation@risk will be a subset of cashflow@risk because not all forecasted volatility is associated with reputational events. So what? What does this tell you? Does your mitigation maybe depend on the reputational VaR? It doesn’t. Most mitigations these gurus propose are training, disclosure and other very basic and intuitive measures. Things companies can and should be doing regardless of how significant the risk is.

In summary, reputational risk is only useful for marketing brochures and empty conference talks, there is no practical application of the idea to manage reputational risk as a standalone risk. Prove me wrong in the comments.

You liked what you read ? Leave a comment.

See more posts from Alex Sidorenko at RISK-ACADEMY Blog.


  1. My understanding of risk treatment has 4 possibilities: Avoid, Mitigate, Transfer, and Accept. Is the thrust of the argument that if a risk can not be transferred (thru a liquid or illiquid market), then it is not a risk?

    For a high-end consumer products company, I would define reputational risk as the loss of the cashflow associated with the price differential between their product and a generic. I thought this was historically independent of corporate political decisions and subsequent public reactions. With respect to your article’s X and f(X), the X would be potential change in product price/cashflow and f(X) would be the programs designed to maintain quality image.

    1. You are right about 4 treatment options and of course my point is much more complex than you have put it. Let’s discuss all 4. Avoid not relevant. Transfer already covered, Mitigate – probably something to investigate. My initial thinking is that mitigations, all of them, would be directed at operational or market risks that trigger reputational damage and as a result affect future cash flows. Accept not relevant. Still don’t see an argument for treating reputation as a standalone risk

  2. There are some very good reasons to separate Credit, Market and Operational risk management. Each area demands a very different expertise – by the way Market risk has very little to do with Marketing! …. You are right reputational Risk is very difficult to measure …. metrics are few and far between.

    Organisations that have suffered from Reputational Risk have been Datsun (as a maker of rust bucket cars) [negative] – HP (quality computers) – [positive] – Du Pont (safety systems) – British Airways (emergency response) – John Lewis (product quality) … it is very interesting that some organisations have declined in reputation whilst others have recovered from negative states to regain their rightful position ….

    Before their demise Oxford Metrica did a lot of qualitative work on soft-issues and I think I still have a few papers.

    David Spinks

    1. So far, you have very much missed my point behind X and f(X) and the analogy for market and credit and ops risk and on the reputational risk argument it seems

Leave a comment

%d bloggers like this: