The Role of Internal Audit in Managing Reputational Risk

Stephanie Donaldson Martyn KenyonHead of Internal Audit Transformation ManagerMerseytravel Wigan Council

First question……….

Reputational Risk – Does it matter ?

Private Sector:

Reputation impacts upon………..• Brand image• Public confidence in the company• Public confidence in their products• Willingness to trade with them• profitability• dividends, share prices, • business success (or failure)

Basically…….reputation is everything!

……and to prove it…….

Dave Carroll v. United Airlines (2009)

• United stock dropped in value by $180m (10%)• Guest appearances on TV• 1m youtube hits in 4 days• 14,638,773….. to date!• “The Power of One Voice in the Age

of Social Media”

http://www.youtube.com/watch?v=5YGc4zOqozo

Additionally………….

Greenpeace Campaigns:Strategy is to cause the organisation to fear for damage to its reputation,

through publicising “unethical” practices”

Ethics and profitability are sometimes in direct conflict.

• Lego/Shell partnership https://www.youtube.com/watch?v=qhbliUq0_r4

• VW https://www.youtube.com/watch?v=R55e-uHQna0

• Asia Pulp and Paper / Mattel toys (esp Barbie )https://www.youtube.com/watch?v=Txa-XcrVpvQ

Multi £m business decisions have followed these campaigns

RATNERS

And there’s more…………………..

So……

how does this translate into the public sector ?

General Perception….?

Private sector = good Public Sector = bad

• Fuelled by media, central government• Bad news stories “confirm” innate prejudices• Provides a convenient scapegoat when things go wrong?

How long has this been the perception ?• Is it true ?• Does it matter ?

Consequences of poor reputation…………

• No continuity of administration (political uncertainty poor member / officer relations )

• Resistance to Council Tax collection• Problems with recruitment• Low staff morale lower productivity and lower quality of services• Public Reluctance to engage in:

– Recycling– Community ventures

• Low levels of pride in area litter, graffiti, arson, anti social behaviour, disaffected communities

• Claims, litigation• Lack of Inward investment (M&S, IKEA, other major employers)

WORKSHOP

What can internal audit do about it ?

Reputational Damage

An organisation’s actions need to be consistent with its public persona

Reputational damage arises when actual organisational strategies, actions (or perceived actions) don’t align with the public image:

• Safety• Ethics• Social Responsibility• Sustainability• Price• Integrity

….Difficult to Repair Damage

Reputation: How to lose it?

1.DIRECTLY

As a direct result of the actions of the organisation

2. INDIRECTLY

Through the actions of an employee or employees

3.TANGENTIALLY

Through external parties, such as joint venture partners or suppliers

Does your organisation have a consistent approach to addressing Reputational Risk?

Is Reputational Risk included in the Risk Register?

1. Identify scenarios where reputation may be significantly impacted

2. What underlying events may lead to this scenario?

3. How to prevent or mitigate this damage:

• Roles & Responsibilities• Actions (before & after)• Monitoring Arrangements• Internal Communication• Culture

WHAT ARE OUR TOP 5 REPUTATIONAL RISKS?

1

2

3

4

5

SERIOUS CASE REVIEW

ADVERSE MEDIA REPORTS

SIGNIFICANT FRAUD

CONDUCT OF ELECTED MEMBER / SENIOR OFFICER

QUALIFIED ACCOUNTS

Considerations when Auditing Reputational Risk

1. Not straightforward – Complex risk environment

2. What is the public perception?

3. Media & Social Media – Double-edged sword

4. Reputational risk is not always borne from a single event – aggregation of other risks (often long-term)

5. How robust is the internal control environment?

6. Culture of the organisation

7. Scale / impact

Some questions to ask…..

Strategy:• What elements of our image are most important? (internal +external)• How could the organisation’s image be damaged / improved ?• What’s the culture and morale of the organisation ?• What image to we want to project to employees and the public ?• Does our Communications strategy adequately address these ?

Putting Strategy into practice:• Do Senior Managers and members “walk the walk” ?• Do they regularly reinforce the key messages ?• How do they do this ? How does it relate to other (high profile / high

image orgns.)• Are these efforts reflected in the results of staff and public surveys ?

Reputation Toolbox

• How do we use (and control) social media?• Do we have an effective Code of Conduct?• Adequacy of Whistleblowing arrangements / culture?• How do we use the results of staff and public surveys ?• How effective are performance monitoring arrangements?• How robust are Business Continuity / Disaster Planning

arrangements?• How do we protect / handle / share confidential & sensitive data?• Other triggers / “warning lights”?

Conclusions

• Addressing Reputational Risk is complex and multi-layered• Impact can be devastating, opportunity costs are huge• Focus on the root causes / scenarios and the expected control

environment• Business Continuity / Disaster Planning arrangements to mitigate

impact “if” / “when”.• Managing the Media / Social Media - “putting the record straight”• The REAL test is in levels of public and employee engagement

Given the scale and impact of this risk, where does it feature on your audit plan ?

Thankyou!

Stephanie Donaldson MA (hons) CPFA Martyn Kenyon

Head of Internal Audit Transformation Manager

Merseytravel Strategy and Transformation Team

Liverpool Wigan Council

tel: 0151 330 1031 tel: 01942 827343 (ext 2343)

stephanie.donaldson@merseytravel.gov.uk martyn.kenyon@wigan.gov.uk