Have you heard the one about the Kit Kat and the orang-utans? It’s not a joke, actually. In 2010 the environmental campaigning group Greenpeace accused Nestlé – the maker of Kit Kat – of using palm oil supplied by a company that was destroying the habitat of the endangered primates. Spearheading the campaign against the confectioner was a made-for-YouTube video featuring a bored office worker eating a Kit Kat that oozed fake blood.

Mere weeks after the YouTube video was posted – and 200,000 complaining consumer emails later – Nestlé released a statement about its commitment to tropical rainforests and announced a new partnership with the Forest Trust. Within two months of the campaign’s launch, Greenpeace reported: “You’ll never guess what: Nestlé has only gone and agreed to our campaign demands.” In an era when reputation is all, Nestlé acted quickly and decisively to close down a negative story that threatened to blight one of its leading brands.

There’s no question that reputation is a powerful factor. Some organisations flourish on the basis of glowing reputations – Amazon and John Lewis are good examples. Others have the opposite experience – think News Corporation and the News of the World. But what exactly is reputation, anyway?

Permission statement

It’s quite hard to pin down a consensus on what reputation really means. It’s variously described as a business asset to be safeguarded; a subjective composite of perceptions about an organisation; and the consequence of long-term work on building trust. In truth, it’s all three and more.

For Richard Anderson, chairman of the Institute of Risk Management, “It’s what gives us permission to go out to the market. And, if we blow our reputation, we blow that permission.”

By way of explanation, he cites the example of BP. “Had the company had less of a reputation before it went into the Gulf of Mexico disaster, it would not have survived. It did so because BP had a deep reputation and the financial resources that made people believe that it would be able to manage its way out of that situation.”

In that instance, then, reputation was like a licence to continue trading. For Anderson, who is also the managing director of Crowe Horwath Global Risk Consulting, reputation is also a kind of capital that organisations build up. “Your reputation is intimately linked with trust,” he says. “And reputation and trust give you permission to be in business.”

Estimating how much a reputation is worth is equally problematic. But Jean-Paul Louisot, professor of risk management at Université Paris 1 Panthéon-Sorbonne, has a very precise answer. He quantifies reputation as the difference between an organisation’s physical asset value and its market price. By that reckoning, reputation “has a significant economic impact, representing probably between 60 and 70 per cent of developed countries’ wealth”, he says.

It’s a startlingly high value, but it chimes with research from public relations firm Weber Shandwick. It surveyed 950 business executives worldwide, who “strongly agreed” that 63 per cent of a firm’s market value is attributable to reputation.

These are big numbers, but why not? After all, a positive reputation goes a very long way. It improves relationships with stakeholders and helps with recruiting and retaining the best employees. It creates a more favourable environment for investment and access to capital. It attracts the best suppliers and customers. It reduces barriers to developing new markets. It helps organisations to charge premium prices. And it reduces the likelihood of litigation and punitive regulation. No wonder it’s important.

As a consequence, organisations in general – and risk managers in particular – need to ask themselves if they are paying reputation as much attention as it deserves. Or are we, as Louisot suggests, all but ignoring the source of two-thirds of our organisation’s value?

If you’ve got it, keep it

One problem with managing the risks concerning reputation is where reputation sits in relation to risk management.

“I’ve always struggled with the best way to present this,” says Jackie Cain, the IIA’s policy director. “But really it doesn’t matter whether reputation is a category of risk or whether it’s an impact that risks might have – as long as you choose to deal with it in a way that’s effective in your organisation.”

For Anderson, meanwhile, reputation is something that you create, maintain, manage and, if necessary, recover. “The issue as I see it is that everything we do can potentially have an impact on our reputation, either positively or negatively,” he says. “As risk managers, we are interested in the potential for either building or destroying reputation, just as we are interested in the potential for building or destroying financial resources or human resources. Reputation is another of those resources that is available to you.”

It follows that, for risk managers, reputation should be a major part of the equation. “When I’m looking at an organisation’s appetite for risk, I’m considering several things,” says Anderson. “I’m looking at its capacity for managing risks in terms of having the skills and the knowledge. I’m looking at its capacity to manage risks in terms of financial resources. I’m looking at the organisation’s capacity in terms of having the necessary infrastructure and I’m also interested in its capacity to manage risk in terms of its depth of reputation. Having that asset of reputation behind you is one of the important aspects in determining how risky you can be in determining how you pursue your business.”

For internal auditors, the important thing is to ensure that it stays on the radar. “It’s about challenging the organisation,” Cain says. “Start with what your organisation is trying to achieve. Find out what people think about its reputation. Is it an asset that they are trying to manage, is it merely appearing as a risk or is it not really appearing at all? And make sure that, whatever management thinks is happening, you can actually provide some assurance that that is the case.”

Anderson adds: “Organisations have to ensure that they understand what drives the building or the destruction of reputation, just as they have to ensure that they understand what drives performance and what builds shareholder value. Then you can start to look at the risks that have an impact on those reputational drivers.”

Cain and Anderson agree that internal auditors are ideally placed both to see how reputation is handled across the business and to raise its profile in the right places inside the organisation. Above all, the profession needs to understand its importance. “Since internal auditors are increasingly moving away from financial audit, reputation really ought to be one of their key focuses,” Anderson says. “That’s because it’s a major component of shareholder value.”