Two separate conversations last week bothered me. The first was with a communications director in a large company, who spoke of early plans to initiate a full review of the company’s crisis resilience which were effectively kicked down the road another year because of budgets and competing priorities. The second, was with a friend and company board member, who confirmed that while their board had a good oversight of operational risks, that didn’t extend into the realms of communication.

I have come to the conclusion that businesses are inadvertently self-harming by not taking their reputation seriously enough. A company’s reputation is one of its most valuable assets, but I am far from convinced that many of those at the top of businesses are aware of what it takes to actively manage their reputations in this day and age.

I remember a closed doors event in 2012 on the topic of boardroom risk, where a CEO who had been at the helm of a prominent FTSE 100 company during a major global crisis admitted that while his business had been operationally well prepared for the type of event that had occurred, and had even identified it as number 2 on its risk register, reputationally it was completely under-prepared.

Things have not changed much. In an Experian survey in 2022, around half of UK business leaders admitted their organisations lacked crisis response plans.

Board responsibilities

All this points to the need to escalate reputation to the realms of the board.

Yet doesn’t the UK Corporate Governance Code – the bible of listed company boards – already emphasize the board’s pivotal role in this area? Well, yes and no. It mandates that boards “review the company’s risk management and internal control framework, and, at least annually, carry out a review of their effectiveness”.

But the Financial Reporting Council’s guidance further advises that “it is for individual boards to decide on the governance arrangements most appropriate to their company’s circumstances.”

My sense is that too many boards are interpreting this in a manner that ignores the importance of them actively engaging in reputational risk management. They are failing to recognise that any operational risk, financial risk, people risk or any other type of risk can become a reputational risk.

This is not just about communications. Reputational risk management is about taking active stewardship over measures that can reduce risks, and effective communication plays a key role in that at all levels.

Real world implications

Passivity in this regard is perilous. Reputational damage has real world implications. Lost sales. Damaged margins. Difficulty retaining and hiring talent. Plummeting share prices.

It is not just the company’s reputation at stake. Individual directors can be and are targeted by the media, and can potentially face legal threats if it is felt that they have neglected their duties to the detriment of shareholders or other stakeholders.

And thanks to ever-increasing scrutiny and ever-developing technology, the likelihood of a company facing a reputational issue and the likelihood of it seriously blowing up are considerably heightened.

As such, reputation isn’t just a communications issue, it’s a strategic threat that requires board-level attention.

By not giving it that attention, the message is also being sent to those working within the organisation – such as the communications team - that it is not that important. If reputation is not deemed worthy of a board’s time, attention and investment, does it really matter if we downgrade the robust preparations we had talked about, or even put them off until next year?

Boards are entrusted with safeguarding the long-term interests of their organisations, a fiduciary duty that includes risk management. Those not interpreting that duty in a manner that includes instigating and maintaining robust reputational risk processes - including crisis communication preparedness - are leaving their companies poking their heads considerably higher above the parapet than is advisable.

What the governance of this should look like in practice is up for debate. Boards have audit committees, among whose responsibilities is ensuring that risk management systems are in place. Some boards have risk committees, though they are not widely mandated.

“Permanent state of resilience”

Whatever the architecture used, reputational risk must be given specific attention. They must identify their reputational risks so they can be managed. Understand their organisation’s capabilities to handle a serious reputational issue, in communications terms as well as operationally. And put in place and stress-test all the processes and procedures for identifying, escalating and managing risks, including communicating effectively throughout. They must aim to embed a permanent state of resilience into their organisation.

Board agendas are long and full of highly important issues to address, and I don’t for one moment believe their disregard for reputational issues is a deliberate dereliction of duty. But while the Corporate Governance Code provides a clear framework, on the subject of reputational risk management it is open to interpretation. It is therefore incumbent on boards to take the bull by the horns and act decisively. The stakes are too high to ignore it.