Oxfam scandal – seven vital steps to manage reputational risk

Reputation in mud

The Oxfam story must be a warning sign to risk managers

As Oxfam finds itself engulfed in crisis due to the actions of its employees, we take a closer look at the consequences of reputational damage. Following sexual misconduct claims against the charity’s staff dating back to 2011 in Haiti, Oxfam is scrambling to contain the crisis, with the UK government threatening to cut its funding of over £30m. The charity must now demonstrate to the government that it has “moral leadership” to stand any chance of retaining any of the funding.

This is not the only high-profile scandal that has shaken a once-reputable organisation. In September 2017, Mrs Thatcher’s favourite PR firm, Bell Pottinger, entered into administration on the back of a disastrous, well, PR campaign. The swirling scandal that brought down an industry giant started with a £100,000 per month contract to run a campaign in South Africa on behalf of the Guptas, a family-run business empire ensnared in the largest web of corruption and political intrigue since the end of apartheid.

Bell Pottinger began its campaign by fomenting discontent over “economic apartheid,” the idea that racial injustice in South Africa has simply been replaced with economic injustice. However, this campaign increasingly became about deflecting attention away from the actions of the Gupta brothers.

If reputational risk is not already one of the top five things on your risk management system, it should be now. A good reputation can take a lifetime to build and sometimes just seconds of a viral video to destroy. While many institutional-level companies can and do weather harsh PR storms, they often need to pour resources into image-boosting campaigns and crisis management operations to steady the ship for many years after.

Dealing with the fallout from reputational risk is expensive, damaging and, as Bell Pottinger has shown, potentially fatal. So what can senior executives and risk managers do to mitigate these risks? VinciWorks’ risk experts have identified seven vital steps to mitigate reputational risk.

The seven vital steps to mitigating reputational risk

1. A strong board that pays attention

Risk management has to start at the board level. Without executive champions and a top-level commitment to getting things right, a risk-ready culture can easily seep in and undermine whatever other measures have been put in place. From the Chair to the CEO, risk has to be a standing agenda item, not an excuse for a coffee break.

2. Assess potential risks in light of the business strategy

This means taking stock of risks in light of the business strategy. If, for instance, one of your key strategic goals is to double your turnover, you need to consider the entire arena of risks connected to that, from the risks if you don’t meet that target to the risks if you do meet it, or even exceed it. Or, like Bell Pottinger, the manner in which you operate could be so damaging that, if exposed, it would destroy your company.

3. Live up to your brand

Telling your business story is not just a job for the marketing department. Everyone, from the board to the cleaners, needs to understand the image and brand, and ensure they live up to the story they are trying to tell. Establishing accountability means living up to the story you tell yourself. Talking about integrity and values while consistently falling short can cause institutional cognitive dissonance that can lead to a collective blind eye to potentially damaging actions.

4. Don’t reward excessive risk

In a recent VinciWorks survey on the risks of tax evasion, one in ten legal and financial firms admitted to having a bonus structure that rewards excessive risk taking. Corporate culture is often shaped by the most successful employees; so if everyone knows your best paid workers are those flying by the seat of their pants, this behaviour will be seen as not only acceptable, but the only way to get ahead.

5. Compliance is everyone’s responsibility

Compliance management is becoming increasingly easy and automated, with incident registers, online training and live policy trackers to inform and test staff on how well they know company policies. There’s little excuse today for any company to say that making compliance a priority is too hard. The bottom line is that better compliance leads to fewer risks across the board.

6. A risk management system that works

Enterprise risk management systems have revolutionised the entire concept of risk management. Coming up with control measures and assigning responsibility is a hallmark of an effective system. The best systems can even send automated emails to those assigned as owners of a risk, making sure they deal with their responsibility. Just shoving everything on a spreadsheet and hoping for the best is no longer an option.

7. Have a rapid response plan ready to go

Your business must be able to measure and deal with risk velocity. This is the time it takes for a risk to impact your business. Something like poor customer service could, over time, dent your reputation as more and more people complain about the poor service they’ve received. While this is a very real risk that could significantly impact your business, the velocity is quite low. However, something like an email leak, a breaking news scandal or a raid by the authorities has a very high risk velocity that can quickly damage your reputation. The second there are TV cameras outside your offices, there isn’t time to sit down and have a planning meeting. High risk velocity events require rapid responses.

VinciWorks’ Risk Management System

A dynamic incident reporting system such as VinciRisk’s Omnitrack is essential to a well-functioning risk management system. It helps to store data in one place, as well as track and manage it in real time. A risk system is far more than a static document that’s written, passed around, and never looked at again. To be effective, it must be live, dynamic, fit your business strategy and fit your way of working.

These steps will help get you started in managing risk in your organisation. VinciWorks has an extensive risk management system and world-leading expertise that can help your risk management department easily identify, log, track and mitigate risk. For more information and consultation, contact us below.

 

How are you managing your GDPR compliance requirements?

GDPR added a significant compliance burden on DPOs and data processors. Data breaches must be reported to the authorities within 72 hours, each new data processing activity needs to be documented and Data Protection Impact Assessments (DPIA) must be carried out for processing that is likely to result in a high risk to individuals. Penalties for breaching GDPR can reach into the tens of millions of Euros.
