According to Fitzsimmons and Atkins (2017), reputation is “the sum total of how your stakeholders perceive you” and reputational risk is “the risk of failure to fulfil the expectations of your stakeholders in terms of performance and behavior”. Fitzsimmons and Atkins assert that failure to fulfil the expectations of performance falls within Enterprise Risk Management (ERM), and failure to fulfil the expectations of behavior falls within Classical Risk Management (CRM). The issue here is that, from a practical perspective, it is impossible to separate performance and behavior, since they are unquestionably linked. Importantly, this linkage is influenced by three important traits: emotion, attitude and personality. Consequently, the management of reputation can be confusing, complex and extremely difficult. Hence, reputational risk for the corporation and stakeholders is a constant dilemma to control and mitigate.
Due to the aforementioned, and the strong impact of reputation on corporate sustainability or stakeholder continuity, I argue that reputational risk is an independent matter of effective governance rather than being included in ERM or CRM. Therefore, accountability for the management of corporate reputation and reputational risk falls within the highest level of the corporation, that being the board or the business owner. I further argue that an effective and essential tool for the board to manage reputation/reputational risk is the Code of Conduct.
The Code of Conduct is defined as a guideline for required behavior, compliance (i.e., law and prohibited behavior) and accountability for both the individual and the corporation (see Nijhof, Cludts, Fisscher & Laan, 2003). It is considered an instrument for enhancing corporate social responsibility and/or complying with environmental, social and governance (ESG) factors. The last two aspects are possibly the reason why the code of conduct is usually written in relation to guidelines of corporate social responsibility and ESG factors, because from a corporation's standpoint compliance with these aspects will control and mitigate reputational risk. Nevertheless, I contend that this corporate position will increase the possibility of reputational damage rather than mitigating it, since it is a very limited view, which is missing important genuine and authentic corporate idiosyncrasies and values and also lacks guidelines for emotion, attitudes and personality conduct. I can confirm from experience and research that not fulfilling the expectations of performance and behavior is influenced not only by values and idiosyncrasy but also by emotion, attitude and personality. Subsequently, controlling and mitigating risks related to reputation is complex and difficult.
To verify my point, I undertook a benchmark of the top two organizations in 2021 listed at the Dow Jones, NASDAQ, London Stock Exchange and Australian Stock Exchange as shown in Table 1. The results of my analysis demonstrate that organizations design their codes of conduct primarily in relation to corporate social responsibility, compliance and accountability. Nevertheless, only two organizations include comprehensive aspects related to ESG factors, those being HSBC and CSL. In terms of corporate idiosyncrasy and values (i.e., culture), the majority of corporations incorporate important aspects of culture, and to my surprise climate, in their codes of conduct. For example, corporations such as Microsoft, HSBC, CSL and Westpac have included aspects related to trust and communication. Even better, two organizations provide a guideline for personality, those being American Express and Microsoft. Although the results are encouraging, a noticeable gap still exists: none of the eight corporations provides a guideline for emotion and attitude in its code of conduct. Consequently, the corporation (of any size) remains at risk of reputational liability due to potentially not fulfilling expectations of performance and behavior.
To better manage, control and mitigate reputational risk, I urge board members or business owners to re-design their codes of conduct so that they are exhaustive, including the many variables that could affect performance and behavior, particularly emotion and attitude. The Microsoft Code of Conduct is possibly the strongest and most genuine code of conduct I have reviewed, yet it is not comprehensive enough: the code lacks emotional and attitudinal guidance.
If the code of conduct is sufficiently thorough and genuine to mitigate and control reputational risk, the code cannot be disseminated in one or two sessions. Such sessions are normally undertaken during on-boarding, or when it is too late, such as when an investigation is under way. The Code of Conduct has to be frequently communicated, and awareness should be provided on a weekly basis to board members, the executive team, senior management and operational staff. If these communication or awareness sessions are not occurring, this is an important risk factor that should be reflected in the risk register. Moreover, accountability falls not only to the risk officer, but also to the executive officer and the board.
In addition, if the code is not authentic, in that it does not reflect the culture and climate, does not specify emotion, attitude and personality assertively, and is not communicated by competent and experienced individuals, building awareness of the code of conduct can be extremely difficult. This could lead to greater exposure to reputational risk for the individual and the corporation but also, ironically, to not complying with corporate social responsibility/ESG factors.
Thank you for taking the time to read my article. I welcome any comments or queries you may have. Further, I am encouraged to discuss how I may work with you, your board and your corporation to design a robust code of conduct, and also to disseminate it and provide the right awareness for mitigating and controlling reputational risk. Have a happy week!
Table 1. Benchmarking Corporate Codes of Conduct