The Role of Internal Audit in Managing
Reputational Risk
Stephanie Donaldson
Head of Internal Audit
Merseytravel
Martyn Kenyon
Transformation Manager
Wigan Council
First question……….
Reputational Risk – Does it matter ?
Private Sector:
Reputation impacts upon………..
• Brand image
• Public confidence in the company
• Public confidence in their products
• Willingness to trade with them
•  profitability
•  dividends, share prices,
•  business success (or failure)
Basically…….reputation is everything!
……and to prove it…….
Dave Carroll v. United Airlines (2009)
•
•
•
•
•
United stock dropped in value by $180m (10%)
Guest appearances on TV
1m youtube hits in 4 days
14,638,773….. to date!
“The Power of One Voice in the Age
of Social Media”
http://www.youtube.com/watch?v=5YGc4zOqozo
Additionally………….
Greenpeace Campaigns:
Strategy is to cause the organisation to fear for damage to its reputation,
through publicising “unethical” practices”
Ethics and profitability are sometimes in direct conflict.
• Lego/Shell partnership https://www.youtube.com/watch?v=qhbliUq0_r4
• VW https://www.youtube.com/watch?v=R55e-uHQna0
• Asia Pulp and Paper / Mattel toys (esp Barbie )
https://www.youtube.com/watch?v=Txa-XcrVpvQ
Multi £m business decisions have followed these campaigns
And there’s more…………………..
RATNERS
So……
how does this translate into the public
sector ?
General Perception….?
Private sector = good  Public Sector = bad 
• Fuelled by media, central government
• Bad news stories “confirm” innate prejudices
• Provides a convenient scapegoat when things go wrong?
How long has this been the perception ?
• Is it true ?
• Does it matter ?
Consequences of poor reputation…………
• No continuity of administration (political uncertainty  poor member
/ officer relations )
• Resistance to Council Tax collection
• Problems with recruitment
• Low staff morale lower productivity and lower quality of services
• Public Reluctance to engage in:
– Recycling
– Community ventures
• Low levels of pride in area  litter, graffiti, arson, anti social
behaviour, disaffected communities
• Claims, litigation
• Lack of Inward investment (M&S, IKEA, other major employers)
WORKSHOP
What can internal audit do about it ?
Reputational Damage
An organisation’s actions need to be consistent with its public persona
Reputational damage arises when actual organisational strategies,
actions (or perceived actions) don’t align with the public image:
•
•
•
•
•
•
Safety
Ethics
Social Responsibility
Sustainability
Price
Integrity
….Difficult to Repair Damage
Reputation: How to lose it?
1.DIRECTLY
As a direct result of the actions of the organisation
2. INDIRECTLY
Through the actions of an employee or employees
3.TANGENTIALLY
Through external parties, such as joint venture partners or
suppliers
Does your organisation have a
consistent approach to addressing Reputational Risk?
Is Reputational Risk included in the Risk Register?
1. Identify scenarios where reputation may be significantly impacted
2. What underlying events may lead to this scenario?
3. How to prevent or mitigate this damage:
•
•
•
•
•
Roles & Responsibilities
Actions (before & after)
Monitoring Arrangements
Internal Communication
Culture
WHAT ARE OUR TOP 5 REPUTATIONAL RISKS?
1
SERIOUS CASE REVIEW
2
ADVERSE MEDIA REPORTS
3
SIGNIFICANT FRAUD
4
CONDUCT OF ELECTED
MEMBER / SENIOR OFFICER
5
QUALIFIED ACCOUNTS
Considerations when
Auditing Reputational Risk
Not straightforward – Complex risk environment
What is the public perception?
Media & Social Media – Double-edged sword
Reputational risk is not always borne from a single
event – aggregation of other risks (often long-term)
5. How robust is the internal control environment?
6. Culture of the organisation
7. Scale / impact
1.
2.
3.
4.
Some questions to ask…..
Strategy:
• What elements of our image are most important? (internal +external)
• How could the organisation’s image be damaged / improved ?
• What’s the culture and morale of the organisation ?
• What image to we want to project to employees and the public ?
• Does our Communications strategy adequately address these ?
Putting Strategy into practice:
• Do Senior Managers and members “walk the walk” ?
• Do they regularly reinforce the key messages ?
• How do they do this ? How does it relate to other (high profile / high
image orgns.)
• Are these efforts reflected in the results of staff and public surveys ?
Reputation Toolbox
•
•
•
•
•
•
How do we use (and control) social media?
Do we have an effective Code of Conduct?
Adequacy of Whistleblowing arrangements / culture?
How do we use the results of staff and public surveys ?
How effective are performance monitoring arrangements?
How robust are Business Continuity / Disaster Planning
arrangements?
• How do we protect / handle / share confidential & sensitive data?
• Other triggers / “warning lights”?
Conclusions
• Addressing Reputational Risk is complex and multi-layered
• Impact can be devastating, opportunity costs are huge
• Focus on the root causes / scenarios and the expected control
environment
• Business Continuity / Disaster Planning arrangements to mitigate
impact “if” / “when”.
• Managing the Media / Social Media - “putting the record straight”
• The REAL test is in levels of public and employee engagement
Given the scale and impact of this risk, where does it feature on
your audit plan ?
Thankyou!
Stephanie Donaldson MA (hons) CPFA
Head of Internal Audit
Merseytravel
Liverpool
Martyn Kenyon
Transformation Manager
Strategy and Transformation Team
Wigan Council
tel: 0151 330 1031
stephanie.donaldson@merseytravel.gov.uk
tel: 01942 827343 (ext 2343)
martyn.kenyon@wigan.gov.uk