The Role of Internal Audit in Managing Reputational Risk

Stephanie Donaldson, Head of Internal Audit, Merseytravel
Martyn Kenyon, Transformation Manager, Wigan Council

First question……….
Reputational Risk – Does it matter?

Private Sector: Reputation impacts upon………..
• Brand image
• Public confidence in the company
• Public confidence in their products
• Willingness to trade with them
• Profitability
• Dividends, share prices
• Business success (or failure)
Basically…….reputation is everything!
……and to prove it…….

Dave Carroll v. United Airlines (2009)
• United stock dropped in value by $180m (10%)
• Guest appearances on TV
• 1m YouTube hits in 4 days
• 14,638,773….. to date!
• “The Power of One Voice in the Age of Social Media”
http://www.youtube.com/watch?v=5YGc4zOqozo

Additionally………….
Greenpeace Campaigns:
Strategy is to cause the organisation to fear for damage to its reputation, through publicising “unethical” practices.
Ethics and profitability are sometimes in direct conflict.
• Lego/Shell partnership https://www.youtube.com/watch?v=qhbliUq0_r4
• VW https://www.youtube.com/watch?v=R55e-uHQna0
• Asia Pulp and Paper / Mattel toys (esp. Barbie) https://www.youtube.com/watch?v=Txa-XcrVpvQ
Multi £m business decisions have followed these campaigns.

And there’s more…………………..
RATNERS

So…… how does this translate into the public sector?

General Perception….?
Private sector = good
Public Sector = bad
• Fuelled by media, central government
• Bad news stories “confirm” innate prejudices
• Provides a convenient scapegoat when things go wrong?
How long has this been the perception?
• Is it true?
• Does it matter?

Consequences of poor reputation…………
• No continuity of administration (political uncertainty poor member / officer relations)
• Resistance to Council Tax collection
• Problems with recruitment
• Low staff morale lower productivity and lower quality of services
• Public reluctance to engage in:
  – Recycling
  – Community ventures
• Low levels of pride in area litter, graffiti, arson, anti-social behaviour, disaffected communities
• Claims, litigation
• Lack of inward investment (M&S, IKEA, other major employers)

WORKSHOP
What can internal audit do about it?

Reputational Damage
An organisation’s actions need to be consistent with its public persona.
Reputational damage arises when actual organisational strategies, actions (or perceived actions) don’t align with the public image:
• Safety
• Ethics
• Social Responsibility
• Sustainability
• Price
• Integrity
….Difficult to Repair Damage

Reputation: How to lose it?
1. DIRECTLY: As a direct result of the actions of the organisation
2. INDIRECTLY: Through the actions of an employee or employees
3. TANGENTIALLY: Through external parties, such as joint venture partners or suppliers

Does your organisation have a consistent approach to addressing Reputational Risk?
Is Reputational Risk included in the Risk Register?
1. Identify scenarios where reputation may be significantly impacted
2. What underlying events may lead to this scenario?
3. How to prevent or mitigate this damage:
• Roles & Responsibilities
• Actions (before & after)
• Monitoring Arrangements
• Internal Communication
• Culture

WHAT ARE OUR TOP 5 REPUTATIONAL RISKS?
1. SERIOUS CASE REVIEW
2. ADVERSE MEDIA REPORTS
3. SIGNIFICANT FRAUD
4. CONDUCT OF ELECTED MEMBER / SENIOR OFFICER
5. QUALIFIED ACCOUNTS

Considerations when Auditing Reputational Risk
1. Not straightforward – Complex risk environment
2. What is the public perception?
3. Media & Social Media – Double-edged sword
4. Reputational risk is not always born of a single event – aggregation of other risks (often long-term)
5. How robust is the internal control environment?
6. Culture of the organisation
7. Scale / impact

Some questions to ask…..
Strategy:
• What elements of our image are most important? (internal + external)
• How could the organisation’s image be damaged / improved?
• What’s the culture and morale of the organisation?
• What image do we want to project to employees and the public?
• Does our Communications strategy adequately address these?
Putting Strategy into practice:
• Do Senior Managers and members “walk the walk”?
• Do they regularly reinforce the key messages?
• How do they do this? How does it relate to other (high profile / high image orgns.)
• Are these efforts reflected in the results of staff and public surveys?

Reputation Toolbox
• How do we use (and control) social media?
• Do we have an effective Code of Conduct?
• Adequacy of Whistleblowing arrangements / culture?
• How do we use the results of staff and public surveys?
• How effective are performance monitoring arrangements?
• How robust are Business Continuity / Disaster Planning arrangements?
• How do we protect / handle / share confidential & sensitive data?
• Other triggers / “warning lights”?

Conclusions
• Addressing Reputational Risk is complex and multi-layered
• Impact can be devastating, opportunity costs are huge
• Focus on the root causes / scenarios and the expected control environment
• Business Continuity / Disaster Planning arrangements to mitigate impact “if” / “when”
• Managing the Media / Social Media - “putting the record straight”
• The REAL test is in levels of public and employee engagement
Given the scale and impact of this risk, where does it feature on your audit plan?

Thank you!

Stephanie Donaldson MA (hons) CPFA
Head of Internal Audit
Merseytravel, Liverpool
tel: 0151 330 1031
stephanie.donaldson@merseytravel.gov.uk

Martyn Kenyon
Transformation Manager
Strategy and Transformation Team, Wigan Council
tel: 01942 827343 (ext 2343)
martyn.kenyon@wigan.gov.uk