reputational risk in banks nibm lecture 220213

K. Ram Mohan, General Manager (Chief

Operations Officer)Punjab National Bank, Head Office:

New Delhi

The fragility of reputation“ It takes 20 years to build a reputation and five minutes to ruin it. If you think about that, you’ll do things differently “

“Our assets are our people, capital and reputation. If any of these are ever diminished, the last is the most difficult to restore.” (Goldman Sachs Business Principles)

Reputational Risk in Banks: Agenda

1. Reputation, Its Attributes , Importance & Value to firm

2. Reputational Risk: Definitions, Reputational Risk Capital, Case Studies, Examples & Surveys

3. Reputational Risk Measurement: Broad Qualitative & Quantitative Measures

4. Reputational Risk Assessment framework of PNB

5. Assessment/Evaluation (Off-site & On-site) of Reputational Risk by Regulator: Important Points to consider

6. Reputational Risk Management7. Case Study of a Better managed

Reputational Risk

“The beliefs or opinions that aregenerally held about someone orsomething

A widespread belief that someoneor something has a particularcharacteristic”

Compact Oxford English Dictionary

Reputation

It is : an intangible asset not a brand the sum total of all stakeholders’ experience public information regarding an organization’s

trustworthiness

It also assures: premium value growth opportunities to shareholders

(value growth resulting from managerial experience, innovation, intellectual property)

continued comparative advantage

What is Reputation

• Customers• Suppliers• Investors• Advocacy groups• Regulators• Policymakers• General public

Reputation = judgments and perceptions of others

Reputation is “owned” by stakeholders

Stakeholders’ perceptions develop via three channels

• Direct experience with the company• What others say about the company (online and off)• What the company says about itself (marketing, PR,

exec comments, etc.)

Attributes of Reputation

Importance of Reputation to Stakeholders

Employees: Are more loyal to a company with goodreputation.

Investors and business partners: Will take risk in acompany that they can thrust based upon its

reputation. (More than 90% think about reputation ininvestment decisions: 40% care about reputation, 50%care partially). Lawmakers and regulators: Reputation can help

lessen the legal burden on a company. Public at large: Preserve ―social license to operate

Customers and Depositors: Support loyalty to company

Competition: Barrier to entry

Information asymmetry

Outsiders don’t know as much about a company asinsiders, so a good reputation alleviates and allows

customers to make a choice

Important for all companies but crucial and vital tobanks as our relationship is solely built on

faith/trust. More important in a period of rapid changes, globalization, internet blogs, activism, mass media.

Importance of Reputation and Trust

Positive reputation yields measurable value

- Strong brand loyalty- Returning high value customers- Lower employee turnover- Easier recruitment of high-caliber employees- Higher investor confidence- Positive regulatory environment- Lower costs of capital

A company highly regarded by its stakeholders is more likely to enjoy:

The risk: Negative reputation exacts a measurable penalty

- Increased customer churn- Elevated customer acquisition costs- Higher employee training costs- Regulatory constraints- Increased cost of capital- Lower investor confidence- Increased vulnerability to competitors

A company viewed with distrust and outrage by its stakeholders is more likely to suffer:

Reputation: Penalty or Advantage?BP Stock Price vs. DJIA: 2007-2012

Reputation: Penalty or Advantage?Apple Stock Price vs. DJIA: 2007-2012

Banks may encounter various issues that could significantly harm or even destroy their brand name in a short period of time.

Some of the important factors which may lead to same: Adverse regulatory reports and sanctions Continued decline in share price Consistent unfavorable ratings Increased incidences of fraud Sudden change of management; no succession planning Public perception of organization’s standards drop Actions that result in stakeholders lose of trust and confidence

How can Reputation be Tarnished?

Reputational Risk While building and maintaining a solid reputation is

important for all types of organizations, it is especially important for financial institutions / Banks.

It could be argued that protecting reputation is the most significant risk management challenges that boards of directors face today.

As for ladies in Victorian times, the reputation of a bank is both its most important asset and the asset that is most difficult to recover once it is lost.

While expectations of women’s virtues have nowadays relaxed a bit, those of the virtues of financial institutions have hardened to the point where the value of a bank’s reputation is practically impossible to underestimate.

Reputational Risk: Regulatory Definitions

FSA(UK): The risk that the firm may be exposed to negative publicity -Trust - about its business practices or internal controls – Actions -, which could have an impact on the liquidity or capital of the firm or cause a change in its credit rating. -Affecting its stakeholders-.

US Federal Reserve(2004): “Reputation risk is the potential loss that negative publicity regarding an institution’s business practices, whether true or not, will cause a decline in the customer base, costly litigation, or revenue reductions (financial loss).

HKMA: “Reputational risk” means the risk that an Institution’s reputation is damaged by one or more than one reputation event, as reflected from negative publicity about the Institution’s business practices, conduct or financial condition.

Such negative publicity, whether true or not, may impair public confidence in the Institution, result in costly litigation, or lead to a decline in its customer base, business or revenue.

Reputational Risk: Regulatory Definitions

Basel Definitions The Basel Committee on Banking

Supervision (BCBS (2001)) defines reputational risk as “the potential that adverse publicity regarding a bank’s business practices and associations, whether accurate or not, will cause a loss of confidence in the integrity of the institution.”

In a more recent document, the Committee (BCBS (2009)) defines it as the “risk arising from negative perception on the part of customers, counterparties, shareholders, investors, debt-holders, market analysts, other relevant parties or regulators that can adversely affect a bank’s ability to maintain existing, or establish new, business relationships and continued access to sources of funding.

It is, perhaps, an indication of the difficulty of providing a rigorous assessment framework for reputational risk that the Basel II Accord, arguably the most important regulatory document on risk of the last decade, expressly takes reputational risk out of operational risk and does not mention it anywhere else in its 300+ page document.

Basel Definitions

Relationship between Reputational Capital and Risk

The fluctuating value of the company’s reputation has been termed reputational capital and calculated as the market value of the company in excess of its liquidation value and its intellectual capital.

It constitutes the residual value of the company’s intangible assets over and above its stock of patents and know how.

While “Reputational risk is defined as the range of possible gains and losses in reputational capital for a given firm. Source: The Reputation Institute

Reputational Capital Provides a platform from which other

investment opportunities may arise similar to R&D in this respect: Upside example: sound corporate citizenship

improves relations with constituency groups and provides a holistic approach to implementing strategy

Constituency groups are Community, Regulators, Customers, Partners, Employees, Investors, Activists, and Media

Difficult to quantify these gains but they exist Downside example: Loss of reputational capital

comes from these same 8 constituency groups; threats include rogue behavior by employees, defection by partners, and the threat of legal action by regulators

Reputational Risk- Opinions / Surveys

Reputational risk is regarded as the greatest threat to a company's market value, according to a study by PricewaterhouseCoopers and the Economist Intelligence Unit.

Reputational risk also overtook credit risk the most pressing issue facing bank audit committees, according to an annual survey released on February 27, 2007, by Ernst & Young.

Reputational risk a top concern for boards• 63% of directors see reputational risk as top concern…and concerns are growing

• Primary concerns cover product quality, liability, customer satisfaction• Secondary concerns: integrity, fraud, ethics• Three-fourths of directors seek broad-based risk assessment… and they want to know more

Third Annual Board of Directors Survey 2012 - Concerns About Risks Confronting Boards – EisnerAmp


Reputational Risk(52)

Regulatory Risk(40)

Human Capital Risk(40)

IT RISK(35)

Financial, Market, Credit and Insurance Risk(30)

Crime, security, political, natural hazard, FX, Terrorism, Country Risk(20)

Source: Economist IntelligenceUnit, 2005

Max Scale: 100


According to Economist Intelligence Unit(2005) survey,―52% consider reputation risk as a risk by itself, while48% consider it as a consequence of other risks likeoperational risk - people, process, systems and

external events - compliance and financial.

Appears that if first risks are more quantitativelyanalyzed - market, credit, operational … -

Reputational risk appears as a second tier risk -mostly within financial institutions - while it appears as

a risk of its own in the corporate world - like Hilton,Cruise companies where emphasis is on theirproducts/services -.

Reputational Risk: A Risk by itself or a

Consequence (Second tier )of Other Risks

Impact of Reputational Risk – Case Study

In the midst of the global credit crisis partly caused by the U.S. subprime mortgage meltdown, Northern Rock, Britain's fifth largest mortgage lender, had to be bailed out by the British central bank, the Bank of England.

The institution began as a small local lender in early 2001, but grew excessively in 2005 and through early 2007, primarily by relying on wholesale markets rather than retail deposits.

Northern Rock bundled its loans together and packaged them into bonds that it sold to investors around the world; however, as liquidity dried up this past summer in the U.S. and across the globe, it spelled disaster for Northern Rock.

When news leaked out that Northern Rock had approached the Bank of England to obtain emergency funding, customers reportedly withdrew Â£2 billion in one day.

Britain's first bank run in 140 years occurred despite the bank's solvency, the nation's strong economy, low interest rates, and low inflation.

Northern Rock became a victim of reputational risk.

Impact of Reputational Risk – Case Study

Scandals/Fraud: Arthur Andersen co. fell almost entirely due to its

damage to its reputation after Enron’s scandal in2002.

Interesting case in the field of reputation. Similar toBarings in the field of operational risk.

One year earlier in 2001, the Chief Executive wassaying: ―There is extraordinary power in our namebecause it stands for time-tested values, a unique

one-firm global operating approach and recognizedsuperior performance.‖

Other Examples – Financial Sectors

Fraud: KPMG paid 456 million dollars but escaped indictment that could have crippled the firm.Market Timing/Fraud in 2003/2004 at Putnam Investments Paid 4 million in fines.

Fired top management of international funds. Lost 14 billion of assets under management in a week (5%). Assets under management from 272 billion (03) to 192 (07).

Never recovered from institutional clients. Putnam sold to Great-West Life in Feb. 07 ending a history

dating back to 1937.

©Enterprise Risk Advisory, LLC 28

Other Examples – Financial Sectors

Safety Issue: Union Carbide chemical leak in Bhopal in 1984.

Environmental issue: Home Depot promising to stop selling woodfrom protected forests after Rainforest Group Action intervention,Exxon Valdez

Catastrophe: Concorde crash and impact on both Air France (lessimpact ) and British Airways (larger impact due to slow response).

Product Recall: Tylenol tampering scare in 1982 due to cyanide. Limitedimpact due to Johnson and Johnson quick responses in the

end. In fact, Johnson and Johnson has been rated top inreputation by Harris Interactive.

Perrier suffered longer from toluene traces found in its watersdue to lack of crisis management.


Examples – Non Financial Sectors

The Basel Committee is of the view that existence of assessment framework may help Board & senior management to better understand threats to reputation and to develop proactive reputation risk management plans in response.

Although the causes of reputational risk and its indicators appear to be quite straightforward, their assessments are not quantitatively possible as:- The Indications of reputational risk cannot be always

linked to the factors enumerated above, and Most of the indicators and the causal factors listed

above cannot be captured objectively and hence quantification is quite difficult.

Some of the broad factors (both qualitative as well as quantitative) are listed in the next slides:

Reputational Risk Assessment / Measurement

Complaints by all stakeholders act as an early warning system:Monitor and analyze trends.

Identify and monitor your company’s HOT SPOTS in relation to allyour stakeholders’ interests, particularly in periods of rapidchange. Ex. Organizational changes, new products/services.

Compliance/Audit functions. Are they proactively identifying andfollowing-up on issues?

Assess flows of risk information in the institution. Assess the link between compensation programs and desired

behaviours. Is reputation risk part of the new product approval process?

Is there a Code of Ethics? Reward ethical behavior? Penalizemisbehavior?

Evaluation of media coverage of companies Monitor internet blogs

20

Reputational Risk – Qualitative Measures

Measured as the market value impact of an event which is abovethe direct value of the event itself, the excess is qualified as the

reputational impact.

Ex. Federal Reserve Bank of Boston measured Reputationalimpacts of operational events: Internal Fraud: The market value impact was more than 6times the value of the internal fraud itself, which is due to lack

of control by the company and lack of confidence in actualmanagement.

Externally caused events: No reputational impact. Thus, seems to confirm the initial definition of reputation as

being based on ACTIONS by company. Fines account for less than 10% of total market value loss.


Reputational Risk – Quantitative Measures

Failures by companies that have a reputational impact have alasting financial effect on the market value of companies:

1/3 of financial analysts say that their evaluation of a companywill take into account the impact of a failure in reputation up to

3 years after the event. (Hill/Knowlton 2006 survey) Companies take up to 3 years to recover from a crisis that

affected their reputation. (Burson/Marstelle Market research)

Model developed by UK-Based OxFord Metrica calledValueReaction Model: Analyze impact of reputation crisis oncompany stock price. Will company recover from a crisis? Ifmanagement handles crisis badly, investors conclude thatmanagement cannot handle unexpected events.

Set up Loss Data Base of operational events and theirreputational impacts.

Scenarios modeling of major threats using expert judgment

23

Reputational Risk – Quantitative Measures

Reputation Risk: Model Quantitative Financialand non Financial Impacts of Damage: Factors

Stock Price decline

Run on the bank Decrease in business, decline in market share Ratings downgrade

Regulatory investigations, Penalties, fines Shareholders’ litigations Negative media coverage

Pressure groups and public opinion Employees and contractors resignations / withdrawals.


Reputational Risk Assessment Framework of PNB

Assessing reputational risk is not an objective process, rather it is a subjective assessment that could reflect a number of different factors.

The bank has attempted to create an Reputational Risk index which will provide the insight into the bank’s reputation risk status.

The bank’s reputational risk framework consists of 17 risk parameters selected after prolonged discussion by a group of risk experts

Each parameter has been categorized into different attributes depending on the severity of the occurrence of an event within the parameter.


After finalization of weights, simulation techniques have been used to generate distribution of all the possible scores.

In the absence of adequate data set, a methodology has been developed for generating total number of possible scenarios with the given parameters and their attributes.

Methodology developed to capture most representative distribution depicting all the scenario.

The distribution has been generated by assigning different probabilities to different attributes.


Graphically representation of the framework:

Resultant Loss Distribution

Score Bands of Risk Index The distribution matches with intuition that

distribution of the reputational risk shall be skewed as majority of the events will cause negligible or low risk but some events may lead to sudden increase in reputational risk

Based on this distribution total score has been divided into different score bands.

Based on this distribution total score has been divided into different score bands and different ratings.

Reporting & Action Points The Bank tracks the Reputational Risk Index on

regular basis and put up to the top management.

The increase or decrease in the overall scores is further analyzed granularly.

Score of each of the parameters are analyzed in detail and the concerned user divisions are advised to take corrective actions for improvement.

Assessment /Evaluation of Reputational Risk by Regulator

One of the most difficult tasks for regulators is to determine how to assess a financial institution's reputational risk.

Regulators may complete a risk matrix when conducting full-scope examinations.

To arrive at a composite risk rating for one of the risk areas, the following criteria may be used when assessing risk:

Level of inherent risk - High, Moderate, or Low Adequacy of risk management - Strong,

Acceptable, or Weak Trend or direction of risk - Decreasing, Stable, or

Increasing

Off-site examination by Regulator Regulators may review corporate press

releases, letters to shareholders, stock message boards, and stock analyst comments to gain an initial indication of reputational risk.

They may also consider: : whether an institution responds to the

customer concerns; Whether the stock analyst recommends

buying or selling and why; and what the shareholders, employees, or

general public are saying about the institution.

Off-site examination by Regulator Further, they may also

analyze the financial statements, review marketing plans & advertising

campaigns, consider whether the institution is growing

excessively and what types of risky products and services it is providing, if any.

They may also consider whether the institution is expanding outside its normal geographical area and is supportive of the community.

On-site examination by Regulator While on-site, Regulators may:

talk to both bank employees and management to get a sense for items like corporate ethics,

talk to Human Resources to determine whether a consistent message on the importance of ethics is being conveyed throughout the organization, and

consider whether the institution's risk management practices are strong and commensurate with the size and complexity of the institution.

assess whether an institution's expertise is adequate and controls are in place to oversee growth if the institution should engage in riskier products or enter into new business lines.

On-site examination by Regulator In addition, Regulators may determine

whether there are violations of consumer law. For example, Is the institution involved in unfair or

deceptive practices, such as charging excessive interest rates, or

Are there situations where the institution is overcharging its customers for accrued interest on loans?

Reimbursing consumers for these charges could be embarrassing and tarnish an institution's reputation.

Excessive violations could result in class action suits, civil money penalties, or other regulatory actions.

On-site examination by Regulator In the information technology area, where

reputational risk and operational risk go hand in hand, examiners may also measure board and management oversight from the top down. E.g. Is oversight adequate? Are policies and procedures tailored to the

institution, rather than boiler-plate? Are there adequate internal controls?

Lax oversight and controls leave an institution open to security breaches and employee theft, which again could result in unfavorable media attention and may damage the institution's brand name and reduce the public's confidence in the institution.

It is the current and prospective impact on earnings and capital arising from negative public opinion

It measures the change in perception of a company

It is linked with customer expectations regarding an organization’s ability to conduct business securely and responsibly

Reputational Risk Management

Key Goals of Management of Reputational Risk

Identify and minimize factors that could damage reputation (threats) and identify and exploit factorsthat could boost reputation (opportunities)

Identify gaps between stakeholder experience and

expectation and bridge them by: improving business

strategy/performance/behaviour and/or influencing stakeholder beliefs and

expectations so they are more closely aligned with reality and whatthe business can realistically deliver

Ensure processes are in place to enable the business to respond and ride out the storm if an unforeseencrisis hits (crisis management contingency plan)

Major Gaps in Management of Reputational Risk

Reputation literacy not on risk agenda

Risk literacy not on reputation

agenda

A dual approach to managing risk to reputation

As reputation is based on perception, notnecessarily reality, risks to both realityand perception must be actively managed

Reputation mustbe built both:

„inside-out‟Reputationand „outside-in‟

Spotting major „mismatches‟

Strategy vs expectations Performance vs objectives True intentions vs „spin‟Real vs published risk exposures Compliance „in letter‟ vs „spirit‟ Minimal disclosure vs transparencyProduct reality vs marketing claims „Easy-win‟ incentives vs stretching targets

Executive directors Non-executive directors Management Public relations Internal auditors Risk and insurancemanagers All other employees Business partners …All must play their part

in moulding and upholdingcorporate reputation

Make reputation risk management everybody’s business

Enterprise wide competence aligns organizational action

Management of Reputational Risk Internally

Maintaining timely and efficient communications among shareholders, customers, boards of directors, and employees

Establishing strong enterprise risk management policies and procedures throughout the organization, including an effective anti-fraud program

Reinforcing a risk management culture by creating awareness at all staff levels

Instilling ethics throughout the organization by enforcing a code of conduct for the board, management, and staff

Management of Reputational Risk Internally

Developing a comprehensive system of internal controls and practices, including those related to computer systems and transactional websites

Complying with current laws and regulations and enforcing existing policies and procedures

Responding promptly and accurately to bank regulators, oversight professionals (such as internal and external auditors), and law enforcement

Establishing a crisis management team in the event there is a significant action that may trigger a negative impact on the organization

In 2004, SunTrust Banks, a $180 billion financial institution headquartered in Atlanta, disclosed that due to an accounting oversight, it had to restate its corporate earnings.

Because of accounting errors, the bank had overbooked the allowance for loan and lease losses, and therefore underreported earnings, for the first two quarters of 2004 by approximately $22 million.

This led to a delay in the release of its third-quarter earnings statement.

Case Study of A Better Managed Reputational Risk

Within hours, SunTrust issued a press release announcing the accounting irregularities.

The release stated that its audit committee, with the assistance of an independent law firm, would begin a review and initiate lines of communication with independent auditors about the errors.

In short, the institution addressed the issue immediately, communicating openly with the public and its customers.


Within a month of the press release, the audit committee panel determined that the errors in the loan-loss data related to the auto loan portfolio were higher by approximately $25 million.

Loan loss calculation errors and false draft meeting minutes were also uncovered.

As a result, three credit administration division members, including the top credit officer, were fired, and a controller was assigned to another division.


Within a month of the press release, the audit committee panel determined that the errors in the loan-loss data related to the auto loan portfolio were higher by approximately $25 million.

Loan loss calculation errors and false draft meeting minutes were also uncovered.

As a result, three credit administration division members, including the top credit officer, were fired, and a controller was assigned to another division.

Less than two months later, the SEC launched a formal probe of SunTrust's accounting deficiencies.



Though this newsworthy event cast a negative light on SunTrust's reputation, overall it did not hurt the organization's franchise value.

Initially, the market and public perception were critical of the accounting issue, and SunTrust's shares fell 1.12% (less than $1 dollar to $69 per share);

however, because the organization's board and senior management were proactive in addressing the issue quickly, the stock price loss (and financial statement gain, in this case) was manageable, and reputational risk was controlled.

“The way to gain a goodreputation is toendeavour to be whatyou desire to appear “

Socrates, 469-399 BC

The concept isn’t new

“The way to gain a goodreputation is to

Socrates, 469-399 BC

Any Questions

If No Questions, then……

reputational risk in banks nibm lecture 220213

Economy & Finance