IBM professor of regulation and competitive practice, Kellogg School of Management
Daniel Diermeier, the IBM Professor of Regulation and Competitive Practice at the Kellogg School of Management, is one of the country’s leading experts on managing reputational risk. Originally trained as an applied game theorist, Diermeier’s teaching and research focus on the interaction of business and politics, crisis leadership and reputation management. His most recent book, Reputation Rules: Strategies for Managing Your Company’s Most Valuable Asset, explains how companies can integrate reputation management into their culture before disaster strikes. Diermeier has advised many of the world’s leading companies and institutions, including the FBI, Ernst & Young, Johnson & Johnson, Kraft, McDonald’s, Shell and others.
Reputational risk wasn’t something you heard a lot about several years ago. Why is so much attention being paid to it now?
To me, the watershed events that changed the thinking for many people occurred in 2010. Within two or three months, you had a crisis at Toyota over unintended acceleration of its cars, Goldman Sachs being sued by the SEC, and the BP oil spill. What was so striking about these three cases was the effect on the market cap. BP at one point lost 50 percent of its market cap, about $90 billion. So with those types of numbers, you get the board members’ attention.
And these were not just some rickety companies that nobody had ever heard of. These were the absolute category leaders in their industry. So you couldn’t dismiss these events as one-offs, or the result of incompetence or unethical behavior, like in the case of Enron. These events were affecting the most successful and admired companies in the world. And even they were unable to handle it. That got everybody’s attention.
We used to think of reputation management as somebody in the communications department running a few ads. But that’s over. Reputational risk is now on the agenda for executive committees, and it’s definitely on the board’s agenda.
Where do reputational risks come from these days?
They can come from anywhere. It can be a marketing issue, it can be a safety issue, it can be a data privacy issue. It’s scary for businesses. You now have to think that literally everyone, from the guy who’s in building maintenance to the CEO, can play a role in enhancing or destroying a company’s reputation. The reputational risk for every significant company is considerably higher than it was five to 10 years ago. Yet the capability to manage that risk has not kept up.
What’s driving increased reputational risk for companies?
Number one, it’s so obvious, but I still have to say it, is the rise of social media. Another big factor is the unintended consequences of globalization and outsourcing. You have these complex supply chains, and you don’t control as much of your business process as you used to. You’re less likely to find out if there’s a problem, and if there is a problem, it’s more difficult to manage. Then add the global dimension, which means you have to deal with cultural issues and different regulatory environments. The bottom line is that you can outsource legal and operational risk through outsourcing contracts. But you cannot do the same thing with reputational risk. You believe you’re protected by putting all of these conditions into a contractual agreement, but when there’s a problem, it ends up at your doorstep.
Are consumer expectations also playing a role in increased reputational risk for companies?
What has happened is that in addition to the brand promise, which will always be there, we now have high expectations about what I would call background processes or business processes that are not part of your brand, but are there to keep the ship running. IT security is a great example of that. For example, nobody ever went to Target because of its superior data protection. The value proposition of Target is that it’s convenient, affordable and has a great selection. Now you have this data breach and it’s the biggest crisis in the history of the company. That’s the thing that companies have to understand. They’re not only being held accountable for the promises that they make, but also for the expectations that people have, even if those expectations are unrealistic.
How did we come to expect so much of our companies?
One of the few really sustainable sources of competitive advantage is brand and reputation. And that is fundamentally based on trust. So you constantly tell people that you should trust them, and they do. And what happens, of course, is that customers have very high expectations. That’s what these brand-based strategies are all about. We’re no longer saying, ‘We’re selling you insurance.’ We now say, ‘We’re selling you peace of mind.’ Well, selling peace of mind is a pretty high standard.
So companies that live by the brand, die by the brand. Consumers want companies to have sustainability policies, responsible labor standards and animal welfare policies. We expect more and more for companies to self-regulate, and take on many of the traditional roles of government.
How has the CIO’s role changed with respect to managing reputational risk?
I think we’re entering chapter three in the history of the chief information officer. Chapter one was the guy in the basement that made sure the lights were on. That chapter ended about 15 years ago. Then in chapter two, chief information officers became strategically relevant; they had to demonstrate business value and become part of the discussion at the C-suite level. Now we’re in chapter three, where CIOs have to deal with enterprise-wide strategic risks. CIOs are now connected with what makes the business the business.
What kind of new skills does that require?
The first thing CIOs need to understand is that the risks and consequences of their actions go beyond technology. If all of my Web sites go dark for an hour because of an IT error and my customers are first responders like police departments, this is a huge reputational risk for my company. It becomes a bigger reputational risk if my brand is based on operational excellence.
So CIOs have to think of things not only from a technology point of view, but also from an operational and reputational point of view. If system performance isn’t what it should be, what are the consequences for reputational damage? That means they have to think of reputation management as an enterprise capability rather than as a specific function. What the CEO really wants is for the CIO to identify the risks. Then you’re really hitting gold.
What’s your advice to companies that find themselves in a crisis that puts their reputation at risk?
There is a tendency for companies in a crisis to immediately focus on trying to resolve the problem. The trouble with that approach is that any crisis of even moderate-sized complexity will take weeks to figure out, especially in the IT area. The window of how long people pay attention to you during a crisis is usually just a day or two. So when I work with boards or executive teams, we work on techniques and tools that help establish trust during the time when people pay attention. How company managers conduct themselves will determine how the company is going to be perceived by customers, partners, vendors and business partners in the future.
This stuff is not easy. People sometimes say, ‘Just do the right thing.’ Well, no. There are a whole bunch of biases that executives have to overcome. When I work with executive teams, I typically tell them, ‘If you trust your gut in a crisis, you will go over the cliff.’