Building trust: Reputation risk management in the banking industry

A review of 2023

2023 challenged firms to deal with an array of reputational risks and issues – many of which were controllable (i.e. internally‑led – think service outages, governance failures and greenwashing allegations), whilst others were less controllable (i.e. externally‑led – think inflation, cost of living and geopolitics).

Read any financial services Chairman or CEO’s letter in the foreword of an Annual Report and you will find several references to the challenges all firms are facing and critical need to navigate these to steer clear of controversies and crises.

Their message is clear. Customers' expectations continue to rise while tolerance of poor behaviour declines, making the operating environment with respect to reputation risk ever more fragile.
 

How can organisations mitigate reputational risks effectively?
 

A strong but flexible reputation risk management framework is one of the tools that Boards and senior management are utilising to protect trust in their brands and anticipate negative public reactions.

A reputation risk management framework is a systematic approach to governance and operational activity designed to identify, assess, monitor and report, and control potential events or situations that may have an adverse impact on an organisation’s reputation. It provides a set of guidelines and processes for effectively and efficiently managing risks that arise.

From our experience working with financial institutions, and from interviews held with several reputation risk leaders at large banks, the most effective reputation risk frameworks:

1. actively challenge business decision-making and strategy – without seizing ownership of the risk;
2. constructively provide an ‘outside in’ perspective – bringing together a range of external and internal stakeholder perspectives; and
3. develop intelligent and actionable insights – to enable senior management and the Board to make risk-intelligent decisions.

This enables constructive and open dialogue within an organisation, where resources are focused primarily on identifying and understanding emerging reputation risks, taking appropriate action to maintain and build the trust of stakeholders, and informing business decision making.
 

How can firms improve their reputation risk management frameworks?
 

Now that we’ve outlined the growing importance of reputation risk management frameworks, we’ll discuss how the banking industry can improve them. At Deloitte, we benchmark Financial Services firms around their reputational risks and can see common themes and areas of challenge.

Our benchmarking assessment, which uses the reputation risk pillars detailed below, provides firms with an objective review of how their framework is running. We take insights from across the business, coupled with our understanding of industry best practice and provide a concise view about what is working well and where improvements are needed.

Our primary observations – and recommendations to teams managing their firm’s framework – are:

Governance and strategy

Understand and embed ‘pillars of reputation’

Firms deploy policies and standards to document, contextualise, and disseminate the firm's position on various issues (such as social media use, sponsorship, sensitive sectors, and customer/client management). These policies are typically clearer about what the firm is ‘against’ or should avoid, rather than what it stands ‘for’ reputationally or aims to achieve.

Recommendation:

Embed a limited number of core values – or ‘pillars of reputation’ – against which the reputation risk management framework can be designed. Pillars of reputation define what a firm wants to be known for in the market (aligned to the firm’s strategy). Once this is clear, it becomes easier for all colleagues to identify, escalate, assess and make decisions against potential reputation risks.

Structure and organisation

Ownership of reputation risk vs. the role of oversight

Firms have established frameworks owned and managed by different parts of the business (primarily risk, compliance or corporate affairs). Where the framework is primarily managed can drive different behaviours. Risk-led frameworks are often stronger on reporting and measurement. Communications-led frameworks typically focus more on identification, escalation and mitigation activity.

What matters most is the ‘outcomes’ that the framework delivers for the firm, rather than where it is managed. Ultimately, the framework must be clear: it is for the business area that initiates the activity to own, monitor, and manage the reputation risk associated with that activity – with support from other functions such as communications, legal, risk, and compliance to reach an acceptable position on behalf of the firm.

Recommendation:

Having a tightly defined and well understood operating model, with clear roles and responsibilities, lines of escalation, reporting cadence – and importantly senior management sponsorship – will all support a strong framework.

Clarity of structure instils confidence that the firm will spot and mitigate the important reputation risks. All the while engaging the wider business through awareness and training and providing senior management with sufficient oversight of key reputation risks, so they can instigate and drive change in the business, where necessary.

Culture and leadership

‘Outside in’ perspective

Building reputational resilience requires an organisation to be responsive to external perceptions, to challenge self-limiting behaviours, to build brand capital and reserves, and maintain trust and dependability. Communications-led frameworks (or those with strong communications involvement) are typically more sensitive to the need for an outside-in view, given their closer engagement with external stakeholders.

The frameworks that best demonstrate the value added (or protected) do so through engaging and leveraging broad colleague experiences, whilst avoiding a ‘tick-box’ compliance-focused approach. This strengthens the framework and fosters the ‘pull’ factor, where the frontline business actively seeks advice and input from those colleagues, rather than perceiving internal consultation as an additional hoop to jump through.

Recommendation:

Organisations should seek to incorporate external perspectives into their reputation risk management frameworks wherever possible (particularly within the assessment and decision-making phases of the lifecycle). This can be achieved through engaging and leveraging the expertise of the organisation’s network of ‘stakeholder communicators’ (e.g. communications/ corporate affairs, regulatory affairs, customer experience/client relationship managers).

Identification and assessment

Escalation and decision making

Keeping pace with business

Reputation risk escalation and decision-making processes must but often fail to keep pace with the fast-paced nature of the financial industry. Organisations may struggle with this if frameworks are rigid and static (e.g. weekly or monthly standing agendas, paper-based assessment forms). Agile and well-embedded escalation routes (e.g. approved email routes, technology-based solutions) work better and enable the business and central teams to collaborate with the necessary input from experts to reach a decision within an acceptable timeframe.

Recommendation:

Tooling and digitisation of escalation and decision-making processes is the ideal solution to avoid burdensome paper-based form-filling. Digitising assessment and escalation routes standardises these processes, provides a consistent documentation trail and ultimately leads to better and clearer decisions – assuming that all parts of the business are engaged and embedded within the tech-enabled solution.

Measurement and reporting

Measurement and reporting Reporting should be insight-led, not event-led

Firms have established regular (typically quarterly) reputation risk reporting to senior management. Reporting often summarises media coverage (and stakeholders' subsequent reaction) and tracks the ‘live’ reputation risks identified, escalated, and assessed within the reputation risk framework. There is no silver bullet metric for reputation, so data must be synthesised using a range of data points and collated to provide a holistic (albeit imperfect) view of the firm’s reputation and its material risks.

Recommendation:

The most effective reporting provides insights of reputation risk trends and, importantly, enables the business to consider how it may need to adjust and adapt. Gathering data points from across the stakeholder landscape gives a more rounded view of the firm’s reputation. As the firm gathers data over time it will be able to see trends and provide clearer insight to senior management about how reputation issues affect stakeholder sentiment. This will help inform where additional effort or investment is required to address any gaps.

A look ahead to 2024
 

Financial Services firms, and the wider corporate sector, will continue to be challenged reputationally into 2024.

In line with our colleagues in the European Centre for Regulatory Strategy, we have identified short term challenges and ongoing structural changes which firms will have to deal with in the near future and over the medium term.¹

In the short term, firms will have to contend with maintaining their own financial and operational resilience, as well as supporting their customers, clients and counterparties in the ongoing challenging macro-economic conditions. Firms will need to continue to support all, but particularly vulnerable, customers while keeping the taps open and the lights on. Stakeholder expectations are unlikely to diminish so establishing and maintaining the external perspective will be critical.

In the medium term, geopolitics, economic, social and governance (ESG) and technological innovation will continue to throw up challenges and opportunities for firms’ reputations.

• Geopolitics: In 2024, there is a greater risk even than in 2023 that geopolitical tensions fragment the global economic landscape. Unforeseen (e.g. escalation in the Middle East) and foreseen catalysts (e.g. global election cycles) may drive geopolitical fragmentation and other prudential risks, altering the operating environment (e.g. regulatory divergence, supply chain de-risking). This will require banks to continually react and respond, with the correspondent challenges that will generate for teams managing and shepherding their firms’ reputations.²
• ESG and climate change: The regulatory and supervisory agenda for climate is consistent, but the politics of sustainability is becoming increasingly complex and fractured (for example, the challenge US banks have encountered in American states). The political impetus behind long-term measures in support of net zero could recede, and could make compliance with current rules more difficult and reinforce the importance of having proper climate risk management practices in place. All the while stakeholder pressure to implement sustainable practices remains strong as businesses edge ever closer to their Net Zero and other commitment deadlines.
  
• Technological innovation: Technology, particularly AI, remains an opportunity and a risk for firms. There is potential for short‑ and medium-term cost‑efficiencies, but also there are risks associated with the application – and funding of – artificial intelligence in financial services.
   

Regulatory pressure
 

There are currently limited formal references to reputation risk from regulators in the sector. The Financial Conduct Authority (FCA) primarily refers to reputation risk in relation to fraud, anti-money laundering and professional conduct. However, with the increased customer scrutiny and the politicisation of banking, pressure is building on regulators to implement new rules and guidelines on reputation risks. HM Treasury has announced new measures to protect customers’ freedom of speech, with other regulation that considers reputation risk expected to follow.³

Additionally, the likelihood of sanctions being implemented escalates in an increasingly polarised geopolitical world and the level of compliance expected can pose differing reputation risks.

About Deloitte’s Risk, Reputation, Crisis and Resilience team
 

Helping clients navigate complexity

Our practice has the world’s largest fully-dedicated team of consultants in crisis and resilience, enterprise risk and communications and reputation management. Deloitte is a partner for firms looking to develop their reputation risk management frameworks, using our experience working across sectors supporting organisations to prepare for, respond to and recover from crises and high impact reputational events.

We support organisations in the spotlight navigate the most complex communications challenges. This includes communications through change, which helps clients communicate and engage with stakeholders as they deliver major programmes – including transformations, special situations and major corporate announcements. We work closely with senior leaders and corporate affairs teams to understand and build reputation. We also support clients to communicate effectively in crisis and respond to reputational issues that impact their license to operate or grow.

If you would like to discuss any of the topics covered in this article, please contact us.