Elizabeth Carmichael

Elizabeth Carmichael is president of Carmichael Associates LLC. She formerly was director of compliance and risk management for Five Colleges Inc. She can be reached at [email protected]

Risk Insider: Elizabeth Carmichael

Reputational Risk – What Is It? Can We Manage It?

By: | October 25, 2016 • 2 min read

Reputational risk is a category unto itself in the enterprise risk management basket. Everyone knows what it means — it’s common sense, right?

Something bad happens and your company or institution gets trashed in the press or on social media. There could be some fallout; sometimes it happens immediately and sometimes the fallout takes years to emerge.

As risk managers, we may often feel there is nothing we can do to address it until it happens — after all, how can we predict what the public and media will do? But, the more important questions are, why does it happen and how can we prevent it?

I would like to posit the idea that most reputational risks arise when the behavior or actions of the company or institution (or their employees) are not aligned with either its stated values or what the public thinks its values ought to be.

The solution is therefore quite simple: Practice what you preach. Follow the rules and play fairly.


If an organization consistently and completely aligns its actions with its stated or expected values, even a wrongful act by a rogue employee is mitigated when the organization can demonstrate that the act was unprecedented and the employee was truly a loose cannon.

If only it were as easy as it is simple. I’ll illustrate using an example from higher education.

The public and Congress believe that universities should keep students safe and that they should fight sex discrimination. Most institutions have statements of non-discrimination based on gender and statements on harassment prevention.

In addition, the Higher Education Act, Title IX and its subsequent and related reenactments, revisions, regulations and guidance require that institutions not discriminate based on sex and stipulate how they must respond to reports of sexual assault or harassment.

Failure on the part of many institutions to do this has resulted in more than 280 investigations by regulators, lower admission applications for some institutions and increased regulation for the industry overall.

This often boils down to compliance. Baylor University has been in the news quite recently over this — their policies said that they would responsibly investigate and manage claims of sexual assault filed by students.

But when allegations involved star athletes, they backed down, prevented their Title IX coordinator from doing her job and protected the athletes instead of the victims. The scandal (reputational risk) has resulted in the ousting of coaches, athletes and even the president of the university, as well as multiple claims and litigation.

Root cause: the institution’s actions did not align with their stated policies and values.

The greater the incongruence between what the organization says it will do vs. what happens, the greater the reputational risk and likely fallout. Compliance gaps in organizations are the harbingers of reputational risk as well as compliance risk.

Risk managers need to be aware of these gaps and build them into the ERM process for the success and reputation of our organizations.


Risk Insider: Elizabeth Carmichael

Putting Your Organizational Values Where Your Risks Are

By: | July 8, 2016 • 3 min read

I think that many risk managers (myself included) struggle with guiding their organizations to choose what risks to prioritize for management.

Even when we work for an organization that has a highly functional ERM process, and senior leaders are actively engaged in the identification, management and mitigation of risks, can and/or should compliance and risk officers be leaders in helping them set their priorities?

If the answer to that question is “yes,” how can we be better leaders? We can do it by identifying and aligning risk management as a cornerstone of institutional values.

One of the things that has always bothered me about “reputational risk” is that it measures how the outside world will view the institution (by measuring lost revenue, increased costs, or reduced shareholder value) if it fails to address a particular issue.

This has become a shorthand of sorts for measuring the ethical aspects of failure to address some kinds of risks. The problem is, it doesn’t address the actual values of the organization. Reports have been published on the atmosphere at Penn State where alumni and other donations actually increased in support of the university after the news of the Sandusky sex scandal broke.

Other schools, like Dartmouth University, may have seen a drop in applications from women because of sexual assaults and harassment, but given the strength of the school, it probably hasn’t impacted the bottom line. The outcomes of bad press are impossible to predict.

There is no discussion, no scoring, in the enterprise risk management process of “How antithetical to our institution and our values would it be if something happened because we failed to address this risk?”

Or, “What are our institutional values and how does this risk conflict with our values?”

We should ask ourselves how risks might be scored if these questions replaced, “What is the reputational risk?”

Assuming — and admittedly it may be a big assumption — that organizations want to align their operations with their stated and implied values, the ERM process can and should be used to support this objective.


Now, if your company’s sole value and objective is to sell products more cheaply than any other company, ethics and values will not be likely to have any traction with company leadership on risk matters.

But if your company or organization has a mission, vision and/or values statement, you will have a place to start.

Reputation, on its most basic level, is a measure of trust — how well does the organization deliver the products and services, the values, which it promises?

This applies to both the organization’s customers and employees.

Do employees know what the organization’s values are? Are policies, procedures and risk mitigation efforts aligned with its values?

Compliance officers and risk managers may find, when faced with opposition on a risk mitigation effort or prioritization, that helping managers understand how the mitigation helps the organization’s actions align with its values will break down the resistance.

I’ve seen it work; try it!


Risk Insider: Elizabeth Carmichael

ERM Is Not Just ‘Our’ Problem

By: | June 15, 2016 • 2 min read

Jack Hampton recently wrote, “Risk managers have a staggering problem on their hands if they are ever going to make enterprise risk management inroads across the full Academy. There is no other way to see it.”

And he’s right. Risk managers will always have a staggering, even insolvable, problem on their hands as long as they are the ones responsible for developing and implementing ERM at their institution. The same holds true for any business.

I’ve recently come back from the Higher Education Compliance Conference of the Society of Corporate Compliance and Ethics (SCCE).

There, I was heartened to hear presentations from multiple institutions where a team of senior leaders across the institution lead the ERM process.


As we know, engaging senior leadership in the ERM process helps to ensure the success of the program by placing the risk ownership across the institution, rather than allowing the perception of ownership to sit in risk management. The most mature and robust programs fully integrate the compliance, ERM, traditional risk management and internal audit functions.

The risk management burden, as Jack points out, is endless and ever varying. We will never be able to stop the rogue employee from breaking the rules, including the grumpy professor trying to make a point by publicly illustrating gaps in our systems.

We may seldom be able to stop the determined assassin before he strikes.

However, an ERM program can protect the institution or the company from the consequences of these actions while boosting resiliency and resources if it enables us to develop processes that will:

  • Put organizational structures in place to identify and manage risk across the enterprise (including compliance risks);
  • Create codes of conduct, policies and procedures to guide people on what to do;
  • Educate and train our community so they know what they are expected to do;
  • Give our operations managers tools to self-monitor their risk management and compliance activities and audit the operations as necessary;
  • Develop clear reporting and investigation processes for claims and complaints;
  • Discipline those that willfully break the rules; teach those that accidentally break the rules; and
  • Investigate and remediate systemic problems and risks.

So, how do we engage leadership in embracing and leading ERM? We talk about it, frequently and to anyone who will listen.

Practice your one-minute ERM elevator speech and use it on faculty, deans, all of your director-level peers and especially senior leaders.

Meet with key risk partners and share the benefits of an enterprise-wide approach.

Be a thought leader on your campus and tie the ERM process to the academic mission.

Gates Garrity-Rokous, vice president and chief compliance officer at The Ohio State University, recommends relentless optimism.

Help your senior leaders and administrators understand that using the ERM process will make their lives easier, because ERM will help the institution allocate resources by highest need. Tell them how the ERM process will make our campuses better through improved awareness and clearer communication of risk issues.

It’s easy to feel discouraged in the face of constant stories of tragedies and malfeasance. But there are silver linings.

The students at UCLA were prepared and knew how to shelter in place so that casualties from the Mainak Sarkar shooting were limited. We’re getting better, we’re doing more with less and finding continual improvement.

Find your inner optimist, share your successes with your peers, keep calm and carry on.
