• RR-2 Sources of Reputational Risk

    • RR-2.1 Key Drivers

      • RR-2.1.1

        It is vital for banks to understand how different sources of reputational risk can impact their business operations, to set up appropriate systems and controls which can be used to manage these risks. It should be noted that many of the reputational drivers are inter-related, representing common factors applicable to banks, and relate to how well a bank has managed its business and controlled its material risks.

        July 2018

      • RR-2.1.2

        The key drivers of reputational risk that could assist banks in identifying and categorising the major sources of reputational risk applicable to them, amongst others, are outlined below:

        (a) Corporate governance—good corporate governance is vital to a bank's reputation. The leadership of the Board and senior management will directly affect stakeholders' perception of the bank;
        (b) Board and management integrity—the personal ethics and behaviour of directors and senior management are important determinants of stakeholder confidence;
        (c) Staff competence/support—staff competence and support is essential for business success. Any deficiencies in employment and staff management practices could lead to various problems, which include high staff turnover, insufficient staffing, poor service quality, staff incompetence/misconduct, customer complaints and employee disputes. Some of these issues may result in damaging headlines and adverse publicity;
        (d) Corporate culture—it is crucial for banks to promote a corporate culture where the adoption of ethical and responsible behaviour, that can protect and enhance their reputation, is encouraged. Inadequate corporate culture may result in a loss of confidence;
        (e) Risk management and control environment—a sound risk management and control environment is essential for banks to safeguard their assets and capital, and to mitigate reputational risk. Banks should seek independent assurance that existing risk management and control systems are appropriate via internal audits, and take remedial actions for any deterioration in risk management and control standards;
        (f) Financial soundness/business viability—a bank's reputation is likely to suffer if its financial soundness, or business viability, is questioned. To safeguard and strengthen their reputation, banks should build up stakeholder trust in their financial reporting systems, and manage stakeholder expectations by providing relevant factual information to facilitate their assessment of the banks' financial performance and future prospects;
        (g) Business conduct and practices—banks are required to run their businesses in a responsible, honest and prudent manner. Business practices which deviate from this basic standard could erode stakeholder confidence and damage their reputation, and any resultant breach of laws and regulations may lead to investigations, disciplinary action and criminal charges. In dealing with customers and other counterparties, banks should be guided by, and adhere to, all relevant ethical standards and codes of conduct;
        (h) Stakeholder satisfaction—a bank's ability to satisfy stakeholder needs and expectations on a continuing basis is of utmost importance in sustaining its business in a highly competitive banking environment. Failure to do so may result in loss of stakeholder confidence, falling business, adverse publicity or, in some cases, legal sanctions;
        (i) Legal/regulatory compliance—banks should adequately appraise legal and regulatory risks, and put in place robust systems to ensure compliance, including enhancing staff awareness of compliance issues and identifying areas of potential threat and vulnerability. Breaching the law or any relevant regulatory standards and guidelines can lead to serious consequences, including regulatory investigations, costly and high profile litigation, public censure, civil and criminal sanctions, harmful publicity, claims for damages, or even the loss of authorization. There may be significant damage to a bank's reputation even if the bank is ultimately acquitted of any illegal conduct;
        (j) Contagion risk/rumours—banks operating as part of a group will be susceptible to reputational events affecting their parent bank, non-bank holding company, or other members of the group (e.g. subsidiaries and affiliates). Such contagion effects on a bank's reputation may also result from other problematic relationships, such as any close association with major customers, counterparties or service providers that are revealed to be engaged in unethical, unlawful or corrupt activities. Rumours may have a damaging impact on the bank's reputation and the level of public confidence. Therefore, adequate contingency procedures should be developed by banks;
        (k) Crisis management—a bank's inadequate response to a crisis, or even a minor incident, that attracts media attention could arouse stakeholder concerns about management competence, thereby jeopardising the bank's reputation. On the other hand, effective crisis management arrangements (including communications with stakeholders and the media) could quickly allay stakeholder fears, restore their confidence and even enhance reputation. Therefore, banks should ensure that they are ready to deal with possible crises (which may be unprecedented and totally unexpected), with detailed and well-rehearsed crisis management plans in place. Close attention should also be paid to managing media communications;
        (l) Transparency/accountability—a bank's ability to be responsive to and satisfy stakeholders' information needs (e.g. by disclosing information in respect of material issues of interest to stakeholders in a transparent, honest and prompt manner) has become a key determinant of business competence. Such information will help stakeholders in understanding a bank's values, strategies, performance and future prospects. Stakeholder confidence, as well as the bank's credibility and reputation, will be weakened if information disclosed is found to be misleading, inaccurate or incomplete. There should be adequate accountability for the integrity of information disclosures, which should be backed by robust management monitoring and reporting systems;
        (m) Branding and cross-selling—this refers to the potential harm to a bank's reputation when an entity has clients in common with the bank and also carries the bank's brand (e.g. corporate name, logo/symbol). Different brand strategies create different risk profiles. Banks should consider the degree to which cross-selling is part of their overall strategy, as a greater degree of cross-selling increases reputational risk. This is particularly the case if a bank or banking group has stand-alone deposit-taking institution(s), broker-dealer(s) and asset management unit(s) that cross-sell products;
        (n) Outsourcing—a bank's reputation could also be damaged by sub-standard service quality, improper acts, or lax controls of some key service providers (e.g. outsourced telephone banking operations, IT support, debt collection services etc.). Banks should closely monitor the performance of the outsourcing providers and the on-going impact of the agreement on their risk profile, systems and controls framework;
        (o) Shari'a non-compliance risk—Shari'a non-compliance is a unique operational risk in Islamic finance products resulting from non-compliance of the bank with the rules and principles of Shari'a in its products and services. It is crucial to set up key risk indicators for identifying the Shari'a non-compliance risk inherent in different kinds of Shari'a-compliant contracts, and to outline a set of variables that help to estimate the likelihood and severity of Shari'a non-compliance risk. It is possible for banks to become insolvent because of the reputational risk that is triggered by the Shari'a non-compliance risk. It is important to consider Shari'a non-compliance risk as one of the main risks that banks should take into account as part of their enterprise-level risk evaluation. Banks should be aware of the implications of Shari'a non-compliance risk for the overall enterprise when Shari'a requirements and rulings are not effectively communicated, translated into internal policy, or observed by banks across different businesses and functional units; and
        (p) Step-in risk—refers to the level of risk that is associated with a bank's decision to provide financial support to an unconsolidated entity that is facing stress, in the absence of, or in excess of, any contractual obligations to provide such support. The main reason for step-in risk is to avoid the reputational risk that a bank might suffer if it did not support an entity facing a stress situation. The financial crisis provided evidence that a bank might have incentives beyond contractual obligation or equity ties to 'step in' to support unconsolidated entities to which it is connected (refer to Section RR-3.3).
        July 2018