Reputational Risk Management: What Boards Get Wrong

Reputational risk management is the discipline of identifying, assessing, and mitigating threats to how an organisation is perceived by its customers, partners, employees, investors, and the public. Done well, it sits at the intersection of strategy, communications, and operations. Done poorly, it lives in a drawer labelled “crisis comms plan” that nobody has read since it was written.

The gap between those two versions is where most organisations actually sit. And that gap tends to become visible at the worst possible moment.

Key Takeaways

  • Reputational risk is not a communications problem. It is a business problem that communications is asked to solve after the fact.
  • Most organisations conflate crisis response with risk management. One is reactive. The other requires ongoing, structured work before anything goes wrong.
  • The risks that damage reputations most severely are rarely the ones on the risk register. They come from operational decisions that nobody flagged as a comms issue.
  • Speed of response matters far less than quality of position. A fast, wrong answer is worse than a considered, honest one delivered a few hours later.
  • Scenario planning is the single most underused tool in reputational risk management, and it costs almost nothing to do properly.

Why Reputational Risk Is Treated as a Communications Problem

I have sat in enough boardrooms to know how this conversation usually goes. Someone raises reputational risk on the agenda. The room turns to the marketing director or the PR lead. A plan is requested. A plan is produced. It gets filed. The next agenda item starts.

The problem with treating reputation as a communications function is that it misdiagnoses the source of most reputational damage. Communications cannot fix a bad product. It cannot repair a broken supply chain. It cannot rehabilitate a culture that has been quietly toxic for years. It can only shape how those things are perceived, and only up to a point.

When I was running agencies, the clients who handled reputational crises best were not the ones with the sharpest PR teams. They were the ones where the CEO treated reputation as a commercial asset, not a comms deliverable. That distinction changes everything about how an organisation prepares, responds, and recovers.

The broader discipline of PR and communications sits underneath reputational risk management, and if you want a fuller picture of how these functions connect, The Marketing Juice PR and Communications hub covers the strategic landscape in detail. But for now, the specific question worth examining is: what does rigorous reputational risk management actually look like, and where do most organisations fall short?

The Risk Register Problem

Most organisations maintain a risk register. Reputational risk usually appears on it. It is typically rated on a likelihood-impact matrix, assigned an owner, and given a mitigation note that reads something like “maintain strong stakeholder relationships and respond promptly to media enquiries.”

That is not a mitigation. That is a hope.

The structural problem with risk registers is that they tend to capture the risks people are already aware of, already comfortable discussing, and already have a language for. The risks that actually damage reputations are often the ones that fell between categories, or that nobody thought to flag as a reputational issue because they looked like an operational decision at the time.

A sourcing decision. A pricing change. A product feature that gets quietly deprecated. A redundancy process that leaks before the announcement is ready. None of these appear on a standard risk register as “reputational threats.” All of them have ended up as front-page problems for organisations that thought they were making internal decisions.

The fix is not a better risk register. It is a different conversation at the point where decisions get made. Someone in the room needs to be asking: if this decision became public in the worst possible framing, what would that look like? That question does not require a communications specialist. It requires a culture where reputational thinking is embedded in operational decision-making, not bolted on afterwards.

What Scenario Planning Actually Involves

Scenario planning is the most consistently underused tool in reputational risk management. I say that having worked across more than 30 industries, and having watched organisations spend significant money on crisis simulations while doing almost no structured thinking about the scenarios most likely to affect them specifically.

Genuine scenario planning for reputational risk involves three things.

  • Identifying the specific threats that could plausibly affect your organisation: not generic categories like “data breach” or “executive misconduct,” but the actual scenarios grounded in your business model, your industry, your customer base, and your operating environment.
  • Working through what the response would look like before the pressure is on. Who speaks? What is the initial position? What do you say to employees before you say anything publicly? What is the holding statement while you gather facts?
  • Testing those plans under realistic conditions: not a boardroom walkthrough but a live simulation with time pressure, incomplete information, and people playing the roles they would actually play.

I learned the value of this the hard way. We were deep into production on a major Christmas campaign for Vodafone, working with a Sony A&R consultant to ensure music licensing was clean. At the eleventh hour, a rights issue emerged that killed the campaign entirely. We had to go back to zero: new concept, new creative, client approval, delivery, all under severe time pressure with a hard broadcast deadline that was not moving. What saved us was not the quality of our crisis response. It was the fact that we had done enough contingency thinking during the production process to know roughly what our options were if something went wrong. We had not planned for that specific failure, but we had thought about failure. That thinking gave us a framework to move fast when we needed to.

Organisations that have never stress-tested their reputational response plans tend to discover the gaps at the moment they can least afford to. The investment in scenario planning is modest. The cost of not doing it can be significant.

The Stakeholder Mapping Gap

One of the consistent failures in reputational risk management is a narrow definition of who matters. Most organisations think about customers and media. Some think about investors and regulators. Fewer think systematically about employees, suppliers, local communities, and the adjacent audiences whose opinions shape the broader perception of the business.

This matters because reputational crises rarely stay in one channel. A customer complaint that goes viral draws media attention. Media attention prompts employee questions. Employee commentary on social platforms adds another layer. Supplier relationships get quietly reassessed. Investors ask questions on earnings calls. Each of those audiences requires a different communication approach, a different tone, and often a different message, while remaining consistent with the overall position.

Organisations that have done proper stakeholder mapping before a crisis know who their tier-one audiences are, what those audiences care about, and what a credible response looks like to each of them. Organisations that have not done that work tend to default to a single public statement and hope it lands across all audiences simultaneously. It rarely does.

Tools like Sprout Social’s social listening capabilities can help organisations monitor how different stakeholder groups are responding in real time, but the monitoring is only useful if you have already done the thinking about who those groups are and what signals matter. Technology amplifies good preparation. It does not substitute for it.

Speed Versus Substance: Getting the Balance Right

There is a persistent belief in crisis communications that speed is the primary variable. Get out in front of the story. Fill the vacuum before someone else does. Own the narrative.

There is something to this, but it gets overapplied. The organisations that have damaged their reputations most severely through their own responses have almost always done so by prioritising speed over substance. They issued statements before they had the facts. They apologised for things they had not yet confirmed. They made commitments they could not keep. Each of those moves created a second story that was worse than the first.

The right balance is: fast enough to demonstrate awareness and control, substantive enough to be credible. A holding statement that says “we are aware of the situation, we are investigating, and we will provide an update within four hours” is more effective than a rushed position that has to be walked back. It signals that someone is in charge. It buys time without creating a vacuum. And it sets an expectation you can meet. The deadline is the part to respect: if the four hours pass and the facts are still incomplete, say exactly that and set the next checkpoint, because a missed update is itself a commitment not kept.

What makes this hard is internal pressure. Boards want statements. Investors want statements. Journalists are calling. The temptation to say something, anything, is real. The discipline to hold until you have a defensible position is what separates organisations that manage crises from organisations that compound them.

I have watched clients make both calls. The ones who held, gathered facts, and came out with a clear and honest position almost always recovered faster than the ones who rushed and had to correct themselves. The correction is what people remember.

The Operational Decisions That Create Reputational Risk

If you want to understand where reputational risk actually originates, follow the operational decisions. Pricing strategy. Product quality. Customer service processes. Hiring and firing practices. Supplier standards. Data handling. Environmental footprint. Each of these is primarily an operational or commercial decision. Each of them is also a reputational decision, whether or not anyone in the room is thinking about it that way.

The organisations that manage reputational risk well have found a way to make that connection visible at the point of decision, not after the fact. That does not mean every operational choice needs a communications review. It means building a habit of asking the “if this became public” question for decisions with material exposure.

This is harder than it sounds because it requires breaking down the silos between functions that do not naturally talk to each other. Finance does not typically loop in communications when modelling a price increase. Operations does not typically ask PR to review a supplier contract. The reputational risk sits in the gap between those conversations.

Some organisations address this through a formal reputational risk committee that reviews significant decisions before they are implemented. Others embed it more informally through a culture where the question gets asked. Either approach can work. What does not work is treating reputational risk as something that only becomes relevant after a problem has surfaced.

Forecasting frameworks can help here. Forrester’s work on business forecasting makes the broader point that organisations which build structured anticipation into their planning processes make better decisions under pressure. The same logic applies to reputational risk. The organisations that have thought through the scenarios in advance are not smarter in the moment. They are better prepared.

Digital Footprint and the Long Tail of Reputation

Reputation used to have a shorter memory. A crisis would peak, coverage would fade, and the story would move on. The digital environment has changed that significantly. Search results persist. Review platforms accumulate. Social content gets archived and resurfaces. A reputational event from five years ago can be the first thing a prospective customer, employee, or investor finds when they search your organisation’s name.

This changes the calculus of reputational risk management in two ways. First, it raises the stakes on how you handle a crisis, because the record is permanent and searchable. Second, it creates an ongoing obligation to manage your digital footprint actively, not just during a crisis but as a continuous discipline.

That means monitoring what is being said about your organisation across search, social, and review platforms on a regular basis. It means having a clear process for responding to negative content, not to suppress legitimate criticism but to ensure that your side of the story is visible alongside it. And it means investing in positive content, earned and owned, that reflects the organisation you are and want to be seen as.

Local search reputation is a specific area that often gets overlooked by organisations focused on broader brand perception. Moz’s guidance on local business search presence is a useful starting point for understanding how reputation manifests at a local level, particularly for organisations with multiple locations or regional operations.

The broader point is that reputational risk management in a digital environment is not a campaign. It is an ongoing operational discipline with its own processes, metrics, and accountabilities. Organisations that treat it as a campaign tend to be reactive. Organisations that treat it as a discipline tend to be prepared.

Measurement: What Good Looks Like

Reputational risk is genuinely difficult to measure, and I have seen organisations tie themselves in knots trying to find a single metric that captures it. Brand health trackers. Net Promoter Score. Share of voice. Sentiment analysis. Each of these tells you something. None of them tells you everything.

The more useful approach is to define a small set of indicators that are meaningful for your specific organisation and track them consistently over time. That might include media sentiment across key publications, employee engagement scores, customer complaint volumes and resolution rates, and social sentiment across relevant platforms. The value is not in any single data point but in the trend, and in understanding what drives movement in either direction.

When I was at iProspect, growing the business from around 20 people to over 100, one of the things that became clear as we scaled was that the internal reputation of the business, how employees talked about it to people outside, was a significant driver of client perception and commercial outcomes. We started tracking that more deliberately, not through formal surveys alone but through the quality of conversations we were having with candidates, clients, and industry contacts. That informal signal was often ahead of the formal metrics.

The honest truth about reputational measurement is that it requires judgment as much as data. Analytics tools give you a perspective on reality, not reality itself. The organisations that manage reputation well combine quantitative tracking with qualitative intelligence, and they are honest about the limits of both.

If you want to go deeper on the strategic communications frameworks that sit underneath this kind of measurement and planning, the PR and Communications section of The Marketing Juice covers the full range of disciplines involved, from earned media strategy to internal communications to crisis response frameworks.

What Boards Actually Need to Do

Boards have a specific responsibility in reputational risk management that goes beyond approving a crisis comms plan. They set the culture, the values, and the commercial priorities that determine how the organisation behaves when nobody is watching. That behaviour is the primary source of reputational risk, or reputational strength.

Boards that take this seriously ask different questions. Not just “do we have a crisis plan?” but “what decisions are we making right now that could create reputational exposure in 12 or 24 months?” Not just “what is our media sentiment score?” but “what are employees saying about us, and is that consistent with what we say publicly?” Not just “who is our PR agency?” but “is reputational thinking embedded in how we make operational decisions?”

Those questions are uncomfortable, which is probably why they do not get asked often enough. But they are the right questions. And the organisations that ask them regularly tend to be the ones that handle reputational challenges with something approaching composure when they arrive, because they have done the preparation that makes composure possible.

Reputational risk management is not a communications function. It is a leadership function that communications supports. The sooner boards internalise that distinction, the better placed their organisations will be.

About the Author

Keith Lacy is a marketing strategist and former agency CEO with 20+ years of experience across agency leadership, performance marketing, and commercial strategy. He writes The Marketing Juice to cut through the noise and share what works.

Frequently Asked Questions

What is reputational risk management?
Reputational risk management is the process of identifying, assessing, and mitigating threats to how an organisation is perceived by its key stakeholders, including customers, employees, investors, media, and regulators. It spans crisis preparedness, ongoing monitoring, stakeholder communications, and the embedding of reputational thinking into operational decision-making before problems arise.
What is the difference between crisis management and reputational risk management?
Crisis management is reactive. It describes what an organisation does after a reputational event has occurred. Reputational risk management is proactive. It describes the ongoing work of identifying potential threats, preparing responses, embedding reputational thinking into decisions, and monitoring stakeholder sentiment before any crisis materialises. Most organisations invest heavily in the former and underinvest significantly in the latter.
How do you measure reputational risk?
There is no single metric that captures reputational risk comprehensively. Organisations typically track a combination of media sentiment, social sentiment, employee engagement scores, customer complaint volumes, brand health tracker data, and share of voice over time. The value lies in tracking trends consistently rather than optimising for any single data point, and in combining quantitative metrics with qualitative intelligence from stakeholder conversations.
What causes the most reputational damage to organisations?
The most damaging reputational events typically originate in operational decisions rather than communications failures. Pricing practices, product quality issues, supply chain problems, data handling failures, and internal culture issues tend to cause more lasting reputational damage than external events. This is because they reflect on the values and behaviour of the organisation itself, not just on how it communicates.
How should an organisation respond in the first hours of a reputational crisis?
The priority in the first hours is to demonstrate awareness and control without overcommitting to a position before the facts are clear. A holding statement that acknowledges the situation, confirms that an investigation is underway, and sets a timeline for a fuller response is more effective than a rushed statement that may need to be corrected. Internal communications to employees should happen before or alongside any public statement. Speed matters, but not more than accuracy and credibility.
