Don’t Duck Reputational Risk in ERM

On March 14, 2011, Aflac severed ties with comedian Gilbert Gottfried; the only quacking voice that its popular television mascot, the Aflac Duck had ever had. The dismissal occurred within hours after Gottfried tweeted a chain of tasteless jokes about a devastating earthquake and tsunami in Japan, the same day the disaster occurred. In the aftermath, more than 20,000 people were lost making the potential harm to Aflac’s reputation from the tweets particularly severe at the time, as more than 70 percent of its income emanated from Japan.

How Aflac quickly and creatively responded to this massive reputational risk was an incredible achievement. Not only did Aflac avoid potentially disastrous financial losses, they turned the incident completely around into an incredible marketing opportunity. A year later, the response to this crisis is worthy of study by other insurers working to identify, monitor, and control reputational risk within their enterprise risk management (ERM) programs.

Step One: Remain Calm

Aflac was compelled to immediately pull all commercials with Gottfreid’s voice. In the interest of gaining widespread public interest, the company organized a nationwide casting call to find a new voice for the Duck. In a clever move, Aflac also began to show a silent-movie style commercial starring the voiceless Aflac Duck with a sign instructing viewers to go online and “apply to be the next voice.”

The official job description asked for candidates who could create “innovative and original quacking that helps consumers understand how Aflac is different” from its competitors. 

Aflac also stressed that the candidate must embody “the spirit of caring and ethics that Aflac is known for, both in and out of the recording studio.” As a core competency, Aflac further required that its new representative “inspire trust and behave ethically.”

By the end of the campaign, more than 250,000 people viewed the contest website,, and more than 12,100 people submitted auditions electronically. In addition, hundreds attended live auditions held in six cities across the nation.  

Step 2: Prioritize Risk Management

Reputational risk represents a principal risk that is becoming increasingly important to boards of directors and risk committees, as well as to external stakeholders such as regulators, auditors, and—of most import—shareholders. Historically, companies may have believed that general reputational risk would be sufficiently addressed by tightly managing and controlling specific sources of loss, such as financial, operational, legal, regulatory or claim-related loss. Today, however, leading companies are specifically addressing reputation as a major, distinct component of any ERM program, with its own risk assessment, control, monitoring, and reporting processes.

Situations like Aflac’s do not arise every day; however, companies are realizing that when they do, any response needs to be quick, efficient and thorough. Advance planning and preparation for reputational crises help ensure all the necessary resources, such as strategy, people, technology, communication channels and money, are already in place.

Step 3: Realize the Risk

Managing reputational risk has special challenges, however. First, the concept has to be separated from “brand management,” a closely related concept, which relates to how the company proactively manages its marketing image, often of specific products or services, through advertising, customer relations, and strategic distribution. Branding can be considered part of reputation, but reputation is a broader concept that refers more to perceptions of the company as a whole.

Reputation also includes public views of the company’s ethics, morals, and values, financial stability, and history of fair dealings or performance. Accordingly, to mitigate such risk, a larger number of controls, and a wider variety of procedures, may need to be established than what may already exist for brand management.

Second, the question of what reputational risk needs to be managed can be daunting, as most of the day-to-day operational, legal, regulatory, and financial activities can have a collateral impact on reputation. For example, consider some of the top compliance risks for insurance companies, which are also major direct and indirect risks to the company’s larger reputation:


  • Fraud or ethical problems amongst senior management.
  • Poor dealings with policyholders, such as improper advertising, non-disclosure, or misleading coverage terms.
  • Mishandled claims and related lawsuits.
  • Failure or inability to meet or follow new regulations.


  • General economic conditions leading to insurer financial instability.
  • Misconduct of agents, vendors, and other  business partners.
  • Activities of “bad apple” competitors that cast a shadow on the whole industry.

Each of these risks will likely have a number of associated policies, and procedures specifically geared to prevent incidents on an operational level, such as claims manuals, multiple levels of approvals and sign-offs, and use of automated compliance tools. When they are also identified as a potential larger “reputational risk,” however, focus on related controls shifts to “the bigger picture.”

Appropriate mitigation efforts may again need to be expanded, from creating crisis management teams to developing external communication policies. For example, the risk of a rogue inappropriate employee incident may not only be handled by a dismissal, perhaps pursuant to a standard HR policy, but may also be subject to a wider realm of controls relating to  public relations, press releases, and board or corporate disclosures.

Step 4: Measure the Risk

Third, measuring the true financial impact of reputational risk is incredibly difficult. In most ERM  assessments, companies rank and prioritize risks in terms of cost or loss scales, by severity of an occurrence and its frequency or probability. However, reputational risk is hard to measure in the same terms. Reputational harm is almost impossible to measure before an event (and easier to cost) but is of little use after an event. So many variables can affect the measurement of reputational loss, including historical/past dealings and current reputation, the details of the incident itself, and the many ways a response can be ultimately handled.

Some risk professionals have suggested that a share price volatility after a public incident may be one measure of the effects of reputational risk. In some cases, it might, provided that the company had a solid, steady stock history and no other factors affecting share price were present. For many situations, though, there may be significant other factors affecting share price at the time of a “publicity incident.” Stock price could drop for other reasons, such as unusually large claims against the company, such as natural disaster-related claims; poorer company earnings than expected for a quarter; or stock market drop impacting the whole insurance industry. 

For this reason, most reputational risk assessments rely on narrative reporting and descriptions of potential loss rather than trying to come up with an ultimate loss figures. This may be the best a company can do, and it is certainly better than nothing. Even describing potential reputational risk scenarios, their various components, and their potential impact on multiple company departments, staff, customers, and other stakeholders, can help a company prepare for the worst. For this reason, regulators, auditors, and rating agencies may soon start to demand more disclosure of details relating to reputational risks, particularly losses with a social media or widespread publicity element.

Step 5: Own the Risk

Once reputational risk becomes a unique consideration in the ERM process, a single risk owner should be appointed to manage it. For other types of risk, the person assigned to assess or report on a risk usually has a supervisory or compliance responsibility for the controls and processes in a specific department within the company, like underwriting or claims.

In contrast, the “reputational risk manager” can be anyone in the company with the skills to develop a comprehensive project plan. The key is for the company to create an active, central hub with a strong personality that will bring together information from all parts of the company specifically with a reputational impact, and who can coordinate a response to emergencies quickly.

Ultimately, however, ownership of reputational risk rests with the company’s board of directors, who sets the “tone from the top” for the company’s ethics and compliance culture. Reputational risk management is a major tool in crisis prevention. It is also important to keep in mind, however, that building a reputation in the first instance, and maintaining it long term, is often a matter of human trust. When consumers and stakeholders have trust in company management, staff, and governance policies, the impact of negative incidents may not be as severe.

To Aflac’s credit, immediately after the Japan earthquake and tsunami, the company issued a press release confirming that it was donating $1.2 million (100 million yen) to the International Red Cross, sending a powerful message of caring and responsiveness. Two days after the Gottfreid dismissal, the company was declared a “World's Most Ethical Company” for a fifth consecutive year by the Ethisphere Institute.

Step 6: Don’t Be A Sitting Duck!

In the wisdom of Warren Buffet, “It takes 20 years to build a reputation and five minutes to ruin it. If you think about that, you’ll do things differently.” Remember this when designing an ERM program, and build out a specific plan and strategy for managing reputational risk, covering:

  • What kinds of losses or events may need to be specially managed from a publicity standpoint.
  • What must be done to protect the company’s image, character and reputation above and beyond brand marketing.
  • How responses to negative events will be timely and thoroughly decided and communicated.

Don’t just be a sitting duck.

Featured Video

Most Recent Videos

Video Library ››

Top Story

Identity theft takes the sparkle off of the holiday shopping season says new study

Cyber risks affect shopping patterns according to Generali Global Assistance.

Top Story

5 things to know about the NAIC's new cybersecurity model law

The NAIC's newly-adopted Insurance Data Security Model Law provides guidance for carriers, agents, brokers and their business partners.

More Resources


eNewsletter Sign Up

PropertyCasualty360 Daily eNews

Get P&C insurance news to stay ahead of the competition in one concise format - FREE. Sign Up Now!

Mobile Phone

Advertisement. Closing in 15 seconds.