On March 14, 2011, Aflac severed ties with comedian Gilbert Gottfried, the quacking voice behind its popular television mascot, the Aflac Duck.

The dismissal occurred within hours after Gottfried tweeted a chain of tasteless jokes about the devastating earthquake and tsunami in Japan. The potential harm to Aflac’s reputation from the tweets was particularly severe—as more than 70 percent of its income emanated from Japan.

How Aflac quickly and creatively responded to this massive reputational risk was an incredible achievement. Not only did Aflac avoid potentially disastrous financial losses, they turned the incident completely around into an incredible marketing opportunity.

A year later, the response to this crisis is worthy of study by other insurers working to identify, monitor and control reputational risk within their enterprise risk management (ERM) programs.

Step 1: Remain Calm

Aflac was compelled to immediately pull all commercials with Gottfreid’s voice. In the interest of gaining widespread public interest, the company organized a nationwide casting call to find a new voice for the Duck. In a clever move, Aflac also began to show a silent-movie style commercial starring the voiceless Aflac Duck with a sign instructing viewers to go online and “apply to be the next voice.”

By the end of the campaign, more than 250,000 people viewed the contest site, Quackaflac.com, and more than 12,100 people submitted auditions electronically.

Step 2: Prioritize Risk Management

Reputational risk is becoming increasingly important to boards of directors and risk committees, as well as to external stakeholders such as regulators, auditors, and—of most import—shareholders.

Historically, companies may have believed that general reputational risk would be sufficiently addressed by tightly managing and controlling specific sources of loss, such as financial, operational, legal, regulatory or claim-related loss. Today, however, leading companies are specifically addressing reputation as a major, distinct component of any ERM program, with its own risk assessment, control, monitoring and reporting processes.

Step 3: Realize the Risk

Managing reputational risk has special challenges. The concept has to be separated from brand management. Branding can be considered part of reputation, but reputation is a broader concept that refers more to perceptions of the company as a whole.

Reputation also includes public views of the company’s ethics, morals and values; financial stability; and history of fair dealings or performance. Accordingly, to mitigate such risk, a larger number of controls, and a wider variety of procedures, may need to be established than what may already exist for brand management.

Consider just some of the top compliance risks for insurance companies, which are also major risks to the company’s larger reputation: Fraud or ethical problems amongst senior management; mishandled claims and related lawsuits; and poor dealings with policyholders, such as improper advertising or misleading coverage terms.

Each of these risks will likely have a number of associated procedures specifically geared to prevent incidents on an operational level. When they are also identified as a potential larger reputational risk, however, focus on related controls shifts to the bigger picture.

For example, the risk of a rogue employee incident may not only be handled by a dismissal, but may also be subject to a wider realm of controls relating to public relations, press releases and board disclosures.

Step 4: Measure the Risk

Measuring the true financial impact of reputational risk is incredibly difficult. So many variables can affect the measurement of reputational loss, including historical/past dealings and current reputation, the details of the incident itself, and the many ways a response can be ultimately handled.

Some risk professionals have suggested that share-price volatility after a public incident may be one measure of the effects of reputational risk. For many situations, though, there may be significant other factors affecting share price at the time of a “publicity incident.”

For this reason, most reputational risk assessments rely on narrative reporting and descriptions of potential loss rather than trying to come up with ultimate-loss figures.

Step 5: Own the Risk

Once reputational risk becomes a unique consideration in the ERM process, a single risk owner should be appointed to manage it. Ultimately, however, ownership of reputational risk rests with the company’s board of directors, who set the tone from the top for the company’s ethics and compliance culture.

Step 6: 20 Years vs. 5 Minutes

In the wisdom of Warren Buffet, “It takes 20 years to build a reputation and five minutes to ruin it. If you think about that, you’ll do things differently.” Remember this when designing an ERM program, and build out a specific plan and strategy for managing reputational risk—to avoid being a sitting duck when it comes to reputational risk.