On March 14, 2011, Aflac severedties with comedian Gilbert Gottfried, the quacking voice behind itspopular television mascot, the Aflac Duck.

The dismissal occurred within hours after Gottfried tweeted achain of tasteless jokes about the devastating earthquake andtsunami in Japan. The potential harm to Aflac's reputation from thetweets was particularly severe—as more than 70 percent of itsincome emanated from Japan.

How Aflac quickly and creatively responded to this massivereputational risk was an incredible achievement. Not only did Aflacavoid potentially disastrous financial losses, they turned theincident completely around into an incredible marketingopportunity.

A year later, the response to this crisis is worthy of study byother insurers working to identify, monitor and controlreputational risk within their enterprise risk management (ERM)programs.

Step 1: Remain Calm

Aflac was compelled to immediately pull all commercials withGottfreid's voice. In the interest of gaining widespreadpublic interest, the company organized a nationwide casting call tofind a new voice for the Duck. In a clever move, Aflac also beganto show a silent-movie style commercial starring the voicelessAflac Duck with a sign instructing viewers to go online and “applyto be the next voice.”

By the end of the campaign, more than 250,000 people viewed thecontest site, Quackaflac.com, and more than 12,100 people submittedauditions electronically.

Step 2: Prioritize Risk Management

Reputational risk is becoming increasingly important to boardsof directors and risk committees, as well as to externalstakeholders such as regulators, auditors, and—of mostimport—shareholders.

Historically, companies may have believed that generalreputational risk would be sufficiently addressed by tightlymanaging and controlling specific sources of loss, such asfinancial, operational, legal, regulatory or claim-related loss.Today, however, leading companies are specifically addressingreputation as a major, distinct component of any ERM program, withits own risk assessment, control, monitoring and reportingprocesses.

Step 3: Realize the Risk

Managing reputational risk has special challenges. The concepthas to be separated from brand management. Branding can beconsidered part of reputation, but reputation is a broaderconcept that refers more to perceptions of the company asa whole.

Reputation also includes public views of the company's ethics,morals and values; financial stability; and history of fairdealings or performance. Accordingly, to mitigate such risk, alarger number of controls, and a wider variety of procedures, mayneed to be established than what may already exist for brandmanagement.

Consider just some of the top compliance risks for insurancecompanies, which are also major risks to the company's largerreputation: Fraud or ethical problems amongst senior management;mishandled claims and related lawsuits; and poor dealings withpolicyholders, such as improper advertising or misleading coverageterms.

Each of these risks will likely have a number of associatedprocedures specifically geared to prevent incidents on anoperational level. When they are also identified as a potentiallarger reputational risk, however, focus on related controls shiftsto the bigger picture.

For example, the risk of a rogue employee incident may not onlybe handled by a dismissal, but may also be subject to a wider realmof controls relating to public relations, press releasesand board disclosures.

Step 4: Measure the Risk

Measuring the true financial impact of reputational risk isincredibly difficult. So many variables can affect the measurementof reputational loss, including historical/past dealings andcurrent reputation, the details of the incident itself, and themany ways a response can be ultimately handled.

Some risk professionals have suggested that share-pricevolatility after a public incident may be one measure of theeffects of reputational risk. For many situations, though, theremay be significant other factors affecting share price at the timeof a “publicity incident.”

For this reason, most reputational risk assessments rely onnarrative reporting and descriptions of potential loss rather thantrying to come up with ultimate-loss figures.

Step 5: Own the Risk

Once reputational risk becomes a unique consideration in the ERMprocess, a single risk owner should be appointed to manage it.Ultimately, however, ownership of reputational risk rests with thecompany's board of directors, who set the tone from the top for thecompany's ethics and compliance culture.

Step 6: 20 Years vs. 5 Minutes

In the wisdom of Warren Buffet, “It takes 20 years to build areputation and five minutes to ruin it. If you think about that,you'll do things differently.” Remember this when designing an ERMprogram, and build out a specific plan and strategy for managingreputational risk—to avoid being a sitting duck when it comes toreputational risk.