The Central Bank of Nigeria (CBN) Guidelines on the Management of Reputational Risk

Introduction & Background

1. This framework sets out the Central Bank of Nigeria (CBN) approach to assessment of Reputational Risk as part of the Supervisory Review and Evaluation (SREP) of the banks’ end-to-end Internal Capital Adequacy Assessment Process (ICAAP), and provides guidance to banks on the key elements of effective reputational risk management.

2. The CBN expects banks to manage reputational risks on a day-to-day basis rather than on ad hoc basis where it is approached as a crisis management issue. The focus should, in particular, not be only on damage control in the aftermath of a reputational event.

3. This framework is essential given that reputational risk has become a key concern for banks particularly in the wake of the 2008-2009 global financial crisis which resulted in increased stakeholders’ interest in the issues of trust and corporate culture in financial institutions. The CBN therefore expects banks in Nigeria to effectively manage their  reputational risk, which is critical given that trust in the integrity of the individual banks and the overall banking sector is essential in ensuring safety and soundness of banks, and stability of the overall financial system.

4. Reputational risk is not addressed in the context of Pillar 1 of the Basel Capital Framework though it is a material risk for banks given the rise of social media and the resulting speed at which information including rumours can be disseminated to a much wider audience.

 Definition of Terms 

In the context of this framework, the meaning of reputational risk and  other related terms are as detailed below:

 “Reputation” means perception, opinions and beliefs that a bank’s stakeholders have in respect of the bank, based on their experience with, or expectations of the b

“Reputational event” includes any action, incident or circumstance 

in relation to a bank which induces, or is likely to induce, reputational risk for the bank. Reputational event may arise from market rumours, severe regulatory sanctions, operational  shortcomings, questionable judgement, external attacks, bad conduct or heavy financial losses. Such events, if not actively managed, may turn into a full-blown crisis such as a run on the bank.

“Reputational risk” is the risk of damage to a bank’s reputation as a result of any reputational event, arising from negative publicity about its business practices, conduct or financial condition. Such negative publicity may affect public confidence in the bank; result in decline in its customer base, business volume, revenue, liquidity or capital position. Reputational risk may also arise as a result of negative stakeholder opinion.

“Reputational risk management process” is the risk management process adopted by a bank to identify, assess, mitigate, control, monitor and report reputational risk. 

“Stakeholders” mean those groups of individuals or organizations that (i) are involved or interested in the affairs of a bank, or (ii) can exert an influence over, or are affected by, the bank and its activities.

Scope of Application 

-In line with the expectation of Principle 15 of the revised “Core Principles for Effective Banking Supervision” issued by the Basel Committee on Banking Supervision (BCBS) in September 2012, the CBN requires all banks in Nigeria to establish an effective process for the management of reputation risk. The adopted process should be appropriate for the size, geographical spread, product range and complexity of its operations.

 -These guidelines are applicable to all the Deposit Money Banks (DMBs) in Nigeria, including the specialized non-interest financial institutions. The principle of proportionality will however be applied by the CBN in the supervisory assessment of the banks’ processes and methodologies. -The CBN has not prescribed any specific methodology for measuring and quantification reputational risks capital charge under Pillar 2. The discretion in respect of approaches to be adopted is left to the banks.  

Objectives

This framework focuses on the following:

1. Ensuring that banks value their institution’s reputation and assesses risks to that value. This includes understanding the contribution of the institution’s reputation to its value creation and how this can be measured in absolute or relative terms;

2. Drawing banks’ attention to various sources of reputational risk; 

3. Providing banks with guidance on the key elements of reputational risk management;

5. Promoting the adoption of a formalized and structured approach  to managing reputational risk;
6. Elaborating on the CBN’s approach to supervisory review of reputational risk

Guidelines on the Internal Governance of Reputational Risk

Overall Reputational Risk Strategy

-Though it does not appear in most balance sheets (except for acquisitions), reputation is increasingly being recognized as a valuable asset particularly to financial institutions for which the confidence of key stakeholders is critical to their survival. Business strategy and approach to its implementation can, in particular, have significant impact on the reputation of a bank. 

The board of a bank should therefore have a very good understanding of their organization’s reputation and its key drivers including vulnerabilities. This knowledge is very important in strategic and risk management decision-making. 

-It is the responsibility of the bank’s board to ensure that: 

(i) sufficient focus is given to reputational risk management, and 

(ii) the bank has appropriate governance structures and policies in place to facilitate the provision of reliable, timely and complete information on the bank’s reputation and the underlying risks and vulnerabilities. Hence, the overall ownership of reputational risk management resides with the Board.

-The banks’ strategy for management of reputational risk, including the risk tolerance levels and the management actions to mitigate against the impact of reputation risk events should be approved by the board. 

Banks should also be able to fully demonstrate to the CBN that the risk management objectives of Reputational Risk Strategy are fully aligned with the overall strategic objective of the bank.

– Banks are expected to implement appropriate governance framework to support the management of reputational risk. The framework should, among others, set out clear objectives in relation to management of reputational risk as well as define the responsibilities of all parties involved in the management of the risk. The responsibilities and lines of authorities should be adequately documented and disseminated to all the relevant parties. There should also be an effective process for monitoring the performance of assigned responsibilities, and for triggering early corrective actions before any damage to reputation is caused as a result of either internal or external events.

– Banks are expected to carry out self-assessments of their reputational risk management practices and subject the same to independent third-party reviews. 

Risk Management Framework and Responsibilities

– The banks’ board should ultimately be responsible for the oversight of Risk Management Framework and challenge of the adequacy of the level of the internally estimated capital to cover all the bank’s material risks including reputational risk, where applicable. The board may however delegate the responsibility for the monitoring and management of reputational risk to bank’s senior management or other board committees.

-Banks are expected to continuously promote staff awareness of reputational risk in their respective businesses, operations or functions. 

This should particularly be the case for those staff that interact on an ongoing basis with external stakeholders such as depositors, investors, media, market participants, equity analysts, rating agencies, suppliers, vendors, etc.

– Banks are required to continuously identify key risks (e.g. strategic, operational risks, etc) that could significantly affect the bank’s reputation or business and should bring them to the Board’s attention in a timely manner.

– Banks should ensure that they have Service Level Agreements (SLAs) for all their outsourced activities. The bank should also have a process in place to effectively monitor the performance of external service providers (e.g. outsourced telephone banking operations, Information 

Technology (IT) support, debt collection services, etc.).

Reporting of Reputational Risk

– Banks should ensure that the approach to identification of reputational risk events and the strategies in place to mitigate reputation risk are reported to the board and senior management at least on a quarterly basis while supervisory benchmarks (metrics) should be reported as part of the annual Internal Capital Adequacy Assessment Process (ICAAP) submission to the CBN. The reports to the board and senior management should include reputational risk indicators reflecting stakeholder confidence to provide a gauge of a bank’s reputation which include : 

– Early warning indicators such as a sudden increase in customer complaints, breaches of internal controls, operational errors, system outages, fraudulent incidents and any significant deterioration in other performance indicators.

-Industry, market, political, legislative or social developments which may have implications on the bank’s performance and reputation.

-The progress in the implementation of remedial action plans arising from either the SREP, internal self-assessment or internal audit reviews, and 

-Other relevant issues or developments.

Risk Identification, Assessment, and Control

General Requirements

– Banks are required to adopt a systematic approach to identification, assessment, mitigation and control of any risk or potential threat that may adversely affect their reputation. The approach should be relevant to their business model and risk profile, and should be tailored to their individual circumstances and needs. 

– Banks are expected to document the results of their reputational risk identification and assessment exercise, as well as the proposed action plans to mitigate it.

Risk Identification

– Banks are required to develop processes and procedures for the identification of reputational risk that :

a).Defines the types of risk events they would expect to capture and the areas of their focus in their risk assessment and management.

b). Establishes the key sources of reputational risk they are exposed to on the basis of the bank’s circumstances. These sources of risk may be classified by risk category, business activity or area of operations.

c). Describes the risks identified in terms of the nature of risk and the potential consequences that the risks may bring to their reputation.

d).Takes into account any risks arising from new business projects which may affect reputation.

e).  Establishes procedure to ensure that the risks identified are subject to ongoing review and no major risk areas or events are missed.

– Banks are expected to involve all relevant staff (e.g. those representing major departments, business or functional units) in the identification of reputational risk. In doing so, banks should adopt techniques that are appropriate to their individual circumstances. These may include the use of: interviews, questionnaires, risk identification workshops, or self assessments.

– Stakeholder analysis constitutes an important part of banks’ risk identification process; particularly given that reputation is largely about  stakeholders’ trust and confidence.

As stakeholders’ expectations and concerns changes over time, banks should conduct regular stakeholder monitoring to facilitate the identification of new issues and threats.

Banks are required to conduct stress testing or scenario analysis to assess any secondary effects of reputational risk on liquidity position.

Supervisory Approach to Reputational Risk

– Reputational risk is one of the inherent risks which the CBN has identified as risks that should be assessed under ICAAP. Banks are thus required to establish a sound and effective system to manage all its material risks. 

– The CBN will use a combination of techniques, such as qualitative analysis, peer group comparison and supervisory judgment, in its assessment of appropriateness of banks’ approach to management of reputational risk. Based on its assessment results, the CBN will assign one of the four risk score for reputational risk, i.e., Low, Moderate, Above Average, or High.

– The effectiveness of the banks’ reputational risk management strategy will be assessed by the CBN as part of its SREP. The assessment will mainly focus on the quality of policies, systems, processes, procedures and controls established by banks.

To facilitate this assessment, the CBN may require banks to provide the following, amongst others :-

– Policies, codes of conduct, guidelines and procedures relevant to reputation risk management;

– Documentary evidence in support of the banks’ processes for risk identification, assessment, control, monitoring and reporting (including early warning systems), as well as other available measures to mitigate against reputational risk; 

-Management reports submitted to the Board and senior management to facilitate the management of reputational risk; 

– Minutes of Board or committee meetings addressing reputational risk management; 

– Report of any independent review or audit relating to reputational risk management; 

The following are the proposed supervisory benchmarks (metrics) for use as the basis for peer group comparison of the level of reputational risk across Nigerian banks, and to facilitate the supervisory challenge of the appropriateness of the banks’ reputational risk management framework including, where applicable, estimates of internal capital to cushion against the potential crystallization of reputational risk. Supervisory benchmarks (metrics) shall be reported as part of the annual Internal Capital Adequacy Assessment Process (ICAAP) submission to the CBN. 

The benchmarks are:

• a) Frequency, nature of and changes in complaints from customers and other third parties;
• b) Staff turnover at different operational and management levels;
• c) Number and nature of reported unethical practices, failure to comply with any market rules and conducts that could undermine orderly development and growth of the economy;
• d) Number and nature of regulatory sanctions from official bodies, i.e., financial regulator, tax authorities etc;

• e) Fraud rate (internal and external);

• f) Number of negative mentions in the traditional and social media;

• g) Increased costs of raising funds from the capital or money market;
• h) Average number of years of industry experience for the key office holders;
• i) Current and recent changes in external credit ratings;