For the first time in three decades, athletic retailer Adidas reported an operating loss to the tune of €700 million ($736 million) in 2022 and warned of a €1.2 billion ($1.27 billion) revenue decrease in 2023. The incurred losses and potential revenue hit aren’t from ongoing supply chain issues or a result of inflation. A March 8 press release attributed the results to the brand ending its nine-year relationship with Ye, the rapper formerly known as Kanye West. Adidas will write off the entire line of Yeezy-branded clothing and sneakers. Adidas and Ye parted ways last fall after the rapper made a series of antisemitic remarks. The resulting backlash by customers exposed the reputational risk of this third-party relationship.

Third Parties Are Businesses’ Biggest Risk-Management Blind Spot

When you think of third-party risk management (TPRM), more than likely it’s risk management efforts that focus on software vendors and managed services providers. If you’re among the more mature firms, it may also include suppliers, logistics providers, and suppliers to your suppliers. Any entity or individual, however, that is not an employee is, in fact, a third party. These include outsourced operations (legal, accounting, audit), outsourced business functions (communications, public relations, creative design), and even famous/influential figures affiliated with your business.

Businesses have been using celebrities (third parties) to promote products since baseball hall of famer Lou Gehrig adorned a box of Wheaties in 1934. Over the decades, celebrity endorsements have evolved from movie stars and athletes to musicians and social media influencers. With countless examples of brands terminating third-party relationships when the celebrity conflicts with the brand’s desired image, this reputational risk was established and — as the operating and revenue losses of Adidas can attest — costly.

Evaluating Third-Party Reputational Risks Isn’t Yeezy, But It Can Be Done

Most TPRM programs are not only limited in scope (in terms of which third parties are evaluated) but are also narrow in focus (in terms of the risk categories that are being assessed). Reputational risk rarely comes up in initial relationship evaluation, let alone monitored over time, primarily because it’s not a requirement and is notoriously difficult to do. Even the Basel II enterprise risk management framework excludes reputational risk due to the difficulty of factoring it into capital-adequacy requirements. Just because it’s difficult doesn’t mean that we shouldn’t do it anyway, though. After all, far too many examples of reputational damage from brand/celebrity breakups give risk management pros countless reasons to try.

Here’s what risk management pros need to consider about third-party reputational risk:

  1. Use your risk appetite statement to set guardrails. All firms must accept some risk to innovate and grow — identifying which risks to take and at what cost are the basic tenants of successful enterprise risk management. A risk appetite statement will help define the degree of reputational risk that your firm is willing to accept and under what conditions. After a 2009 sex scandal and an intoxicated driving arrest, golf legend Tiger Woods was dropped by brands such as Gatorade, AT&T, and Accenture. Nike and Electronic Arts stayed the course. The difference in response can be attributed to the risk appetite of these firms. Those that go to market on trust and reliability perceived the risk as too high. Those that message around performance and excellence perceived it as acceptable because Tiger Woods was still an exceptional athlete, distinctly different than the Lance Armstrong doping scandal during which Nike dropped the Olympics cyclist — drawing the line at cheating to win.
  2. Do a thorough assessment, but continue to monitor for changes to risk profile. When assessing operational or cybersecurity risk, firms will go to great lengths to get information, verify details, and ask for evidence. They should do the same when assessing reputational risk. Before Adidas formalized its partnership with Ye in 2013, a simple Google search would have revealed a history of impulsive and erratic behavior as far back as his 2009 outburst at the MTV Video Music Awards. Ongoing monitoring of social media would have revealed a pattern of controversial and unsubstantiated statements years before the infamous antisemitic statements in October 2022 that prompted Adidas and other brands to cut ties.
  3. Be prepared to act decisively or face long-term reputational risk fallout. By 2015, Jared Fogle, “the Subway guy,” was the brand’s sole spokesperson for 15 years until he was convicted for underaged sex, thrusting Subway into a full-blown PR nightmare. The fast food chain stayed silent for a month, then assumed that a tweet ending the third-party relationship was enough to avoid reputational fallout — Subway was wrong. Its reputation score fell from high to average, the brand has never recovered, and the company continues to lose market share.

To learn more about the reputational risk of third parties, schedule an inquiry with me. You can also access the Forrester Risk Appetite Statement Template to define your own reputational risk thresholds.