The Holes It Leaves Behind: Governing Reputation Without Reputational Risk

In my analysis of and response to the OCC and FDIC’s proposal to remove “reputation(al) risk” from the supervisory lexicon, I argued that the change was not only defensible but overdue. I was also clear that we need to talk about the holes it leaves behind.

Reputational risk never meaningfully belonged in the taxonomy of financial risks. It was an interpretive convenience – a category used to capture issues that did not sit comfortably anywhere else, or to signal discomfort where formal breach language was insufficient.

The regulators have now corrected the conceptual record. But removing a flawed category does not resolve the governance challenges it previously concealed. Instead, it brings them into sharper relief.

Reputation still matters. Stakeholder trust still matters. Sentiment still accelerates crises. Culture still shapes conduct.

What has changed is simply this: firms can no longer use ‘reputational risk’ as the narrative shortcut through which these concerns were previously raised and governed.

The question now is not why the regulators were right. It is:

What holes does the removal leave behind – and how should firms govern them?

1)    Public Perception: The Early Warning Signal With Nowhere to Go

A reputational controversy is rarely the root cause of a problem. More often, it is the first visible sign that something beneath the surface – in conduct, decision-making, controls or cultural tone – is misaligned. The NPR rightly prohibits supervisors from drawing conclusions based purely on perception. But that does not make perception irrelevant.

In practice, perception is one of the earliest, most volatile, and most democratised risk signals firms receive.

The governance challenge is this:

If ‘reputational risk’ is no longer available as a flag, how do organisations ensure perception-driven signals still trigger thoughtful scrutiny rather than disappearing into the noise?

Doing so requires:

  1. Distinguishing signals from evidence while acknowledging the value of both
  2. Designing structured escalation pathways for perception-led alerts
  3. Mapping perception signals to specific risk domains (conduct, compliance, strategy, operational risk, governance)

If firms do not design explicit pathways for perception-driven concerns, they will simply vanish – and with them, an early warning mechanism too valuable to lose.

2)    Enforcement Consequences: The Gap Between Action and Impact

Regulatory actions often produce substantial reputational outcomes: clients withdraw, counterparties reduce exposure, investors react, and markets adjust. Under the NPR, regulators cannot justify interventions based on “reputation”. Yet the reputational effects of those interventions remain both inevitable and material.

This creates a subtle structural challenge:

If regulators cannot consider reputation, how should firms interpret – or prepare for – the reputational consequences of enforcement?

Three implications follow:

  1. Legal defensibility must be clearer. Agencies may face attempts to argue that enforcement produced reputational harm outside their mandate.
  2. Board expectations will shift. Boards must learn to interpret supervisory language that has been stripped of reputational framing, even when reputational consequences dominate the external narrative.
  3. Assurance functions must adapt. Internal audit and compliance must prepare for scenarios in which enforcement actions cause disproportionate external reactions without the benefit of reputational reasoning in the regulatory dialogue.

Enforcement will still damage reputations; the only question is whether firms are prepared for that damage to be examined strictly on prudential terms.

3)    Sentiment-Driven Liquidity Crises: A Transmission Mechanism Without a Name

Bank runs and liquidity destabilisation do not begin with liquidity ratios – they begin with sentiment. A rumour, a headline, an online cascade, or a misinterpreted disclosure may set off a chain reaction long before objective indicators signal deterioration.

Reputational risk once served as the narrative umbrella under which these dynamics were discussed. Without it, supervisors must now frame sentiment-driven crises solely through liquidity risk.

This leads to a central governance challenge:

How can firms model, escalate and manage liquidity crises that are triggered by perception, when the concept that best describes that trigger has been retired?

That requires:

  1. Enhancing liquidity stress tests to incorporate sentiment-propagation channels
  2. Embedding social media and news-sentiment monitoring within liquidity and treasury governance
  3. Defining escalation thresholds where sentiment-driven early indicators must prompt action, even before financial indicators move

If liquidity frameworks do not explicitly account for sentiment-driven contagion, firms should not be surprised when “non-financial” triggers produce deeply financial consequences.

4)    Culture and Conduct: Raising Concerns Without the Old Vocabulary

For years, reputational risk functioned as governance shorthand for “this may be permissible, but it is not right.” It allowed leaders, auditors, compliance officers and risk functions to escalate cultural or behavioural concerns that fell short of formal breach thresholds.

With the category gone, firms face a sharper question:

How do we raise cultural red flags when the previous escalation language no longer exists?

This elevates the need for:

  1. Behavioural metrics and culture dashboards
  2. Enhanced whistleblowing analysis
  3. Independent culture reviews
  4. Incentive and decision-pattern scrutiny
  5. Board-level reporting of cultural indicators linked to conduct and operational risk
  6. Clearer thresholds for when cultural concerns merit escalation

Without a replacement for “this is reputationally dangerous”, cultural issues risk being deprioritised at exactly the moment regulators worldwide are scrutinising behaviour more closely.

What Replaces Reputational Risk: A Governance Framework for 2026 and Beyond

Reputational risk should not be replaced with another vague category.

It should be replaced with a more mature governance architecture.

Here are five design questions every firm should now address:

1. Signal: What perception-driven indicators are we monitoring, and who owns them?

Customer complaints, whistleblowing patterns, social sentiment, media traction, investor reactions – these must sit somewhere, not nowhere.

2. Attribution: How will we link perception signals to specific risk types?

A perception issue is rarely “reputational”. It is usually conduct, culture, operational, liquidity or strategic in disguise.

3. Escalation: When should perception trigger board or executive attention?

Clear thresholds prevent issues from being dismissed as noise.

4. Assurance: How will internal audit and compliance test that this process works?

A governance system without assurance is simply a policy.

5. Visibility: How will boards be informed of reputational consequences without a reputational category?

Boards need structured, integrated reporting that shows how reputational outcomes map to underlying drivers.

This is the governance work the NPR now requires – not explicitly, but implicitly.

Conclusion – Reputation Remains. The Category Does Not.

Removing reputational risk from the supervisory lexicon is a conceptual correction. But it does not eliminate the phenomena the category once attempted to capture.

Perception still signals weakness. Conduct still shapes outcomes. Culture still determines resilience. Sentiment still accelerates crises. Enforcement still produces reputational consequences.

The regulators have clarified what they are not responsible for. It is now for firms to decide what they will be responsible for.

Reputational risk may be gone. But the holes it leaves behind must be filled – not with a new label, but with better governance.
