I. Introducing our methodology video II. Research approach and scope III. Methodology: The research process IV. The RepRisk Index (RRI): Our algorithm for reputational risk exposure V. The RepRisk Rating (RRR): Our rating or risk benchmarking VI. The UNGC Violator Flag

RepRisk
methodology overview

Info & contact

#

I. Introducing our methodology video

At RepRisk, we have pioneered the combination of artificial and human intelligence to identify business conduct and ESG risks that could have adverse impacts on financial performance, people, or the planet. Our data enables decision-makers to act swiftly, safeguard business and investments, and foster positive change.

In our new video, we provide an overview of how our unique methodology translates big data into actionable research, analytics, and risk metrics. With daily-updated data sourced in 23 languages using a transparent and rules-based methodology, RepRisk systematically flags and monitors material business conduct and ESG issues that can translate into financial, reputational, and compliance risks. Leading organizations around the world rely on RepRisk as their key due diligence solution to prevent and mitigate business conduct and ESG risks related to their operations, business relationships, and investments.

#

II. Research approach and scope

# a. What types of sources and stakeholders does RepRisk screen?

RepRisk screens, on a daily basis, over 100,000 public sources and stakeholders in 23 languages.

These include print media, online media, social media, blogs, government bodies, regulators, think tanks, newsletters, and other online sources. These sources range from the international to the regional, national, and local level.

This list of sources is reviewed regularly and extended according to daily searches, RepRisk’s own research, and through client feedback.

Figure 1: Scope of sources

Born out of credit risk management, the purpose of RepRisk’s dataset is not to provide ESG ratings, but to systematically identify and assess material ESG risks. RepRisk has always taken an outside-in approach to ESG risks, by analyzing information from public sources and stakeholders, and intentionally excluding company self-disclosures. It is now well-accepted that self-reported information is not reliable data – especially when it comes to risks.

Over a decade of experience has shown that RepRisk’s unique perspective serves as a reality check for how companies conduct their business around the world – do they walk their talk when it comes to human rights, labor standards, corruption, and environmental issues? This perspective, together with a transparent, rules-based methodology and daily updates, ensures that our clients have consistent, timely, and actionable data at their fingertips.

Important: While RepRisk does not verify or validate reported allegations, our analyst team conducts quality checks and regularly reviews our list and classification of sources (see point IIIa). RepRisk focuses on identifying and assessing the risk incidents in a systematic and rules-based way, providing relevant information and transparency.

# b. What languages does RepRisk cover?

RepRisk searches for ESG risk incidents in 23 languages – English, Arabic, Chinese, Danish, Dutch, Filipino, Finnish, French, German, Hindi, Indonesian (Bahasa Indonesia), Italian, Japanese, Korean, Malaysian (Bahasa Malaysia), Norwegian, Polish, Portuguese, Russian, Spanish, Swedish, Thai, and Turkish.

# c. What is RepRisk’s research scope?

RepRisk’s core research scope is comprised of 28 ESG Issues that are broad, comprehensive, and mutually-exclusive (see Figure 2 below).

The 28 Issues drive the entire research process, as every risk incident in RepRisk’s dataset is linked to at least one of these Issues. When RepRisk screens the sources and stakeholders, it screens for any company or project linked to these Issues.

The Issues were selected and defined in accordance with the key international standards related to ESG issues and business conduct, such as the World Bank Group Environmental, Health, and Safety Guidelines, the IFC Performance Standards, the Equator Principles, the OECD Guidelines for Multinational Enterprises, the ILO Conventions, and more.

Furthermore, RepRisk covers 74 Topic Tags, ESG “hot topics” and themes (see Figure 3 below) that are an extension of RepRisk’s core research scope of 28 ESG Issues. Topic Tags are specific and thematic, and one Topic Tag can be linked to multiple ESG Issues. They are a dynamic concept, with the list expanding over time in response to client feedback and emerging trends.

In total, RepRisk covers 102 ESG risk factors allowing comprehensive and granular research.

# d. Which international ESG frameworks are mapped to RepRisk’s data?

RepRisk maps its data to international ESG and regulatory frameworks:

  • The 17 Sustainable Development Goals (SDGs) are mapped to RepRisk’s 102 ESG risk factors.
  • The Australian Modern Slavery Act is mapped to the 102 ESG risk factors.
  • The California Transparency in Supply Chain Act is mapped to the 102 ESG risk factors.
  • The SASB Materiality Map is mapped to RepRisk’s 102 ESG risk factors.
  • The Sustainable Finance Disclosure Regulation (SFDR) is mapped to the 102 ESG risk factors.
  • The ten principles of the UN Global Compact are mapped to RepRisk’s 28 Issues.
  • The UK Modern Slavery Act is mapped to the 102 ESG risk factors.
  • The German Supply Chain Act is mapped to the 102 ESG risk factors.

The goal of integrating these frameworks into RepRisk’s products is to allow clients to assess a company’s or infrastructure project’s ESG risk exposure through the lens of a universally used framework. Clients can easily identify material ESG risks in line with any of these standards, as well as identifying companies and infrastructure projects that may harm progress on a framework such as the SDGs or violate a framework such as the UN Global Compact.

Figure 2: RepRisk's Research Scope - 28 ESG Issues

Figure 3: RepRisk's Research Scope - 74 ESG Topic Tags

# e. What is the universe of companies that RepRisk analyzes?

RepRisk’s methodology is issues- and event-driven, rather than company-driven – i.e., RepRisk screens sources and stakeholders (see question IIa above) for ESG risk incidents, in accordance with the RepRisk research scope (see question IIc above), not a defined list of companies.

This means that RepRisk offers universal coverage – i.e., RepRisk captures any company exposed to ESG risks, regardless of the company’s size, sector, country of headquarters or operations, or whether the company is listed or non-listed.

The RepRisk Dataset grows daily as new relevant information is captured and analyzed. 30-50 new companies are added each day.

# f. How many companies in the RepRisk Dataset are currently associated with risk incidents?

As of September 2023, the RepRisk Dataset includes more than 255,000 companies that are associated with risk incidents. Of these 255,000 companies, approx. 6% are listed companies and approx. 94% are non-listed companies.

The companies in RepRisk's dataset stem from all sectors and countries. The geographical distribution is as follows: approx. 24% of the companies are headquartered in North America, 33% in Asia, 26% in Europe, 9% in Latin America and the Caribbean, 5% in Africa, and 3% in Oceania.

The RepRisk's dataset also includes risk profiles on more than 75,000 projects (e.g., mines, pipelines, chemical plants, ports, factories, pulp mills, plantations, etc.), as well as for all sectors and countries in the world. In addition, the RepRisk ESG Risk Platform provides information on other entities such as NGOs (more than 25,000) and governmental bodies (more than 20,000).

# g. How often is the data updated?

Daily – i.e., every day, RepRisk screens, identifies, and analyzes risk incidents, adds curated research and analytics to its dataset, and updates its proprietary risk metrics whenever new risk information is published.

# h. How far back does RepRisk’s data history go?

RepRisk’s data history spans back to January 2007, representing a consistent time series with 17+ years of data.

#

III. Methodology: The research process

# a. What are the various steps of the research process?

RepRisk follows a strict, rules-based research process that helps ensure consistent data over time. AI and machine learning combined with human intelligence help translate big data into curated research and metrics.

# Screening and identification

  • The goal of the screening process is to identify any company or project associated with an ESG risk incident, per RepRisk’s research scope (see question IIc above).
  • RepRisk screens, on a daily basis, over 100,000 public sources and stakeholders in 23 languages (see question IIa above).
  • Every day, more than 2,000,000 documents are aggregated through advanced text and metadata extraction from unstructured content and undergo multilingual de-duplication and clustering processes, reducing incoming documents to approximately 150,000 daily. These documents are analyzed for relevancy and sentiment scoring, as well as entity detection and issue classification, based on proprietary machine learning models to further support the automatic identification of relevant risk incidents.
  • Based on the machine learning model predictions, each risk incident is automatically tagged to all the entities identified, for example the related companies, projects, sectors, countries, ESG Issues, etc. The automated tagging serves to pre-select the relationships between various entities and issues in the RepRisk Dataset before being distributed for analysis and curation.
  • When a particular risk incident appears in multiple sources, the incident is taken only once, from the most influential source, as this reflects the overall risk exposure. Whenever possible a sample source in English is selected for display. The incident is only added again if the risk profile of the incident changes (see below for details).

# Analysis and curation

The results of the screening process are delivered to the RepRisk analyst team, who is responsible for reviewing and approving the automated tagging, relevancy scoring, and news analytics according to RepRisk’s proprietary rules-based system. The analyst team further curates the identified risk incidents including a risk summary.

  • Each risk incident is analyzed according to the following three parameters:

  1. Severity (harshness) of the risk incident or criticism. The severity is determined as a function of three dimensions: firstly, what are the consequences of the risk incident (e.g., with respect to health and safety: no further consequences, injury, death); secondly, what is the extent of the impact (e.g., one person, a group of people, a large number of people); and thirdly, was the risk incident caused by an accident, by negligence, or intent, or even in a systematic way. There are three levels of severity: low severity, medium severity, and high severity.

  2. Reach of the information source (influence based on readership/circulation as well as by its importance in a specific country), according to RepRisk’s own rating. All sources are pre-classified by reach: limited reach, medium reach, and high reach. Limited reach sources would include local media, smaller NGOs, local governmental bodies, and social media. Medium reach sources include most national and regional media, international NGOs, and state, national, and international governmental bodies. High reach sources are the few truly global media outlets.

  3. Novelty (newness) of the issues addressed for the company and/or project, i.e., whether it is the first time a company/project is exposed to a specific ESG Issue in a certain location.

  • For each risk incident, a RepRisk Analyst writes an original Risk Incident Brief in English that summarizes the risk incident. For simple risk incidents where a title captures the relevant issues, an additional body of text may not be required.

  • A risk incident is only reflected once in the RepRisk Dataset, unless the risk profile of the incident changes. This can occur in one of the three following scenarios, which increases the reputational risk of the incident for the company:

  1. Story development: a new development appears related to the same issue.

  2. Source escalation: the issue appears again in a more influential source.

  3. Six-week rule: the issue appears again for the same company in the same country after a six-week period, which is a potential signal that the issues are unresolved.

# Quality assurance

  • Before a risk incident is published in RepRisk's dataset, it undergoes a quality assurance check and approval by a senior RepRisk Analyst to ensure that the overall analysis process is in line with RepRisk's strict, rules-based methodology.

  • The goal of the quality assurance process is to ensure that the complete analysis process has been completed in line with RepRisk’s strict, rules-based methodology.

# Quantification

The final step in the process, the quantification of the risk, is done through data science. There are proprietary standard and customized risk metrics. The RepRisk Index (RRI) dynamically captures and quantifies reputational risk exposure related to ESG Issues. The RepRisk Rating (RRR), a letter rating (AAA to D), facilitates benchmarking and integration of ESG and business conduct risks. The United Nations Global Compact (UNGC) Violator Flag identifies companies that have a high risk or potential risk of violating one or more of the ten UNGC Principles.

#

IV. The RepRisk Index (RRI): Our algorithm for reputational risk exposure

# a. What is the RepRisk Index (RRI)?

The RepRisk Index (RRI) is a proprietary algorithm developed by RepRisk that dynamically captures and quantifies a company’s or project’s reputational risk exposure to ESG issues.

The RRI facilitates an initial assessment of the ESG risks associated with investments or business relationships, allows the comparison of a company’s exposure with that of its peers, and helps track risk trends over time.

The RRI is purely performance-based i.e.,:

  • The RRI of company A depends only on A’s risk incidents.

  • The RRI reflects a company’s actual risk management performance as opposed to its communicated goals and policies.

# b. How is the RRI calibrated?

The RRI ranges from zero (lowest) to 100 (highest). The higher the value, the higher the risk exposure:

  • 0-24 generally denotes low risk exposure
  • 25-49 denotes medium risk exposure
    • Note: It is expected that most large multinationals have an RRI between 25-49, due to their global footprint and salience vis-à-vis media and stakeholders.
  • 50-59 denotes high risk exposure
  • 60-74 denotes very high risk exposure
  • 75-100 denotes extremely high risk exposure
    • Note: The RRI is calibrated in such a way that only the handful of companies that are extremely exposed ever reach this threshold, helping clients to easily identify these companies.

# c. What do the three RRI values mean?

  • Current RRI: reflects the current level of media and stakeholder attention ESG issues are being given in connection to a certain company.

  • Peak RRI: is equal to the highest level of the RRI over the last two years – a proxy for the overall reputational risk exposure related to ESG issues of a company.

  • RRI Change or Trend: shows the increase or decrease of the RRI within the past 30 days.

# d. How is the RRI calculated?

  • The RRI calculation is based on the reach of information sources, the frequency, and timing of ESG risk incidents, as well as the risk incident content, i.e., severity (harshness) and novelty (newness) of the issues addressed. The RRI does not depend on the sequence of ESG risk incidents.

  • The RRI emphasizes companies and/or projects that are newly exposed or have had less exposure in the past, i.e., companies and/or projects with a lot of past exposure are less sensitive to new risk incidents.

  • The methodology does not change depending on whether an issue is an environmental (E), social (S) or governance (G) issue.

  • There is no weighting of the ESG Issues e.g., by sector or country.

  • The RRI does not have any E, S, or G components. What is available, however, is a breakdown of each RRI by the number of associations a company has with the aggregate E, S, or G issues. The ESG breakdown should not be used for company-to-company comparisons, but rather to see how a company’s E, S, or G exposure has developed over time.

# e. How does the RRI develop over time?

For any given day, there are two events that can happen:

  1. There is a new risk incident for a company or project, in which case the RRI is recalculated. The magnitude of the increase depends on the severity, reach, and novelty of the incident.

  2. There is no new risk exposure, in which case the RRI decays.

The RRI decays over time as follows:

  • For the first 14 days after a significant risk incident, the Current RRI remains constant.

  • If no new exposure is captured thereafter, the Current RRI decays to zero over a maximum period of two years:

    • If the Current RRI is in the range of 25-100 and no significant exposure is captured, it decays at a rate of 25 every two months until it reaches 25.

    • If the Current RRI is at or below 25 and no significant exposure is captured, it decays at a rate of 25 every 18 months until it reaches zero.

Discover the Jupyter Notebook on the RRI, Country RRI, and Country-Sector RRI.

#

V. The RepRisk Rating (RRR): Our rating or risk benchmarking

# a. What is the RepRisk Rating?

The RepRisk Rating (RRR) is a letter rating (AAA to D) that facilitates corporate benchmarking against the peer group and sector of a company, as well as integration of ESG and business conduct risks into business processes. The Rating provides decision support in risk management, compliance, investment management, and supplier risk assessment.

In contrast to the RepRisk Index (RRI), the RRR depends not only on a company’s own performance (i.e., on its own ESG risk incidents) but also on its country and sector affiliations.

# b. How is the RRR calculated?

The methodology combines two factors:

  1. The Company-specific ESG risk
    • Provided by the Peak RepRisk Index (RRI) (please see question IVc above)
  2. The Country-sector ESG risk
    • Provided by the Country-Sector Average of the company, calculated by:
    • The Headquarters ESG Risk Exposure (weighted 50%): Captures the risk exposure of a company's business activity in its headquarters country and primary sector(s)
    • The International ESG Risk Exposure (weighted 50%): Captures the risk exposure of a company's business activities in the countries and sectors (worldwide) where it was associated with ESG risk incidents.

# c. How is the RRR calibrated and what does it indicate?

The RepRisk Rating ranges from AAA to D:

  • AAA, AA, A denotes low ESG risk exposure

  • BBB, BB, B denotes medium ESG risk exposure

  • CCC, CC, C denotes high ESG risk exposure

  • D denotes very high ESG risk exposure

Discover the Jupyter Notebook on the RRR.

#

VI. The UNGC Violator Flag

# a. What is the UNGC Violator Flag?

The UNGC Violator Flag allows for an easy identification of companies that have a high risk or potential risk of violating one or more of the ten UNGC Principles. With the Flag, it is also possible to see if the UNGC violations are primarily linked to the operations (O) or to the supply chain (S) of a company.

# b. How is the UNGC Violator Flag calibrated and what does it indicate?

For each company and each Principle, the UNGC Violator Flag will have one of the three values:

  • Violator” (red): high risk of violating the UNGC Principles

  • Potential” (yellow): potential risk of violating the UNGC Principles

  • Blank” (gray): no strong evidence of violating the UNGC Principles

Companies classified as “UNGC Violators” are those that have had a significant and credible exposure to ESG risk incidents associated with one or more of the ten UNGC Principles.

# c. What is the RepRisk UNGC Violator Index (UNGC VI)?

The underlying risk metric of the RepRisk UNGC Violator Flag is the RepRisk UNGC Violator Index (UNGC VI), which is based on the ESG risk incidents related to a company over the previous two years. Very severe risk incidents are given a higher importance than severe and less severe risk incidents. Further, the UNGC VI underweights risk incidents reported in less influential sources.

The threshold for being classified as a “UNGC Violator” is higher for highly scrutinized companies, i.e., particularly multinationals that are more exposed due to their size, global footprint, and saliency towards media and stakeholders. This approach helps to balance the information available on smaller companies that may inherently be more vulnerable to risks.

Discover the Jupyter Notebook on the UNGC Violator Flag and UNGC VI.

Copyright 2021 RepRisk AG. All rights reserved. RepRisk AG owns all intellectual property rights to this methodology and to the content of this website. This information herein is given in summary form and does not purport to be complete. Any reference to or distribution of this methodology must include the entire methodology to provide sufficient context. The information provided on this website does not constitute an offer or quote for our services or a recommendation regarding any investment or other business decision. Should you wish to obtain a quote for our services, please contact us.