How corporate social responsibility mediates the relationship between corporate reputation and enterprise risk management: evidence from Spain

Enterprise risk management (ERM) systems lessen the probability of risks harming a firm’s reputation for a number of reasons. First, a high-quality ERM system makes it less likely a firm will suffer a risk-based reputational crisis. Second, ERM systems help companies to behave more responsibly towards all stakeholders, thereby ensuring firms meet stakeholders’ expectations. Third, when a crisis stemming from an uncontrollable risk occurs, a high-quality ERM system helps to reduce the negative impact on reputation because stakeholders will not attribute guilt to a firm which has acted responsibly in its risk management. In this research, we explore the link between corporate reputation and ERM systems together with the role played by corporate social responsibility (CSR) performance as a mediator. Our results support the notion that ERM system quality enhances CSR performance as well as corporate reputation. The results also confirm that ERM systems have a positive impact on corporate reputation via the mediating effect of CSR performance. Companies should therefore use risk management policies to bolster both their CSR and their reputation.

The fragility of corporate reputation forms the basis of its credibility. That is, reputation is accumulated over a long-term process, but it may be eroded very quickly. Just one adverse event can be enough to destroy this reputational capital (Hall, 1992(Hall, , 1993. This feature of corporate reputation has been termed "reputational risk", which refers to the probability of a firm losing corporate reputation capital (Dowling, 2006;Nujen et al., 2021). Interestingly, reputational risk has been characterized as a derivative risk (Heidinger & Gatzert, 2018;Tonello, 2007) because it arises from all the risks a company faces (operational, commercial, financial, environmental, legal, etc.). If these risks materialize, the company will immediately enter a reputational crisis.
Therefore, a high-quality enterprise risk management (ERM) system can reduce reputational risk through two effects: a direct effect derived from the ability of ERM systems to minimize the likelihood of suffering a reputational crisis and an indirect effect derived from a reduction in the attribution of guilt during a crisis. The later means that if a company suffers a reputational crisis but engages in responsible risk behavior, the negative impact on stakeholder perceptions will be smaller because stakeholders will not attribute guilt to the firm (Xu, 2018).
Scholars (Gatzert, 2015;Gatzert & Schmit, 2016;Heidinger & Gatzert, 2018;Pérez-Cornejo et al., 2019;Power et al., 2009;Tonello, 2007) have pointed out the importance of ERM systems in ensuring balanced value distribution amongst a company's stakeholders. This argument places ERM systems as effective tools to manage and boost corporate social responsibility (CSR) performance. Indeed, a high-quality ERM system can minimize the likelihood that risk will harm a company's social performance. Meanwhile, the literature provides evidence that CSR performance is the main factor in building and consolidating corporate reputation (e.g. Bianchi et al., 2019;Børing, 2019;Brammer & Pavelin, 2006;Javed et al., 2020;Melo & Garrido-Morgado, 2012;Pérez-Cornejo et al., 2022;Tetrault-Sirsly, & Lvina, 2019). The link between these two relationships also suggests that the quality of ERM systems may indirectly impact corporate reputation through mediation by CSR performance. ERM system quality promotes sustainable balanced value distribution by minimizing day-to-day risks (Pérez-Cornejo et al., 2019), helping companies to act responsibly. Risks can lead firms into crises that prevent effective CSR performance. This inability to operate responsibly and to fulfil stakeholder expectations over time can damage a company's reputation.
Although the literature predominantly focuses on analyzing how CSR policies reduce company risks (Gangi et al., 2020(Gangi et al., , 2021Harjoto and Laskmana, 2018;Husted, 2005;Kim et al., 2021;Naseem et al., 2020;Orlitzky & Benjamin, 2001), scholars have also proposed risk management as a tool that enhances CSR (Frederiksen, 2018). In essence, there is an ongoing discussion about which of CSR or risk management needs to be managed and which is the consequence of the other. Therefore, to address this research gap we examine how ERM systems enhance CSR to contribute to the debate over which should come first. Such an approach is more responsible because it focuses on reducing a firm's potential negative impacts on stakeholders. We argue that ERM is a proactive way to reduce company's risks and thus achieve better CSR performance, whilst helping meet stakeholder demands. In short, in this research, we examine the impact of ERM on CSR and on corporate reputation at several specific stages. First, we discuss the relationship between ERM and corporate reputation to test the direct effect. Second, we analyze and argue the relationship between the quality of ERM systems and CSR performance. CSR performance and corporate reputation. Third, we also present the impact of CSR performance on firm's reputation. Finally, and pursuant of the above, we also test the mediating role of CSR performance between ERM systems and corporate reputation.
To address these research goals, Sect. 2 presents the theory and hypotheses while Sect. 3 presents the empirical methods, and Sect. 4 describes the results. Finally, Sect. 5 offers the main conclusions, findings, managerial implications, limitations and possible future research lines.

ERM systems and corporate reputation
Corporate reputation can be defined as the perception of the capability of a company to meet stakeholder's expectations in the future (Fombrun, 2002;Herbig & Milewicz, 1995;Wartick, 1992). As mentioned earlier, the fragile nature of corporate reputation is the source of its credibility which derives from the stark contrast between its sluggish accumulation and its potentially rapid destruction (Hall, 1992(Hall, , 1993. Thus, reputational risk is a firm's likelihood of losing its corporate reputation (Dowling, 2006;Nujen et al., 2021). This risk is considered "a risk of risks" (Heidinger & Gatzert, 2018, p. 106). That is, if any of the firm's risks materialize, they will immediately lead the company into a reputational crisis. In the short term, every reputational crisis has a negative impact on corporate reputation. However, in the long term, the overall impact of the crisis on corporate reputation depends on several factors, including the extent of the negative impact on stakeholders, the company's management of the crisis and specially the degree of attribution of guilt to the firm (Mariconda et al., 2021).
ERM involves identifying and evaluating the risks that a company faces to develop a risk map that systematically categorizes each risk based on the likelihood that it will harm the company and the extent of its potential impact (COSO, 2004). The aim is first to identify actions that minimize those likelihoods and negative impacts then to develop systems that can contain any harms should the risks materialize. It is also important to define who is responsible for supervizing and updating this process throughout the organizational hierarchy. 1 High-quality ERM systems make less likely for companies to suffer a crisis that harms corporate reputation Gatzert & Schmit, 2016) In fact, the scarce prior research on this topic finds support for this relationship (Pérez-Cornejo et al., 2019). Therefore, we propose ERM aids firm's reputation since it reduces the likelihood of suffering a reputational crisis.
H.1: The company's ERM system quality has a positive and direct impact on its corporate reputation.

ERM systems and CSR performance
According to stakeholder-agency theory (Freeman, 1984;Hill & Jones, 1992), a company is a nexus of contracts (Jensen & Meckling, 1976) between the company and different groups of stakeholders (Cornell & Shapiro, 1987;Hill & Jones, 1992). These stakeholders include shareholders, employees, clients, suppliers, society and the environment. CSR extends the responsibility and commitment of the company beyond shareholder profits to a responsibility to meet all stakeholders' demands (Alpaslan et al., 2009;Clarkson, 1995;Donaldson & Preston, 1995). CSR performance is simply a firm's approach for value distribution through specific policies and behaviors designed to satisfy stakeholder demands (de Quevedo-Puente et al., 2007;Jones, 1980;Pérez-Cornejo et al., 2020;Rowley & Berman, 2000). However, a wide range of risks faced by companies in their daily activities can trigger crises that alter the value provided to stakeholders (e.g. Alsaifi et al., 2021;Bundy et al., 2017;Coombs, 2007;Helm & Tolsdorf, 2013;Pérez-Cornejo et al., 2019). For some stakeholders, the value they receive may be affected, whilst others may even experience negative impacts. Value distribution is constantly threatened by risks that lead companies to behave in a non-socially responsible way. For example, Merck, Exxon Valdez and Volkswagen suffered crises that were the consequence of a high tolerance for operational risk. Because of these crises, the companies in question caused negative impacts on various stakeholders. Costumers, the environment and other stakeholders such as shareholders and suppliers saw the value they initially expected from the company fall (Arora & Lodhia, 2017;Ndedi & Feussi, 2015;O'Rourke, 2006;Pérez-Cornejo et al., 2019;Vergin & Qoronfleh, 1998). Therefore, if companies wish to achieve and maintain high CSR performance, they should limit the likelihood of crises and use instruments to minimize the impact of these crises on value distribution. Being socially responsible means anticipating future stakeholder requirements to minimize the risk of being unable to meet future demands (Gangi et al., 2021;Orlitzky & Benjamin, 2001). Having effective ERM systems is thus synonymous with being responsible. For example, a company that tries to reduce occupational risks through policies that strengthen job security will probably have a low occupational accident rate.
Although much research has focused on how CSR reduces a firm's risk (Gangi et al., 2020(Gangi et al., , 2021Harjoto & Laskmana, 2018;Husted, 2005;Kim et al., 2021;Naseem et al., 2020;Orlitzky & Benjamin, 2001), recent research has proposed that risk management can reinforce responsible interaction with stakeholders (Frederiksen, 2018). We follow this line of thinking and argue that the control and reduction of risk through ERM systems ensures sustainable CSR by preventing the company from crises. Hence, ERM systems should make companies more responsible over time. An ERM system reduces the likelihood of a risk-based reputational crisis that prevents a balanced value distribution amongst stakeholders. Therefore, firms should design ERM systems based on corporate strategy, communication policies and industry standards so that they support value creation and the balanced distribution of value amongst stakeholders (Pérez-Cornejo et al., 2019). Companies must continuously monitor and update their ERM systems to guarantee their effectiveness. An effective ERM system minimizes the likelihood that financial, operational, ethical or environmental risks cause a crisis that damages CSR performance. These theoretical arguments and managerial foundations support the following hypothesis: H.2: A company's ERM system quality positively affects its CSR performance.

CSR performance and corporate reputation
Managers and scholars consider corporate reputation to be a sustainable competitive advantage (e.g. Dowling, 2016;Hall, 1992Hall, , 1993Roberts & Dowling, 2002). Accordingly, there has been great interest in the search for how to manage this asset. Corporate reputation is an intangible asset that reflects stakeholder expectations about future firm behavior (Fombrun, 2002;Waddock, 2000;Wartick, 1992). These expectations are generated through the company characteristics and behaviors that stakeholders perceive. Some scholars have focused on CSR performance as the main driver of corporate reputation (e.g. Aksak et al., 2016;Brammer & Pavelin, 2006;Bianchi et al., 2019;Børing, 2019;Brammer & Pavelin, 2006;Javed et al., 2020;Pérez-Cornejo et al., 2022;Tetrault-Sirsly & Lvina, 2019). CSR performance is an objective account of the actual impact on stakeholders of all company actions and attitudes designed to satisfy their interests. The literature recognizes CSR performance as a signal (Brammer & Pavelin, 2006;Fombrun & Shanley, 1990) that helps with a firm's legitimation process (Mas-Ruiz et al., 2021;Rao, 1994). In this sense, a company that acts in a socially responsible manner consistently over time generates expectations about its good behavior with stakeholders, thereby consolidating a strong corporate reputation (de Quevedo-Puente et al, 2007;Logsdon & Wood, 2002;Pérez-Cornejo et al., 2022). In fact, ample research confirms the positive impact that CSR performance has on firm reputation (e.g. Aksak et al, 2016;Bianchi et al., 2019;Børing, 2019;Brammer & Pavelin, 2006;Javed et al., 2020;Pérez-Cornejo et al., 2022). Despite extensive evidence of this relationship, the following hypothesis is instrumental for our analysis: H.3: A company's CSR performance has a positive effect on its corporate reputation.

Mediating role of CSR performance between ERM system quality and corporate reputation
When a risk leads a company into a crisis, the reputational damage depends on the size of this undesirable impact on stakeholders and the extent to which guilt can be attributed to the corporation (Coombs, 2007). Because a reputational crisis places the offending firm in the spotlight, huge volumes of information are released about the event, and the behavior of the firm is scrutinized. When an undesirable impact occurs and the stakeholders judge that the company management has acted irresponsibly due to a high level of risk tolerance, reputational damage will be high. However, if there is no attribution of irresponsible management, the same undesirable impact will cause less reputational damage. That is, if a reputational crisis occurs and the company is proven to have engaged in responsible risk behavior, the negative impact on stakeholder perceptions will be smaller because stakeholders will not attribute guilt to the firm (Lange & Washburn, 2012). For example, the Tylenol scandal in 1983 triggered a reputational crisis for Johnson & Johnson when cyanidelaced capsules caused the death of seven people. Although the crisis had a tragic outcome for some stakeholders, it was proven that the crisis was not caused by high tolerance in the company's risk management. Moreover, the company dealt with the crisis effectively. By identifying the causes of the deaths and recalling the dangerous products, huge efforts were made to reduce the potential negative impact with no concern for cost (Balmer & Greyser, 2009). The result of this crisis was that, six months later, Johnson & Johnson designed new tamper-resistant packaging for Tylenol, which was the first product in this industry to offer these characteristics (Haywood, 2005;Larkin, 2003). This effective risk management prevented the company from being considered the culprit of the crisis, thereby minimizing the impact on its reputation (Balmer & Greyser, 2009). This effect was aided by the company's diligence in its crisis management. Risk may also lead a company into a crisis that affects its value creation and distribution (i.e. the company's CSR performance). Accordingly, the interests of some stakeholders may not be satisfied, and the company's reputation may be harmed (Coombs, 2007;Eccles et al., 2007). In fact, many company crises stem from an unbalanced and unsustainable risk-taking situation that impedes the achievement of high CSR performance and the fulfilment of stakeholder expectations. For example, the Merck, Exxon Valdez and Volkswagen crises show how irresponsible behavior by companies can harm stakeholders and immediately damage a firm's reputation (Arora, & Lodhia, 2017;Ndedi & Feussi, 2015;O'Rourke, 2006;Pérez-Cornejo et al., 2019;Vergin & Qoronfleh, 1998). Therefore, CSR performance may act as a mediator between ERM system quality and corporate reputation in two ways. First, ERM favors socially responsible performance that meets stakeholder expectations and enhances corporate reputation. Second, during a crisis, responsible firm behavior reduces reputational damage because stakeholders do not attribute guilt to the firm. In this situation, the perceptions about a company's responsibility towards its stakeholders are enhanced. Therefore, high-quality ERM systems enable firms to behave more responsibly, helping them to meet stakeholder expectations Coombs, 2007;Gatzert & Schmit, 2016;Pérez-Cornejo et al., 2019) and reducing the attribution of guilt in case of crisis. Accordingly, we propose: H.4: The firm's CSR performance mediates the positive relationship between the company's ERM system quality and its corporate reputation. Figure 1 illustrates the hypotheses proposed in the conceptual framework.

Sample
To test the hypotheses proposed we used a sample of 40 Spanish public companies. The final sample comprised 255 company observations. This sample was gathered by merging data on companies in the Thomson Reuters Eikon database, which provides environmental, social and governance (ESG) scores and listed companies in Spain between 2008 and 2015.

Independent variable: ERM system quality
There are no generalized measures of ERM system quality. Instead, studies have measured this complex multidimensional concept in different ways (e.g. Beasley et al., 2015;Beasley et al., 2005;Daud et al., 2010;Glowka et al., 2021;Gordon et al., 2009;Hoyt & Liebenberg, 2011;Naseem et al., 2020;Otero-González et al., 2020;Pérez-Cornejo et al., 2019). They have used either survey-based scales (Beasley et al., 2015;Daud et al., 2010;Glowka et al., 2021) or data taken from financial statements (Baxter et al., 2013;Gordon et al, 2009;Naseem et al., 2020;Otero-González et al., 2020;Pérez-Cornejo et al., 2019). We used the scale proposed by Pérez-Cornejo et al. (2019). This scale has the advantage of enabling longitudinal analysis of ERM system quality because it is based on data published in corporate governance reports each year. The measure is the result of a scale based on the COSO definition of ERM and the guidelines provided by the National Stock Market Commission of Spain on how listed firms must report information about their ERM systems in their corporate governance reports. The measure uses three items to capture the companies' ERM system quality. These three items are the company's definition of ERM, ERM scope and the use or non-use of the COSO as an ERM framework. All the data on the ERM system were gathered by analyzing the corporate governance reports published yearly by each firm in the sample for the period 2008 to 2014. All the reports were analyzed separately by two researchers. Differences in the two assessments were resolved, and final scores were assigned to each company for each year. We used Krippendorff's alpha to test the inter-rater reliability. For all items, this score was higher than 0.8. The final score of ERM system quality employed as the independent variable measure in the models was the result of the factor loadings of principal component analysis (using varimax rotation). The results of the analysis provided a solution of one-component through different criteria: the scree plot, eigenvalue and interpretability. The scores for internal consistency reliability (measured using Cronbach's alpha) were greater than 0.7. We tested our measures' reliability using confirmatory factor analysis. For all items, the average variance was higher than 0.5, and composite reliability exceeded 0.7. The factor scores from the factor analysis provided the final measure of ERM system quality.

Mediating variable: CSR performance
CSR performance data were gathered from Thomson Reuters Eikon™. This database provides comprehensive environmental, social and governance (ESG) information for more than 9000 public companies worldwide and provides over 450 different ESG metrics. In fact, these data have been employed in numerous recent studies (e.g. Dwekat et al., 2020;Pérez-Cornejo et al., 2022). The process of ESG measurement involves participation by more than 150 analysts who manually guarantee that the information is comparable across all rated companies (Thomson Reuters and Eikon™, 2020). We used the overall ESG score, which is the result of more than 70 key indicators forming three pillars: environmental (three categories: resource use, innovation and emissions) social (four categories: community, workforce, product responsibility and human rights) and governance (three categories: CSR strategy, management and shareholders). The overall ESG scores range from 0 (low CSR performance) to 100 (excellent CSR performance).

Dependent variable: corporate reputation
We employed two measures to assess corporate reputation. The first was a dichotomous variable that took the value 1 if the company was among the firms included in the MERCO ranking and 0 if it was not included. The second measure was the reputation score for firms of our sample that were included in the MERCO ranking. In Spain, MERCO is the sole index with available data for building a panel because it offers information from 2001. It consists of the 100 companies with the strongest corporate reputation in Spain. In fact, because of the advantages of this measure, much research in Spain has employed these data (Delgado-García et al.2010;Navarro-García et al., 2020;Pérez-Cornejo et al., 2019;Fernández-Sánchez et al., 2012). This ranking is based on an annual survey that is completed by a wide range of groups of stakeholders. The survey assesses firms by focusing on six aspects: economic performance, culture and quality of the workplace, product quality, ethics and CSR, international presence, and innovation. There are several stages in the preparation of the ranking. In the first stage, the survey is sent to more than 1000 senior managers of companies with revenues of over 50 million euros, asking them to provide their perceptions. This step provides a provisional proposal of the 100 most reputable companies in Spain. In the second stage, this list is evaluated by financial analysts, social media managers, consumer associations, unions, non-government organizations, business journalists, opinion leaders, university professors and politicians. In the third stage, analysts and researchers assess the feats of the companies in the provisional classification. Next, the data on consumer opinion are included. Subsequently, the perceptions of workers, university students, human resource managers and the general public regarding the reputation of companies as places of employment are added to the index. In the last stage, all scores are combined. The final ranking is given using a total of 10,000 points. For both measures (dichotomous corporate reputation and corporate reputation score) possible endogeneity problems were controlled for by measuring corporate reputation in the period t + 1.

Control variables
We used company size, return on equity (ROE), leverage, age, year, and industrial sector as control variables. In this study we measured firm size as the standardized value of the total assets of each firm. Empirical research has shown that the corporate reputations of larger firms are better (e.g. Cordeiro & Sambharya, 1997;Fombrun & Shanley, 1990;Pérez-Cornejo et al., 2019). The actions of big firms are more striking and visible, and, also come under greater scrutiny by different sectors of the public. Therefore, they should distribute value more fairly amongst their stakeholders and should thus build stronger corporate reputations. By contrast, smaller companies may be less careful in their value allocation because they go unnoticed (and are therefore subject to less oversight), such that they are expected to have poorer corporate reputations. We also included the company's age in the analysis because firm reputation is the result of a public legitimation process that takes place over time (Fombrun, 1996;Schultz et al., 2001). Firms that have remained in the industry over long periods under market supervision may be expected to have satisfactorily met the demands of stakeholders. Then, we measured company age as the number of years since the firm was founded. In addition, we included ROE because there is ample evidence of its effect on corporate reputation (e.g. Dunbar & Schwalbach, 2000;Rose & Thomsen, 2004). When financial performance is higher, the company has more financial resources, which may help satisfy stakeholders in the future. We also included leverage as a control variable. Leverage ratio was measured as a firm's debt-to-equity (e.g. Delgado-García et al., 2013;Pérez-Cornejo et al., 2020;Wei & Zhang, 2006). High leverage may be a threat to the future of a company and thus may negatively affect corporate reputation. Finally, we also included industry and year as dummy variables. To categorize the industrial sector dummies, we used the CNAE (Spanish National Classification of Economic Activities Code), which defines the industrial classification in Spain. Information about company size, ROE, leverage, company age and industry were collected from the SABI database (Iberian Balance Sheet Analysis System).

Analytical method
We used multiple methods to test our hypotheses. We employed a panel data approach as well as pooled analysis. First, in order to eliminate the unobservable heterogeneity problem, we employed panel data analysis (Arellano, 2003). A random effects model was used when CSR performance was included as the dependent variable. As noted earlier, we employed two measures of corporate reputation. In the models where corporate reputation was measured as a dichotomous variable, we used random effects logit analysis. As explained above, the MERCO index provided information on only the 100 most reputable companies in Spain. Therefore, our second dependent variable was left-censored given that some companies had no data for this variable because they were not included in the index. However, we know that their value must be less than the corresponding score for the last firm included in the MERCO ranking. We, then used tobit random effects analysis for the models where corporate reputation was a left-censored dependent variable. We used the Wald chi-square test to estimate the significance of all panel model analyses. We also replicated these analyses using a pooled approach with ordinary least squares (OLS) regression, logistic regressions and tobit regressions. To avoid endogeneity problems, we used a lag of one period between the dependent variable and the independent variables. We used the procedure proposed by Baron and Kenny (1986) to test the mediating role of CSR. Table 1 shows the descriptive statistics and the correlation matrix. The variance inflation factors were less than 5 for all models, indicating no multicollinearity problems. Table 2 shows the results from the panel approach. Table 3 shows the results for the pooled method. To test H.1, the procedure proposed by Baron and Kenny (1986) was used to test whether a direct effect of ERM system quality on corporate reputation remained after introducing the effect of CSR (i.e. the mediating effect presented in H.4). Therefore, this analysis was performed last. Models 1 and 6 were used to test the causal relationship between ERM system quality and CSR performance. Both models confirm a positive and significant impact of ERM system quality on CSR performance, supporting H.2. Models 3, 5, 8 and 10 were used to analyze the relationship between CSR performance and corporate reputation using a panel method approach (Models 3 and 5) and a pooled approach (Models 8 and 10). Both Models 3 and 8 (which used a dichotomous variable as measure of corporate     To test the mediation hypothesis, we used the Baron and Kenny (1986) procedure. This procedure suggests that mediation occurs if four conditions are satisfied. To begin with, there must be a significant impact of ERM system quality (the predictor variable) on CSR performance (the mediator variable). As explained earlier, this condition is met because H.2 is supported. Next, ERM system quality (the predictor variable) must have a significant impact on corporate reputation (the dependent variable). Models 2 and 4 (panel methodology) and Models 7 and 9 (pooled methodology) show that this condition is satisfied. Third, there needs to be a significant impact of CSR performance (the mediator variable) on corporate reputation (the dependent variable). This condition is fulfilled because H.3 is supported. Finally, the fourth condition is met in all models because the influence of the quality of ERM system on corporate reputation is weaker in the models where CSR performance (mediator variable) is included than in the models where CSR performance is not included. However, whilst the findings for the tobit models (Models 5 and 10) suggest partial mediation by CSR performance between ERM system quality and corporate reputation, the logit models (Models 3 and 8) support full mediation. In sum, the results confirm H.4. These results also partially confirm the direct effect between ERM system quality and corporate reputation (H.1). That is, when CSR performance (the mediator) is introduced in the models, the tobit models still present a significant impact of the quality of ERM system on corporate reputation. Although the results are consistent in almost all models and the main conclusions are supported by both methods, our results for the direct effect between ERM systems and corporate reputation (H.1) differ between the logit and tobit models. Whereas the tobit models confirm the direct effect between ERM and corporate reputation, the logit models do not. Because the tobit models use more information for the dependent variable than the logit models, H.1 is partially confirmed.

Conclusions and discussion
This study examines the effect of ERM system quality as a booster of corporate reputation. Our results confirm that ERM systems exert a direct, positive effect on corporate reputation. This finding supports the argument that having high-quality ERM systems reduces the likelihood of suffering a reputational crisis. Furthermore, our findings provide evidence of the impact of ERM systems on corporate reputation through the mediating effect of CSR performance. This mediation of the relationship can be explained by two reasons. First, high-quality ERM systems support sustainable high CSR performance that satisfies stakeholder expectations and, in turn, enhances firm reputation. Second, effective risk management helps avoid the perception of guilt when a crisis is caused by a risk that is inherent to a company's normal activity. It reinforces stakeholder perceptions that the company has behaved responsibly towards its stakeholders, removing the blame placed on the company when a negative event occurs. In other words, when a responsible company suffers a reputational crisis, the negative impact on stakeholder perceptions is reduced because stakeholders do not attribute guilt to the firm. Finally, our results show that high CSR performance enhances company reputation. These findings are strongly consistent with prior studies which have shown that CSR performance is a key driver of corporate reputation (e.g. Bianchi et al., 2019;Brammer & Pavelin, 2006;Javed et al., 2020;Pérez-Cornejo et al., 2020, 2022Tetrault-Sirsly & Lvina, 2019) and point out that commitment to stakeholders shown through CSR performance is a useful way of consolidating and managing corporate reputation (McWilliams et al., 2006). Overall, the results support the notion that ERM systems help manage reputational risk by improving corporate responsibility. The results are also consistent with the literature supporting that high financial risk decreases corporate reputation because it threatens the firm's future viability (Brammer & Pavelin, 2006;Fombrun & Shanley, 1990;Hammond & Slocum, 1996). In addition, our findings concur with the results of the study by Pérez-Cornejo et al. (2019), who found support for the effect of ERM system quality on corporate reputation. However, the present study goes further, exploring the underlying details of how ERM systems drive the achievement of better corporate reputation.
This article expands previous research through different ways. First, our paper examines the factors that enhance corporate reputation, thereby contributing to the literature on its determinants by providing new evidence that ERM and CSR are antecedents. Specifically, it looks into how efficient ERM reduces reputational risk. Second, this study shows more empirical evidence of the positive relationship between CSR performance and corporate reputation. However, our main contribution is to offer theoretical arguments that justify the assertion that ERM systems are key managerial drivers for improving CSR performance and company reputation. In fact, although most prior research has examined how high CSR performance reduces a firm's risk (Gangi, et al., 2021;Gangi et al., 2020;Harjoto & Laksmana, 2018;Husted, 2005;Kim et al., 2021;Naseem et al., 2020;Orlitzky & Benjamin, 2001), the present study examines the relationship in the opposite direction, studying how CSR performance is the consequence of a high-quality risk management policy. Our study fills a research gap by providing theoretical arguments and empirical support for this link. This study offers extensive empirical analysis of these relationships by combining logit and tobit models, as well as pooled and panel analyses. Moreover, this research shows that high-quality ERM systems help consolidate corporate reputation by influencing CSR performance. As a result, this study contributes to the literature on risk management, CSR performance and corporate reputation.
Although this research makes several contributions to the literature, it has certain limitations. First, the corporate reputation variable was left-censored, which limited the analysis. Second, our study focused on a sample of large public firms because data on ERM system quality and CSR information are not available for all companies. Therefore, to extend these results to small and medium-sized enterprises (SMEs) new studies are needed to analyze this problem in this context based on primary survey data from managers. In addition, the sample was small because of the nature of the data. However, we employed different methods to ensure the robustness of our results. However, new studies could identify novel ways of measuring risk management to expand the sample. For example, the number of controversies faced by a company could also be used as a proxy to measure risk management because these issues are the consequence of a company's risk policy. Finally, this study was limited to Spanish firms. Therefore, future studies in other contexts are welcome.
Our findings have several managerial implications. ERM systems are useful tools that managers should consider when managing corporate reputation and sustaining a high level of CSR performance. Effective ERM systems control company risks to a responsible degree of tolerance, enabling firms to sustain high CSR performance and meet stakeholder expectations. Having ERM systems raises companies' awareness, helping companies close the gap between expectations and actual behavior and reducing the risk of reputational damage. This approach can lead to more responsible management because it places the focus on reducing potential negative impacts (risks), ensuring sustainable CSR performance. Thus, companies should detect the risk that they face in their daily activities in order to build a risk map. This map should identify and evaluate all risks in terms of their probability and the magnitude of their impact. In addition, the responsibility of the agents involved in this process throughout the organizational hierarchy must be defined. The risks identified in this process should lead to CSR actions. Our findings empirically justify the approach of some companies as described in their annual reports. When they identify some out-of-tolerance risks for certain stakeholders, they implement CSR actions to prevent a negative impact on the company. Furthermore, our findings also justify the use of CSR actions to improve and manage corporate reputation. Business executives already consider CSR a major driver of corporate reputation (Weber Shandwick, 2015). However, managers should also consider two effects derived from the materialization of a reputational risk. First, crises always have an immediate impact on corporate reputation. That is, in the short term, corporate reputation is always negatively affected. Therefore, the implementation of high-quality ERM systems is important. Second, after the negative event that leads to a crisis emerges, stakeholders will look for answers and culprits. At this point, diligent risk management policies can help regain stakeholder trust by protecting the company from accusations of guilt.
Funding Open Access funding provided thanks to the CRUE-CSIC agreement with Springer Nature.
Open Access This article is licensed under a Creative Commons Attribution 4.0 International License, which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons licence, and indicate if changes were made. The images or other third party material in this article are included in the article's Creative Commons licence, unless indicated otherwise in a credit line to the material. If material is not included in the article's Creative Commons licence and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder. To view a copy of this licence, visit http:// creat iveco mmons. org/ licen ses/ by/4. 0/.