Safeguarding corporate reputations is becoming significantly more challenging as digital technologies open access and blur boundaries. With technology a part of nearly everything a business makes, sells or services – and the primary means by which so many companies interact and transact with their customers – brand value is increasingly tied to technology performance. Failures, be they breaches, breakdowns or brownouts, exact a significant toll, one amplified and sharpened by a 24/7 news cycle and the social media environment. To put into perspective just how closely IT is interwoven with reputational risk, consider that research shows a significant customer data breach causes the economic value of a company’s reputation to decline by an average of 21 percent [1].
Step 1: Clarify accountability
Organizations must clarify the chain of command with respect to reputational risk from IT. When a crisis hits, communications and response plans need to be rolled out and a sequence of decisions made – often within minutes. That is no time to be scrambling to gain consensus and schedule meetings with a cast of senior executives.
In some organizations, accountability may rest with one individual, a chief risk or digital officer, someone with the organizational clout to speak to a range of business and IT issues. Other organizations prefer a team approach with shared responsibility among the CFO, CIO and CMO, individuals whose functions span the types of reputational risks affected most by IT. Either approach can work as long as the governance framework supporting it is clear and roles and expectations clearly defined.
Step 2: Understand the connection between compliance and reputation
Compliance has traditionally been seen as discrete from reputational risk management, but IT failures have severe consequences for compliance, particularly when it comes to data protection and archiving, capabilities that are essential to responding effectively to legal or regulatory inquiries. Keeping compliance siloed within the finance function can leave an organization open to preventable vulnerabilities. To reduce that chance, a review of compliance practices and processes should form part of an organization’s formal reputational and IT risk management program.
Step 3: Assess the effect of social media
Given the power and immediacy of social media, reputational and IT risk strategies must take it into account. That means identifying ways in which social media can be employed to enhance the company’s reputation, and understanding what safeguards are needed to protect the organization from its potentially damaging effects.
It also means having the right policies in place internally so employees understand how to make best use of the medium to help the company without further compromising the company’s reputation or revealing sensitive information. As with any risk mitigation strategy, organizations must have a tested communications and crisis response plan in place to help thwart the potential for customer backlash to grow into a social media firestorm.
Step 4: Hold your supply chain to the same standards
In an interconnected operating environment, businesses are only as secure as their supply chains. A disruption in one link, be it a missed shipment, a defective part, sloppy standards or substandard workplace conditions, can have a domino effect with lingering financial and reputational repercussions. And because the problems occur outside the company, redress can be more complicated, costly and cumbersome.
Sensitive corporate data that is shared with third parties can be compromised if those third parties lack robust IT security and resiliency protections. Inadequate protections on the part of a key supplier can result in unplanned downtime, leading to disruptions in production cycles that reflect negatively on both the corporation and the partner.
To stay protected, organizations not only need to require their partners to match their level of reputational and IT risk management, they also need to verify adherence to these standards through regular audits and other reporting methods.
Step 5: Invest in prevention and avoid complacency
It’s human nature to assume that what hasn’t happened won’t happen, and that the measures in place to mitigate IT and reputational risks are sufficient. The reality, of course, is that the threat is constantly changing. Recent high-profile incidents across industries show that computer hacking and data breaches have become more sophisticated and more difficult to trace.
Reputational and IT risk management needs to be adequately funded to cover the range of liabilities faced. When one considers that a typical business interruption event can result in more than $400K in direct costs alone [2], the business case for investing to protect against those risks becomes clearer.
Organizations not only need to have the basic protections in place, such as firewalls and identity and access controls, they also need to conduct regular penetration testing and stay current with the latest security intelligence. Organizations should also perform regular gap analyses to ensure that both strategy and tactics evolve to address ever-changing risks.
1. “Reputation Impact of a Data Breach: US Study of Executives & Managers,” sponsored by Experian Data Breach Resolution, Ponemon Institute, November 2011.
2. Ponemon Institute.
3. 2012 Global Reputational Risk and IT Study, IBM.