Cybersecurity and Managing Reputational Risk

The onslaught of cyberattacks being reported in the media is causing organizations to struggle in their attempts to keep risk management efforts in sync with the pace of threats. According to Aon Insurance and Risk Management, out of over 50 categories of risk, reputational risk is the number one concern across the globe. The 2007 Global Risk Management Survey indicated the same result more than a decade ago.

The most common approach to managing reputational risk is to view it from the perspective that bolstering security and placing a heavy focus on preventing security breaches will sufficiently mitigate reputational loss.

Aon cautions organizations to consider the opposite perspective — that reputational issues can open opportunities for security incidents. All organizations need the benefit of risk management teams that can monitor and analyze all risks, including the cause-and-effect nature of reputational risks.

Proper Cyber Risk Management Entails Assessing How Reputational Issues Negatively Impact Security

Reputational loss threatens the public’s view of a company or organization. Loss of reputation directly impacts finances for businesses and nonprofits. A loss that causes reputational damage is considered reputational risk.

Corporate consulting experts caution organizations to consider that managing reputational risk is a two-way relationship. Security impacts reputation and reputation impacts security.

Deloitte, a corporate audit, consulting, advisory and tax organization, cites that “security risks, including both physical and cyber breaches,” caused reputational risks more frequently than other types of risks, according to their 2018 CEO and Board Risk Management survey. Aon notes that risk management teams would be wise to avoid taking a simplified approach to risk management.

To look at the reverse effects of reputation, Aon recommends that organizations look at the four Ps within their companies — products, policies, people and politics. Here’s why that can be valuable advice:

Products

Great new products and services are only great until someone uncovers some unethical situation related to them. Perhaps someone discovers a flaw in the product design or production, such as using substandard materials or products with missing parts. Companies sometimes exacerbate the situation by producing fraudulent, false or misleading marketing statements. Allegations, whether they prove true or not, can quickly threaten a company’s reputation, especially with the viral speed of social media. To top that, the media has the power to destroy companies overnight.

A prime example of how a product threatened major pharmaceutical companies is opioids. Opioids quickly became the painkiller of choice for many physicians who failed to consider the addictive qualities of the drug. As a result, physicians became over-reliant on prescribing opioids to help their patients be more comfortable. It wasn’t long before people from all walks of life began struggling with opioid addiction. The trend in pain management has led to a growing opioid crisis. People are protesting the excessive prescribing of opioids and demanding restrictions on the drugs to protect our society.

Policies

Organizations need the assistance of lots of policies, procedures and practices to ensure fair and ethical treatment and good governance, among other things.

In this realm, two terms often get confused — illegal and unfair. For example, a company can fire someone because the boss doesn’t like them and that’s perfectly legal. However, if a manager fires someone simply because of their race or gender, that’s discrimination and it’s illegal. Unfair practices may not be illegal at all, but they still leave a bad taste in someone’s mouth. Whether an issue is illegal or unfair, it can and does affect organizations’ reputations.

People

People are a huge source of reputational risk. This applies to people both inside and outside of organizations. Executives need to be highly careful of any statements they make publicly, especially during times of crisis. Retractions don’t always get the same attention as breaking news.

Corporate policies make it easier for employees and others to bring forth allegations of sexual, physical and emotional harassment, which can quickly go viral and create reputational risk. There is much concern among shareholders and other stakeholders about the actions, behavior and lifestyles of corporate executives. Lower-level managers can also be a source of rampant reputational risk.

Public reviews and star ratings are a real asset when they’re favorable toward a company. Companies like Glassdoor also provide a public forum for disgruntled employees to voice their opinions (negative or positive) about companies for which they have worked. They can even post anonymously.

Politics

When organizations meet politics, it can really turn people off and damage an organization’s reputation in the process.

One notable example of this was when protestors took to chaining themselves to the entrance of Uber because they disapproved of President Trump inviting Uber’s former CEO, Travis Kalanick, to participate in his Strategic and Policy Forum in 2017.

In a more recent example, the issue of how the federal government is handling migrant detainees is a major source of controversy. While much of the media attention focuses on the federal government, it’s important to consider the thousands of contracts that the government has with public and private companies and that they rely on to enforce laws. Microsoft employees have expressed their displeasure at the FedRAMP High ATO (authority to operate) agreement that assures that Microsoft’s Azure Government meets all security and compliance standards to meet ICE’s most confidential classified and unclassified data. Azure aids the federal government in facial recognition and identification of humans.

As the 2018 Deloitte survey mentioned above notes, only 50 percent of organizations can identify reputational risk events and only 53 percent have the capacity to analyze them and predict their impact. It is prime time to move ahead of the competition in managing all kinds of risks.

Reputational risk is a sensitive risk that can create extreme financial impact, both positive and negative. Board management software by BoardEffect presents a secure way for boards, executives and their risk management committees to collaborate and communicate about the company’s risk management plans and strategies.

A company’s reputation takes years to build. It can be destroyed overnight, taking the board of directors’ credibility and reputation down with it. Ultimately, boards are responsible for overseeing reputational risks along with other risks. A highly secure board management software program is a necessity in the fast-changing corporate world.