© 2013 IBM Corporation Reputational risk and IT in 2013 How to protect brand value with security and business resiliency Presenter Date

Upload: darcy-harmon

Post on 18-Jan-2016


TRANSCRIPT

Page 1

Reputational risk and IT in 2013

How to protect brand value with security and business resiliency

Presenter

Date

Page 2

Patrick Mcilwee FBCI, FICPEM, BSc, MBa, MRs

International keynote speaker

Nearly 30 years in industry

4575 events successfully handled

Author

Fellow of the BCI

Fellow of the Institute of Civil Protection & Emergency Management

Page 3

Page 4

Agenda

Why reputational risk is a critical issue

What IT risk factors most impact reputation

Six key recommendations for effective reputation and IT risk management

Page 5

OPTIONAL SLIDE

Presenter: Add a slide on a recent or high-profile incident relevant to your customer / audience

Page 6

Reputation has a definable value — much like brand value — that can be diminished by IT risk-related events

-21%: The economic value of a company’s reputation declines an average of 21% as a result of an IT breach of customer data*

*“Reputation Impact of a Data Breach: U.S. Study of Executives & Managers,” Sponsored by Experian® Data Breach Resolution Ponemon Institute, November 2011.

“Underestimating the cost of reputational risk greatly exceeds the cost of protection.”

Finance manager, American financial services company

Economic value assigned to corporate brand or reputation* (chart labels: US$1M, US$10B; average US$1.56B)

Page 7

The impact on “reputation recovery” is measured in months, not hours or days like recovery time objectives (RTO)

Chart: reputation recovery time by IT risk factor (legend: 0-6 months, 6-12 months, 12+ months)

Website outage: 71%, 12%

System failure: 68%, 8%

Mobility (BYOD): 68%, 14%, 10%

Data loss: 64%, 14%, 10%

Inadequate continuity plans: 54%, 22%, 10%

Insufficient DR measures: 56%, 20%, 11%

New technology: 58%, 13%

Data breach: 59%, 16%, 13%

Compliance failure: 56%, 19%, 12%

Poor IT skills / tech support: 59%, 18%, 11%

Unplaced chart values: 6%, 15%, 15%

Study findings (2013 data)

Page 8

In partnership with the Economist Intelligence Unit, IBM has been studying the business perspectives of IT risk since 2010

2010 2011 2012 2013

IT security and system availability are key concerns

IT risk management lacks executive support

Emerging trend: holistic IT risk management

Compliance is an IT risk issue

CIOs and IT managers chief stakeholders

IBM Global Reputational Risk and IT Study, 2012 and 2013

Findings of the study: IT is a key safeguard to protecting against reputational harm

Implications of the study: what you can do to protect your reputation

Page 9

Our most recent worldwide study examined where and how IT affects reputational risk — and where the gaps are

Largest study to date examining the relationship between IT and reputational risk

Initial survey of 427 respondents was conducted by the Economist Intelligence Unit on behalf of IBM

Additional 175 participated online at an IBM survey website

Respondents: 604

North America, 47%

Europe, 23%

Asia Pacific, 19%

Middle East/Africa, 6%

Latin America, 4%

Industries: 23*

Banking, 18%

IT/Tech, 13%

Energy/Utilities, 10%

Insurance, 9%

Financial Markets, 9%

Professional Services, 5%

All others, 36%

Job titles: 15*

IT manager, 33%

CIO/CTO/Tech director, 11%

CEO/President/Managing Director, 10%

CRO/Risk Director, 2%

Other C-suite, 10%

SVP/VP/Director, 11%

Other non-C-suite, 23%

Company sizes: 5

$500M or less, 35%

$500M to $1B, 14%

$1B to $5B, 15%

$5B to $10B, 9%

$10B or more, 26%

*Top responding categories shown.

Page 10

Data breach tops the list of IT risk factors that can cause the most reputational harm

Top three IT risk factors harmful to reputation:

Data breach: 62%

System failure: 45%

Data loss: 40%

Study findings (2013 data)

Page 11

Based on study findings and IBM IT risk management expertise, we recommend six key initiatives

Six keys to effective reputational and IT risk management

1. Put someone in charge

2. Make the compliance connection

3. Reevaluate the impact of social media

4. Keep an eye on your supply chain

5. Avoid complacency

6. Fund remediation; invest in prevention

Page 12

1. Put someone in charge

Study findings (2013 data) Study implications

Ultimate responsibility for reputational risk should rest with one person — but who?

CEOs: multiple responsibilities, little time

CFOs: focused on financial risks, not IT

CROs: do traditional and IT risk responsibilities leave enough time for reputation risk?

Role most accountable for company’s reputation:

CEO: 80%

CFO: 34%

CRO: 24%

CIO: 23%

CMO: 22%

Emerging trend: the Chief Digital Officer

New C-suite role for technology-driven world

Strong business and technology knowledge

Responsible for all aspects of digital presence

Page 13

2. Make the compliance and reputation connection

Study findings (2013 data)

Study implications

Where IT and compliance intersect:

Regulatory requirements for recovery time from system outages

Legal requirements for data archiving, retrieval and eDiscovery

Legal and regulatory requirements for privacy and data protection

87% of banking respondents say IT failures can have severe compliance consequences

Reputational factors very strongly/strongly affected by IT risk:

Customer satisfaction: 74%

Brand reputation: 74%

Compliance: 72%

Profitability: 60%

Recommendations:

Integrate compliance requirements into IT and reputational risk strategies

Measure performance

Identify gaps in protection and mitigation processes

Page 14

3. Reevaluate the impact of social media

Companies are missing the opportunity to leverage social media to protect and recover their reputations

Study findings (2013 data)

Only 27% provide guidelines for employee social media use during a crisis

Only 19% have incorporated social media into their disaster recovery plans

Study implications

Add a third dimension to risk management

1 Likelihood: 1 in 7? 1 in 100?

2 Impact: Severe, Moderate, Mild

3 Velocity (NEW!)

Respond swiftly to IT-related reputational incidents—and use social media as an informational channel

Build a bank of goodwill—use social media as a channel for enhancing your reputation

Page 15

“A major deliverable was on a contractor’s laptop, and it was stolen. We missed an important client deadline and lost the source files for all the work.”

Chief marketing officer, American education company

4. Keep an eye on your supply chain

Study findings (2013 data) Study implications

Two aspects of vulnerability

Security: Sensitive data shared with third parties can be compromised

Continuity: Supplier downtime can disrupt production and product availability

Only 28% of companies are “very strenuously” requiring their vendors, partners and supply chain to match levels of risk control*

*Average

Recommendations

Identify outside sources that your company relies on

Require partners to meet your levels of IT and reputational risk management

Verify compliance through regular auditing and reporting

Page 16

5. Avoid complacency

82% rate reputation as excellent or very good

18% rate ability to manage IT risk as very strong

Recommendations

Ensure that foundational IT risk management tools are in place

Map IT and reputational risk strategy to concrete, measurable tactics

Perform regular gap analysis

Stay ahead of new technology and changing threats

There is room for improvement in almost every organisation

Perception/reality gap

Study implications

Study findings (2013 data)

Page 17

Companies are overlooking many of the security controls that can proactively protect their reputations before harm happens

Security controls in place:

Firewall management

Identity/access controls

Network/endpoint protection

Security threat intelligence

Penetration testing

Encryption

Vulnerability scanning

Mobile device security

Chart value shown: 70%

Confidence level: 66% very confident/confident about protection against data breach

Study findings (2013 data)

Page 18

Companies have continuity basics in place, but are missing IT fundamentals that provide additional protection

Continuity controls in place:

Backup/restore testing

Fully documented DR plan

Automated backup processes

Change management

24x7 software tech support

Testing includes business users

Chart values shown: 76%, 69%, 69%

Confidence level:

68% very confident/confident about protection against systems failure

73% very confident/confident about protection against data loss

Study findings (2013 data)

Page 19

6. Fund remediation; invest in prevention

Study findings (2013 data) Study implications

Only 56% of companies say IT risk management funding is adequate to protect reputation

54% of companies have increased spending on IT related to reputational risk over the past 12 months

55% of companies will increase spending on IT related to reputational risk over the next 12 months

Recommendations

Include the CIO in reputation risk management

Evaluate the cost of inadequate funding

Treat IT as a core business asset, not a cost centre

Base IT spend on risks and outcomes, not revenue or sales

The cost of system downtime*

$181,770 per hour

The cost of data centre downtime

$418,017 per event

The cost of a business interruption event

*“Datacenter Downtime: How Much Does It Really Cost?” Aberdeen Group, February 2012.

Page 20

Going forward, new technologies and social media will help fuel increased focus on reputational risk

68% will increase focus on reputational risk compared to five years ago

Why increase?

New technology/social media, 43%

Previous event harmful to competitor/industry, 20%

Previous event harmful to company, 18%

Board of directors/C-suite mandate, 10%

Other, 7%

Shareholder pressure, 3%

“Technology is an amplifier in all it touches, for better and worse. If we use it, we must manage it rigorously.”

CIO, Barbados professional services firm

Study findings (2013 data)

Page 21

Reputational risk and IT in 2013—a point of view from IBM

As cybercrime escalates, so will reputational risk

Social media is the best tool you have to minimise reputational damage

Reputational risk will become a primary justification for IT investment

Your partners’ compliance with your security and continuity standards will be mandated

Page 22

What can you do now? Develop your own set of best practices.

Be proactive — and be prepared to invest in IT controls

Create a collaborative environment — encourage executives, risk management specialists and IT managers to work together

Engage in scenario analysis, especially with new technology

Assess risk across the supply chain, and confirm partners’ compliance with your standards

Consider outside help for an unbiased view of perception versus the reality of your risk exposure

Page 23

How well are you doing? Find out with the IBM Reputational Risk Index

Learn more about the reputational risk and IT connection, and how IBM can help you protect the reputation and value of your company

Download the full study report: ibm.com/services/riskstudy

Scan the code or go to www.ibmriskindex.com

Download the IBM point-of-view: ibm.com/services/riskstudy

Your score: 129 out of 200

Page 24

Thank you for your interest

Page 25

IBM United Kingdom Limited, PO Box 41, North Harbour, Portsmouth, Hampshire PO6 3AU, United Kingdom

IBM Ireland Limited, Oldbrook House, 24-32 Pembroke Road, Dublin 4

IBM Ireland registered in Ireland under company number 16226 

IBM, the IBM logo and ibm.com are trademarks of International Business Machines Corporation in the United States, other countries or both. If these and other IBM trademarked terms are marked on their first occurrence in this information with a trademark symbol (® or TM), these symbols indicate U.S. registered or common law trademarks owned by IBM at the time this information was published. Such trademarks may also be registered or common law trademarks in other countries. Other product, company or service names may be trademarks or service marks of others. A current list of IBM trademarks is available on the web at "Copyright and trademark information" at ibm.com/legal/copytrade.shtml. This document is current as of the initial date of publication and may be changed by IBM at any time. Not all offerings are available in every country in which IBM operates. THE INFORMATION IN THIS DOCUMENT IS PROVIDED “AS IS” WITHOUT ANY WARRANTY, EXPRESS OR IMPLIED, INCLUDING WITHOUT ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND ANY WARRANTY OR CONDITION OF NON-INFRINGEMENT. IBM products are warranted according to the terms and conditions of the agreements under which they are provided.

© Copyright IBM Corporation 2013