reputational risk and the c-suite
Post on 03-Apr-2018
7/28/2019 Reputational risk and the C-suite
http://slidepdf.com/reader/full/reputational-risk-and-the-c-suite 1/12
Reputational risk and the C-suite: How IT risks can shape a company’s reputation and value—the enterprise executives’ point of view
IBM
Research Report
Risk Management
Findings from the 2012 IBM Global Reputational Risk and IT Study
Reputational risk and the C-suite: How IT risks can
shape the reputation and value of your company—
the enterprise executives’ point of view draws upon
an IBM study that investigates how organizations
around the world are managing their reputations in
today’s digital era, where IT is an integral part of the
organization and IT failures can result in reputational
damage. The online survey and interviews were
conducted by the Economist Intelligence Unit
on behalf of IBM. We would like to thank all of
the executives who participated in the survey and
interviews for their valuable time and insight.
About the survey
The survey, conducted in June 2012 by the
Economist Intelligence Unit, included responses
from 427 senior executives from around the world.
Of them, 42 percent are C-level executives. About
33 percent of respondents are from North America,
29 percent from Europe, and 26 percent from Asia-Pacific.
Companies with less than US$500M in
revenue comprise 37 percent of respondents, and 52
percent come from companies with more than US$1B
in revenue. The survey covers nearly all industries,
including banking (19 percent), IT and technology
(15 percent), energy and utilities (13 percent), and
insurance (11 percent).
The 2012 IBM Global Reputational Risk and IT Study survey, conducted by the Economist Intelligence Unit, gathered information from 427 senior executives—including 176 C-suite members—from around the world.
Respondents: 427
Regions: North America, 33%; Europe, 29%; Asia Pacific, 26%; Middle East/Africa, 8%; Latin America, 5%
Industries: 23* (Banking, 19%; IT/Tech, 15%; Energy/Utilities, 13%; Insurance, 11%; Fiscal Markets, 9%; Professional Services, 5%; All others, 28%)
Job titles: 15† (CEO/President/Managing Director, 13%; CIO/CTO/Tech director, 12%; CFO/Treasurer/Comptroller, 8%; CRO/Risk director, 3%; CMO/Marketing director/Brand director, 1%; Other C-suite, 5%; IT manager, 24%)
Company sizes: 5 ($500M or less, 37%; $500M to $1B, 13%; $1B to $5B, 16%; $5B to $10B, 9%; $10B or more, 27%)
*Top responding categories shown †Break-out of C-suite titles
A spotless reputation
Business leaders usually have a good understanding of the
value of their organization’s reputation. A strong reputation
generates stakeholder trust. If a company is trusted, customers
will buy and recommend its products; prospective investors
and employees will want to become part of it; and communities
will welcome its operations.
The unfortunate reality, however, is that corporate reputations
are increasingly difficult to manage in the digital era, and can
be easily sullied by any number of factors—among them IT
failures. With social media sites such as Facebook and Twitter
boasting over 950 million and 500 million users respectively,
and business-focused LinkedIn providing instant connections
in over 200 countries, there is now a highly visible and
immediate alternative to a company’s own communications
regarding its reputation.
“All C-level executives need to be aware of the technology risks that can affect our reputation in the marketplace.”
— CIO, insurance company, Mauritius
In response, more organizations have introduced reputational
risk as a distinct category within their enterprise risk
management frameworks. Our research finds that companies
have begun to pay closer attention to the links between IT
failures and reputational damage. It looks at how executives are
attempting to protect their brands from what could arguably be
called “a preventable glitch.”
Based on CEO, CIO and CFO responses to the study, three
principal forces drive corporate reputations: provision of a
best-in-class product or service, customer satisfaction and
compliance. CFOs add profitability to the mix, as well.
Considering how companies are becoming increasingly
dependent on technology to fulfill all four—to say nothing
of running the business—the consensus is clear: IT risk can
imperil companies’ productivity, damage customer relations
and ultimately erode trust.
It is interesting to note that—compared to each other and to
study respondents as a whole—CEOs, CIOs and CFOs often
have widely divergent opinions on the effect of IT risk on their
companies’ reputations and reputational risk management
practices. To some extent, these differences can be attributed
to each C-suite executive’s area of expertise and point of view.
Such differences of opinion can be good for an organization,
encouraging exploration of all areas of risk and potential
solutions. They can also, however, result in a skewed view
of the reputational risk and IT connection and inadequate
funding for protections. In these cases, companies may benefit
from the holistic and objective recommendations of a
third-party consultant.
This report describes how C-suite executives around the world
are seeking to protect their organizations’ reputations by
adapting to the pervasiveness of technology and ongoing shifts
in the business environment and IT landscape.
An ounce of prevention
CEOs, CIOs and CFOs have begun to look more closely at
the reputational implications of IT failures. Study respondents
say that IT exerts a particularly strong influence on brand
reputation, compliance, customer satisfaction and profitability
(see Figure 1).
C-suite executives also identify three core responsibilities of
the IT function where reputational risks are the highest:
• Security (84 percent)
• Business continuity (77 percent)
• Technical support (65 percent)
It is easy to understand why executives believe that security
has stronger links to reputational risk than IT functions such
as business continuity or technical support. A company’s
reputation would surely suffer, for example, if its customer
database was breached and customer credit card numbers were
stolen. It is interesting to note, however, that when individual
C-suite executives were asked about the specific IT risks with
the biggest impact on their companies’ reputations (see Figure
2), their answers were far less definitive than those of study
respondents as a whole. This begs the question whether the
C-suite has the information necessary to make appropriate IT
and reputational risk management decisions.
Figure 1. Among the four business elements cited most often by C-suite
executives as “very much” affected by IT risks, there is a significant divergence
of opinion between CIOs and CFOs.
[Chart: brand reputation, compliance, customer satisfaction and profitability, shown for CEOs, CIOs, CFOs and all study respondents.]
Figure 2. CEOs, CIOs and CFOs are less definitive than all study respondents when selecting the top three IT risk factors impacting their companies’ reputations.
[Chart: data breaches, data loss, systems failures and website outages, shown for CEOs, CIOs, CFOs and all study respondents.]
While all C-suite executives agree on the importance of
securing against data breaches, they differ on the importance
of business continuity risks. CEOs and CFOs put data loss
in second place among their top three IT risk factors;
CIOs place systems failures at number two. Systems failures
are number three on CEOs’ and CFOs’ lists, while website
outages—which was not a top three answer among all study
respondents—rank third in CIOs’ lists.
When it comes to technical support failures, CMOs indicate extended reputational recovery times of 12 to 24 months.
While technical support ranks third among core IT
responsibilities in terms of the possible threat posed to a
firm’s reputation, all study respondents rank it at the top of
the list of failures that require between six and 24 months
of recovery time. In fact, chief marketing officers (CMOs),
who are arguably closest to the public pulse when it comes
to their companies’ reputations, extend the recovery time for
inadequate technical support to between 12 and 24 months,
a potentially critical hit to a company’s competitive position.
Only about 12 percent of respondents say they have recently
experienced severe technical support failures, but the intensity
of risk is elevated by the relatively long recovery times
following an incident of this nature. The intensity of risk can
be further elevated as a company adopts new technologies such
as cloud and social media.
Reactive versus proactive
One problem identified by the study findings is that many
companies take a reactive approach to IT risk management.
They typically dedicate resources to risks like data theft and
cybercrime, systems failure and data backup failure where they
have experienced serious failures in the past. But they pay less
attention to emerging risks that have not yet caused major
reputational damage. CEOs, CIOs and CFOs report that
resources are least often allocated to proactive items such as
technical support, the use of social media tools in their disaster
recovery plans and change management.
MESSAGE TO THE CEO:
“Underestimating the cost of reputational risk greatly exceeds the cost of protection. Being proactive is preferable to being reactive.”
IT manager, energy and utility company, US
Executives are, however, attempting to look beyond the
rearview mirror. Of the 63 percent of C-suite respondents who
say their company will focus more on managing its reputation
in the future, nearly half (46 percent) say this is driven by the
growth of technology and social media, while only 18 percent
cite previous adverse experiences as the primary driver. Not
only are companies more willing to look for blind spots in their
risk management frameworks, they are also dedicating the
necessary resources to support their IT risk management. Over
90 percent of C-suite respondents say their IT budget will
grow over the next 12 months due to reputational concerns,
and 16 percent say the increase will be more than 20 percent.
As one US-based study respondent argues, “Underestimating
the cost of reputational risk greatly exceeds the cost of
protection. Being proactive is preferable to being reactive.”
Five characteristics of highly trusted companies
For the purposes of this study, a “successful” organization
is one that respondents identified as enjoying an “excellent”
reputation. Interestingly, only 30 percent characterized their
company in these terms. Notwithstanding the bias inherent
in the self-rating process, an analysis of relative reputational
performance reveals that these organizations share a
common approach of linking strong IT risk management
capabilities with a solid understanding of how specific IT
risks can threaten reputation. While this list is by no means
exhaustive, these characteristics have been distilled down to
the following list of five key success factors.
1. Integration of reputational and IT risk
Notably, an overwhelming majority (83 percent) of
executives who characterized their firms as having
excellent reputations say their company has integrated IT
into reputational risk management (see Figure 3). Still, the
fact that nearly two-thirds (64 percent) of those who
rated their firms’ reputation as average or worse than
their competitors also say that IT has been integrated into
reputational risk management underscores that this alone
does not guarantee success.
2. Mapping of IT threats to key elements of reputation
Successful organizations perceive stronger links
between IT threats and key elements of reputation.
The correlation is especially strong between IT and customer
satisfaction and brand reputation.
3. Strong IT risk management capability
About 84 percent of companies with an excellent
reputation say they have strong or very strong IT
risk management capacity (see Figure 3). This compares
with fewer than 30 percent of companies with reputations
described as average or weaker than those of their
competitors. Not surprisingly, strong IT risk management
capabilities also mean that the company experiences fewer
severe reputational incidents. For example, in the case of a
data theft/cybercrime event, approximately 80 percent of
study respondents who rate their firm’s IT risk management
as “very strong” say they can recover in six months or less,
compared with only about half of those with “weak” IT
risk management.
4. Robust IT risk management funding
Successful firms have well-resourced IT risk
management functions (see Figure 3). The proportion
who say their firm’s IT risk management function has
adequate funding falls from 78 percent for those with excellent
reputations to 59 percent of those with very good reputations,
and to 36 percent of the remainder.
5. Strenuous supply chain control
Successful firms are significantly more likely than
others to report that they very strenuously require
vendors and supply chain partners to meet the same levels
of control as required internally (see Figure 3). The proportion
of respondents who say they do this drops from 58 percent
of those rated excellent to 38 percent of very good and to 33
percent of the others.
Larger firms are generally better equipped to manage IT risks
than smaller firms. This accounts for the higher proportion of
large firms with excellent reputations. However, organizations
of all sizes have succeeded in managing IT risks to contribute
to building excellent reputations.
Figure 3. Important IT risk elements and how often they are implemented by companies of varying reputational strength. The study found a direct relationship between IT funding and reputational risk management success.
Organizations categorizing their reputation as: Excellent / Very good / Average or worse
Integrate IT into reputational risk management: 83% / 81% / 64%
Have strong/very strong IT risk management capacity: 84% / 63% / 28%
Have adequate IT risk management funding: 78% / 59% / 36%
Very strenuously require vendors and partners to match standards: 58% / 38% / 33%
Reputation and the supply chain
The organization’s supply chain is a point of concern for all
study respondents. When a supplier, vendor or other third
party experiences an IT failure related to the organization’s
systems, data or customers, that failure can have as significant
a reputational impact as a failure within the organization.
Further increasing the risk, third parties are more challenging
to control than in-house systems and staff.
C-suite executives are more concerned about the supply chain
risk gap than study respondents as a whole. Analysis of the
responses of CEOs, CIOs and CFOs reveals that there are
particular areas where they view their companies as requiring
no control at all on the part of their partners (see Figure 4). In
particular, CEOs identify suppliers’ disaster recovery measures
and systems failure protections to be a source of concern.
CIOs’ areas of concern are systems failures and data loss, while
CFOs see no supplier control in the areas of IT skills, disaster
recovery plans and business continuity plans.
The marked difference between the responses of all study
respondents compared to responses of C-suite executives
makes supply chain control an area of concern to which most
companies will want to pay increased attention. The public will
almost always blame the corporation, rather than its website
vendor, when a data breach happens. In getting to the bottom
of the supply chain control issue, it will be important to
determine whose perception is accurate, the C-suite or other
executives, and a third-party consultant may prove invaluable
in making this assessment.
Figure 4. The C-suite sees more instances of “no control at all” over the reputational risk management attributes of their third-party suppliers, as compared to study respondents overall.
[Chart: lack of IT skills, inadequate business continuity plans, data breaches, inadequate disaster recovery measures, data loss and systems failures, shown for CEOs, CIOs, CFOs and all study respondents.]
Top-down and bottom-up approaches to
managing IT-related reputational risks
The vast majority (85 percent) of C-suite respondents in
the study say the CEO is most accountable for their
company’s reputation, followed by CFO (33 percent),
CIO (27 percent) and CMO (25 percent). Of particular
note, close to two-thirds say that accountability is shared
among more than one C-level position.
Who is responsible? CEO, 85%; CFO, 33%; CIO, 27%; CMO, 25%
Figure 5. Who is most responsible for a company’s reputation? C-suite executives overwhelmingly give first place to the CEO. Only CIOs included themselves among the top three.
It is interesting to note that only CIOs include themselves
on the list. Of even greater importance is the fact that CEOs,
CIOs and CFOs assign each other far less responsibility for
their companies’ reputations than do study respondents as
a whole. In some cases, responsibility is assigned to other
C-level executives such as the chief risk officer or chief security
officer, indicating that reputational responsibility may be more
compartmentalized—and reputational risks less holistically
managed—than may be good for the organization.
The level of reputational responsibility assumed by the C-suite
is consistent with broader trends toward greater C-level
responsibility for integrated enterprise-wide risk management.
In a 2011 study[1] of 391 senior executives sponsored by IBM
and conducted by the Economist Intelligence Unit (EIU), 71
percent of respondents said that C-level executives were “very
involved” in their organization’s overall risk management
strategy, and 88 percent said they expected this level of
involvement to increase. Yet executives suggest that the most
successful strategies come together when risk managers with
different specialties collaborate to provide integrated risk
profiles to senior management. Over three-quarters of C-suite
participants say that IT risk exposures are escalated to the
C-level effectively.
The expanding role of marketing in protecting reputation suggests the need for closer collaboration between CMOs and CIOs.
A 2005 EIU survey[2] found that marketing managers played a
minor part in the management of reputational risk, and their
function was limited mostly to a communications role as the
company’s “eyes and ears” on reputational threats. In the
2012 study results, both CEOs and CFOs said that their chief
marketing officer is one of the top three corporate executives
responsible for the company’s reputation. This expanding
role of the marketing function suggests a need for closer
collaboration between CIOs and CMOs as companies employ
technology to make sense of mountains of marketing data that
can contain hidden insights into a company’s reputation.
Protecting reputation through
communication
While IT specialists are accountable for technical recovery
after an incident, they need to work closely with counterparts
in marketing, communications and public relations to clearly
communicate with stakeholders in the aftermath of a failure.
Experienced IT executives invariably say that these messages
need to be both swift and brutally honest, especially in an
environment where the media are primed to pounce on
perceived corporate deceit.
Communications to convince stakeholders that the causes of
an IT failure have been addressed can sharply cut the time
needed to restore trust, but the harm that a particular IT
failure causes to stakeholders increases the effort required. For
example, website outages inflict only minor inconvenience on
customers and are fairly easily explained. About 78 percent of
study respondents say they recover from such incidents in less
than six months. At the other end of the scale, it takes longer
to recover from reputational damage due to cybercrime, partly
because it tends to inflict more serious harm on stakeholders
and also because it can be harder to sell the message that the
problem has been entirely fixed.
Going social with risk management
Social media feature prominently in executives’ reasoning,
both in interviews and in study responses, about why they are
growing more concerned about protecting their companies’
reputations. Since social networking is enabled by technology,
there is a tendency to lump it in with IT-related technical risk.
But social media channels are not risks in themselves; rather
they are amplifiers of an organization’s reputation (for better
or worse). This means they should be evaluated as part of an
organization’s overall communications mix.
Only 19 percent of C-suite respondents say their company has a disaster recovery plan that includes the use of social media tools.
Social media have moved beyond their initial function of
enabling consumer-to-consumer communications. Blogs
focused on specialized business and technical communities
have a growing impact on business-to-business (B2B)
enterprises. In fact, “social” may no longer be an appropriate
term to describe peer-to-peer exchanges among community
members. In any event, the need to mitigate potential
reputational damage posed by accelerated communications is a
different challenge than effectively using social media as a tool
for engaging stakeholders. This study suggests that strategies
to deal with the latter are still in their infancy. Only 19 percent
of study respondents say that their company has a disaster
recovery plan that includes the use of social media tools.
CMO respondents highlight two areas where extended recovery times may require intensified
external communications
Inadequate business resilience plans: 33%
Lack of IT skills: 33%
Best practices for improving reputational
risk management performance
C-suite members interested in improving their organizations’
reputational risk management performance can learn from the
best practices identified by executives who participated in this
study. Effective strategies include:
• Be proactive rather than reactive. Be prepared to invest
in developing comprehensive reputational risk management
strategies that include robust controls on IT risks—
particularly those related to security, business continuity
and technical support—as well as other reputational risks.
• Create an organization where line of business
executives and IT managers collaborate with other risk
management specialists. Together they should be tasked
with presenting a comprehensive profile of
organization-wide reputational risks to senior management.
• Engage in scenario analysis, especially with new and
emerging technology. Don’t wait for an incident to
happen. There are plenty of case studies to be used as a
basis for “what if” planning.
• Assess risks across the whole supply chain. A failure
by a downstream supplier can be just as devastating as an
internal problem, and risk controls can be harmonized
among key players. Likewise, B2B companies should
collaborate with customers to provide assurance that all
relevant risks are well managed.
• Consider outside help. Employing an outside consultant
with a proven track record can aid your company’s
reputational and IT risk management efforts. An outside
consultant can look at the big picture from an objective
point of view, which may prove invaluable in eliminating
areas where company executives have a perception of
adequate protection while actual processes and procedures
indicate potential weaknesses.
Conclusion
Organizations of all sizes are paying more attention to
threats to their reputations stemming from today’s digital
environment. This concern is reflected in more integrated,
enterprise-wide approaches to risk management and increased
attention being paid to the direct reputational impacts of
IT risks. These include risks stemming from the use of new
technologies. Security has edged out business continuity as the
most important connection between IT risks and reputation.
MESSAGE TO THE CEO:
“IT… is like the heart pumping
blood to the whole body, so any failure could threaten the whole
organization’s survival.”
— IT manager, IT and technology company,
France
The findings of the 2012 IBM Global Reputational Risk and
IT Study demonstrate the importance of managing IT risks
within the context of the array of reputational risks confronting
the organization. When that happens, companies can enjoy the
trust and support of their key stakeholders, which ultimately
drives business performance.
© Copyright IBM Corporation 2012
IBM Corporation
IBM Global Technology Services
Route 100
Somers, NY 10589
Produced in the United States of America
December 2012
[1] Key trends driving global business resilience and risk: Findings from the 2011 IBM Global Business Resilience and Risk Study. September, 2011.
[2] Reputation: Risk of risks. Economist Intelligence Unit. December, 2005.
For more information
To help you share the information presented in this report
with your colleagues, you can download the corresponding
video report at http://youtu.be/cyyW19DyaAU. To learn
more about how IBM can help you protect your organization’s
reputation by strengthening IT risk management, contact your
IBM representative or visit the following websites.
For security and IT risk management, visit:
http://www-935.ibm.com/services/us/en/it-services/managing-risk-security-resiliency/index.html
Security essentials for CIOs:
ibm.com/smarterplanet/us/en/business_resilience_management/article/security_essentials.html
For business continuity and IT risk management, visit:
ibm.com/services/continuity
For technical support and IT risk management, visit:
ibm.com/services/techsupport
View the IBM reputational risk and IT infographic at:
ibm.co/repriskinfographic
Add your voice to the discussion
Your opinion matters! Participate in the extension of our 2012
reputational risk and IT survey. Just scan the quick response
code here or go to ibmrisksurvey.com
Your input will be added to what we anticipate will be the
largest survey ever conducted on this important subject. You
will receive the new analysis and report on the survey findings
in early 2013. Thank you very much for your participation.
CIW03084-USEN-00