
Reputational risk and IT
How security and business continuity can shape the reputation and value of your company

Global Technology Services
Research Report

Risk Management

Findings from the 2012 IBM Global Reputational Risk and IT Study

Reputational risk and IT: How security, business continuity and technical support can shape the reputation and value of your company is an IBM study that investigates how organizations around the world are managing their reputations in today’s digital era, where IT is an integral part of the organization and IT failures can result in reputational damage. The report was written by the Economist Intelligence Unit, which also executed the online survey and conducted the interviews on behalf of IBM.

We would like to thank all of the executives who participated in the survey and interviews for their valuable time and insight.

About the survey

The survey, conducted in June 2012 by the Economist Intelligence Unit, included responses from 427 senior executives from around the world. Of them, 42 percent are C-level executives. About 33 percent of respondents are from North America, 29 percent from Europe, and 26 percent from Asia-Pacific. Companies with less than US$500M in revenue comprise 37 percent of respondents, and 52 percent come from companies with more than US$1B in revenue. The survey covers nearly all industries, including banking (19 percent), IT and technology (15 percent), energy and utilities (13 percent), and insurance (11 percent).

Respondents by region
• North America: 33%
• Europe: 29%
• Asia Pacific: 26%
• Middle East/Africa: 8%
• Latin America: 5%

Respondents by industry*
• Banking: 19%
• IT/Tech: 15%
• Energy/Utilities: 13%
• Insurance: 11%
• Fiscal markets: 9%
• Professional services: 5%
• All others: 28%

Respondents by job title*
• IT manager: 24%
• Other non-C-suite: 23%
• Other C-suite: 14%
• CEO/President/Managing Director: 13%
• CIO/CTO/Tech Director: 12%
• SVP/VP/Director: 11%
• CRO/Risk Director: 3%

Respondents by company size (annual revenue)
• $500M or less: 37%
• $500M to $1B: 13%
• $1B to $5B: 16%
• $5B to $10B: 9%
• $10B or more: 27%

Respondents: 427. Industries: 23*. Job titles: 15*. Company sizes: 5.

The 2012 IBM Global Reputational Risk and IT Study survey, conducted by the Economist Intelligence Unit, gathered information from 427 senior executives from around the world.

*Top responding categories shown

A spotless reputation

Business leaders usually have a good understanding of the value of their organization’s reputation. A strong reputation generates stakeholder trust. If a company is trusted, customers will buy and recommend its products; prospective investors and employees will want to become part of it; and communities will welcome its operations.

The unfortunate reality, however, is that corporate reputations are increasingly difficult to manage in the digital era, and can be easily sullied by any number of factors—among them IT failures. With social media sites such as Facebook and Twitter boasting over 950 million and 500 million users respectively, there is now a highly visible and immediate alternative to a company’s own communications regarding its reputation.

In response, more organizations have introduced reputational risk as a distinct category within their enterprise risk management frameworks. Our research finds that companies have begun to pay closer attention to the links between IT failures and reputational damage. It looks at how executives are attempting to protect their brands from what could arguably be called “a preventable glitch.”

Based on this study of 427 senior executives worldwide, three principal forces drive corporate reputations: provision of a best-in-class product or service, customer engagement and trusted-partner status. Considering how companies are becoming increasingly dependent on technology to fulfill all three—to say nothing of running the business—the consensus is clear: IT risk can imperil companies’ productivity, damage customer relations and ultimately erode trust.

“IT…is like the heart pumping blood to the whole body, so any failure could threaten the whole organization’s survival.” — IT manager, French IT and technology company

Business continuity failure is one of the more obvious IT-related risks that can damage corporate reputations. But the study found that other IT threats—ones that do not necessarily interrupt operations—rank as high as or higher than business continuity on the list of reputational risk factors. In particular, executives consider data theft/cybercrime as the most serious threat, well ahead of systems failures. Emerging technologies such as cloud, bring your own device (BYOD) and social media further complicate the issue. These new technologies are less well controlled than other IT threats because organizations have not had time to fully adapt to them and, in the case of BYOD and social media, because they blur the line between professional and personal tools.

Jaideep Jain, an IT business partner with a global consumer goods company in India, says that larger companies, in particular, have been relatively slow to adopt technologies like cloud and BYOD. “These threats are understood, but…we don’t have data to quantify the risks. And because we’re approaching those technologies with such caution, we’re less likely to have experienced an incident.” Furthermore, Mr. Jain adds, it takes an incident or an adverse finding from a penetration test to truly focus attention on a new IT vulnerability.

This report describes how organizations around the world are seeking to protect their reputations by adapting to these ongoing shifts in the business environment and IT landscape.

An ounce of prevention

Executives have begun to look more closely at the reputational implications of IT failures. Study respondents say that IT exerts a particularly strong influence on customer satisfaction, compliance and brand reputation (see Figure 1).

Figure 1. Percent of respondents identifying business elements as “very much” affected by IT risks.
• Customer satisfaction: 46%
• Compliance: 41%
• Brand reputation: 40%
• Profitability: 21%
• Social media presence: 18%
• Supplier/partner relationships: 17%
• Stock price: 13%

Executives also identify three core responsibilities of the IT function where reputational risks are the highest:
• Security (84 percent)
• Business continuity (77 percent)
• Technical support (68 percent)

It’s easy to understand why executives believe that security has stronger links to reputational risk than IT functions such as business continuity or technical support. Suppose, for example, that a company’s customer database was breached and customer credit card numbers were stolen. That company’s reputation would certainly suffer. In a similar vein, study respondents indicate that data theft/cybercrime (61 percent) is more of a reputational threat than systems failures (44 percent), which reinforces the view that security is top of mind for executives today (see Figure 2).

Figure 2. IT risks posing the greatest threats to reputation.
• Data breaches/data theft/cybercrime: 61%
• Systems failures: 44%
• Data loss/failed backup or restore: 37%
• Compliance failures: 22%
• Website outages: 18%
• Insufficient disaster recovery measures: 17%
• Inadequate business continuity plans: 15%
• Lack of IT skills/poor technical support: 14%
• Technology adoption (e.g. cloud): 8%
• Workforce mobility (e.g. bring your own device): 3%

While technical support ranked third among core IT responsibilities in terms of the possible threat posed to a firm’s reputation, it ranks at the top of the list of failures that require between six and 24 months of recovery time. Only about 12 percent of respondents say they have recently experienced severe technical support failures, but the intensity of risk is elevated by the relatively long recovery times following an incident of this nature. The intensity of risk can be further elevated as a company adopts new technologies such as cloud and social media.

“Underestimating the cost of reputational risk greatly exceeds the cost of protection. Being proactive is preferable to being reactive.” — IT manager, US energy and utility company.

One problem identified by the study findings is that many companies take a reactive approach to IT risk management. They typically dedicate resources to risks like data theft and cybercrime, system failure and data backup failure where they have experienced serious failures in the past. But they pay less attention to emerging risks that have not yet caused major reputational damage.

Executives are, however, attempting to look beyond the rearview mirror. Of the nearly two-thirds of study respondents who say their company will focus more on managing its reputation in the future, nearly half (43 percent) say this is driven by the growth of technology and social media, while only 20 percent cite previous adverse experiences as the primary driver. Not only are companies more willing to look for blind spots in their risk management framework, they are also dedicating the necessary resources to support their IT risk management. Fully three-quarters of respondents say their IT budget will grow over the next 12 months due to reputational concerns, and 18 percent say the increase will be more than 20 percent. As one US-based study respondent argues, “Underestimating the cost of reputational risk greatly exceeds the cost of protection. Being proactive is preferable to being reactive.”

Going forward, assessing potential blind spots and new technologies will likely be accelerated through the use of case studies and scenario analysis rather than waiting for direct experience. “To use new technologies like cloud you need trust,” says Andrea MacIntosh, director of quality with Alpha Technologies in British Columbia, Canada. “How do you build trust? Either by demonstrating performance or through looking at comparable organizations that are using it with good success. I think there’s a lot of referential data for companies like ours, but as with any new technology, you’ve got to be cautious.”

64% say their company will focus more on managing its reputation in the future.

75% of respondents say their IT budget will grow over the next 12 months due to reputational concerns.

Five characteristics of highly trusted companies

For the purposes of this study, a “successful” organization is one that respondents identified as enjoying an “excellent” reputation. Interestingly, only 30 percent characterized their company in these terms. Notwithstanding the bias inherent in the self-rating process, an analysis of relative reputational performance reveals that these organizations share a common approach of linking strong IT risk management capabilities with a solid understanding of how specific IT risks can threaten reputation. While this list is by no means exhaustive, these characteristics have been distilled down to the following list of five key success factors.

1. Integration of reputational and IT risk
Notably, an overwhelming majority (83 percent) of executives who characterized their firms as having excellent reputations say their company has integrated IT into reputational risk management (see Figure 3). Still, the fact that nearly two-thirds (64 percent) of those who rated their firms’ reputation as average or worse than their competitors also say that IT has been integrated into reputational risk management underscores that this alone does not guarantee success.

2. Mapping of IT threats to key elements of reputation
Successful organizations perceive stronger links between IT threats and key elements of reputation. The correlation is especially strong between IT and customer satisfaction and brand reputation.

3. Strong IT risk management capability
About 84 percent of companies with an excellent reputation say they have strong or very strong IT risk management capacity (see Figure 3). This compares with fewer than 30 percent of companies with reputations described as average or weaker than those of their competitors. Not surprisingly, an excellent reputation and strong IT risk management capabilities also mean that the company experiences fewer severe reputational incidents. For example, in the case of a data theft/cybercrime event, approximately 80 percent of study respondents who rate their firm’s IT risk management as “very strong” say they can recover in six months or less, compared with only about half of those with “weak” IT risk management.

4. Robust IT risk management funding
Successful firms have well-resourced IT risk management functions (see Figure 3). The proportion who say their firm’s IT risk management function has adequate funding falls from 78 percent for those with excellent reputations to 59 percent of those with very good reputations, and to 36 percent of the remainder.

5. Strenuous supply chain control
Successful firms are significantly more likely than others to report that they very strenuously require vendors and supply chain partners to meet the same levels of control as required internally (see Figure 3). The proportion of respondents who say they do this drops from 58 percent of those rated excellent to 38 percent of very good and to 33 percent of the others.

Larger firms are generally better equipped to manage IT risks than smaller firms. This accounts for the higher proportion of large firms with excellent reputations. However, organizations of all sizes have succeeded in managing IT risks to contribute to building excellent reputations.

Figure 3. Important IT risk elements and how often they are implemented by companies of varying reputational strength. The study found a direct relationship between IT funding and reputational risk management success.

Organizations categorizing their reputation as:                    Excellent   Very good   Average or worse
Integrate IT into reputational risk management                        83%         81%         64%
Have strong/very strong IT risk management capacity                   84%         63%         28%
Have adequate IT risk management funding                              78%         59%         36%
Very strenuously require vendors and partners to match standards      58%         38%         33%

Many companies are also insisting that their supply chains strengthen their controls for managing IT-related reputational risk. The proportion of executives who say their company strenuously requires vendors and partners to meet the same levels of control ranges from 67 percent for data theft/cyber crime to 32 percent for workforce mobility risks (see Figure 4).

Figure 4. Percentage of respondents who strenuously require supply chain partners to apply the same level of IT risk control as their organizations do internally.


Ms. MacIntosh, whose company provides industrial power solutions, explains that a failure of one of Alpha’s backup power solutions could potentially paralyze a US telecom provider’s emergency phone service, triggering a regulatory and compliance fiasco. This would be a case of Alpha’s product failure triggering a customer’s IT failure. If Alpha had an IT failure of its own that became widely known (say through a power industry blog), Ms. MacIntosh says, this event would also have an impact on Alpha’s reputation and “we could lose the trust of potential customers.” Ms. MacIntosh contends that recognition of this connection is growing: “We’re seeing more requests from our customers for details of our IT infrastructure and security, along with on-site audits, as part of the supplier qualification process.”

“We’re seeing more requests from our customers for details of our IT infrastructure and security, as well as on-site audits, as part of the supplier qualification process.” — Andrea MacIntosh, Director of Quality, Alpha Technologies, Canada

Figure 4. Percentage of respondents who strenuously require supply chain partners to apply the same level of IT risk control as their organizations do internally.
• Data theft/cybercrime: 67%
• Data loss: 63%
• System failures: 60%
• Compliance failures: 58%
• Disaster recovery: 53%
• Business continuity plans: 52%
• Website outages: 50%
• Lack of IT skills: 43%
• Technology adoption: 37%
• Workforce mobility: 32%

Top-down and bottom-up approaches to managing IT-related reputational risks

The vast majority (over 80 percent) of executives in our study say the CEO is most accountable for their company’s reputation, followed by CFO (31 percent), CIO (27 percent), CRO (23 percent) and CMO (22 percent). Of particular note, close to two-thirds say that accountability is shared among more than one C-level position (see Figure 5).

This is consistent with broader trends toward greater C-level responsibility for integrated enterprise-wide risk management. In a 2011 study1 of 391 senior executives sponsored by IBM and conducted by the Economist Intelligence Unit (EIU), 71 percent of respondents said that C-level executives were “very involved” in their organization’s overall risk management strategy, and 88 percent said they expected this level of involvement to increase. Yet executives suggest that the most successful strategies come together when risk managers with different specialties collaborate to provide integrated risk profiles to senior management. Nearly three-quarters of study participants say that IT risk exposures are escalated to the C-level effectively.

A 2005 EIU survey2 found that marketing managers played a minor part in the management of reputational risk, and their function was limited mostly to a communications role as the company’s “eyes and ears” on reputational threats. As we move forward to the 2012 study results, nearly one-quarter of respondents said that their Chief Marketing Officer is one of the top three corporate executives responsible for the company’s reputation. This expanding role of the marketing function suggests a need for closer collaboration between CIOs and CMOs as companies employ technology to make sense of mountains of marketing data that can contain hidden insights into a company’s reputation.

Figure 5. Who owns it? The CEO is the clear leader when respondents choose the top three job functions most responsible for managing reputational risk.
• CEO: 80%
• CFO: 31%
• CIO: 27%
• CRO: 23%
• CMO: 22%

Protecting reputation through communication

While IT specialists are accountable for technical recovery after an incident, they need to work closely with counterparts in marketing, communications and public relations to clearly communicate with stakeholders in the aftermath of a failure. Experienced IT executives invariably say that these messages need to be both swift and brutally honest, especially in an environment where the media are primed to pounce on perceived corporate deceit. Mr. Jain says that the best protection is to build up a reputation for being transparent and communicating effectively with stakeholders. Then, he says, “If an incident happens, it’s important to acknowledge the mistake and spell out clearly how it has been fixed and what’s being done about it right now.” He stresses that a speedy response is essential: “If you’re slow communicating with the public, you allow them to reach their own conclusions.”

Communications to convince stakeholders that the causes of an IT failure have been addressed can sharply cut the time needed to restore trust, but the harm that a particular IT failure causes to stakeholders increases the effort required. For example, website outages inflict only minor inconvenience on customers and are fairly easily explained. About 78 percent of study respondents say they recover from such incidents in less than six months. At the other end of the scale, it takes longer to recover from reputational damage due to cybercrime, partly because it tends to inflict more serious harm on stakeholders and also because it can be harder to sell the message that the problem has been entirely fixed.

Going social with risk management

Social media feature prominently in executives’ reasoning, both in interviews and in study responses, about why they are growing more concerned about protecting their companies’ reputations. Since social networking is enabled by technology, there is a tendency to lump it in with IT-related technical risk. But social media channels are not risks in themselves; rather they are amplifiers of an organization’s reputation (for better or worse). This means they should be evaluated as part of an organization’s overall communications mix.

“The [social media] community is talking about you whether you participate or not, and you have to decide what kind of positioning you’re going to take. Otherwise people will do it for you.” — David Boroevich, Vice President of Marketing, Alpha Technologies, Canada

Social media have moved beyond their initial function of enabling consumer-to-consumer communications. Blogs focused on specialized business and technical communities have a growing impact on business-to-business (B2B) enterprises. In fact, “social” may no longer be an appropriate term to describe peer-to-peer exchanges among community members. In any event, the need to mitigate potential reputational damage posed by accelerated communications is a different challenge than effectively using social media as a tool for engaging stakeholders. This study suggests that strategies to deal with the latter are still in their infancy. Only 19 percent of study respondents say that their company has a disaster recovery plan that includes the use of social media tools.

“I’ve been a bit skeptical about the value of social media in our business,” says David Boroevich, vice president of marketing for Alpha Technologies, a B2B enterprise offering industrial power solutions. “We’ve got people working on it, but we’ve come to think that this isn’t just a ‘skunk works’ anymore; it’s got to be part of our program.” He adds that even in specialized industries, “the community is talking about you whether you participate or not, and you have to decide what kind of positioning you’re going to take. Otherwise people will do it for you.”

Best practices for improving reputational risk management performance

Business leaders interested in improving their reputational risk management performance can learn from the best practices identified by executives who participated in this study. Effective strategies include:

• Be proactive rather than reactive. Be prepared to invest in developing comprehensive reputational risk management strategies that include robust controls on IT risks—particularly those related to security, business continuity and technical support—as well as other reputational risks.

• Create an organization where IT managers collaborate with other risk management specialists. Together they should be tasked with presenting a comprehensive profile of organization-wide reputational risks to senior management.

• Engage in scenario analysis, especially with new and emerging technology. Don’t wait for an incident to happen. There are plenty of case studies to be used as a basis for “what if” planning.

• Assess risks across the whole supply chain. A failure by a downstream supplier can be just as devastating as an internal problem, and risk controls can be harmonized among key players. Likewise, B2B companies should collaborate with customers to provide assurance that all relevant risks are well managed.

“Technology is an amplifier in all it touches, for better and worse. If we use it, we must manage it rigorously.”— CIO, Barbados professional services firm

Conclusion

Organizations of all sizes are paying more attention to threats to their reputations stemming from today’s digital environment. This concern is reflected in more integrated, enterprise-wide approaches to risk management led from the C-suite and increased attention being paid to the direct reputational impacts of IT risks. These include risks stemming from the use of new technologies. Security has edged out business continuity as the most important connection between IT risks and reputation.

The findings of the 2012 IBM Global Reputational Risk and IT Study demonstrate the importance of managing IT risks within the context of the array of reputational risks confronting the organization. When that happens, companies can enjoy the trust and support of their key stakeholders, which ultimately drives business performance.

For more information

To learn more about how IBM can help you protect your organization’s reputation by strengthening IT risk management, contact your IBM representative or visit the following websites.

For security and IT risk management, visit: ibm.com/services/security

For business continuity and IT risk management, visit: ibm.com/services/continuity

For technical support and IT risk management, visit: ibm.com/services/techsupport

View the IBM reputational risk and IT infographic at: ibm.co/repriskinfographic

Add your voice to the discussion

Your opinion matters! Participate in the extension of our 2012 reputational risk and IT survey at ibmrisksurvey.com

Your input will be added to what we anticipate will be the largest survey ever conducted on this important subject. You will receive the new analysis and report on the survey findings in early 2013. Thank you very much for your participation.

1 Key trends driving global business resilience and risk: Findings from the 2011 IBM Global Business Resilience and Risk Study. September 2011.

2 Reputation: Risk of risks. Economist Intelligence Unit. December 2005.

© Copyright IBM Corporation 2012

IBM Corporation
IBM Global Technology Services
Route 100
Somers, NY 10589

Produced in the United States of America
September 2012

IBM, the IBM logo and ibm.com are trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at “Copyright and trademark information” at www.ibm.com/legal/copytrade.shtml.

This document is current as of the initial date of publication and may be changed by IBM at any time. Not all offerings are available in every country in which IBM operates.

THE INFORMATION IN THIS DOCUMENT IS PROVIDED “AS IS” WITHOUT ANY WARRANTY, EXPRESS OR IMPLIED, INCLUDING WITHOUT ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND ANY WARRANTY OR CONDITION OF NON-INFRINGEMENT. IBM products are warranted according to the terms and conditions of the agreements under which they are provided.

RLW03009-USEN-00