Page 1: Reputational Risk and IT - 2013

© 2012 IBM Corporation

IBM Global Technology Services

Executive summary: Reputational risk and IT

How security and business continuity can shape the reputation and value of your company

RLP03019-USEN-00

Page 2

Reputational risk and IT: introduction

Make a resolution to make 2013 the year that your enterprise makes reputational risk an integral part of IT risk management.

IBM is happy to provide this presentation for use in fostering discussions in your organization about the connections between IT risk and reputational risk.

The information in this presentation is provided “as is.” IBM is not responsible for any changes made to the presentation by users outside of IBM.

For more information, visit:

ibm.com/services/riskstudy

Page 3

Reputational risk and IT: introduction

Your reputation is at risk every day. An IT issue can set off a series of events that can have significant impact on business value.

IT event: storms trigger a power outage → partial failure in the data center UPS → critical servers fail → highly visible service outage

Reputation suffers: news reports on the web → people talk → confidence and trust waver

Business value damaged: penalties accrue → customers defect → stock price falls

Page 4

Reputational risk and IT: introduction

To find out where and how IT makes its biggest impact on reputational risk — and uncover any gaps — IBM conducted a worldwide study.

The study survey was conducted by the Economist Intelligence Unit on behalf of IBM.

Respondents were asked questions about their companies’ reputational and IT risk efforts, plans and spending, to provide a detailed picture of IT reputational risk management around the world.

Respondents: 427

Regions: North America 33%; Europe 29%; Asia Pacific 26%; Middle East/Africa 8%; Latin America 5%

Industries: 23* (Banking 19%; IT/Tech 15%; Energy/Utilities 13%; Insurance 11%; Financial Markets 9%; Professional Services 5%; All others 28%)

Job titles: 15* (IT manager 24%; CIO/CTO/Tech director 12%; CEO/President/Managing Director 13%; CRO/Risk Director 3%; Other C-suite 14%; SVP/VP/Director 11%; Other non-C-suite 23%)

Company sizes: 5 ($500M or less 37%; $500M to $1B 13%; $1B to $5B 16%; $5B to $10B 9%; $10B or more 27%)

*Top responding categories shown.

Page 5

Reputational risk and IT: introduction

The study results revealed three key observations concerning IT’s impact on reputational risk.

#1 IT risks have a major impact on a company’s reputation

#2 Companies have rising IT risk concerns related to emerging technology trends

#3 Companies are integrating IT risk and reputational risk management, with the strongest focus on threats to data and systems

“IT and reputational risk management and mitigation are… key success factors of our business and must be given due emphasis.”

C-level executive, Malaysian agriculture and agribusiness company

Page 6

Reputational risk and IT: perception vs. reality

There seems to be a mismatch between how well companies rate their reputation and how well they are protecting it.

80% rate their company’s reputation as excellent or very good

17% rate their company’s overall ability to manage IT risk as very strong

There is room for improvement in almost every organization.

Source: Q1: How would you rate your company’s current reputation within its industry? Q5: How would you rate your company’s overall ability to manage IT risk?

Page 7

Reputational risk and IT: perception vs. reality

IT risks strongly affect the factors most important to a company’s reputation — making IT risk integral to reputational risk.

78% include IT risk management as part of reputational risk management

“IT… is like the heart pumping blood to the whole body, so any failure could threaten the whole organization's survival.”

IT manager, French IT and technology company

Most important to reputation: best-in-class product/service 29%; customer engagement 24%; trusted partner status 14%

Strongly affected by IT risk: customer satisfaction 46%; brand reputation 41%; compliance 40%

Source: Q2: Is IT risk management part of your organization’s overall reputational risk management strategy? Q6: Which of the following is the single most important factor driving your company’s reputation? Q3: In your estimation, how much do IT risks affect the following?

Page 8

Reputational risk and IT: perception vs. reality

Data breach tops the list of IT risk factors that can cause the most reputational harm.

Top three IT risk factors harmful to reputation: data breach 61%; systems failure 44%; data loss 37%

Source: Q7: Which of the following IT risk factors do you think has the greatest potential to harm your company’s reputation? Select the top three.

Page 9

Reputational risk and IT: perception vs. reality

Companies’ perceptions differ from reality when it comes to the comprehensiveness of their reputational risk protections.

Data breach. Perception: 70% are very confident/confident about their level of protection. Reality: 32% have access to the latest security threat intelligence.

Systems failure. Perception: 70% are very confident/confident about their level of protection. Reality: 52% have 24x7 expert technical support coverage.

Data loss. Perception: 76% are very confident/confident about their level of protection. Reality: 45% perform testing that includes business users.

Companies are overlooking the IT fundamentals that can enhance their ability to mitigate reputational risk.

Source: Q4: How confident are you that your company has adequate procedures, processes and controls in place to manage IT risk related to the following? Q17: Which of the following procedures, processes and controls do you have in place?

Page 10

Reputational risk and IT Study: security findings

Well publicized scenarios of financial and reputational impact due to security breaches are in the news every day.

Payment processor: hackers intrude into the core line of business. Nearly 130 million customers affected.

Online gaming community: community and entertainment sites hacked. Around 100 million customer records compromised.

Retailer: customer data stolen over more than 18 months. At least 45 million records stolen.

Estimated costs (as given on the slide): up to $900M; up to $500M; $3.6B.

Illustrative purposes only. The actual facts and damages associated with these scenarios may vary from the examples provided. Estimates are based on publicly available financial information and published articles.

Page 11

Reputational risk and IT: perception vs. reality

The impact of IT risk events on “reputational recovery” is measured in months, not hours or days like recovery time objectives (RTO).

Reputational recovery time by IT risk factor (share of respondents):

IT risk factor                   0-6 months   6-12 months   12+ months
Website outage                      78%          14%           8%
System failure                      72%          17%          10%
Workforce mobility                  71%          18%          11%
Data loss                           70%          17%          12%
Inadequate continuity plans         65%          21%          13%
Insufficient DR measures            63%          24%          12%
New technology                      64%          18%          18%
Data breach                         65%          19%          16%
Compliance failure                  64%          22%          14%
Poor IT skills / tech support       64%          22%          14%

Source: Q9: In your estimation, how long on average has it taken for your organization’s reputation to recover from damage caused by the following IT risk factors? Q4: How confident are you that your company has adequate procedures, processes and controls in place to manage IT risk related to the following?

Page 12

Reputational risk and IT: perception vs. reality

Companies may be opening themselves up to unintended reputational risk by ignoring the impact of their partners.

Only 28% of companies “very strenuously” require their vendors, partners and supply chain to match their levels of risk control*

• How many outside sources does your company rely on?

• Are you enforcing your IT risk mitigation policies on these sources?

• How are you monitoring your sources’ compliance with your standards?

“A major deliverable was on a contractor’s laptop, and it was stolen. We missed an important client deadline and lost the source files for all the work.”

Chief marketing officer, American education company

Source: Q16: How seriously do you require your vendors/partners/supply chain to meet the same levels of control that you require internally to manage risk?

* Average

Page 13

Reputational risk and IT: security, continuity and social media

Most companies have security items in place to react to reputational threats, but this is only part of the picture.

Critical security fundamentals currently in place: firewall management 79%; identity/access controls 71%; network & endpoint protection 60%

Danger: up to 40% of companies are missing critical security protections.

But companies are overlooking many of the items that can proactively protect their reputations before harm happens: cloud security protection 23%; access to the latest security threat intelligence 32%; penetration testing/ethical hacking 43%

“Being proactive and preventive is much more effective than being reactive.”

IT manager, American energy and utilities company

Source: Q17: Which of the following procedures, processes and controls do you have in place?

Page 14

Reputational risk and IT: security, continuity and social media

Companies also have continuity basics in place, but are missing the opportunity to leverage IT fundamentals for additional protection.

Companies have the continuity basics in place: backup/restore testing 78%; fully documented DR plan 68%; automated backup processes 67%

Now, there is untapped potential to use IT fundamentals to better manage reputational risk: change management 45%; 24x7 onsite maintenance/repair for critical equipment 51%; 24x7 software tech support 53%

Up to 55% of companies can improve reputational risk management through the use of IT fundamentals.

Source: Q17: Which of the following procedures, processes and controls do you have in place?

Page 15

Reputational risk and IT: security, continuity and social media

Companies are using social media tools to do business; now they need to use them to protect their reputations.

Channels used to communicate with customers: company website 87%; social media/networking tools 50%; text messaging (SMS) 46%; company-branded mobile application 44%

But only 27% provide for employee social media use during a crisis, and only 19% have incorporated social media into their disaster recovery plans.

Companies are missing the opportunity to leverage social media to protect and recover their reputations.

Source: Q21: Which of the following channels does your organization use to communicate with customers? Q17: Which of the following procedures, processes and controls do you have in place?

Page 16

Reputational risk and IT: who owns it?

When asked who was most accountable for the company’s reputation, respondents put responsibility squarely with the CEO.

CEO 80%; CFO 31%; CIO 27%; CRO 23%; CMO 22%

CEO: best able to drive reputational risk management throughout an organization

CMO: the critical link between the company and its customers

Source: Q10: Which functions within your organization are most accountable for the company’s reputation? Select the top three.

Page 17

Reputational risk and IT: focus and funding

New technologies and social media are leading factors behind an increased focus on reputational risk.

64% will increase their focus on reputational risk compared to five years ago

Why increase? New technology/social media 43%; previous event harmful to a competitor/industry 20%; previous event harmful to the company 18%; board of directors/C-suite mandate 10%; other 7%; shareholder pressure 3%

“Technology is an amplifier in all it touches, for better and worse. If we use it, we must manage it rigorously.”

CIO, Barbados professional services firm

Source: Q11: How much will your organization focus on managing its reputation going forward as compared to five years ago?Q11a: What is the primary reason your company will focus more on managing its reputation going forward as compared to five years ago?

Page 18

Reputational risk and IT: focus and funding

Often as a result of increased spending, companies report adequate funding to manage reputational risk.

60% say they have adequate funding to provide the level of IT risk management needed to protect the organization’s reputation

For many organizations, adequate funding means increased funding: 57% have increased spending over the past 12 months, and 59% will increase spending over the next 12 months.

“Underestimating the cost of reputational risk greatly exceeds the cost of protection.”

Finance manager, American financial services company

Source: Q12: Do you think you have adequate funding to provide the level of IT risk management required to protect your organization’s reputation?Q13: Over the past 12 months, how much has your IT budget increased due to concerns over reputational risk?Q14: Over the next 12 months, how much will your IT budget increase due to concerns over reputational risk?

Page 19

Reputational risk and IT: what you can do now

Start a reputational risk dialogue across your enterprise.

• Have the reputational risk conversation: the sooner, the better

• Elevate your discussion: lead with reputational risk to justify IT investments

• Team up with your risk colleagues

• Confirm partners’ compliance with your standards

• Extend your reporting and escalation process to include reputational risk impact

Page 20

Reputational risk and IT: what you can do now

Incorporate the key characteristics of companies reporting excellent reputations.

Organizations reporting their reputation as:              Excellent   Very good   Average or worse
Integrate IT into reputational risk management               83%         81%          64%
Have strong/very strong IT risk management capacity          84%         63%          28%
Have adequate IT risk management funding                     78%         59%          36%
Very strenuously require supply chain to match standards     58%         38%          33%

Companies with excellent reputations see stronger links between IT threats and reputation, especially customer satisfaction and brand reputation.

Source: Q2: Is IT risk management part of your organization’s overall reputational risk management strategy? Q5: How would you rate your company’s overall ability to manage IT risk? Q12: Do you think you have adequate funding to provide the level of IT risk management required to protect your organization’s reputation? Q16: How strenuously do you require your vendors/partners/supply chain to meet the same levels of control that you require internally to manage risk?

Page 21

Reputational risk and IT: what you can do now

Learn more about the reputational risk and IT connection, and how IBM can help you protect the reputation and value of your company.

Add your voice to the discussion: take the reputational risk survey online and get a complimentary copy of the 2013 expanded report. Scan the code or go to bit.ly/ibmrisksurvey

Download the full study report: it includes everything you have seen today, plus other important findings. ibm.com/services/riskstudy

Get the experts’ views on managing IT risk: the Reputational Risk Webcast Series features industry and IBM experts exploring the relationship between reputation and IT risk. ibm.com/services/riskstudy/webcasts

Explore how IBM can help you with: • Security • Business continuity • Technical support services

Request to speak with an IBM specialist about your business needs.

Page 22

Thank you for your interest

Page 23

© Copyright IBM Corporation 2012

IBM Corporation, IBM Global Services, Route 100, Somers, NY 10589 U.S.A.

Produced in the United States of America, November 2012

IBM, the IBM logo and ibm.com are trademarks of International Business Machines Corporation in the United States, other countries or both. If these and other IBM trademarked terms are marked on their first occurrence in this information with a trademark symbol (® or TM), these symbols indicate U.S. registered or common law trademarks owned by IBM at the time this information was published. Such trademarks may also be registered or common law trademarks in other countries. Other product, company or service names may be trademarks or service marks of others. A current list of IBM trademarks is available on the web at "Copyright and trademark information" at ibm.com/legal/copytrade.shtml.

This document is current as of the initial date of publication and may be changed by IBM at any time. Not all offerings are available in every country in which IBM operates.

THE INFORMATION IN THIS DOCUMENT IS PROVIDED “AS IS” WITHOUT ANY WARRANTY, EXPRESS OR IMPLIED, INCLUDING WITHOUT ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND ANY WARRANTY OR CONDITION OF NON-INFRINGEMENT. IBM products are warranted according to the terms and conditions of the agreements under which they are provided.