Date posted: 19-Oct-2014
© 2012 IBM Corporation
IBM Global Technology Services
Executive summary:
Reputational risk and IT
How security and business continuity can shape the reputation and value of your company
RLP03019-USEN-00
Reputational risk and IT: introduction
Make a resolution to make 2013 the year that your enterprise makes reputational risk an integral part of IT risk management.
IBM is happy to provide this presentation for use in fostering discussions in your organization about the connections between IT risk and reputational risk.
The information in this presentation is provided “as is.” IBM is not responsible for any changes made to the presentation by users outside of IBM.
For more information, visit:
ibm.com/services/riskstudy
Reputational risk and IT: introduction
Your reputation is at risk every day. An IT issue can set off a series of events that can have significant impact on business value.
IT event
Storms trigger power outage
Partial failure in data center UPS
Critical servers fail
Highly visible service outage
Reputation suffers
News reports on the web
People talk
Confidence, trust waver
Business value damaged
Penalties accrue
Customers defect
Stock price falls
Reputational risk and IT: introduction
To find out where and how IT makes its biggest impact on reputational risk — and uncover any gaps — IBM conducted a worldwide study.
The study survey was conducted by the Economist Intelligence Unit on behalf of IBM.
Respondents were asked questions about their companies’ reputational and IT risk efforts, plans and spending to provide a detailed picture of IT reputational risk management around the world.
Respondents: 427
North America, 33%
Europe, 29%
Asia Pacific, 26%
Middle East/Africa, 8%
Latin America, 5%
Industries: 23*
Banking, 19%
IT/Tech, 15%
Energy/Utilities, 13%
Insurance, 11%
Financial Markets, 9%
Professional Services, 5%
All others, 28%
Job titles: 15*
IT manager, 24%
CIO/CTO/Tech director, 12%
CEO/President/Managing Director, 13%
CRO/Risk Director, 3%
Other C-suite, 14%
SVP/VP/Director, 11%
Other non-C-suite, 23%
Company sizes: 5
$500M or less, 37%
$500M to $1B, 13%
$1B to $5B, 16%
$5B to $10B, 9%
$10B or more, 27%
*Top responding categories shown.
Reputational risk and IT: introduction
The study results revealed three key observations concerning IT’s impact on reputational risk.
#1 IT risks have a major impact on a company’s reputation
#2 Companies have rising IT risk concerns related to emerging technology trends
#3 Companies are integrating IT risk and reputational risk management, with strongest focus on threats to data and systems
“IT and reputational risk management and mitigation are… key success factors of our business and must be given due emphasis.”
C-level executive, Malaysian agriculture and agribusiness company
Reputational risk and IT: perception vs. reality
There seems to be a mismatch between how well companies rate their reputation and how well they are protecting it.
80% rate reputation as excellent or very good
17% rate their company’s overall ability to manage IT risk as very strong
There is room for improvement in almost every organization
Source: Q1: How would you rate your company’s current reputation within its industry? Q5: How would you rate your company’s overall ability to manage IT risk?
Reputational risk and IT: perception vs. reality
IT risks strongly affect the factors most important to a company’s reputation — making IT risk integral to reputational risk.
78% include IT risk management as part of reputational risk management
“IT… is like the heart pumping blood to the whole body, so any failure could threaten the whole organization's survival.”
IT manager, French IT and technology company
Most important to reputation
Best-in-class product/service 29%
Customer engagement 24%
Trusted partner status 14%
Strongly affected by IT risk
Customer satisfaction 46%
Brand reputation 41%
Compliance 40%
Source: Q2: Is IT risk management part of your organization’s overall reputational risk management strategy? Q6: Which of the following is the single most important factor driving your company’s reputation? Q3: In your estimation, how much do IT risks affect the following?
Reputational risk and IT: perception vs. reality
Data breach tops the list of IT risk factors that can cause the most reputational harm.
Top three IT risk factors harmful to reputation
61% data breach
44% systems failure
37% data loss
Source: Q7: Which of the following IT risk factors do you think has the greatest potential to harm your company’s reputation? Select the top three.
Reputational risk and IT: perception vs. reality
Companies’ perceptions differ from reality when it comes to the comprehensiveness of their reputational risk protections.
Data breach
Perception: Very confident/confident about level of protection 70%
Reality: Have access to the latest security threat intelligence 32%
Systems failure
Perception: Very confident/confident about level of protection 70%
Reality: Have 24x7 expert technical support coverage 52%
Data loss
Perception: Very confident/confident about level of protection 76%
Reality: Perform testing including business users 45%
*Companies are overlooking the IT fundamentals that can enhance their ability to mitigate reputational risk
Source: Q4: How confident are you that your company has adequate procedures, processes and controls in place to manage IT risk related to the following? Q17: Which of the following procedures, processes and controls do you have in place?
Reputational risk and IT Study: security findings
Well-publicized scenarios of financial and reputational impact due to security breaches are in the news every day.
Payment processor
Hackers intrude core line of business.
Nearly 130 million customers affected.
Online gaming community
Community and entertainment sites hacked.
Around 100 million customer records compromised.
Retailer
Customer data stolen over more than 18 months.
At least 45 million records stolen.
Estimated costs: up to $900M
Estimated costs: up to $500M
Estimated costs: $3.6B
Illustrative purposes only. The actual facts and damages associated with these scenarios may vary from the examples provided. Estimated, based on publicly available financial information, published articles.
Reputational risk and IT: perception vs. reality
The impact of IT risk events on “reputational recovery” is measured in months, not hours or days like recovery time objectives (RTO).
IT risk factor | 0-6 months | 6-12 months | 12+ months
Website outage | 78% | 14% | 8%
System failure | 72% | 17% | 10%
Workforce mobility | 71% | 18% | 11%
Data loss | 70% | 17% | 12%
Inadequate continuity plans | 65% | 21% | 13%
Insufficient DR measures | 63% | 24% | 12%
New technology | 64% | 18% | 18%
Data breach | 65% | 19% | 16%
Compliance failure | 64% | 22% | 14%
Poor IT skills / tech support | 64% | 22% | 14%
Source: Q9: In your estimation, how long on average has it taken for your organization’s reputation to recover from damage caused by the following IT risk factors? Q4: How confident are you that your company has adequate procedures, processes and controls in place to manage IT risk related to the following?
Reputational risk and IT: perception vs. reality
Companies may be opening themselves up to unintended reputational risk by ignoring the impact of their partners.
Only 28% of companies “very strenuously” require their vendors, partners and supply chain to match levels of risk control*
• How many outside sources does your company rely on?
• Are you enforcing your IT risk mitigation policies on these sources?
• How are you monitoring your sources’ compliance with your standards?
“A major deliverable was on a contractor’s laptop, and it was stolen. We missed an important client deadline and lost the source files for all the work.”
Chief marketing officer, American education company
Source: Q16: How seriously do you require your vendors/partners/supply chain to meet the same levels of control that you require internally to manage risk?
* Average
Reputational risk and IT: security, continuity and social media
Most companies have security items in place to react to reputational threats, but this is only part of the picture.
Critical security fundamentals currently in place
Firewall management 79%
Identity/access controls 71%
Network & endpoint protection 60%
Danger: Up to 40% of companies are missing critical security protections
But
Companies are overlooking many of the items that can proactively protect their reputations before harm happens
Cloud security protection 23%
Access to latest security threat intelligence 32%
Penetration testing/ethical hacking 43%
“Being proactive and preventive is much more effective than being reactive.”
IT manager, American energy and utilities company
Source: Q17: Which of the following procedures, processes and controls do you have in place?
Reputational risk and IT: security, continuity and social media
Companies also have continuity basics in place, but are missing the opportunity to leverage IT fundamentals for additional protection.
Companies have the continuity basics in place
Backup/restore testing 78%
Fully documented DR plan 68%
Automated backup processes 67%
Now
There is untapped potential to use IT fundamentals to better manage reputational risk
Change management 45%
24x7 onsite maintenance/repair for critical equipment 51%
24x7 software tech support 53%
Up to 55% of companies can improve reputational risk management through the use of IT fundamentals
Source: Q17: Which of the following procedures, processes and controls do you have in place?
Reputational risk and IT: security, continuity and social media
Companies are using social media tools to do business; now they need to use them to protect their reputations.
Social media used to communicate with customers
Company website 87%
Social media/networking tools 50%
Text messaging (SMS) 46%
Company-branded mobile application 44%
But only
27% provide for employee social media use during crisis
19% have incorporated social media into their disaster recovery plans
Companies are missing the opportunity to leverage social media to protect and recover their reputations
Source: Q21: Which of the following channels does your organization use to communicate with customers? Q17: Which of the following procedures, processes and controls do you have in place?
Reputational risk and IT: who owns it?
When asked who was most accountable for the company’s reputation, respondents put responsibility squarely with the CEO.
80% CEO
31% CFO
27% CIO
23% CRO
22% CMO
CEO: Best able to drive reputational risk management throughout an organization
CMO: The critical link between the company and its customers
Source: Q10: Which functions within your organization are most accountable for the company’s reputation? Select the top three.
Reputational risk and IT: focus and funding
New technologies and social media are leading factors behind an increased focus on reputational risk.
64% will increase focus on reputational risk compared to five years ago
Why increase?
New technology/social media, 43%
Previous event harmful to competitor/industry, 20%
Previous event harmful to company, 18%
Board of directors/C-suite mandate, 10%
Other, 7%
Shareholder pressure, 3%
“Technology is an amplifier in all it touches, for better and worse. If we use it, we must manage it rigorously.”
CIO, Barbados professional services firm
Source: Q11: How much will your organization focus on managing its reputation going forward as compared to five years ago? Q11a: What is the primary reason your company will focus more on managing its reputation going forward as compared to five years ago?
Reputational risk and IT: focus and funding
Often as a result of increased spending, companies are reporting adequate funding to manage reputational risk.
60% say they have adequate funding to provide the level of IT risk management needed to protect the organization’s reputation
For many organizations, adequate funding means increased funding
57% have increased spending over the past 12 months
59% will increase spending over the next 12 months
“Underestimating the cost of reputational risk greatly exceeds the cost of protection.”
Finance manager, American financial services company
Source: Q12: Do you think you have adequate funding to provide the level of IT risk management required to protect your organization’s reputation? Q13: Over the past 12 months, how much has your IT budget increased due to concerns over reputational risk? Q14: Over the next 12 months, how much will your IT budget increase due to concerns over reputational risk?
Reputational risk and IT: what you can do now
Start a reputational risk dialogue across your enterprise.
• Have the reputational risk conversation — the sooner, the better
• Elevate your discussion — lead with reputational risk to justify IT investments
• Team up with your risk colleagues
• Confirm partners’ compliance with your standards
• Extend your reporting and escalation process to include reputational risk impact
Reputational risk and IT: what you can do now
Incorporate the key characteristics of companies reporting excellent reputations.
Organizations reporting their reputation as:
Characteristic | Excellent | Very good | Average or worse
Integrate IT into reputational risk management | 83% | 81% | 64%
Have strong/very strong IT risk management capacity | 84% | 63% | 28%
Have adequate IT risk management funding | 78% | 59% | 36%
Very strenuously require supply chain to match standards | 58% | 38% | 33%
Companies with excellent reputations see stronger links between IT threats and reputation—especially customer satisfaction and brand reputation
Source: Q2: Is IT risk management part of your organization’s overall reputational risk management strategy? Q5: How would you rate your company’s overall ability to manage IT risk? Q12: Do you think you have adequate funding to provide the level of IT risk management required to protect your organization’s reputation? Q16: How strenuously do you require your vendors/partners/supply chain to meet the same levels of control that you require internally to manage risk?
Reputational risk and IT: what you can do now
Learn more about the reputational risk and IT connection, and how IBM can help you protect the reputation and value of your company.
Download the full study report
Includes all you’ve seen today, plus other important findings
ibm.com/services/riskstudy
Add your voice to the discussion
Take the reputational risk survey online and get a complimentary copy of the 2013 expanded report
Scan the code or go to bit.ly/ibmrisksurvey
Get the experts’ views on managing IT risk
The Reputational Risk Webcast Series features industry and IBM experts exploring the relationship between reputation and IT risk
ibm.com/services/riskstudy/webcasts
Explore how IBM can help you with:
• Security
• Business continuity
• Technical support services
Request to speak with an IBM specialist about your business needs
Thank you for your interest
© Copyright IBM Corporation 2012
IBM Corporation
IBM Global Services
Route 100
Somers, NY 10589 U.S.A.
Produced in the United States of America
November 2012
IBM, the IBM logo and ibm.com are trademarks of International Business Machines Corporation in the United States, other countries or both. If these and other IBM trademarked terms are marked on their first occurrence in this information with a trademark symbol (® or TM), these symbols indicate U.S. registered or common law trademarks owned by IBM at the time this information was published. Such trademarks may also be registered or common law trademarks in other countries. Other product, company or service names may be trademarks or service marks of others. A current list of IBM trademarks is available on the web at "Copyright and trademark information" at ibm.com/legal/copytrade.shtml.
This document is current as of the initial date of publication and may be changed by IBM at any time. Not all offerings are available in every country in which IBM operates.
THE INFORMATION IN THIS DOCUMENT IS PROVIDED “AS IS” WITHOUT ANY WARRANTY, EXPRESS OR IMPLIED, INCLUDING WITHOUT ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND ANY WARRANTY OR CONDITION OF NON-INFRINGEMENT. IBM products are warranted according to the terms and conditions of the agreements under which they are provided.