Reputational risk and the C-suite

7/28/2019 Reputational risk and the C-suite

http://slidepdf.com/reader/full/reputational-risk-and-the-c-suite 1/12

Reputational risk and the C-suite How IT risks can shape a company’s reputation and value—the enterpriseexecutives’ point o view

IBM

Research Report

Risk Management

Findings from the 2012 IBM Global Reputational Risk and IT Study



Reputational risk and the C-suite: How IT risks can

shape the reputation and value of your company—

the enterprise executives’ point-of view draws upon

an IBM study that investigates how organizations

around the world are managing their reputations in

today’s digital era, where IT is an integral part o the

organization and IT ailures can result in reputational

damage. The online survey and interviews were

conducted by the Economist Intelligence Unit

on behal o IBM. We would like to thank all o

the executives who participated in the survey and

interviews or their valuable time and insight.

About the survey

The survey, conducted in June 2012 by the

Economist Intelligence Unit, included responses

rom 427 senior executives rom around the world.

O them, 42 percent are C-level executives. About

33 percent o respondents are rom North America,

29 percent rom Europe, and 26 percent rom Asia-

Pacic. Companies with less than US$500M in

revenue comprise 37 percent o respondents, and 52

percent come rom companies with more than US$1B

in revenue. The survey covers nearly all industries,

including banking (19 percent), IT and technology

(15 percent), energy and utilities (13 percent), and

insurance (11 percent).

The 2012 IBM Global Reputational Risk and IT Study survey, conducted by the Economist Intelligence Unit, gathered inormation rom 427senior executives—including 176 C-suite members—rom around the world.

Middle East/ Arica, 8%

Latin America, 5%

North America, 33%

Europe, 29%

Asia Pacifc,26%

ProessionalServices, 5%

All others,28%

FiscalMarkets, 9% Insurance,

11%

CEO/President/ Managing Director 13%

CIO/CTO/Techdirector, 12%

CFO/Treasurer/

Comptroller, 8%CMO/Marketingdirector/Branddirector, 1%

IT manager,24%

$500M or less,37%

$500M to $1B,13%

$1B to $5B,16%

$5B to $10B,

9%

$10B or more,27%

Respondents: 427 Industries: 23*

Job titles: 15† Company sizes: 5

*Top responding categories shown †Break-out of C-suite titles

CRO/Risk director, 3%

Other C-suite, 5%

Banking, 19%

IT/Tech, 15%

Energy/ Utilities, 13%



A spotless reputationBusiness leaders usually have a good understanding o the

value o their organization’s reputation. A strong reputation

generates stakeholder trust. I a company is trusted, customers

will buy and recommend its products; prospective investors

and employees will want to become part o it; and communities

will welcome its operations.

The unortunate reality, however, is that corporate reputationsare increasingly dicult to manage in the digital era, and can

be easily sullied by any number o actors—among them IT

ailures. With social media sites such as Facebook and Twitter

boasting over 950 million and 500 million users respectively,

and business-ocused LinkedIn providing instant connections

in over 200 countries, there is now a highly visible and

immediate alternative to a company’s own communications

regarding its reputation.

“All C-level executives need to be awareo the technology risks that can afect our reputation in the marketplace.”

— CIO, insurance company, Mauritius

In response, more organizations have introduced reputational

risk as a distinct category within their enterprise risk

management rameworks. Our research nds that companies

have begun to pay closer attention to the links between IT

ailures and reputational damage. It looks at how executives are

attempting to protect their brands rom what could arguably be called “a preventable glitch.”

Based on CEO, CIO and CFO responses to the study, three

principal orces drive corporate reputations: provision o a

best-in-class product or service, customer satisaction and

compliance. CFOs add protability to the mix, as well.

Considering how companies are becoming increasingly

dependent on technology to ulll all our—to say nothing

o running the business—the consensus is clear: IT risk can

imperil companies’ productivity, damage customer relations

and ultimately erode trust.

It is interesting to note that—compared to each other and to

study respondents as a whole—CEOs, CIOs and CFOs oten

have widely divergent opinions on the aect o IT risk on their

companies’ reputations and reputational risk management

practices. To some extent, these dierences can be attributed

to each C-suite executive’s area o expertise and point o view.

Such dierences o opinion can be good or an organization,

encouraging exploration o all areas o risk and potential

solutions. They can also, however, result in a skewed view

o the reputational risk and IT connection and inadequate

unding or protections. In these cases, companies may beneft

rom the holistic and objective recommendations o a third-

party consultant.

This report describes how C-suite executives around the world

are seeking to protect their organizations’ reputations by

adapting to the pervasiveness o technology and ongoing shits

in the business environment and IT landscape.

Risk Management 3



4 Reputational risk and the C-suite

An ounce of preventionCEOs, CIOs and CFOs have begun to look more closely at

the reputational implications o IT ailures. Study respondents

say that IT exerts a particularly strong inuence on brand

reputation, compliance, customer satisaction and protability.

(see Figure 1).

C-suite executives also identiy three core responsibilities o

the IT unction where reputational risks are the highest:

• Security(84percent)

• Businesscontinuity(77percent)

• Technicalsupport(65percent)

It is easy to understand why executives believe that security

has stronger links to reputational risk than IT unctions such

as business continuity or technical support. A company’s

reputation would surely sufer, or example, i its customer

database was breached and customer credit card numbers were

stolen. It is interesting to note, however, that when individual

C-suite executives were asked about the specic IT risks with

the biggest impact on their companies’ reputations (see Figure

2), their answers were ar less denitive than those o study respondents as a whole. This begs the question whether the

C-suite has the inormation necessary to make appropriate IT

and reputational risk management decisions.Brand reputation

41%

48%

35%

Compliance

48%

Customer satisaction

Proftability

32%

42%

39%

41%

43%

59%

27%

46%

24%

23%

18%

21%

CEOs All studyrespondents

CIOs CFOs

Figure 1. Among the our business elements cited most oten by C-suite

executives as “very much” aected by IT risks, there is a signiicant divergenceo opinion between CIOs and CFOs.

Data breaches

Data loss

Systems ailures

Websiteoutages

37%

44%

CEOs All studyrespondents

CIOs

25%

22%

29%

18%10%

19%

18%

17%

15%

8%

12%

10%

18%

CFOs

Figure 2. CEOs, CIOs and CFOs are less deinitive than all study respondents when selecting the top three IT risk actors impacting theircompanies’ reputations.

61%



While all C-suite executives agree on the importance o

securing against data breaches, they difer on the importance

o business continuity risks. CEOs and CFOs put data loss

in second place among their top three IT risks actors;

CIOs place systems ailures at number two. Systems ailures

are number three on CEOs and CFOs lists, while website

outages—which was not a top three answer among all study

respondents—rank third in CIOs lists.

When it comes to technical support ailures,CMOs indicate extended reputational recovery times o 12 to 24 months.

While technical support ranks third among core IT

responsibilities in terms o the possible threat posed to a

rm’s reputation, all study respondents rank it at the top o

the list o ailures that require between six and 24 months

o recovery time. In act, chie marketing ocers (CMOs),

who are arguably closest to the public pulse when it comes

to their companies’ reputations, extend the recovery time orinadequate technical support to between 12 and 24 months,

a potentially critical hit to a company’s competitive position.

Only about 12 percent o respondents say they have recently

experienced severe technical support ailures, but the intensity

o risk is elevated by the relatively long recovery times

ollowing an incident o this nature. The intensity o risk can

be urther elevated as a company adopts new technologies such

as cloud and social media.

Reactive versus proactive

One problem identied by the study ndings is that many companies take a reactive approach to IT risk management.

They typically dedicate resources to risks like data thet and

Risk Management 5

cybercrime, systems ailure and data backup ailure where they

have experienced serious ailures in the past. But they pay less

attention to emerging risks that have not yet caused major

reputational damage. CEOs, CIOs and CFOs report that

resources are least oten allocated to proactive items such as

technical support, the use o social media tools in their disaster

recovery plans and change management

MESSAGE TO THE CEO:

“Underestimating the cost o reputational risk greatly exceeds the cost o protection.Being proactive is preerable tobeing reactive.”

IT manager, energy and utility company, US

Executives are, however, attempting to look beyond therearview mirror. O the 63 percent o C-suite respondents who

say their company will ocus more on managing its reputation

in the uture, nearly hal (46 percent) say this is driven by the

growthoftechnologyandsocialmedia,whileonly18percent

cite previous adverse experiences as the primary driver. Not

only are companies more willing to look or blind spots in their

risk management rameworks, they are also dedicating the

necessary resources to support their IT risk management. Over

90 percent o C-suite respondents say their IT budget will

grow over the next 12 months due to reputational concerns,

and 16 percent say the increase will be more than 20 percent.

As one US-based study respondent argues, “Underestimatingthe cost o reputational risk greatly exceeds the cost o

protection. Being proactive is preerable to being reactive.”




Five characteristics o highly trusted companies

For the purposes o this study, a “successul” organization

is one that respondents identifed as enjoying an “excellent”

reputation. Interestingly, only 30 percent characterized their

company in these terms. Notwithstanding the bias inherent

in the sel-rating process, an analysis o relative reputational

perormance reveals that these organizations share a

common approach o linking strong IT risk management

capabilities with a solid understanding o how specifc IT

risks can threaten reputation. While this list is by no means

exhaustive, these characteristics have been distilled down to

the ollowing list o fve key success actors.

Integration o reputational and IT risk

Notably, an overwhelming majority (83 percent) o

executives who characterized their frms as having

excellent reputations say their company has integrated IT

into reputational risk management (see Figure 3). Still, the

act that nearly two-thirds (64 percent) o those who

rated their frms’ reputation as average or worse than

their competitors also say that IT has been integrated intoreputational risk management underscores that this alone

does not guarantee success.

Mapping o IT threats to key elements o reputation

Successul organizations perceive stronger links

between IT threats and key elements o reputation.

The correlation is especially strong between IT and customer

satisaction and brand reputation.

Strong IT risk management capability

About 84 percent o companies with an excellent

reputation say they have strong or very strong IT

risk management capacity (see Figure 3). This compares

with ewer than 30 percent o companies with reputations

described as average or weaker than those o their

competitors. Not surprisingly, strong IT risk management

capabilities also mean that the company experiences ewer

severe reputational incidents. For example, in the case o a

data thet/cybercrime event, approximately 80 percent o

study respondents who rate their frm’s IT risk management

as “very strong” say they can recover in six months or less,compared with only about hal o those with “weak” IT

risk management.

Robust IT risk management unding

Successul frms have well-resourced IT risk

management unctions (see Figure 3). The proportion

who say their frm’s IT risk management unction has

adequate unding alls rom 78 percent or those with excellent

reputations to 59 percent o those with very good reputations,

and to 36 percent o the remainder.

Strenuous supply chain control

Successul frms are signifcantly more likely than

others to report that they very strenuously requirevendors and supply chain partners to meet the same levels

o control as required internally (see Figure 3). The proportion

o respondents who say they do this drops rom 58 percent

o those rated excellent to 38 percent o very good and to 33

percent o the others.

Larger frms are generally better equipped to manage IT risks

than smaller frms. This accounts or the higher proportion o

large frms with excellent reputations. However, organizations

o all sizes have succeeded in managing IT risks to contribute

to building excellent reputations.

1

2

3

4

5



Risk Management 7

Figure 3. Important IT risk elements and how oten they are implemented by companies o varying reputational strength. The study ound a direct relationshipbetween IT unding and reputational risk management success.

Integrate IT intoreputational risk

management

83%

Have strong/ very strong IT risk

management capacity

Have adequate ITrisk management

unding

Very strenously require vendors and partners to match standards

81%

64%

84%

63%

28%

78%

59%

36%

58%

38%33%

Organizations categorizing their reputation as:

Excellent Very good Average or worse




Reputation and the supply chain The organization’s supply chain is a point o concern or all

study respondents. When a supplier, vendor or other third

party experiences an IT ailure related to the organization’s

systems, data or customers, that ailure can have as signicant

a reputational impact as a ailure within the organization.

Further increasing the risk, third parties are more challenging

to control than in-house systems and staf.

C-suite executives are more concerned about the supply chain

risk gap than study respondents as a whole. Analysis o the

responses o CEOs, CIOs and CFOs reveal that there are

particular areas where they view their companies as requiring

no control at all on the part o their partners (see Figure 4). In

particular, CEOs identiy suppliers’ disaster recovery measures

and systems ailure protections to be a source o concern.

CIOs’ areas o concern are systems ailures and data loss, while

CFOs see no supplier control in the areas o IT skills, disaster

recovery plans and business continuity plans.

The marked diference between the responses o all study

respondents compared to responses o C-suite executives

makes supply chain control an area o concern to which most

companies will want to pay increased attention. The public will

almost always blame the corporation, rather than its website

vendor, when a data breach happens. In getting to the bottom

o the supply chain control issue, it will be important to

determine whose perception is accurate, the C-suite or other

executives, and a third-party consultant may prove invaluable

in making this assessment.

Figure 4. The C-suite sees more instances o “no control at all” over thereputational risk management attributes o their third-party suppliers, ascompared to study respondents overall.

Lack o IT skills

12%

17%

13%

Inadequate business

continuity plans

29%

Data breaches

Inadequate disaster recovery measures

10%

19%

11%

29%

7%

13%

11%

15%

10%

19%

15%

29%

7%

13%

11%

15%

7%

13%

11%

15%

Data loss

Systems ailures

All studyrespondents

CEOs CIOs CFOs



Risk Management 9

It is interesting to note that only CIOs include themselves

on the list. O even greater importance is the act that CEOs,

CIOs and CFOs assign each other ar less responsibility or

their companies’ reputations than do study respondents as

a whole. In some cases, responsibility is assigned to other

C-level executives such as the chie risk ocer or chie security

ocer, indicating that reputational responsibility may be more

compartmentalized—and reputational risks less holistically

managed—than may be good or the organization.

The level o reputational responsibility assumed by the C-suite

is consistent with broader trends toward greater C-level

responsibility or integrated enterprise-wide risk management.

In a 2011 study 1 o 391 senior executives sponsored by IBM

and conducted by the Economist Intelligence Unit (EIU), 71

percent o respondents said that C-level executives were “very

involved” in their organization’s overall risk management

strategy,and88percentsaidtheyexpectedthislevelof

involvement to increase. Yet executives suggest that the most

successul strategies come together when risk managers with

diferent specialties collaborate to provide integrated risk proles to senior management. Over three-quarters o C-suite

participants say that IT risk exposures are escalated to the

C-level efectively.

The expanding role o marketing in protecting reputation suggests the need or closer collaboration between CMOs and CIOs.

A 2005 EIU survey 2

ound that marketing managers played aminor part in the management o reputational risk, and their

unction was limited mostly to a communications role as the

company’s “eyes and ears” on reputational threats. In the

2012 study results, both CEOs and CFOs said that their chie

Top-down and bottom-up approaches to

managing IT-related reputational risks Thevastmajority(85percent)ofC-suiterespondentsin

the study say the CEO is most accountable or their

company’s reputation, ollowed by CFO (33 percent),

CIO (27 percent) and CMO (25 percent). O particular

note, close to two-thirds say that accountability is shared

among more than one C-level position.

CEO

Who is responsible?

85%

CFO

33%27%

CIO

25%

CMO

Figure 5. Who is most responsible or a company’s reputation? C-suiteexecutives overwhelming give irst place to the CEO. Only CIOs includedthemselves among the top three.




marketing ocer is one o the top three corporate executives

responsible or the company’s reputation. This expanding

role o the marketing unction suggests a need or closer

collaboration between CIOs and CMOs as companies employ

technology to make sense o mountains o marketing data that

can contain hidden insights into a company’s reputation.

Protecting reputation through

communication While IT specialists are accountable or technical recovery

ater an incident, they need to work closely with counterparts

in marketing, communications and public relations to clearly

communicate with stakeholders in the atermath o a ailure.

Experienced IT executives invariably say that these messages

need to be both swit and brutally honest, especially in an

environment where the media are primed to pounce on

perceived corporate deceit.

Communications to convince stakeholders that the causes o

an IT ailure have been addressed can sharply cut the time

needed to restore trust, but the harm that a particular IT

ailure causes to stakeholders increases the efort required. For

example, website outages inict only minor inconvenience on

customersandarefairlyeasilyexplained.About78percentof

study respondents say they recover rom such incidents in less

than six months. At the other end o the scale, it takes longer

to recover rom reputational damage due to cybercrime, partly

because it tends to inict more serious harm on stakeholders

and also because it can be harder to sell the message that the

problem has been entirely xed.

Going social with risk managementSocial media eature prominently in executives’ reasoning,

both in interviews and in study responses, about why they are

growing more concerned about protecting their companies’

reputations. Since social networking is enabled by technology,

there is a tendency to lump it in with IT-related technical risk.

But social media channels are not risks in themselves; rather

they are ampliers o an organization’s reputation (or better

or worse). This means they should be evaluated as part o an

organization’s overall communications mix.

Only 19 percent o C-suite respondents saytheir company has a disaster recovery planthat includes the use o social media tools.

Social media have moved beyond their initial unction o

enabling consumer-to-consumer communications. Blogs

ocused on specialized business and technical communities

have a growing impact on business-to-business (B2B)

enterprises. In act, “social” may no longer be an appropriate

term to describe peer-to-peer exchanges among community

members. In any event, the need to mitigate potential

reputational damage posed by accelerated communications is adiferent challenge than efectively using social media as a tool

or engaging stakeholders. This study suggests that strategies

to deal with the latter are still in their inancy. Only 19 percent

o study respondents say that their company has a disaster

recovery plan that includes the use o social media tools.

33%

33%

CMO respondents highlight two areas whereextended recovery times may require intensifed

external communications

Inadequate businessresilience plans

Lack oIT skills



Risk Management 11

Best practices for improving reputational

risk management performanceC-suite members interested in improving their organizations’

reputational risk management perormance can learn rom the

best practices identied by executives who participated in this

study. Efective strategies include:

• Be proactive rather than reactive. Be prepared to invest

in developing comprehensive reputational risk management

strategies that include robust controls on IT risks—particularly those related to security, business continuity

and technical support—as well as other reputational risks.

• Create an organization where line of business

executives and IT managers collaborate with other risk

management specialists. Together they should be tasked

with presenting a comprehensive prole o organization-

wide reputational risks to senior management.

• Engage in scenario analysis, especially with new and

emerging technology. Don’t wait or an incident to

happen. There are plenty o case studies to be used as a

basis or “what i” planning.

• Assess risks across the whole supply chain. A ailure

by a downstream supplier can be just as devastating as an

internal problem, and risk controls can be harmonized

among key players. Likewise, B2B companies should

collaborate with customers to provide assurance that all

relevant risks are well managed.

• Consider outside help. Employing an outside consultant

with a proven track record can aid your company’s

reputational and IT risk management eforts. An outside

consultant can look at the big picture rom an objectivepoint o view, which may prove invaluable in eliminating

areas where company executives have a perception o

adequate protection while actual processes and procedures

indicate potential weaknesses.

ConclusionOrganizations o all sizes are paying more attention to

threats to their reputations stemming rom today’s digital

environment. This concern is reected in more integrated,

enterprise-wide approaches to risk management and increased

attention being paid to the direct reputational impacts o

IT risks. These include risks stemming rom the use o new

technologies. Security has edged out business continuity as the

most important connection between IT risks and reputation.

MESSAGE TO THE CEO:

“IT… is like the heart pumping

blood to the whole body, so any ailure could threaten the wholeorganization’s survival.”

— IT manager, IT and technology company,

France

The ndings o the 2012 IBM Global Reputational Risk and

IT Study demonstrate the importance o managing IT risks

within the context o the array o reputational risks conronting

the organization. When that happens, companies can enjoy the

trust and support o their key stakeholders, which ultimately

drives business perormance.



Please Recycle

© Copyright IBM Corporation 2012

IBM CorporationIBM Global Technology ServicesRoute 100Somers,NY10589

Produced in the United States o AmericaDecember 2012

IBM, the IBM logo and ibm.com are trademarks o International Business Machines Corp., registered in many jurisdictions worldwide. Other producand service names might be trademarks o IBM or other companies. A current list o IBM trademarks is available on the Web at “Copyright andtrademark inormation” at www.ibm.com /legal/copytrade.shtml.

This document is current as o the initial date o publication and may bechanged by IBM at any time. Not all oferings are available in every countryin which IBM operates.

THE INFORMATION IN THIS DOCUMENT IS PROVIDED“AS IS” WITHOUT ANY WARRANTY, EXPRESS OR IMPLIED, INCLUDING WITHOUT ANY WARRANTIESOF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND ANY WARRANTY OR CONDITION OF NON-INFRINGEMENT. IBM products are warranted according to the termsand conditions o the agreements under which they are provided.

1 Key trends driving global business resilience and risk: Findings rom the 2011 IBM Global Business Resilience and Risk Study. September, 2011.

2 Reputation: Risk o risks. Economist Intelligence Unit. December, 2005.

For more information To help you share the inormation presented in this report

with your colleagues, you can download the corresponding video report at http://youtu.be/cyyW19DyaAU . To learn

more about how IBM can help you protect your organization’s

reputation by strengthening IT risk management, contact your

IBM representative or visit the ollowing websites.

For security and IT risk management, visit:

http://www-935.ibm.com /services/us/en/it-services/

managing-risk-security-resiliency/index.html

Security essentials or CIOs:

ibm.com /smarterplanet/us/en/business_resilience_

management/article/security_essentials.html

For business continuity and IT risk management, visit:

ibm.com /services/continuity

For technical support and IT risk management, visit:

ibm.com /services/techsupport

View the IBM reputational risk and IT inographic at:

ibm.co /repriskinfographic

Add your voice to the discussion Your opinion matters! Participate in the extension o our 2012reputational risk and IT survey. Just scan the quick response

code here or go to ibmrisksurvey.com

Your input will be added to what we anticipate will be the

largest survey ever conducted on this important subject. You

will receive the new analysis and report on the survey ndings

in early 2013. Thank you very much or your participation.

CIW03084-USEN-00

http://www.ibm.com/legal/copytrade.shtml


http://www-01.ibm.com/common/ssi/cgi-bin/ssialias?subtype=WH&infotype=SA&appname=GTSE_RL_RL_USEN&htmlfid=RLW03004USEN&attachment=RLW03004USEN.PDF




http://youtu.be/cyyW19DyaAU

http://www-935.ibm.com/services/us/en/it-services/managing-risk-security-resiliency/index.html



http://www.ibm.com/smarterplanet/us/en/business_resilience_management/article/security_essentials.html



http://www.ibm.com/services/continuity

http://www.ibm.com/services/techsupport


http://ibm.co/repriskinfographic


http://www.ibmrisksurvey.com/











http://www.ibm.com/services/continuity





http://youtu.be/cyyW19DyaAU




Date post:	03-Apr-2018
Category:	Documents
Upload:	ibm-india-smarter-computing
View:	220 times
Download:	0 times

Reputational risk and the C-suite

Documents