The Challenges of Addressing Reputational Risk

Preserving corporate reputation is the key information assurance challenge facing organisations today. This year's high-level Corporate Executive Programme annual Gleneagles conference identified key emerging risks.

In a series of intensive workshop sessions at Gleneagles, corporate global risk managers, CIOs and Chief Information Security Officers came up with major current and emerging risk areas. The main issues relate to people and process, not technology. Topics included:

  • Reputational Risk Rises up the Agenda
  • Employees and Third Parties as a Risk
  • The risk from digital democracy
  • Just-in-time or just-too-late?
  • Digital immigrants vs digital natives
  • Build Culture not Controls


Secure today for a secure tomorrow

Recent high profile data leakages and the volatility of the credit crunch have raised awareness of the severe risk to corporate reputation caused by uncoordinated governance of people and technology.

This year's Corporate Executive Programme (CEP) annual conference, at Gleneagles, Scotland, focused on reputational risk reduction by integrating better links between people, technology and business. The challenges are wider than ever, as operational security extends its scope to cover reputational risk, and as the traditional roles of IT security and corporate risk managers converge.

As Claudia Natanson, Chair of the CEP and Chief Information Security Officer at Diageo, explained: "Protecting brand, revenue and reputation demand even greater challenges for today's security practitioners who must now secure organisations today for tomorrow's workforce and for a changing business climate. Companies which are able to understand the true nature of technological risks will find themselves more flexible in providing security solutions that underpin all facets of their functional and business processes."

Reputational Risk Rises up the Agenda

Recent high profile security lapses have put reputational risk high up corporate agendas. "Reputation loss is more destructive than credit loss or market loss," said one speaker, a global risk manager in the finance sector.

With reputation hard won, but easily lost, it is a paradox that any organisation's two best assets, people and data, present the biggest challenges in terms of protecting that reputation.

Employees and Third Parties as a Risk

One senior global manager was concerned about the risk of employees in various departments (such as marketing and sales) cutting procedural corners in the interests of gaining speed to market and competitive advantage. Corporations look at this issue holistically across the business, he said, as security issues reach far beyond IT to impact an entire organisation.

Another concern was the security of third parties, especially outsourcers in remote countries relying on legacy computers.

People and data issues are intertwined. "Data defines the organisation - it is the organisation's DNA, therefore who wants to access it, how, and what is the data they want access to, are key concerns," said another senior speaker.

The risk from digital democracy


One challenge for organisations is to secure the future from today, especially as the range of future threats is broadening, according to Robert Philips, CEO of Edelman UK. One new threat he discussed is the rise of 'digital democracy'.

"We have moved away from pyramid-shaped, top down information flows to cross information flows," he said, explaining that this new, more open structure greatly increases the threat of data leakage.

He also warned that companies and brands that do not address societal issues, such as climate change, will be held to account by the new breed of more interconnected "active citizens", with adverse implications for corporate reputation.

Just-in-time or just-too-late?


Another speaker, looking at wider threats such as pandemics, famine, and power supply, urged organisations to pay close attention to global interdependences, pointing to the speed with which a "just-in-time" business model can turn into "just-too-late".


Digital immigrants vs digital natives

Addressing the people issues has never been more important. There is currently much debate about how to handle the new generation of "digital natives" who have grown up with IT and who expect the workplace to deliver the capabilities for social networking, through sites such as Facebook.

The dilemma about trends such as social networking, especially for many in the heavily regulated finance sector, is whether to have strict controls, or whether to be permissive. This is compounded by social networking being a route to attracting and retaining bright young graduates.

Build Culture not Controls


The long-term solution to getting people's "buy-in" is to engender culture change and an atmosphere of trust.

"The answer is not to build more controls because the company will get bogged down - and people will always find workarounds - therefore it is more effective to look to attitudes of employees' integrity and alertness," said one speaker. "You can best protect reputation by building culture, not controls, and through people not processes."

Building culture, trust and awareness requires a range of "soft skills", encompassing sensitive communications and staff education from risk and security managers, if they are to tackle internal cultural attitudes throughout their organisations.

Preservation of reputation ultimately depends on people, their buy-in and their awareness.

Natanson stressed the need for all employees to be involved and to be aware of operational and reputational risk areas.

"We need awareness, awareness, awareness," she said. "No amount of control or compliance will secure anything because the weakest link is ourselves."


The Corporate Executive Programme

The Corporate Executive Programme is the only forum to unite cross-functional senior executives from across all business lines, including public and private sectors, to address enterprise-wide risk strategically, openly and confidentially. CEP membership includes top level executives from the world's largest organisations including Diageo, HSBC, Mitsubishi UFJ and Intel.

This year's Gleneagles conference on reputational risk had board-level speakers from IT and business in global corporations.

For more details about the Corporate Executive Programme, contact John Lyons (01442 831574) or email john.lyons@globalcep.com.