Why Reputational Risk is a Security Risk and What to Do About It
In 2007, Aon’s Global Risk Management Survey identified reputational risk as the top concern for global enterprises. A decade later, in the latest such survey by Aon, “damage to reputation/brand” retained its number one spot among more than 50 other categories of risks. Even though recognition of reputation’s importance has been high for years, preventive risk management efforts have not kept up. By narrowly focusing on prevention of security incidents or cybersecurity breaches as the main approach to warding off brand damage, corporate security is partially to blame. Security teams should instead recognize that reputational issues can cause security incidents themselves and that using intelligence teams to monitor and analyze reputational risk is much needed by the leadership of most global organizations.
Reputational Issues with Impact on Security
Reputational risk is typically defined as the loss to a business or organization through reputational damage, with the term “loss” highlighting a threat primarily to finances. Insofar as security is connected, many sources suggest a one-way relationship, with security failures resulting in reputational problems. A 2018 CEO and board risk survey by Deloitte, for example, found that “security risks, including both physical and cyber breaches” were the most frequently noted cause for reputational risk.
While true, this portrayal is simplistic and security leaders must recognize the many ways that reputational risk can directly influence the threat environment for organizations. As a start, we recommend considering “the four P’s:” Products, Policies, People and Politics.
- Products (and services) – Reputational risk is often centered on perceptions about products and whether, among other negative qualities, they are unethical, substandard, fraudulent or harmful. Such opinions, which can quickly shift and create threats, can easily trigger security incidents. Pharmaceutical companies that manufacture and sell opioids once thought of as innocuous, for example, are now facing a social backlash with severe security implications. In August 2018, more than 500 people protested outside the Stamford headquarters of Purdue Pharma, the manufacturers of OxyContin, as part of a campaign led by activists angered by the growing national opioid crisis.
- Policies – An organization’s underlying corporate practices – on governance, employee relations, global strategy or manufacturing practices, among other issues – can also be seen as unethical or unfair. These factors can likewise have a tangible impact on security, as was the case with YouTube’s introduction of a new policy that resulted in some bloggers losing advertising revenue and having their content censored. In April 2018, this policy served as a triggering event for Nasim Aghdam’s subsequent shooting attack on YouTube’s headquarters that injured three employees.
- People – People are a company’s main asset, but also a significant source of reputational risk. A controversial public statement or a case of sexual misconduct involving a senior executive can cause a scandal with widespread reputational ramifications. Other risks may stem from a wide range of factors related to an executive’s background or lifestyle. Of course, mid-level managers can also be a source of risk due to their actions within the workplace, as a brief glance at some of the lower-ranking company reviews on sites such as Glassdoor.com illustrates effectively.
- Politics – Sometimes overlapping with the issues above is negative sentiment generated by the actions of companies or their employees that are politically motivated or impact the political sphere. At our current historical moment of heightened partisanship, explicitly or implicitly subscribing to a social or political stance is likely to draw ire from those with opposing views and can even serve as a rationale for demonstrations or violence. Just ask Uber. In early 2017, protestors chained themselves to the entrance of the company due to former CEO Travis Kalanick’s participation in President Donald Trump’s Strategic and Policy Forum.
Intelligence Analysis as a Reputational Risk Solution
As with other abstract and amorphous issues, managing reputational risk requires leveraging intelligence teams that can monitor and analyze threats before they get physical. The first step in creating an intelligence program that can track reputational risk is to conduct a risk assessment; that is, to identify which of the risks above (or any others) are most relevant to the organization. An open-source intelligence (OSINT) review of the organization should provide some answers, but a workshop with key stakeholders within the company can deepen understanding. Second, analysts need to determine where they will source relevant information. In some cases, they may need to find specialized online review sites or forums; alternatively, most social media monitoring systems can be calibrated to track reputational issues.
Third, we recommend that intelligence teams find internal organizational allies that can serve as additional recipients of analysis or as potential partners on monitoring if a team does not have adequate resources. Within the corporate environment, such internal partners can include government affairs, communications or marketing, for instance.
This last point is especially important. Most companies have a fuzzy notion of reputational risk and who is responsible for it, so taking ownership of analysis can bring great benefits to intelligence teams and corporate security broadly. As the 2018 Deloitte survey mentioned above notes, only 50 percent of organizations can identify reputational risk events and only 53 percent have the capacity to analyze them and predict their impact. Intelligence teams should take advantage of this vacuum to make a value-added contribution while bolstering their own exposure and reputation.
The Risk Matrix is a monthly column on SecurityMagazine.com. Check in every month for new insights into international risk management strategies.