Triple threat: How to handle three top risks to reputation

Chuck Saia | August 26, 2016

After receiving a poor performance review, an employee takes to social media and speaks negatively about the organization and its leaders, creating a dialogue around the organization’s culture that goes viral…

A cybercriminal discovers a vulnerability in an organization’s security system, steals the Social Security numbers of millions of its customers, and demands a ransom payment for the decryption key needed to recover the sensitive data…

A third-party vendor fails to follow regulations when handling client records and inadvertently releases sensitive customer information, resulting in negative media attention and a steep fine for the organization…

The scenarios above are examples of three risks that are of growing concern to management executives and board members: culture, cyber, and third parties. When a risk in one of these areas goes unchecked, it has the potential to impact one of an organization’s most valuable assets—its reputation.

A negative impacting event can lead to a number of challenges, including increased regulatory scrutiny, apprehension from clients and customers, detrimental attention in social and traditional media, and investor skepticism.

Organizations that transform risk from a traditional management approach into a strategic enabler with strong governance, robust reporting, reputational sensing (see sidebar), and an innovative mindset to continuously improve can adjust strategies and mitigate risk to take on calculated risk that enables growth.

Here’s a closer look at culture, cyber, and third-party risks and how reputation may be impacted by each.

Culture risk: Getting everyone to operate from the same playbook

Culture describes the set of values, beliefs, and behaviors that shape how work gets done at an organization. It was high on the list of Global Human Capital Trends for 2016, a Deloitte survey of more than 7,000 business and HR leaders from 130 countries. Eighty-six percent of the respondents said culture was an important priority, but only 19 percent believe they have the “right culture.”

I believe that it’s up to senior leaders to set the right culture “tone” and communicate examples of do’s and don’ts to make sure everyone is reading from the same playbook. Chapter 1 in any culture playbook should be about reputation, in my opinion. It is important for everyone to understand how precious the organization’s reputation is and how it’s everyone’s responsibility, not just a small group of individuals who oversee it.

When professionals don’t behave in accordance with their organization’s established values, reputation may be impacted.

Take, for example, employees who are on their way out of an organization. Regardless of the nature of their departure—leaving for another job or being let go—these employees may pose a culture risk as adhering to the organization’s values is no longer a priority. They may lose focus, become distracted, or—in a worst-case scenario—attempt something malicious by deliberately dispensing with sensitive information.

In my experience, 90 percent of detrimental workplace behavior happens when a professional is about to leave an organization. That’s why it’s a good idea to establish a process to mitigate an incident before it becomes a crisis. An organization can do this by proactively communicating its core values to professionals, encouraging its leaders to set an example, and using tools to identify potential bad behavior to avert a reputational crisis.

3 key elements to managing reputational risk

Managing risks related to culture, cyber, and third parties (as well as the many other risks organizations face in today's globally connected business landscape) may be a major challenge. Many business risks have the potential to transform into reputational risk, which is why, in my opinion, it's essential for organizations to have a comprehensive, strategic risk management program with the following three elements:

Governance: Having dedicated risk officers who sit on the executive committee with the CEO and CFO is one key element in making risk more strategic. I've seen how effective risk management can be when the right people are in the right roles, meeting on a regular basis to talk about strategic and emerging risk issues. A strong governance model helps establish reputational risk as a priority in an organization.

Reporting: Having a robust, agile process to report risk, including reputational risk, is also important. Reporting lessens the likelihood of surprises that blindside an executive team. An effective, consistent reporting process allows organizations to stay proactive on risk issues. Knowing what potential risks an organization faces, and knowing that risk-sensing data is being reported consistently and uniformly, helps CEOs and board members accurately assess, prioritize, and provide context for each risk issue.

Sensing: Leading-edge "listening" or sensing tools allow organizations to monitor risks to their reputation 24/7/365, to better gauge their competition and the changing external environment, and to quickly adjust strategies and devise mitigation tactics. Reputation often evokes emotions, but emotional decision-making may lead to poor decisions. Risk sensing replaces emotion and second-guessing with facts and logic.

At Deloitte, we have dedicated communication campaigns related to culture. They describe real-life scenarios, including leaving a laptop accessible at a coffee shop and sending a presentation with confidential information to a personal email address. The campaigns aim to reinforce what is and isn’t expected behavior and to empower our professionals with guidance on what to do if they witness misconduct.  

Organizations can use cutting-edge tools to pick up on behavior that appears to be atypical, such as a drastic increase in email to an external account or access to confidential information by someone who typically doesn’t need access.
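The two signals named above (a sudden jump in mail to external accounts, and confidential data opened by someone with no history of needing it) can both be expressed as per-user baselines compared against a review day. The script below is an added illustration of that logic; it is not the author's or Deloitte's tooling. The event format, the corporate domain `example.com`, the classification labels, the users, and the spike thresholds (`factor`, `floor`) are all constructed assumptions.

```python
"""Baseline-versus-review-day checks for two atypical behaviours:
a spike in external email and first-time access to confidential data.
Added example; event format, domain, users and thresholds are assumptions."""
from collections import Counter, defaultdict
from datetime import date, timedelta

INTERNAL_DOMAIN = "example.com"  # assumed corporate mail domain (constructed)


def make_sample_events():
    """Constructed sample audit events (not real data). Each event is a dict
    with day, user, kind ('mail' or 'access') and a detail field."""
    events = []
    baseline = [date(2016, 8, 1) + timedelta(days=i) for i in range(7)]
    review_day = date(2016, 8, 8)
    for day in baseline:
        # alice (finance): routinely mails a partner and opens a confidential ledger
        for _ in range(2):
            events.append({"day": day, "user": "alice", "kind": "mail", "to": "auditor@partner.example"})
        events.append({"day": day, "user": "alice", "kind": "access",
                       "resource": "ledger.xlsx", "label": "CONFIDENTIAL"})
        # bob (engineering): one external mail a day, internal files only
        events.append({"day": day, "user": "bob", "kind": "mail", "to": "support@vendor.example"})
        events.append({"day": day, "user": "bob", "kind": "access",
                       "resource": "build-notes.md", "label": "INTERNAL"})
    # Review day: bob sends 40 messages to a personal address and opens client records
    for _ in range(40):
        events.append({"day": review_day, "user": "bob", "kind": "mail", "to": "bob.home@personal-mail.example"})
    events.append({"day": review_day, "user": "bob", "kind": "access",
                   "resource": "client-records.csv", "label": "CONFIDENTIAL"})
    # alice's review day matches her baseline; carol's few external mails stay under the floor
    for _ in range(2):
        events.append({"day": review_day, "user": "alice", "kind": "mail", "to": "auditor@partner.example"})
    events.append({"day": review_day, "user": "alice", "kind": "access",
                   "resource": "ledger.xlsx", "label": "CONFIDENTIAL"})
    for _ in range(3):
        events.append({"day": review_day, "user": "carol", "kind": "mail", "to": "friend@mail.example"})
    return events, baseline, review_day


def is_external(address):
    """True when the recipient domain is not the corporate domain."""
    return address.rsplit("@", 1)[-1].lower() != INTERNAL_DOMAIN


def external_mail_counts(events, days):
    """Per-user count of messages to external recipients on the given days."""
    counts = Counter()
    for e in events:
        if e["kind"] == "mail" and e["day"] in days and is_external(e["to"]):
            counts[e["user"]] += 1
    return counts


def flag_mail_spikes(events, baseline_days, review_day, factor=5.0, floor=10):
    """Users whose external mail on review_day exceeds both `floor` messages and
    `factor` times their average daily baseline. The floor keeps a user who
    goes from 0 to 3 messages from being flagged on ratio alone."""
    baseline = external_mail_counts(events, set(baseline_days))
    today = external_mail_counts(events, {review_day})
    flagged = {}
    for user, n in today.items():
        avg = baseline[user] / len(baseline_days)  # absent users count as 0
        if n >= floor and n > factor * avg:
            flagged[user] = {"today": n, "baseline_avg": round(avg, 2)}
    return flagged


def confidential_users(events, days):
    """Map user -> set of CONFIDENTIAL resources opened on the given days."""
    seen = defaultdict(set)
    for e in events:
        if e["kind"] == "access" and e["day"] in days and e["label"] == "CONFIDENTIAL":
            seen[e["user"]].add(e["resource"])
    return seen


def flag_unusual_confidential_access(events, baseline_days, review_day):
    """Users who opened CONFIDENTIAL resources on review_day but had no such
    access during the baseline: a need-to-know baseline derived from history."""
    usual = confidential_users(events, set(baseline_days))
    today = confidential_users(events, {review_day})
    return {u: sorted(r) for u, r in today.items() if u not in usual}


if __name__ == "__main__":
    evts, base, day = make_sample_events()
    print("mail spikes:", flag_mail_spikes(evts, base, day))
    print("unusual confidential access:", flag_unusual_confidential_access(evts, base, day))
```

Both checks derive "normal" from observed history rather than from a role table, so a legitimate first-time access (a new project, a reassignment) will also surface; the output is meant to feed a human review, which is the point of catching an incident before it becomes a crisis.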

It’s not possible to prevent all cases of culture risk, but continuous core value communications can strengthen mitigation efforts.

Cyber risk: A downside of digital

Cybercrime is commonplace in today’s digital world. We have seen that where there’s money to be made, crime often flourishes. We regularly hear about attacks on large institutions in the news but rarely hear about the thousands of unsuccessful attempts that businesses small and large face all the time.

A cyberattack may wreak havoc on an organization and its reputation. The impact can range from the quantifiable—regulatory fines and customer notification—to the less quantifiable—brand damage, theft of intellectual property, espionage, destruction of data, and attempts to immobilize key infrastructure. Understandably, clients and stakeholders may lose trust in an organization that cannot protect their confidential information.

When I sit down with clients, the topic of cyber security invariably comes up in our conversations. They describe how an attack could affect their day-to-day business, but they’re also concerned about how their organizations will be perceived during and after an attack. In Deloitte’s Reputation@Risk report, which surveyed 300 executives from organizations representing every major industry and geographic region, security was the second highest driver of reputational risk, just behind ethics and integrity.

And it’s not just executives who are concerned with cyber risks. Regulators are increasingly critical of organizations and have proposed adding regulations and/or making existing rules more stringent. In the past two years, at least two agencies (the SEC’s Office of Compliance Inspections and Examinations and the Financial Industry Regulatory Authority) have examined cybersecurity practices at financial institutions and released their recommendations.

Given the volume of attempts, many clients, regulators, and other stakeholders understand and, to some degree, accept the fact that an organization will probably face a cyber incident. It’s not a matter of “if” but “when.” In a hyper-connected world, how an organization responds to an incident is drawing more interest than ever before. Seeing an incident unfold live has decision-makers stepping up their efforts to strengthen their infrastructure so they can better prepare for, respond to, and recover from a cyber incident.

A strong infrastructure requires coordination throughout the entire organization. I believe a good place to start is a crisis playbook that describes how your crisis response team is organized and managed. It generally would include documentation of policies, procedures, and protocols, highlighting who is responsible for what. And it would create guidelines for communication—who’s on point for sending updates and when to alert the board, the CEO, and other senior leaders.

A crisis playbook is generally not set in stone. By design, it should be fluid to account for changes in risk tolerance, resourcing, strategy, and other factors. Another critical practice, in my opinion, for many organizations in the preparation stage is a wargame simulation. We perform these exercises within my team, and the lessons learned have helped us enhance our crisis playbook.

Digital life is here to stay, so it’s safe to say that cyber will continue to remain at the top of the list of business risks for the foreseeable future. For many organizations, a cyber incident is inevitable, but an approach that’s secure, vigilant, and resilient can help protect, preserve, and enhance an organization’s reputation.

Third-party risk: Extending the umbrella

Third parties, known collectively as the extended enterprise, include vendors, affiliates, service providers, and more. I believe that these entities can make or break an organization and its reputation. What they do is tied to you. If they don’t share your values and follow your guidelines, threats may emerge. And as the extended enterprise grows and becomes more complex, the potential for risk increases. It’s critical for organizations to understand and manage the actions of third parties in a strategic manner.

In a recent Deloitte survey of 170 organizations, 87 percent of the respondents said they have faced a disruptive third-party incident in the last two to three years. Top areas of third-party risk in the survey included disruption to customer service, breach of regulation or law, and a breakdown in the supply chain. What’s most disconcerting is the lack of confidence in this area. In the survey, 93 percent said they have low to moderate levels of confidence in the tools and technology used to manage third-party risk.

Like culture and cyber risks, the toll a third-party risk can take on reputation is big. Take, for example, a vendor that inadvertently makes confidential client information available to the public. In many instances the stakeholders won’t come down on the vendor; they’ll come down on the organization that vendor is serving as well as its leaders.

Given the escalating risk of third-party relationships, many senior leaders are evaluating their approach and looking for ways to get a better handle on the extended enterprise.

The first step in improving a third-party risk approach may seem obvious, but it’s often the most difficult: determining who is actually in the extended enterprise. Once the third parties are identified, an organization can develop questionnaires to evaluate which parties it believes pose a risk and take steps to mitigate that risk or, in some cases, sever ties with the vendor.

Leaders responsible for the extended enterprise can then proceed with several risk reduction initiatives such as enhanced monitoring, assurance activities, and transparency. They can adopt a more disciplined approach for making a business case for using a third party, and they can make visits to third-party locations.

It’s up to the organization to ensure that a vendor shares its values. At Deloitte, we ask ourselves, “Has this vendor earned the privilege of doing business with us?” We take our reputation very seriously, and that includes our clients’ satisfaction. Our vendors are an extension of us and play a critical role in our ability to deliver seamless and top-notch service across our entire network and around the globe. Asking ourselves this question guides our assessment and decision-making about who we allow to help us do that job.

With a solid reputation risk foundation in place, not only can an organization mitigate extended enterprise risk, but it can also increase the value that third parties deliver.

Risks related to culture, cyber, and third party are top-of-mind issues for many senior executives, and given the dynamic nature of each, they will likely remain major concerns well into the future. I believe organizations that make protecting, preserving, and enhancing their reputations a priority will have a better chance at managing these risks and converting emerging risks into strategic opportunities.