Managing Reputational Risk in an Era of the Unthinkable: Brand Implications of Major Breaches Part 1
Updated: Jun 21, 2019
We live in an era of sometimes unfathomable risk. From the November 2015 attacks in Paris that left 130 victims dead to the deep breach at Equifax that exposed 145 million consumers’ most intimate data, people, places, and companies are dealing with the unexpected every day, and one of the primary repercussions is to the integrity of their brands.
It’s common to assume that many of these events have a short lived impact. In the aftermath of the October 2017 massacre in Las Vegas, stocks dipped and investment banks estimated up to 6 months of reduced demand, but tourism was expected to rebound to levels seen before the event within a year.
The repercussions of such events live on far longer in the ongoing calculus of risk, expense, and operations that they so strongly influence. Risk managers for the Las Vegas Police, MGM International and other hospitality companies have to balance the costs of security enhancements with the broader expense and risk landscape of their business. No amount of spending can reduce risk to zero and too much spending can threaten the integrity of the bottom line
All of these high profile security events have not only operational implications but also reputational ones – bottom line impacts on the brand and the ways the brand influences revenue, market valuations, credit worthiness, regulation, and operations themselves. Reputational risk surfaces in surprisingly diverse ways and one of the major ways risk managers can benefit the bottom line is by demonstrating the organization’s flexibility and resilience in the face of brand damage.
This is the first of a two-part series on understanding reputational risk as an enterprise-wide concern requiring an enterprise risk management approach. Reputational risk goes far beyond considerations of physical or cyber-security. Let’s talk about all the ways brand damage is likely to materialize.
The remainder of this first part will focus on understanding and mitigating the first-order, bottom line impacts of reputational risk – revenue and valuation. In part two we’ll focus on the second-order but equally important impacts on credit worthiness and operating costs.
Revenue & Reputation: Securing the Bottom Line When Bad Stuff Happens.
Often the easiest cost to imagine is loss of customers during a brand impacting event. However, some risk managers find it difficult to quantify impacts on future revenue in the aftermath of these incidents. Consider the horrific attacks in Paris in 2015 – Tourism rebounded quickly to pre-attack levels but the attacks undoubtedly reduced the share of international travelers who would otherwise have come to the city.
While this impact can be difficult to quantify, it’s not impossible. By focusing on the primary stakeholder for this cost (in this case tourism consumers) we can go a long way toward modeling the impact of brand damaging events. Maintaining information not only on the sentiments of your customers but acquiring data on the average consumer in your sector is key for calibrating risk models. Further, true brand recovery in the aftermath of a high profile event can only be evaluated when you know what potential as well as loyal customers are looking for or are concerned about.
Reputation & the Markets: The Real Risks of Devaluation
After a brand impacting incident companies almost immediately see effects on stock. Stock prices plummet and there are subsequent losses stemming from these initial dips. Given the herd mentality of investors it is critical to reassure savvy shareholders that the risks to the company are being well managed. Here a strong enterprise risk management approach can provide executives with the right information at the right time to convey to the market that the root causes are known and being addressed. A robust culture of risk management can provide hard evidence of the actions the company is taking to ameliorate the costs of the incident in question. In some cases there is little that can be done to prevent an immediate reputational hit, but demonstrating an awareness of the all the ways the costs of the incident have and will materialize goes a long way toward demonstrating resilience to investors.