Managing Reputational Risk in an Era of the Unthinkable: Brand Implications of Major Breaches Part 2
Updated: Jun 21, 2019
In the first part of this two-part series, we discussed how the reputational impact of major breaches in physical or information security can be managed to protect a company’s bottom line. This second part looks a little further ahead to evaluate how a company’s costs are impacted by such risks and can be managed to preserve profitability.
Reputation and the Cost of Money - In some cases lenders may determine that reputational damage has impacted revenues, operational costs or the overall financial health of an organization so much that the costs to borrow increase. For organizations with low debt levels this financial risk can be managed to drastically reduce these costs.
For others it may become extremely costly. No matter where your organization sits on the debt spectrum resilience is crucial in all areas of the business so you can strengthen lenders’ view as they re-evaluate the health of your business. An enterprise-wide response is ideal to mitigate the often expensive effects of increased borrowing costs. Make sure you’ve built that risk resilience into cash flow, operational costs, and the impact of big events on overall market value.
Reputation and Operations – Like revenue, the impact to operational costs is easy to see in the short term. Increased spending on response efforts, outside counsel, security experts, and more are easy to quantify. However, long after the brand impacting event organizations continue to feel further effects on operations.
Three common areas with ongoing operational cost implications are risk mitigation, compliance spending and the cost of personnel. Often firms respond to brand damaging incidents by throwing money at the problem. Stakeholders and executives get comfort from the immediate spending, but that spending is rarely commensurate with the risks involved. Rather than spending boatloads of money on beefed up compliance and audit or unfettered cybersecurity spending, organizations need to ensure that new spending is matched to the amount of risk reduction needed.
The costs of increased turn-over or retention after a big event are harder to quantify. Just as reputational damage impacts customers' views of an organization, employees may require more compensation or be easier to lure away if your brand suffers. Focusing on employee sentiment may seem unnecessary in the immediate aftermath of a brand damaging event but it may save you in turnover and talent acquisition costs down the road.
Reputation and Regulation - Depending on the type of incident, regulators might have cause to step in. While fines and legal fees may be unavoidable, a strong risk management program can be critical to avoiding more onerous regulatory oversight. The right kind of program goes well beyond demonstrating large, active programs in compliance or audit.
True risk management means that organizations demonstrate, on an ongoing basis, how they manage risks effectively, including how they can detect and respond to failures. Furthermore, showing regulators how your organization protects customers through enhanced resiliency efforts can also give the regulators good cause for not taking their most restrictive actions.
Big Reputational Risk Means Big Action
Given the diverse ways big reputational risks can drive up costs, organizations should take a broad approach when managing such risks. Since no part of the enterprise is safe from brand damage, risk management against this damage needs to be undertaken at enterprise scale. Companies need to look broadly at the value of preventative risk mitigation before a major incident occurs, and consider investing in resiliency to limit the eventual costs to the brand and organization of such incidents.
In today’s high risk environment, risk managers need to provide executives with prospective information about the enterprise-wide risks they face and then dive in fully to help with both the response to extreme incidents, and with reassuring all those with a stake in recovering from these traumatic events.