IBM Research Report

Risk Management

Reputational risk and the C-suite
How IT risks can shape a company’s reputation and value—the enterprise executives’ point of view

Findings from the 2012 IBM Global Reputational Risk and IT Study

Reputational risk and the C-suite: How IT risks can shape the reputation and value of your company—the enterprise executives’ point of view draws upon an IBM study that investigates how organizations around the world are managing their reputations in today’s digital era, where IT is an integral part of the organization and IT failures can result in reputational damage. The online survey and interviews were conducted by the Economist Intelligence Unit on behalf of IBM. We would like to thank all of the executives who participated in the survey and interviews for their valuable time and insight.

About the survey
The survey, conducted in June 2012 by the Economist Intelligence Unit, included responses from 427 senior executives from around the world. Of them, 42 percent are C-level executives. About 33 percent of respondents are from North America, 29 percent from Europe, and 26 percent from Asia-Pacific. Companies with less than US$500M in revenue comprise 37 percent of respondents, and 52 percent come from companies with more than US$1B in revenue. The survey covers nearly all industries, including banking (19 percent), IT and technology (15 percent), energy and utilities (13 percent), and insurance (11 percent).

Respondents: 427
Regions: North America 33%, Europe 29%, Asia Pacific 26%, Middle East/Africa 8%, Latin America 5%
Industries (23; top responding categories shown): Banking 19%, IT/Tech 15%, Energy/Utilities 13%, Insurance 11%, Fiscal Markets 9%, Professional Services 5%, All others 28%
Job titles (15; break-out of C-suite titles): IT manager 24%, CEO/President/Managing Director 13%, CIO/CTO/Tech director 12%, CFO/Treasurer/Comptroller 8%, Other C-suite 5%, CRO/Risk director 3%, CMO/Marketing director/Brand director 1%
Company sizes (5): $500M or less 37%, $500M to $1B 13%, $1B to $5B 16%, $5B to $10B 9%, $10B or more 27%

The 2012 IBM Global Reputational Risk and IT Study survey, conducted by the Economist Intelligence Unit, gathered information from 427 senior executives—including 176 C-suite members—from around the world.


A spotless reputation
Business leaders usually have a good understanding of the value of their organization’s reputation. A strong reputation generates stakeholder trust. If a company is trusted, customers will buy and recommend its products; prospective investors and employees will want to become part of it; and communities will welcome its operations. The unfortunate reality, however, is that corporate reputations are increasingly difficult to manage in the digital era, and can be easily sullied by any number of factors—among them IT failures. With social media sites such as Facebook and Twitter boasting over 950 million and 500 million users respectively, and business-focused LinkedIn providing instant connections in over 200 countries, there is now a highly visible and immediate alternative to a company’s own communications regarding its reputation.

Based on CEO, CIO and CFO responses to the study, three principal forces drive corporate reputations: provision of a best-in-class product or service, customer satisfaction and compliance. CFOs add profitability to the mix, as well. Considering how companies are becoming increasingly dependent on technology to fulfill all four—to say nothing of running the business—the consensus is clear: IT risk can imperil companies’ productivity, damage customer relations and ultimately erode trust.

“All C-level executives need to be aware of the technology risks that can affect our reputation in the marketplace.”
— CIO, insurance company, Mauritius

It is interesting to note that—compared to each other and to study respondents as a whole—CEOs, CIOs and CFOs often have widely divergent opinions on the effect of IT risk on their companies’ reputations and reputational risk management practices. To some extent, these differences can be attributed to each C-suite executive’s area of expertise and point of view. Such differences of opinion can be good for an organization, encouraging exploration of all areas of risk and potential solutions. They can also, however, result in a skewed view of the connection between reputational risk and IT, and in inadequate funding or protections. In these cases, companies may benefit from the holistic and objective recommendations of a third-party consultant.

In response, more organizations have introduced reputational risk as a distinct category within their enterprise risk management frameworks. Our research finds that companies have begun to pay closer attention to the links between IT failures and reputational damage. This report looks at how executives are attempting to protect their brands from what could arguably be called “a preventable glitch.”

This report describes how C-suite executives around the world are seeking to protect their organizations’ reputations by adapting to the pervasiveness of technology and ongoing shifts in the business environment and IT landscape.


An ounce of prevention
CEOs, CIOs and CFOs have begun to look more closely at the reputational implications of IT failures. Study respondents say that IT exerts a particularly strong influence on brand reputation, compliance, customer satisfaction and profitability (see Figure 1).

[Figure 1 chart: share of CEOs, CIOs, CFOs and all study respondents who say each business element is “very much” affected by IT risks; panels: Brand reputation, Compliance, Customer satisfaction, Profitability; horizontal axis 20 to 80 percent. The individual bar values are not reliably recoverable from this copy.]
Figure 1. Among the four business elements cited most often by C-suite executives as “very much” affected by IT risks, there is a significant divergence of opinion between CIOs and CFOs.

C-suite executives also identify three core responsibilities of the IT function where reputational risks are the highest:
• Security (84 percent)
• Business continuity (77 percent)
• Technical support (65 percent)

It is easy to understand why executives believe that security has stronger links to reputational risk than IT functions such as business continuity or technical support. A company’s reputation would surely suffer, for example, if its customer database was breached and customer credit card numbers were stolen. It is interesting to note, however, that when individual C-suite executives were asked about the specific IT risks with the biggest impact on their companies’ reputations (see Figure 2), their answers were far less definitive than those of study respondents as a whole. This raises the question of whether the C-suite has the information necessary to make appropriate IT and reputational risk management decisions.

[Figure 2 chart: share of CEOs, CIOs, CFOs and all study respondents selecting each IT risk factor among the top three impacting their companies’ reputations; panels: Data breaches, Data loss, Website outages, Systems failures; horizontal axis 20 to 80 percent. The individual bar values are not reliably recoverable from this copy.]
Figure 2. CEOs, CIOs and CFOs are less definitive than all study respondents when selecting the top three IT risk factors impacting their companies’ reputations.

While all C-suite executives agree on the importance of securing against data breaches, they differ on the importance of business continuity risks. CEOs and CFOs put data loss in second place among their top three IT risk factors; CIOs place systems failures at number two. Systems failures are number three on CEOs’ and CFOs’ lists, while website outages—which was not a top three answer among all study respondents—rank third on CIOs’ lists.

When it comes to technical support failures, CMOs indicate extended reputational recovery times of 12 to 24 months.
While technical support ranks third among core IT responsibilities in terms of the possible threat posed to a firm’s reputation, all study respondents rank it at the top of the list of failures that require between six and 24 months of recovery time. In fact, chief marketing officers (CMOs), who are arguably closest to the public pulse when it comes to their companies’ reputations, extend the recovery time for inadequate technical support to between 12 and 24 months, a potentially critical hit to a company’s competitive position. Only about 12 percent of respondents say they have recently experienced severe technical support failures, but the intensity of risk is elevated by the relatively long recovery times following an incident of this nature. The intensity of risk can be further elevated as a company adopts new technologies such as cloud and social media.

Reactive versus proactive
One problem identified by the study findings is that many companies take a reactive approach to IT risk management. They typically dedicate resources to risks like data theft and cybercrime, systems failure and data backup failure where they have experienced serious failures in the past. But they pay less attention to emerging risks that have not yet caused major reputational damage. CEOs, CIOs and CFOs report that resources are least often allocated to proactive items such as technical support, the use of social media tools in their disaster recovery plans and change management.

MESSAGE TO THE CEO:

“Underestimating the cost of reputational risk greatly exceeds the cost of protection. Being proactive is preferable to being reactive.”
— IT manager, energy and utility company, US

Executives are, however, attempting to look beyond the rearview mirror. Of the 63 percent of C-suite respondents who say their company will focus more on managing its reputation in the future, nearly half (46 percent) say this is driven by the growth of technology and social media, while only 18 percent cite previous adverse experiences as the primary driver. Not only are companies more willing to look for blind spots in their risk management frameworks, they are also dedicating the necessary resources to support their IT risk management. Over 90 percent of C-suite respondents say their IT budget will grow over the next 12 months due to reputational concerns, and 16 percent say the increase will be more than 20 percent. As one US-based study respondent argues, “Underestimating the cost of reputational risk greatly exceeds the cost of protection. Being proactive is preferable to being reactive.”


Five characteristics of highly trusted companies
For the purposes of this study, a “successful” organization is one that respondents identified as enjoying an “excellent” reputation. Interestingly, only 30 percent characterized their company in these terms. Notwithstanding the bias inherent in the self-rating process, an analysis of relative reputational performance reveals that these organizations share a common approach of linking strong IT risk management capabilities with a solid understanding of how specific IT risks can threaten reputation. While this list is by no means exhaustive, these characteristics have been distilled down to the following list of five key success factors.

1. Integration of reputational and IT risk
Notably, an overwhelming majority (83 percent) of executives who characterized their firms as having excellent reputations say their company has integrated IT into reputational risk management (see Figure 3). Still, the fact that nearly two-thirds (64 percent) of those who rated their firms’ reputation as average or worse than their competitors also say that IT has been integrated into reputational risk management underscores that this alone does not guarantee success.

2. Mapping of IT threats to key elements of reputation
Successful organizations perceive stronger links between IT threats and key elements of reputation. The correlation is especially strong between IT and customer satisfaction and brand reputation.

3. Strong IT risk management capability
About 84 percent of companies with an excellent reputation say they have strong or very strong IT risk management capacity (see Figure 3). This compares with fewer than 30 percent of companies with reputations described as average or weaker than those of their competitors. Not surprisingly, strong IT risk management capabilities also mean that the company experiences fewer severe reputational incidents. For example, in the case of a data theft/cybercrime event, approximately 80 percent of study respondents who rate their firm’s IT risk management as “very strong” say they can recover in six months or less, compared with only about half of those with “weak” IT risk management.

4. Robust IT risk management funding
Successful firms have well-resourced IT risk management functions (see Figure 3). The proportion who say their firm’s IT risk management function has adequate funding falls from 78 percent for those with excellent reputations to 59 percent of those with very good reputations, and to 36 percent of the remainder.

5. Strenuous supply chain control
Successful firms are significantly more likely than others to report that they very strenuously require vendors and supply chain partners to meet the same levels of control as required internally (see Figure 3). The proportion of respondents who say they do this drops from 58 percent of those rated excellent to 38 percent of very good and to 33 percent of the others.

Larger firms are generally better equipped to manage IT risks than smaller firms. This accounts for the higher proportion of large firms with excellent reputations. However, organizations of all sizes have succeeded in managing IT risks to contribute to building excellent reputations.

[Figure 3 chart, by organizations categorizing their reputation as Excellent / Very good / Average or worse (vertical axis 0 to 100 percent):]
Integrate IT into reputational risk management: 83% / 81% / 64%
Have strong/very strong IT risk management capacity: 84% / 63% / 28%
Have adequate IT risk management funding: 78% / 59% / 36%
Very strenuously require vendors and partners to match standards: 58% / 38% / 33%

Figure 3. Important IT risk elements and how often they are implemented by companies of varying reputational strength. The study found a direct relationship between IT funding and reputational risk management success.


Reputation and the supply chain
The organization’s supply chain is a point of concern for all study respondents. When a supplier, vendor or other third party experiences an IT failure related to the organization’s systems, data or customers, that failure can have as significant a reputational impact as a failure within the organization. Further increasing the risk, third parties are more challenging to control than in-house systems and staff. C-suite executives are more concerned about the supply chain risk gap than study respondents as a whole. Analysis of the responses of CEOs, CIOs and CFOs reveals particular areas where they see their partners as exercising no control at all (see Figure 4). In particular, CEOs identify suppliers’ disaster recovery measures and systems failure protections to be a source of concern. CIOs’ areas of concern are systems failures and data loss, while CFOs see no supplier control in the areas of IT skills, disaster recovery plans and business continuity plans. The marked difference between the responses of all study respondents and those of C-suite executives makes supply chain control an area to which most companies will want to pay increased attention. The public will almost always blame the corporation, rather than its website vendor, when a data breach happens. In getting to the bottom of the supply chain control issue, it will be important to determine whose perception is accurate, the C-suite or other executives, and a third-party consultant may prove invaluable in making this assessment.
[Figure 4 chart: share of all study respondents, CEOs, CIOs and CFOs reporting “no control at all” on the part of their third-party suppliers in each area; panels: Lack of IT skills, Inadequate business continuity plans, Inadequate disaster recovery measures, Data breaches, Data loss, Systems failures. The individual bar values are not reliably recoverable from this copy.]
Figure 4. The C-suite sees more instances of “no control at all” over the reputational risk management attributes of their third-party suppliers, as compared to study respondents overall.


Top-down and bottom-up approaches to managing IT-related reputational risks
The vast majority (85 percent) of C-suite respondents in the study say the CEO is most accountable for their company’s reputation, followed by CFO (33 percent), CIO (27 percent) and CMO (25 percent). Of particular note, close to two-thirds say that accountability is shared among more than one C-level position.

It is interesting to note that only CIOs include themselves on the list. Of even greater importance is the fact that CEOs, CIOs and CFOs assign each other far less responsibility for their companies’ reputations than do study respondents as a whole. In some cases, responsibility is assigned to other C-level executives such as the chief risk officer or chief security officer, indicating that reputational responsibility may be more compartmentalized—and reputational risks less holistically managed—than may be good for the organization. The level of reputational responsibility assumed by the C-suite is consistent with broader trends toward greater C-level responsibility for integrated enterprise-wide risk management. In a 2011 study [1] of 391 senior executives sponsored by IBM and conducted by the Economist Intelligence Unit (EIU), 71 percent of respondents said that C-level executives were “very involved” in their organization’s overall risk management strategy, and 88 percent said they expected this level of involvement to increase. Yet executives suggest that the most successful strategies come together when risk managers with different specialties collaborate to provide integrated risk profiles to senior management. Over three-quarters of C-suite participants say that IT risk exposures are escalated to the C-level effectively.

[Figure 5 chart: Who is responsible? CEO 85%, CFO 33%, CIO 27%, CMO 25%.]
Figure 5. Who is most responsible for a company’s reputation? C-suite executives overwhelmingly give first place to the CEO. Only CIOs included themselves among the top three.

The expanding role of marketing in protecting reputation suggests the need for closer collaboration between CMOs and CIOs.
A 2005 EIU survey [2] found that marketing managers played a minor part in the management of reputational risk, and their function was limited mostly to a communications role as the company’s “eyes and ears” on reputational threats. In the 2012 study results, both CEOs and CFOs said that their chief marketing officer is one of the top three corporate executives responsible for the company’s reputation. This expanding role of the marketing function suggests a need for closer collaboration between CIOs and CMOs as companies employ technology to make sense of mountains of marketing data that can contain hidden insights into a company’s reputation.

Protecting reputation through communication
While IT specialists are accountable for technical recovery after an incident, they need to work closely with counterparts in marketing, communications and public relations to clearly communicate with stakeholders in the aftermath of a failure. Experienced IT executives invariably say that these messages need to be both swift and brutally honest, especially in an environment where the media are primed to pounce on perceived corporate deceit.

Communications to convince stakeholders that the causes of an IT failure have been addressed can sharply cut the time needed to restore trust, but the harm that a particular IT failure causes to stakeholders increases the effort required. For example, website outages inflict only minor inconvenience on customers and are fairly easily explained. About 78 percent of study respondents say they recover from such incidents in less than six months. At the other end of the scale, it takes longer to recover from reputational damage due to cybercrime, partly because it tends to inflict more serious harm on stakeholders and also because it can be harder to sell the message that the problem has been entirely fixed.

CMO respondents highlight two areas where extended recovery times may require intensified external communications: inadequate business resilience plans (33 percent) and lack of IT skills (33 percent).

Going social with risk management
Social media feature prominently in executives’ reasoning, both in interviews and in study responses, about why they are growing more concerned about protecting their companies’ reputations. Since social networking is enabled by technology, there is a tendency to lump it in with IT-related technical risk. But social media channels are not risks in themselves; rather they are amplifiers of an organization’s reputation (for better or worse). This means they should be evaluated as part of an organization’s overall communications mix.

Only 19 percent of C-suite respondents say their company has a disaster recovery plan that includes the use of social media tools.
Social media have moved beyond their initial function of enabling consumer-to-consumer communications. Blogs focused on specialized business and technical communities have a growing impact on business-to-business (B2B) enterprises. In fact, “social” may no longer be an appropriate term to describe peer-to-peer exchanges among community members. In any event, the need to mitigate potential reputational damage posed by accelerated communications is a different challenge than effectively using social media as a tool for engaging stakeholders. This study suggests that strategies to deal with the latter are still in their infancy. Only 19 percent of study respondents say that their company has a disaster recovery plan that includes the use of social media tools.

Best practices for improving reputational risk management performance
C-suite members interested in improving their organizations’ reputational risk management performance can learn from the best practices identified by executives who participated in this study. Effective strategies include:
• Be proactive rather than reactive. Be prepared to invest in developing comprehensive reputational risk management strategies that include robust controls on IT risks—particularly those related to security, business continuity and technical support—as well as other reputational risks.
• Create an organization where line of business executives and IT managers collaborate with other risk management specialists. Together they should be tasked with presenting a comprehensive profile of organization-wide reputational risks to senior management.
• Engage in scenario analysis, especially with new and emerging technology. Don’t wait for an incident to happen. There are plenty of case studies to be used as a basis for “what if” planning.
• Assess risks across the whole supply chain. A failure by a downstream supplier can be just as devastating as an internal problem, and risk controls can be harmonized among key players. Likewise, B2B companies should collaborate with customers to provide assurance that all relevant risks are well managed.
• Consider outside help. Employing an outside consultant with a proven track record can aid your company’s reputational and IT risk management efforts. An outside consultant can look at the big picture from an objective point of view, which may prove invaluable in eliminating areas where company executives have a perception of adequate protection while actual processes and procedures indicate potential weaknesses.

Conclusion
Organizations of all sizes are paying more attention to threats to their reputations stemming from today’s digital environment. This concern is reflected in more integrated, enterprise-wide approaches to risk management and increased attention being paid to the direct reputational impacts of IT risks. These include risks stemming from the use of new technologies. Security has edged out business continuity as the most important connection between IT risks and reputation.

MESSAGE TO THE CEO:

“IT… is like the heart pumping blood to the whole body, so any failure could threaten the whole organization’s survival.”
— IT manager, IT and technology company, France

The findings of the 2012 IBM Global Reputational Risk and IT Study demonstrate the importance of managing IT risks within the context of the array of reputational risks confronting the organization. When that happens, companies can enjoy the trust and support of their key stakeholders, which ultimately drives business performance.

For more information
To help you share the information presented in this report with your colleagues, you can download the corresponding video report at http://youtu.be/cyyW19DyaAU. To learn more about how IBM can help you protect your organization’s reputation by strengthening IT risk management, contact your IBM representative or visit the following websites.
For security and IT risk management, visit: http://www-935.ibm.com/services/us/en/it-services/managing-risk-security-resiliency/index.html
Security essentials for CIOs: ibm.com/smarterplanet/us/en/business_resilience_management/article/security_essentials.html
For business continuity and IT risk management, visit: ibm.com/services/continuity
For technical support and IT risk management, visit: ibm.com/services/techsupport
View the IBM reputational risk and IT infographic at: ibm.co/repriskinfographic

© Copyright IBM Corporation 2012 IBM Corporation IBM Global Technology Services Route 100 Somers, NY 10589 Produced in the United States of America December 2012 IBM, the IBM logo and ibm.com are trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at “Copyright and trademark information” at www.ibm.com/legal/copytrade.shtml. This document is current as of the initial date of publication and may be changed by IBM at any time. Not all offerings are available in every country in which IBM operates. THE INFORMATION IN THIS DOCUMENT IS PROVIDED “AS IS” WITHOUT ANY WARRANTY, EXPRESS OR IMPLIED, INCLUDING WITHOUT ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND ANY WARRANTY OR CONDITION OF NONINFRINGEMENT. IBM products are warranted according to the terms and conditions of the agreements under which they are provided.
[1] Key trends driving global business resilience and risk: Findings from the 2011 IBM Global Business Resilience and Risk Study. September 2011.
[2] Reputation: Risk of risks. Economist Intelligence Unit. December 2005.

Add your voice to the discussion
Your opinion matters! Participate in the extension of our 2012 reputational risk and IT survey. Just scan the quick response code here or go to ibmrisksurvey.com. Your input will be added to what we anticipate will be the largest survey ever conducted on this important subject. You will receive the new analysis and report on the survey findings in early 2013. Thank you very much for your participation.

CIW03084-USEN-00