Managing Reputational Risk in an Era of the Unthinkable: Brand Implications of Major Breaches

We live in an era of sometimes unfathomable risk. From the November 2015 attacks in Paris that left 130 victims dead to the deep breach at Equifax that exposed 145 million consumers’ most intimate data, people, places, and companies are dealing with the unexpected every day, and one of the primary repercussions is to the integrity of their brands.
It’s common to assume that many of these events have a short-lived impact. In the aftermath of the October 2017 massacre in Las Vegas, stocks dipped and investment banks estimated up to 6 months of reduced demand, but tourism was expected to rebound to levels seen before the event within a year.

The repercussions of such events live on far longer in the ongoing calculus of risk, expense, and operations that they so strongly influence. Risk managers for the Las Vegas Police, MGM International and other hospitality companies have to balance the costs of security enhancements with the broader expense and risk landscape of their business. No amount of spending can reduce risk to zero, and too much spending can threaten the integrity of the bottom line.

All of these high-profile security events have not only operational implications but also reputational ones – bottom-line impacts on the brand and the ways the brand influences revenue, market valuations, credit worthiness, regulation, and operations themselves. Reputational risk surfaces in surprisingly diverse ways, and one of the major ways risk managers can benefit the bottom line is by demonstrating the organization’s flexibility and resilience in the face of brand damage.

This is a comprehensive look at reputational risk as an enterprise-wide concern requiring an enterprise risk management approach. Reputational risk goes far beyond considerations of physical or cyber-security. Let’s talk about all the ways brand damage is likely to materialize.

The first portion will focus on understanding and mitigating the first-order, bottom-line impacts of reputational risk – revenue and valuation. In the latter half we’ll focus on the second-order but equally important impacts on credit worthiness and operating costs.

Revenue & Reputation: Securing the Bottom Line When Bad Stuff Happens.

Often the easiest cost to imagine is loss of customers during a brand-impacting event. However, some risk managers find it difficult to quantify impacts on future revenue in the aftermath of these incidents. Consider the horrific attacks in Paris in 2015: tourism rebounded quickly to pre-attack levels, but the attacks undoubtedly reduced the share of international travelers who would otherwise have come to the city. While this impact can be difficult to quantify, it’s not impossible. By focusing on the primary stakeholder for this cost (in this case tourism consumers) we can go a long way toward modeling the impact of brand-damaging events. Maintaining information on the sentiments of your own customers, and also acquiring data on the average consumer in your sector, is key for calibrating risk models. Further, true brand recovery in the aftermath of a high-profile event can only be evaluated when you know what potential as well as loyal customers are looking for or are concerned about.

Reputation & the Markets: The Real Risks of Devaluation

After a brand-impacting incident, companies almost immediately see effects on stock. Stock prices plummet and there are subsequent losses stemming from these initial dips. Given the herd mentality of investors, it is critical to reassure savvy shareholders that the risks to the company are being well managed. Here a strong enterprise risk management approach can provide executives with the right information at the right time to convey to the market that the root causes are known and being addressed. A robust culture of risk management can provide hard evidence of the actions the company is taking to ameliorate the costs of the incident in question. In some cases there is little that can be done to prevent an immediate reputational hit, but demonstrating an awareness of all the ways the costs of the incident have materialized and will materialize goes a long way toward demonstrating resilience to investors.

Reputation and the Cost of Money

In some cases lenders may determine that reputational damage has impacted revenues, operational costs or the overall financial health of an organization so much that the costs to borrow increase. For organizations with low debt levels this financial risk can be managed to drastically reduce these costs. For others it may become extremely costly. No matter where your organization sits on the debt spectrum, resilience is crucial in all areas of the business so you can strengthen lenders’ view as they re-evaluate the health of your business. An enterprise-wide response is ideal to mitigate the often expensive effects of increased borrowing costs. Make sure you’ve built that risk resilience into cash flow, operational costs, and the impact of big events on overall market value.

Reputation and Operations

Like revenue, the impact to operational costs is easy to see in the short term. Increased spending on response efforts, outside counsel, security experts, and more is easy to quantify. However, long after the brand-impacting event, organizations continue to feel further effects on operations.

Three common areas with ongoing operational cost implications are risk mitigation, compliance spending and the cost of personnel. Often firms respond to brand damaging incidents by throwing money at the problem. Stakeholders and executives get comfort from the immediate spending, but that spending is rarely commensurate with the risks involved. Rather than spending boatloads of money on beefed up compliance and audit or unfettered cybersecurity spending, organizations need to ensure that new spending is matched to the amount of risk reduction needed.

The costs of increased turnover or retention after a big event are harder to quantify. Just as reputational damage impacts customers’ views of an organization, employees may require more compensation or be easier to lure away if your brand suffers. Focusing on employee sentiment may seem unnecessary in the immediate aftermath of a brand-damaging event, but it may save you in turnover and talent acquisition costs down the road.

Reputation and Regulation

Depending on the type of incident, regulators might have cause to step in. While fines and legal fees may be unavoidable, a strong risk management program can be critical to avoiding more onerous regulatory oversight. The right kind of program goes well beyond demonstrating large, active programs in compliance or audit. True risk management means that organizations demonstrate, on an ongoing basis, how they manage risks effectively, including how they can detect and respond to failures. Furthermore, showing regulators how your organization protects customers through enhanced resiliency efforts can also give the regulators good cause for not taking their most restrictive actions.

Big Reputational Risk Means Big Action

Given the diverse ways big reputational risks can drive up costs, organizations should take a broad approach when managing such risks. Since no part of the enterprise is safe from brand damage, risk management against this damage needs to be undertaken at enterprise scale. Companies need to look broadly at the value of preventative risk mitigation before a major incident occurs, and consider investing in resiliency to limit the eventual costs to the brand and organization of such incidents. In today’s high-risk environment, risk managers need to provide executives with prospective information about the enterprise-wide risks they face and then dive in fully to help both with the response to extreme incidents and with reassuring all those with a stake in recovering from these traumatic events.
