Cyber and reputation risk are dominoes
Anthony Fitzsimmons recently sent me a review copy of his new book, Rethinking Reputation Risk. He says that it “Provides a new perspective on the true nature of reputational risk and damage to organizations and traces its root causes in individual and collective human behavior”.
I am not sure that there is much that is new in the book, but if you want to understand how human behavior can be the root cause (in fact, it is very often the root cause) of problems for any organization, you may find it of interest.
The authors (Fitsimmons and Professor Derek Atkins) describe several case studies where human failures led to serious issues.
Humans as a root cause is also a topic I cover in World-Class Risk Management.
As I was reading the book, I realized that I have a problem with organizations placing separate attention to reputation risk and its management. It’s simply an element, which should not be overlooked, in how any organization manages risk – or, I should say, how it considers what might happen in its decision-making activities.
The same thing applies to cyber risk and even compliance risk.
They are all dominoes.
A case study:
- There is a possibility that the manager in HR that recruits IT specialists leaves.
- The position is open for three months before an individual is hired.
- An open position for an IT specialist who is responsible for patching a number of systems is not filled for three months.
- A system vulnerability remains open because there is nobody to apply a vendor’s patch.
- A hacker obtains entry. CYBER RISK
- The hacker steals personal information on thousands of customers.
- The information is posted on the Internet.
- Customers are alarmed. REPUTATION RISK
- Sales drop.
- The company fails to meet analyst expectations for earnings.
- The price for the company’s shares drop 20%.
- The CEO decides to slash budgets and headcounts by 10% across the board.
- Individuals in Quality are laid off.
- Materials are not thoroughly inspected.
- Defective materials are used in production.
- Scrap rates rise, but not all defective products are detected and some are shipped to customers.
- Customers complain, return products and demand compensation. REPUTATION RISK
- Sales drop, earnings targets are missed again, and …….
- At the same time as the Quality staff is downsized, the capital expenditure budget is cut.
- The Information Security Officer’s request for analytics to detect hackers who breach the company’s defenses is turned down.
- Multiple breaches are not detected. CYBER RISK
- Hackers steal the company’s trade secrets.
- Competitors acquire the trade secrets and are able to erode any edge the company may have.
- The company’s REPUTATION for a technology edge disappears. REPUTATION RISK
- Sales drop. Earnings targets are not achieved, and……..
It is true that every domino and the source of risk to its stability (what might happen) needs to be addressed.
But, focusing on one or two dominoes in the chain is unlikely to prevent serious issues.
One decision at a low level in the company can have a domino effect.
Consider this slide deck by ERM Strategies, Inc. about the Deep Water Horizon disaster.
I welcome your comments.
Leave a Reply
Norman Marks on Governance, Risk Management, and Audit 
Hi, Norman. Sounds like a book worth checking out. Comments about cyber and reputation being dominoes are spot on. I especially found the slide deck interesting in contrasting the approaches of Tillerson and Browne from a safety standpoint. It is clear that Tillerson meant what he said when he referred to the Valdez crisis as a “turning point,” and I was impressed with the new process he installed in its aftermath and that he signed off personally on a decision to shut a project down. It always fascinates me when I see examples of companies criticized by the press (as the deck pointed out had happened when Exxon walked away from risky projects) when they focus on doing the right thing. Another example is the WSJ’s criticism of J.P. Morgan’s 2007 earnings which lagged the industry because they were dumping their subprime portfolio while other institutions kept on buying the junk despite the risks.
Norman,
Oh dear! I am sure there is some good stuff in the book, but why on earth wrap it all up with crazy risk-speak?
From what I can glean the book is really about human behaviours and attitudes, not reputation. I can’t see the point of the title because reputation is a consequence type and its bad practice to silo risks according to these. I have the same problems with so called ‘safety risk’, ‘financial risk’ and ‘environmental risk’ etc.
If we are to group risks at all, this is best done on a risk source or cause basis (using ISO 31000 definitions). So, if anything, this book is really behaviour-related risk or even human factors. But then, I guess that title would not sell as well.
I see this as just another reason that we need to drop the R word and move away from all these crazy categories and artefacts like ‘risk appetite’. Sorry, I know that I sound like a squeaky wheel, but despite what the reviewers of this book might think, I doubt sprinkling text with ‘risk this’ and ‘risk that’ increases the sum of human knowledge much. It only leads us deeper into the conceptual mire we find ourselves.
Grant, I agree (as usual)
Dear Norman,
Can you please be more disagreeable. This is boring!
Kindest regards
I’ll take that (r deleted) of boring you
I agree with Grant, and don’t believe ‘loss of reputation’ or ‘cyber’ are risks, but categories of risk. Reputation doesn’t just seep away, it happens because a risk occurs.
If a risk is a set of circumstances leading to a loss, taking your example above, we have:
Overall objective: To maintain company profits
Sub-objective: Maintain reputation for technology edge
Risks: Customers stop buying due to fears over data loss; Hackers steal trade secrets.
Responses: Apply vendor patches immediately on receipt; Analytics to detect hackers.
Norman, this illustrates the point that you are making: any risk (cyber, reputation, or otherwise) must be set into the context of the organisation’s objectives, otherwise we finish up with ‘risk registers’ all over the place (see previous blogs). The ‘domino’ effect just has to be taken into account when identifying risks, wherever they occur.
“For the want of a nail the shoe was lost,
For the want of a shoe the horse was lost,
For the want of a horse the rider was lost,
For the want of a rider the battle was lost,
For the want of a battle the kingdom was lost,
And all for the want of a horseshoe-nail.”
Benjamin Franklin
Let me pose an alternative perspective, as one newer to the field. While I agree with the comments above, including viewing the “domino” description, I have always believed that reputation risk is a residue phenomenon – a situation resulting from the results of all other risks, the entity’s responses and unforeseen events that affect an entity. The “domino” metaphor implies a sequential, direct causal relationship (from one event or issue even).
Can one manage “reputation risk” by itself, or should the entity really behave in a manner that would cut off issues and unfavorable events/opinion leading up the (ultimate) effect on reputation?
Am I off base here?
How do you assess ‘reputation risk’? You do it by assessing its effect, which as I illustrate is an increasing likelihood that the actions of customers, regulators, shareholders, and others might change in some way. Changes in reputation are not the residue effect.
Neither are they the original source of risk.
Meaning via the “outcome”? The “increasing likelihood that the actions of customers, regulators, shareholders, and others might change in some way” to me is an outcome-based assessment.
Not disagreeing…just looking at it differently. The “increasing likelihood…” is based on other actions (or inactions).
Do you define risk as the effect of uncertainty on objectives? If not, then how?
Risk is defined differently based on the document one refers to, but to me, risk is the effect of uncertainty on the *achievement* of objectives, as you note.
Reputation to me is the aggregation of all aspects of an entity’s dealings with external parties – good and bad. Customer relationships (i.e., experiences), civic values and actions, contributions to the general (public) good, etc. Using that barometer, assessing reputation risk should somehow comprehend a similar aggregation.
Again, I am not debating the points, nor am I disagreeing. I am merely giving my perspective derived from my 38 years as a CPA and 27 as audit partner, perhaps from a pragmatic angle.
OK, let’s build on that.
I agree with your definition of reputation, although I think you have multiple reputations (integrity, customer service, product quality, design, and so on) that can be valuable or damaging in different ways.
So what then is reputation risk? Is it the extent and likelihood of a change in your reputation? Or is it the effect of a change in one of the dimensions of your reputation?
If the latter, it is a source of business risk. If the former, how do you assess it?
Revenue can be affected by multiple things, one of which could be your reputation among customers. If attaining a certain level of revenue is one of your objectives, then to run the company you need to aggregate somehow all the potential events and circumstances (what might happen) that would cause you to achieve, miss, or exceed your target.