Cyber and reputation risk are dominoes
Anthony Fitzsimmons recently sent me a review copy of his new book, Rethinking Reputation Risk. He says that it “Provides a new perspective on the true nature of reputational risk and damage to organizations and traces its root causes in individual and collective human behavior”.
I am not sure that there is much that is new in the book, but if you want to understand how human behavior can be the root cause (in fact, it is very often the root cause) of problems for any organization, you may find it of interest.
The authors (Fitsimmons and Professor Derek Atkins) describe several case studies where human failures led to serious issues.
Humans as a root cause is also a topic I cover in World-Class Risk Management.
As I was reading the book, I realized that I have a problem with organizations placing separate attention to reputation risk and its management. It’s simply an element, which should not be overlooked, in how any organization manages risk – or, I should say, how it considers what might happen in its decision-making activities.
The same thing applies to cyber risk and even compliance risk.
They are all dominoes.
A case study:
- There is a possibility that the manager in HR that recruits IT specialists leaves.
- The position is open for three months before an individual is hired.
- An open position for an IT specialist who is responsible for patching a number of systems is not filled for three months.
- A system vulnerability remains open because there is nobody to apply a vendor’s patch.
- A hacker obtains entry. CYBER RISK
- The hacker steals personal information on thousands of customers.
- The information is posted on the Internet.
- Customers are alarmed. REPUTATION RISK
- Sales drop.
- The company fails to meet analyst expectations for earnings.
- The price for the company’s shares drop 20%.
- The CEO decides to slash budgets and headcounts by 10% across the board.
- Individuals in Quality are laid off.
- Materials are not thoroughly inspected.
- Defective materials are used in production.
- Scrap rates rise, but not all defective products are detected and some are shipped to customers.
- Customers complain, return products and demand compensation. REPUTATION RISK
- Sales drop, earnings targets are missed again, and …….
- At the same time as the Quality staff is downsized, the capital expenditure budget is cut.
- The Information Security Officer’s request for analytics to detect hackers who breach the company’s defenses is turned down.
- Multiple breaches are not detected. CYBER RISK
- Hackers steal the company’s trade secrets.
- Competitors acquire the trade secrets and are able to erode any edge the company may have.
- The company’s REPUTATION for a technology edge disappears. REPUTATION RISK
- Sales drop. Earnings targets are not achieved, and……..
It is true that every domino and the source of risk to its stability (what might happen) needs to be addressed.
But, focusing on one or two dominoes in the chain is unlikely to prevent serious issues.
One decision at a low level in the company can have a domino effect.
I welcome your comments.