
Reputational risk and IT - Disaster Recovery Journal · 2019-11-26


© 2012 IBM Corporation

Reputational risk and IT

How security and business continuity can shape the reputation and value of your company

IBM Global Technology Services


Introduction

Perception vs. reality

Security, continuity and social media

Who owns it?

Focus and funding

What you can do now


Reputational risk is a growing topic of business conversation, with IT playing a major role.

How IT affects reputation risk

Reputation is built (and broken) in

Web

Social media

Reputational risk and IT: introduction


To find out where and how IT makes its biggest impact on reputational risk — and uncover any gaps — IBM conducted a worldwide study.

Respondents: 427

Company sizes: 5

Job titles: 15

Industries: 23*

By region: North America, 33%; Europe, 29%; Asia Pacific, 26%; Middle East/Africa, 8%; Latin America, 5%

By industry: Banking, 19%; IT/Tech, 15%; Energy/Utilities, 13%; Insurance, 11%; Financial Markets, 9%; Professional Services, 5%; All others, 28%

By job title: IT manager, 24%; Other non-C-suite, 23%; Other C-suite, 14%; CEO/President/Managing Director, 13%; CIO/CTO/Tech director, 12%; SVP/VP/Director, 11%; CRO/Risk Director, 3%

By company size: $500M or less, 37%; $500M to $1B, 13%; $1B to $5B, 16%; $5B to $10B, 9%; $10B or more, 27%

*Top responding categories shown.

The study survey was conducted by the Economist Intelligence Unit on behalf of IBM

Respondents were asked questions about their companies’ reputational and IT risk efforts, plans and spending to provide a detailed picture of IT reputational risk management around the world


The study results revealed three key observations concerning IT’s impact on reputational risk.

#1 IT risks have a major impact on a company’s reputation

#2 Companies have rising IT risk concerns related to emerging technology trends

#3 Companies are integrating IT risk and reputational risk management, with strongest focus on threats to data and systems

“IT and reputational risk can destroy your company in one night!”


There seems to be a mismatch between how well companies rate their reputation and how well they are protecting it.

80% rate reputation as excellent or very good

17% rate their company’s overall ability to manage IT risk as very strong

There is room for improvement in almost every organization

Reputational risk and IT: perception vs. reality

Source: Q1: How would you rate your company’s current reputation within its industry? Q5: How would you rate your company’s overall ability to manage IT risk?

IT risks strongly affect those factors that are most important to a company’s reputation — making IT risk integral to reputational risk.

78% include IT risk management as part of reputational risk management

Most important to reputation Strongly affected by IT risk

“IT is like the heart pumping blood to the whole body, so any failure could threaten the whole organization's survival.”

Source: Q2: Is IT risk management part of your organization’s overall reputational risk management strategy? Q6: Which of the following is the single most important factor driving your company’s reputation? Q3: In your estimation, how much do IT risks affect the following?

Best-in-class product/service

Trusted partner status

Customer engagement

Customer satisfaction

Compliance

Brand reputation

29%

24%

14%

46%

41%

40%


Lack of attention to fundamentals such as planning, testing, skills and support is often the root cause of risk events.

Companies are most confident about security and event-driven IT risks; less confident about new technology and continuity risks.


Very confident or confident about

Less or not at all confident about


Source: Q4: How confident are you that your company has adequate procedures, processes and controls in place to manage IT risk related to the following?

System failures

Data breaches

Data loss 76%

70%

70%

IT skills/tech support

Business continuity plans

New technology (cloud)

Workforce mobility 21%

20%

14%

14%


Data breach tops the list of IT risk factors that can cause the most reputational harm.

Top three IT risk factors harmful to reputation

61% data breach

44% system failure

37% data loss

Source: Q7: Which of the following IT risk factors do you think has the greatest potential to harm your company’s reputation? Select the top three.


The most harmful IT risk factors have different recovery times, each with significant short- or long-term impact on business value.


Even 6 months’ recovery time affects half an annual report’s figures

Risks that companies are least confident in their ability to manage — new technology, continuity plans and IT skills/tech support — are also those that can do the longest-term harm to business value

0-6 months 6-12 months 12+ months

Website outage

System failure

Workforce mobility

Insufficient disaster recovery measures

Data loss

Inadequate continuity plans

New technology

Data breach

Compliance failure

Poor IT skills/tech support

Source: Q9: In your estimation, how long on average has it taken for your organization’s reputation to recover from damage caused by the following?


Companies may be opening themselves up to unintended reputational risk by ignoring the impact of their partners.

Only 39% of companies are “very strenuously” requiring their vendors, partners and supply chain to match levels of risk control

• How many outside sources does your company do business with on a regular basis?

• How thoroughly have you communicated your IT risk mitigation standards to these sources?

• How are you monitoring your sources’ compliance with your standards?

“A major deliverable was on a contractor’s laptop, and it was stolen. We missed an important client deadline and lost the source files for all the work.”

Source: Q16: How seriously do you require your vendors/partners/supply chain to meet the same levels of control that you require internally to manage risk?


In summary, companies may be overestimating their ability to manage reputational risk.

Perception

• More than two-thirds of companies include IT risk management in reputational risk management

• Companies are confident in their ability to manage security and event-driven risks

• 4 out of 5 companies rate their reputation as good or very good

Reality

• Only 17% rate their company’s ability to manage IT risk as very strong

• Companies are far less confident in the areas of continuity, IT skills and tech support — fundamentals with lengthier recovery times

• Only 39% of the same companies require vendors, partners and supply chain to be properly vigilant


Most companies have security items in place to react to reputational threats, but this is only part of the picture.


Reputational risk and IT: security, continuity and social media

Top three security items currently in place

But companies are overlooking many of the items that can proactively protect their reputations before harm happens

Source: Q17: Which of the following procedures, processes and controls do you have in place?

Message to the CEO: “Penetration testing should be conducted at the project level to assess security standards compliance”

Firewall management

Internal audit

Identity/access controls

72%

79%

71%

Cloud security protection

Penetration testing/ethical hacking

Access to latest security threat intelligence

23%

32%

43%


Emerging technologies represent both a continuity threat and an opportunity to proactively manage communications in a crisis.


Companies have the continuity basics in place


Now

There is untapped potential to use new tools to expand and enhance proactive risk management

Source: Q17: Which of the following procedures, processes and controls do you have in place?

Message to the CEO: “Being proactive and preventive is much more effective than being reactive.”

Backup/restore testing

Fully documented DR plan

Automated backup processes

68%

78%

67%

Social media guidelines for use in crisis

Change management

Include social media tools in DR plans 19%

27%

45%


Companies are using social media tools to do business; now they need to use them to protect their reputations.

But only

27% provide for employee social media use during crisis

19% have incorporated social media into their disaster recovery plans

Companies are missing the opportunity to leverage social media to protect and recover their reputations

Social media used to communicate with customers


Source: Q21: Which of the following channels does your organization use to communicate with customers Q17: Which of the following procedures, processes and controls do you have in place?

Company website

Text messaging (SMS)

Social media/networking tools

Company-branded mobile application

46%

50%

44%

87%


Summary: To better protect their reputations, companies need to be proactive about security, continuity and social media use in a crisis.

Companies are:

• Protecting their reputations with reactive security measures

• Testing/automating backups as part of documented disaster recovery plans

• Incorporating social media into their communications with customers

But companies are also:

• Overlooking important proactive security measures, most importantly penetration testing

• Leaving untapped new tools that can provide enhanced proactive continuity protection

• Missing the opportunity to mitigate reputational risk that social media can offer


When asked who was most accountable for the company’s reputation, respondents put responsibility squarely in the C-suite.

CEO, 80%

CFO, 31%

CIO, 27%

CRO, 23%

CMO, 22%

CEO: Best able to drive reputational risk management throughout an organization but has less time to devote to the task

CFO: Possibly a reflection of old organizational structure, when most risk was financial in nature

Source: Q10: Which functions within your organization are most accountable for the company’s reputation? Select the top three.

Reputational risk and IT: who owns it?


Respondents also agreed that the C-suite needs to know about risk exposures before they become risk events.

Companies agreeing that risk exposures are escalated in a timely and effective manner: 73% yes, 27% no

But “timely” and “effective” can be subjective

• Are “timely” and “effective” clearly defined in IT and reputational risk management plans?

• Are default action plans in place for most common types of IT risk affecting reputation?

• Do the people in charge have the expertise and authority to formulate the right responses? (CIO yes; CFO possibly not)

• Do the people in charge have the bandwidth to respond quickly?

Source: Q19: Do you believe that IT risk exposures are escalated to the board and C-level management in a timely and effective manner so as to protect your company’s reputation?


New technologies and social media are leading factors behind an increased focus on reputational risk.


Reputational risk and IT: focus and funding

64% will increase focus on reputational risk compared to five years ago

Why increase?

New technology/social media, 43%

Previous event harmful to competitor/industry, 20%

Previous event harmful to company, 18%

Board of directors/C-suite mandate, 10%

Other, 7%

Shareholder pressure, 3%

Among those who will be reducing or keeping their focus on reputational risk the same, top reason is competing priorities within the organization

Source: Q11: How much will your organization focus on managing its reputation going forward as compared to five years ago? Q11a: What is the primary reason your company will focus more on managing its reputation going forward as compared to five years ago?


Often as a result of increased spending, companies are reporting adequate funding to manage reputational risk.

60% say they have adequate funding to provide the level of IT risk management needed to protect the organization’s reputation

For many organizations, adequate funding means increased funding

have increased spending up to 20% over the past 12 months

46%

will increase spending up to 20% over the next 12 months

45%

Message to the CEO: “Underestimating the cost of reputational risk greatly exceeds the cost of protection.”

Source: Q12: Do you think you have adequate funding to provide the level of IT risk management required to protect your organization’s reputation? Q13: Over the past 12 months, how much has your IT budget increased due to concerns over reputational risk? Q14: Over the next 12 months, how much will your IT budget increase due to concerns over reputational risk?


Managing reputational risk: best practices for IT.

Reputational risk and IT: what you can do now

• Do a reality check

• Think continuity and resilience

• Focus on the fundamentals

• Confirm partners’ compliance with your standards

• Build an up-to-date reporting and escalation process


Get your own copy of the full study report — and take the survey yourself — at the IBM booth (38/39).

Full study report includes all you’ve seen today, plus other important findings and insights

www.ibm.com/services/riskstudy

Make your voice heard!

Take the reputational risk survey online and get a complimentary copy of the upcoming expanded report

Get a free iPad case when you complete the survey in the IBM booth (while supplies last)

Thank you for attending!

Pat [email protected]


© Copyright IBM Corporation 2012

IBM Corporation
IBM Global Services
Route 100
Somers, NY 10589
U.S.A.

Produced in the United States of America
August 2012

IBM, the IBM logo and ibm.com are trademarks of International Business Machines Corporation in the United States, other countries or both. If these and other IBM trademarked terms are marked on their first occurrence in this information with a trademark symbol (® or TM), these symbols indicate U.S. registered or common law trademarks owned by IBM at the time this information was published. Such trademarks may also be registered or common law trademarks in other countries. Other product, company or service names may be trademarks or service marks of others. A current list of IBM trademarks is available on the web at "Copyright and trademark information" at ibm.com/legal/copytrade.shtml.

This document is current as of the initial date of publication and may be changed by IBM at any time. Not all offerings are available in every country in which IBM operates.

THE INFORMATION IN THIS DOCUMENT IS PROVIDED “AS IS” WITHOUT ANY WARRANTY, EXPRESS OR IMPLIED, INCLUDING WITHOUT ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND ANY WARRANTY OR CONDITION OF NON-INFRINGEMENT. IBM products are warranted according to the terms and conditions of the agreements under which they are provided.