When the Storm Hits: Cybersecure Reputation Risk Management · 2015-12-01
TRANSCRIPT
©2015 Ramaley Group, LLC
Ken Ramaley, CIA, CRMA
Managing Director
Ramaley [email protected]
When you’re tired of auditing like it’s 1999
What do these companies have in common?
What is Reputation?
Formal Definition: A collective perception of a firm’s past actions and results that describe the firm’s (perceived) ability to deliver specific outcomes. (Ramaley Group 2012)
Reputation is not measured on a simple scale
Reputation does not exist in a vacuum
• Two parameters: Firm, expectation type
• Example: Reputation of firm A for delivering on expectation B
“Overall impression” (aka, “Firm Reputation”) is roughly the weighted sum of expectation-reputation scores, but the weighting is critical
Aggregated Reputation Measurement
$$\text{Overall Firm Reputation} = \sum_{i=1}^{n} (R_i)(SV_i)$$
$n$ = number of attributes important to stakeholders
$R_i$ = firm’s reputation for executing on attribute $i$
$SV_i$ = stakeholder value associated with attribute $i$
Practical examples
Consider a few dimensions of firm reputation for the well-known firms below:
Firm | Product Quality | Social Responsibility | Customer Service
Reputation Risk Management: Recent Case Examples
Reputation Risk Driver Analysis Framework (RRDA)
Direct Experience
Perceived
Reality
Expectations
Company Communications
Trusted Media
Personal Needs
Environment
Marketing / Image
Reputation Risk Management:
• Know the areas you do not control
• Manage the areas you do control
• Monitor your execution on these actions
Weak Reputation Controls = Poorly-Understood Perceptions
• Susan G Komen Planned Parenthood Press Release
• Swift (Surprising!) internal and external reactions
• Scrambling for responses
Strong Reputation Controls = Well-Understood Perceptions
World Triathlon Corporation
• Cancelled Ironman Lake Tahoe Triathlon scheduled for 9/21/2014
• Within 2 hours, 100+ posts on major triathlon forum, overwhelmingly negative
WTC - Preventive Reputation Management Thru Transparency
Most Approaches to Reputation Risk Management are Reactive
Reputation is a “Marketing Problem”
“Ahead of the Curve” = Damage Control before it gets TOO big
Audit’s Role in Reputation Risk Management
• Analysis/Understanding of Designed Controls and Policies
• Incident response review
• Identification of control weaknesses in preventive reputation risk programs
Auditing Reputation Management Processes
• Best parallel is Disaster Recovery Planning
• Scripted, tested solutions
• Continuous Monitoring / Early Detection
Post-Incident Application
Applying the RRDA framework to a post-incident example
Environment
Marketing / Image
Personal Needs
Company Communications
Trusted Media
Direct Experience
Reputation Risk Management:
• Know the areas you do not control
• Manage the areas you do control
• Monitor your execution on these actions
Reputation Risk Driver Analysis Framework
Perceived
Reality
Expectations
How was the response communicated?
Where were customers and other key stakeholders getting their information?
How well did the firm understand stakeholder expectations?
What work was done to understand the (weighted) impact to core customer segments?
Cause and Effect Diagram Drives Next Steps
RRDA Clarity
Cause and Effect Diagram
[Cause and effect diagram; labels: Environment, Marketing, Personal Needs, Company Communications, Trusted Media, Direct Experience, Perception / Reality Gap]
Filling in the “Formula”
Ultimately, stakeholder DATA will be required to provide accurate assessment of reputation risk. Since reputation is driven by stakeholder perception, there is no adequate substitute for engaging key stakeholders to measure reputation risk exposure.
Audit can outsource collection of data, or may be able to rely on business data.
Potential Audit Issue: If the business does not have stakeholder data to inform reputation-impacting decisions, do they really understand their reputation?
Testing Reputation Controls
• Detective reputation controls (most common) are best tested by providing the business with something to detect!
  – Mystery shopping
  – Associate testing
• Proactive reputation controls (rare) must be tested as any data collection plan – is it well-conceived and executed? Will it enable shifts in the RRDA model to be avoided and/or detected before they impact reputation?
Continuous Surveillance of Reputation
• Social Media “chatter” measurement tools
• Complaint volume and texture
• Periodic, independent market research
Since reputation is primarily based on perception rather than reality, standard customer service metrics may be helpful but will not paint a complete picture of reputation.
PREVENTIVE APPROACH
The best way to create a burning platform for reputation is an immersive approach
• Help leaders understand the risk
• Create sense of urgency
• Educate front-line associates
Understanding key elements (or shortcomings) of firm policy is a key to nipping inevitable reputation disasters in the bud.
The BIG TWO Questions
Has management formulated a plan to address reputation-impacting events? Does it include preventive reputation training distributed to all customer-facing associates?
Is management continuously aware of how stakeholders perceive their firm and its actions?
Questions?