when the storm hits: cybersecure reputation risk management · · 2015-12-01when the storm hits:...

When the Storm Hits:Cybersecure Reputation Risk Management

©2015 Ramaley Group, LLC

Ken Ramaley, CIA, CRMAManaging Director

Ramaley [email protected]

When you’re tired of auditing like it’s 1999

What do you these companies have in common?


Formal Definition:A collective perception of a firm’s past actions and results that describe the firm’s (perceived) ability to deliver specific outcomes. (Ramaley Group 2012)

What is Reputation?


Reputation is not measured on a simple scale


Reputation does not exist in a vacuum• Two parameters: Firm, expectation type• Example: Reputation of firm A for delivering on expectation B

“Overall impression” (aka, “Firm Reputation”) is roughly the weighted sum of expectation-reputation scores, but the weighting is critical

Aggregated Reputation Measurement


=

𝑖=1

𝑛

(𝑅𝑖)(𝑆𝑉𝑖)

n = number of attributes important to stakeholdersRi = firm’s reputation for executing on attribute iSVi = stakeholder value associated with attribute i

OverallFirmReputation

Practical examples


Consider a few dimensions of firm reputation for the well-known firms below:

Firm Product Quality Social Responsibility

Customer Service

Reputation Risk Management: Recent Case Examples


Reputation Risk Driver Analysis Framework (RRDA)


Direct Experience

Perceived

Reality

Expectations

CompanyCommunications

Trusted Media

Personal Needs

Environment

Marketing /Image

Reputation Risk management:

Know the areas you do not controlManage the areas you do control

Monitor your execution on these actions

Weak Reputation Controls=

Poorly-Understood Perceptions


Susan G Komen Planned Parenthood Press Release Swift (Surprising!) internal and external reactions

Scrambling for responses

Strong Reputation Controls=

Well-Understood Perceptions


World Triathlon Corporation Cancelled Ironman Lake Tahoe Triathlon scheduled for 9/21/2014

Within 2 hours, 100+ posts on major triathlon forum, overwhelmingly negative

WTC - Preventive Reputation Management Thru Transparency


Most Approaches to Reputation Risk Management are Reactive


Reputation is a “Marketing Problem”

“Ahead of the Curve” = Damage Control before it gets TOO big

Audit’s Role in Reputation Risk Management


Analysis/Understanding of Designed

Controls and Policies

Incident response review

Identification of control weaknesses in

preventive reputation risk programs

Auditing Reputation Management Processes


Best parallel is Disaster Recovery

Planning

Scripted, tested solutions

Continuous Monitoring / Early

Detection

Post-Incident Application


Applying the RRDA framework to a post-incident example


Environment

Marketing /Image

Personal Needs

CompanyCommunications

Trusted Media

Direct Experience

Reputation Risk management:

Know the areas you do not controlManage the areas you do control

Monitor your execution on these actions

Reputation Risk Driver

Analysis Framework

Perceived

Reality

Expectations

How was the response communicated?

Where were customers and other key stakeholders getting their information?

How well did the firm understand stakeholder expectations?

What work was done to understand the (weighted) impact to core customer segments?

Cause and Effect Diagram Drives Next Steps


RRDA ClarityCause and Effect Diagram


Environment

Perception/ Reality

Gap

Marketing Personal Needs

Company Communications

Trusted Media DirectExperience

Filling in the “Formula”


Ultimately, stakeholder DATA will be required to provide accurate assessment of reputation risk. Since reputation is driven by stakeholder perception, there is no adequate substitute for engaging key stakeholders to measure reputation risk exposure

Audit can outsource collection of data, or may be able to rely on business data.

Potential Audit Issue: If the business does not have stakeholder data to inform reputation-impacting decisions, do they really understand their reputation?

Testing Reputation Controls


• Detective reputation controls (most common) are best tested by providing the business with something to detect!– Mystery shopping– Associate testing

• Proactive reputation controls (rare) must be tested as any data collection plan – is it well-conceived and executed? Will it enable shifts in the RRDA model to be avoided and/or detected before they impact reputation?

Continuous Surveillance of Reputation


Social Media “chatter” measurement tools

Complaint volume and texture Periodic, independent market research

Since reputation is primarily based on perception rather than reality, standard customer service metrics may be helpful but will not paint a complete picture of reputation

PREVENTIVE APPROACH


The best way to create a burning platform for reputation is an immersive approach Help leaders understand the risk Create sense of urgency Educate front-line associates

Understanding key elements (or shortcomings) of firm policy is a key to nipping inevitable reputation disasters in the bud.

The BIG TWO Questions


Has management formulated a plan to address reputation-impacting events? Does it include preventive reputation training distributed to all customer-facing associates?

Is management continuously aware of how stakeholders perceive their firm and its actions?

Questions?


when the storm hits: cybersecure reputation risk management · · 2015-12-01when the storm hits:...

Documents