Category Archives: Reputation Risk

Игроки всегда ценят удобный и стабильный доступ к играм. Для этого идеально подходит зеркало Вавады, которое позволяет обходить любые ограничения, обеспечивая доступ ко всем бонусам и слотам.

Defining Reputational Risk

Posted on by

The following article is part of a new blog series that will explore ideas, concepts, discussions, arguments and applications associated with the field of enterprise and strategic risk management.

One of the more striking conclusions contained in Aon’s 2015 Global Risk Management Survey is that damage to reputation and/or brand was considered by the survey cohort to be the most significant risk to the enterprise. The survey was conducted in Q4 of 2014 and received input from over 1,400 respondents coming from both the private and public business on a worldwide basis.

The “Top Ten” most identified risks included:

  1. Damage to reputation/brand
  2. Economic slowdown/slow recovery
  3. Regulatory/legislative changes
  4. Increasing competition
  5. Failure to act or retain top talent
  6. Failure to innovate/meet customer needs
  7. Business interruption
  8. Third-party liability
  9. Computer crime/hacking/viruses/malicious codes
  10. Property damage.

The survey results should not come as any real surprise given the number of sensational news stories coming from around the world that highlight potential or real reputational or brand problems. We have witnessed data breaches ranging from credit card identity theft in consumer retail, to serious product recall notifications in the food and beverage industry, to product performance/ warranty failures in the automotive arena, as well as “hints of reputational quality,” defined as “trust” in the early stage politics of the presidential selection process involving private vs. public use of email servers. There is little doubt that news, sensational or not, impacting reputational or brand, will continue for some to come. The real question is: Should anyone care?

Defining reputational/brand risk is hard to accomplish:

Based on some additional research done by my colleague Sylvesto Lorello, reputational risk is not a new concept, but it arguably has no established or universally agreed upon definition. Academic and business thinking about this subject continues to evolve. Within the insurance underwriting community that I have been in touch with, reputational or brand risk is being compared in scope to contingent liability risks, but with a serious caveat: the basis of the risk is highly variable and the duration of the risk event/loss event is difficult to pin down economically.

The concept of reputation and brand for example, are notably absent from the 2004 framework for enterprise risk management proposed by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). It is also overlooked in the Basel II international accord for regulating bank capital, which was also issued in 2004.

A lack of common standards or definitions of reputational risk mean that companies perceive it in different ways.

buy cytotec online orthomich.com/img/blog/jpg/cytotec.html no prescription pharmacy

Some risk practioners are beginning to view reputation as a “risk of risks” similar to the dialogue surrounding the “internet of things/objects.” Interestingly, an emerging dialogue is developing around whether reputation or brand is actually a risk or a residual event stemming from other extenuating risk domains or actions.

The ISO 31000 (2009)/ISO Guide 73:2002 definition of risk is the “effect of uncertainty on objectives.” In this definition, uncertainties include events (which may or may not happen) and uncertainties caused by ambiguity or a lack of information.

The U.S. Federal Reserve in 1995 defined reputational risk as “…the potential that negative publicity regarding an institution’s business practices, whether true or not, will cause a decline in the customer base, costly litigation or revenue reductions.

buy vidalista online orthomich.com/img/blog/jpg/vidalista.html no prescription pharmacy

In this case, the definition points to the potential for hard data from which basis and duration can be calculated.

Definitional issues aside, eventually societies will develop benchmarks with which to measure reputational or brand acceptability. One way of thinking about this approach is shown in the following exhibit.

UntitledHere we ignore some of the more difficult definitional discussion around a combined reputation/brand perspective, and limit our view to reputation alone.

buy fluoxetine online thecifhw.com/wp-content/uploads/2023/10/jpg/fluoxetine.html no prescription pharmacy

From a practical early stage standpoint, an entities reputation could be view from potential threat and potential impact perspective. On the threat side, it may be possible to segregate threats into four categories:

  • Risk to reputation stemming from employment activities;
  • Risk to reputation coming from product or customer issues;
  • Risk to reputation derived from governance; and,
  • Other less easily classified risks to reputation.

These categories appear for graphical purposes as if they are mutually exclusive, but in reality, there are good examples of causal overlap that increased risk volatility and severity. Recent oil spills and automobile product failure/recalls are enduring situations where more than one causal category created a economically catastrophic reputational problem.

On the other side of the graphic we outline the potential impacts to reputation coming from the threat categories. Again, while not mutually exclusive or exhaustive, the impact areas include:

  • Customer base
  • Financial valuation
  • Brand and media
  • Staf
  • Other less easily defined impacts.

Coming next, who are the stakeholders and how might one approach measuring reputational risk.

What to Do About Reputation Risk

Posted on by

Of executives surveyed, 87% rate reputation risk as either more important or much more important than any other strategic risks their companies face, according to a new study from Forbes Insights and Deloitte Touche Tohmatsu Limited. Further, 88% say their companies are explicitly focusing on managing reputation risk.

Yet a bevy of factors contribute to reputation risk, making monitoring and mitigating the dangers seem particularly unwieldy. These include business decisions and performance in the following areas:

Financial performance: Shareholders, investors, lenders, and many other stakeholders consider financial performance when assessing a firm’s reputation.

Quality: An organization’s willingness to adhere to quality standards goes a long way to enhancing its reputation. Product defects and recalls have an adverse impact.

Innovation: Firms that differentiate themselves from their competitors through innovative processes and unique/niche products tend to have strong name recognition and high reputation value.

Ethics and integrity: Firms with strong ethical policies are more trustworthy in the eyes of stakeholders.

Crisis response: Stakeholders keep a close eye on how a company responds to difficult situations. Any action during a crisis can ultimately affect the company’s reputation.

Safety: Strong safety policies affirm that safety and risk management are top strategic priorities for the company, building trust, and value creation.

Corporate social responsibility: Actively promoting sound environmental management and social responsibility programs helps create a reputation “safety net” that reduces risk.

Security: Strong infrastructure to defend against physical and cybersecurity threats helps avoid security breaches that could damage a company’s reputation.

But brand crises make headlines with increasing frequency, and companies are laying responsibility at the feet of the C-suite, particularly chief risk officers. Deloitte reports that respondents considered the primary responsibility to rest with: the chief executive officer (36%), chief risk officer (21%), board of directors (14%), or chief financial officer (11%).

What can they do? The study offered these key points to consider when crafting a crisis management plan:

  • Don’t wait until a crisis hits to get ready. Monitoring, preparation and rehearsal are the most effective ways to get ready for a crisis event. Organizations that can plan and rehearse potential crisis scenarios should be better positioned to respond effectively when a crisis actually hits.
  • Every decision during a major crisis can affect stakeholder value. Reputation risks destroy value more quickly than operational risks.
  • Response times should be in minutes, not hours or days. Teams on the ground need to take control, lead with flexibility, make decisions with less-than-perfect information, communicate well internally and externally, and inspire confidence. This often requires outside-the-box thinking and innovation.
  • You can emerge stronger. Almost every crisis creates opportunities for companies to rebound. However, those opportunities will surface only if you’re looking for them.
  • When a crisis seems like it’s over, it’s not. The work goes on long after you breathe a sigh of relief. The way you capture and manage data, log decisions, manage finances, handle insurance claims, and meet legal requirements on the road back to normality can determine how strongly you recover.

But the real objective should be preventing these potential crises to begin with. Deloitte recommends exploring the possibilities of “risk sensing” – using real-time data to monitor the issues that might impact a company’s reputation:

Crisis management for C-suite executives

Check out the infographic below for more insights from the Deloitte Reputation@Risk survey:

Deloitte Reputation@Risk Global Survey

Cyberbreach and Reputation Woes Hack Away at Bottom Line for 44% of Financial Firms

Posted on by

According to the 2015 Makovsky Wall Street Reputation Study, released Thursday, 42% of U.S. consumers believe that failure to protect personal and financial information is the biggest threat to the reputation of the financial firms they use. What’s more, three-quarters of respondents said that the unauthorized access of their personal and financial information would likely lead them to take their business elsewhere. In fact, security of personal and financial information is much more important to customers compared to a financial services firm’s ethical responsibility to customers and the community (23%).

Executives from financial services firms seem to know this already: 83% agree that the ability to combat cyber threats and protect personal data will be one of the biggest issues in building reputation in the next year.

The study found that this trend is already having a very real impact: 44% of financial services companies report losing 20% or more of their business in the past year due to reputation and customer satisfaction issues. When asked to rank the issues that negatively affected their company’s reputation over the last 12 months, the top three “strongly agree” responses in 2015 from communications, marketing and investor relations executives at financial services firms were:

  • Financial performance (47%), up from 27% in 2014
  • Corporate governance (45%), up from 24% in 2014
  • Data breaches (42%), up from 24% in 2014

Earning consumer trust will take some extraordinary effort, as a seemingly constant stream of breaches in the news and personal experiences have clearly made customers more skeptical of data security across a range of industries. When asked which institution they trust more with their personal information and safeguarding privacy, today’s consumers ranked traditional financial institutions—including insurers—higher by a wide margin over new online providers, but a larger percentage of consumers do not trust any organization to be able to protect their data:

  • Bank/brokerage, insurance, or credit card company (33%)
  • U.S. Government (IRS, Social Security) or U.S. Postal Service (13%)
  • Current healthcare company (4%)
  • Online wallets (PayPal, Google Wallet, Apple Pay) (4%)
  • Retail chain or small businesses (4%)
  • All other (3%)
  • None of these organizations or companies can be trusted (39%)

 

Windows Server 2003 Expiration Brings Defense in Depth to Life

Posted on by

windows server 2003

The termination of support for Windows Server 2003 (WS2003) is less than four months away, leaving many enterprises in a race against the clock before the system’s security patches cease. In fact, 61% of businesses have at least one instance of WS2003 running in their environment, which translates into millions of installations across physical and virtual infrastructures. While many of these businesses are well aware of the rapidly approaching July 14 deadline and the security implications of missing it, only 15% have fully migrated their environment. So why are so many enterprises slow to make the move?

Migration Déjà Vu

The looming support deadline, the burst of security anxiety, the mad rush to move off a retiring operating system… sound familiar? This scenario is something we’ve seen before, coming just 12 months after expiration of Windows XP support.

While there may be fewer physical 2003 servers in an organization than there were XP desktops, a server migration is more challenging and presents a higher degree of risk. From an endpoint perspective, replacing one desktop with the latest version of Windows affects only one user, while a server might connect to thousands of users and services. Having a critical server unavailable for any length of time could cause major disruption and pose a threat to business continuity.

Compared to the desktop, server upgrades are significantly more complex, especially when you then add hardware compatibility issues and the need to re-develop applications that were created for the now outdated WS2003. Clearly, embarking on a server migration can be a very daunting process – much more so than the XP migration – which seems to be holding many organizations back.

Cost of Upgrading versus Staying

Moving off WS2003 can be a drain on time resources. While most IT administrators understand how to upgrade an XP operating system, the intricacy of server networks means many migrations will require external consultancy, especially if they are left to the last minute. It’s no wonder that companies this year are allocating an average of $60,000 for their server migration projects. Still, it’s a fair price to pay when you consider the cost of skipping an upgrade entirely. Legacy systems are expensive to maintain without regular fixes to bugs and performance issues.

And without security support, organizations will be left exposed to new and sophisticated threats. Meanwhile, hackers will be looking to these migration stragglers as their prime targets. For those who fall victim to exploits as a result, it’s not just financial losses they will have to deal with, but a blow to their reputation as well. It also means that companies continuing to run on WS2003 after support ends will be removed from the scope of compliance, adding other penalties that could further damage the business.

If they haven’t already, businesses still running on the retiring system should be thinking now about making an upgrade to Windows Server 2012. It’s easier said than done, of course. A server migration can take as long as six months, so even if businesses start their migration now, there could still be a two month period during which servers run unsupported. This means that organizations should be putting defenses in place to secure their datacenters for the duration of the migration and beyond.

Control Admin Rights

While sysadmins are notorious for demanding privileged access to applications, the reality is, allocating admin rights to sys-admins is extremely risky, since malware often seeks out privileged accounts to gain entry to a system and spread across the network. Plus, humans aren’t perfect, and the possibilities for accidental misconfigurations when logging onto a server are endless. In fact, research has shown that 80% of unplanned server outages are due to ill-planned configurations by administrators.

Admin rights in a server environment should be limited to the point where sysadmins are given only the privileges they need, for example to respond to urgent break-fix scenarios. Doing so can reduce exploit potential significantly. In an analysis of Patch Tuesday security bulletins issued by Microsoft throughout 2014, the risk of 98% of Critical vulnerabilities affecting Windows operating systems could be mitigated by removing admin rights.

Application Control

Application Control (whitelisting) adds more control to a server environment, including those that are remotely administered, by applying simple rules to manage trusted applications. While trusted applications run through configured policies, unauthorized applications and interactions may be blocked. This defense is particularly important for maintaining business continuity as development teams are rewriting and refactoring apps.

Sandboxing

Limiting privileges and controlling applications sets a solid foundation for securing a server migration, but even with these controls, the biggest window of opportunity for malware to enter the network – the Internet – remains exposed. Increasingly, damage is caused by web-borne malware, such as employees unwittingly opening untrusted pdf documents or clicking through to websites with unseen threats. Vulnerabilities in commonly used applications like Java and Adobe Reader might be exploited by an employee simply viewing a malicious website.

Sandboxing is the third line of defense that all organizations should have in place, at all times. By isolating untrusted content, and by association any web-borne threats or malicious activity in a separate secure container, sandboxing empowers individuals to browse the Internet freely, without compromising the network.

buy symbicort inhaler online www.scottsdaleweightloss.com/wp-content/uploads/2023/10/jpg/symbicort-inhaler.html no prescription pharmacy

Having instant web access is expected in modern workplaces, so sandboxing is ideal for securing Internet activity without disrupting productivity and the user experience.

Windows Server 2003 Migration: A Window of Opportunity

It shouldn’t take an OS end of life to spur change – especially security change. Organizations and their IT teams need to be thinking about how they can adapt their defenses, ensuring that they are primed to handle the new and sophisticated threats we see emerging every day. A migration is often the perfect time to revitalize an organization’s security strategy. With a migration process as a catalyst for reinvention, IT can lean on solutions like Privilege Management, Application Control and Sandboxing to not only lock down the migration, but carry beyond it as well, providing in-depth defense across the next version of Windows.