What is the financial impact of damage to your reputation or brand? How well are you protecting your reputation? Learn about the connection between Business Continuity, Security and IT in protecting your reputation.
Analyzing Business Continuity and Reputational Risk
1. Analyzing and Managing Risk
Taking the plunge into Business Continuity Management
Dawn Simpson, CBCP
VP of Market Development
January 23, 2014
2. Objectives
• Defining the Business Impact Analysis
• Examining risk:
  o Data supporting business risks and the role of IT
  o Financial and other impacts of risk
  o Examining “Reputational Risk”
  o Making the IT and Reputational Risk connection
• Steps to take to strengthen your position
• Resources and References
3. What is a BIA (Business Impact Analysis)?
The BIA helps you document and define the critical business functions, determine the threats unique to your organization, and identify how and which IT systems support your critical business functions, so that you can prioritize and plan to mitigate the greatest risks first.
The BIA should provide data to assess the organization's ability to:
• Eliminate or reduce the potential for injuries or the loss of human life.
• Create awareness of unique business threats.
• Develop a continuity action plan to bring the firm to “New Normalcy.”
• Upon completion of the initial BCP, immediately deliver real benefits to the organization.
4. IBM surveyed 2,316 business continuity and IT security professionals, asking respondents to evaluate the following list of common cost categories and threats
Cost Categories:
• Reputation and brand damage
• Lost revenue due to system availability problems
• Lost productivity from downtime or system performance
• Compliance and regulatory failure costs
• Forensics to determine root causes
• Technical support to restore systems
Threats:
• Human error
• IT system failure
• Cyber security or data breach/data theft
• Third-party failure of continuity or IT security
• Data loss from backup or restore failure
• Natural or manmade disaster
7. Respondents apportioned total cost across the six cost categories, using a 100-point scale
[Chart not reproduced: for each of three incident scenarios (Minor, $1M; Moderate, $4.3M; Substantial, $14.3M), respondents split 100 points across the six cost categories: lost productivity from downtime or system performance, technical support to restore systems, lost revenue due to system availability problems, compliance and regulatory failure costs, forensics to determine root causes, and reputation and brand damage. The chart also distinguishes event-related impact from duration-related impact.]
8. Examining a Common Threat: Reputational Risk
The mitigation of reputational risk has a definable value:
• The economic value of a company’s reputation declines 29% as a result of an IT breach of customer data*
• Can loss of IT functionality (e.g., loss of email or data) or a security breach affect your brand value?
• How do you protect your brand reputation?
• Have you established strong, integrated risk management (Business Continuity and Security) programs?
*Reputation Impact of a Data Breach: US Study of Executives & Managers, Ponemon Institute, sponsored by Experian® Data Breach Resolution, November 2011.
9. Here’s what the BIG guys are saying…
IBM 2011 Annual Report – Item 1A “Risk Factors”
Cybersecurity and Privacy Considerations could impact the Company's
Business:
The company's products, services, and systems may affect critical third party operations or
involve the storage, processing and transmission of proprietary and sensitive or confidential
data, including personal information of employees, customers and others.
Breaches of security could expose the company, its customers or others to risk of loss…
resulting in litigation and potential liability for the company, as well as the loss of existing or
potential customers and damage to the company's brand and reputation.
IBM has one of the strongest brand names in the world, and its brand and overall reputation
could be negatively impacted by many factors… If the company's brand image is tarnished by
negative perceptions, our ability to attract and retain customers could be impacted.
Source: http://www.ibm.com/annualreport/2011/bin/assets/2011_ibm_sec10k.pdf
10. Making the reputation and IT risk connection
Incidents over the past 24 months that affected reputation and brand value (percentage of “yes” responses):
• IT system failure: 67%
• Human error: 58%
• Cyber security or data breach/data theft: 47%
• Data loss from backup or restore failure: 42%
• Natural or manmade disaster: 23%
• Third-party continuity or IT security failure: 19%
“IT risk management is reputation management.”
– IT security supervisor, US telecom company
11. Relating it to the BIA
1. Example: IBM identified a trend that has become a threat to a critical business function, i.e. Brand Reputation
2. The financial and reputational impact of the threat was determined and deemed a priority
3. Funding to protect reputation is required for success
4. IT is a key safeguard in protecting against reputational harm
5. Upon identifying the functional priorities and the IT support in place, the company can determine whether there are gaps to be mitigated, based on financial and risk-based data and organizational goals
12. Reputation Recovery
In your estimation, how long on average has it taken for your organization’s reputation to recover from damage caused by the following IT risk factors?
[Chart not reproduced: for each of ten IT risk factors (data breach, new technology, insufficient DR measures, poor IT skills / tech support, inadequate continuity plans, data loss, compliance failure, mobility (BYOD), system failure, website outage) the chart shows the share of respondents reporting recovery within 0-6 months, 6-12 months and 12+ months. In every row a majority (between 54% and 71%) reported recovery within 0-6 months, with the remaining respondents split between the 6-12 month and 12+ month buckets.]
Source: 2013 IBM Reputational Risk and IT Study, IBM and Economist Intelligence Unit
13. Barriers to achieving highly effective business continuity and IT security management programs
Three key issues for organizational leadership to address:
• Lack of strategy: 30% of respondents say their organizations do not have a strategy for business continuity or IT security management
• Inadequate funding: 37% say lack of funding is the leading barrier to success, followed by disruptive technologies and lack of expert or knowledgeable staff
• No clear ownership: 28% say the CIO has overall responsibility for ensuring that IT operations are not disrupted, followed by business unit leader (20%) and “no one person” (11%)
14. What can you do now to address IT and reputational risk?
• Be proactive — and be prepared to invest in IT controls
• Create a collaborative environment — encourage executives, risk management specialists, and IT managers to work together
• Use reputational risk as a justification for IT investment — and build a business case
• Assess risk across the supply chain and confirm partners’ compliance with your standards
• Consider outside help for an unbiased view of perception versus the reality of your risk exposure
16. Resources and references used in this presentation
• Read the IBM point of view and the study findings report: ibm.com/services/riskstudy
• How well are you doing? Find out with the IBM Reputational Risk Index: www.ibmriskindex.com
• Engage with a consultant to discuss your risk exposures
• Visit these websites: www.DRII.org, www.drj.com
17. Thank you
Dawn Simpson, CBCP
VP of Market Development
Trivalent Group
3145 Prairie St. | Grandville, MI 49418
616.301.6406 | dsimpson@trivalentgroup.com