How do I balance cybersecurity issues and other reputational and valuation risks?
First, you’re doing the right thing. According to a report released by the Ponemon Institute, the average U.S. company with 1,000 employees spends $15 million a year battling cybercrime. With attacks becoming more frequent and sophisticated, that number likely will rise in the future.
Unfortunately, the other risks posing threats to your business aren’t taking a holiday while you ramp up protection against malicious cyberattacks. Some of the biggest and costliest corporate events of late didn’t result from hacking. With Samsung, it was a product failure. With Chipotle, it was food contamination. With Volkswagen and Wells Fargo, it was poor governance and decision making. And, for United Airlines, it was customer service.
The lesson in each case: Threats come in all shapes and sizes. This is why I strongly encourage companies of all sizes to have an active enterprise risk management process in place.
I know it sounds like a huge and pricey undertaking, but it can be done efficiently. When you consider that 14 percent of Wells Fargo customers surveyed after their disaster said they had already left the bank, and that another 30 percent were considering it, you have to ask yourself whether you could afford not to have a responsive stakeholder feedback system in place.
Here are a few suggestions on ways you can implement a real-time, living enterprise risk management program without breaking the bank or tying up too many of your precious resources.
Make a stakeholder SWOT analysis part of your normal business continuity planning. Ideally, you’d have a designated team assigned to enterprise risk management and crisis preparedness. At the very least, make identifying potentially damaging risks a recurring topic at your senior management and board meetings. If you’re a private company, with or without a board, make it a part of your regular management meetings.
Don’t bury enterprise risk management in audit or compliance. To properly prepare, your entire organization needs to understand the potential value-depleting risks you face.
Take proactive measures to close gaps that exist between your company’s perception and its performance. If the perception of your company is misaligned with performance before a crisis hits, imagine the effect that inconsistency will have when something goes wrong. One way to combat this is to communicate your company’s intrinsic value to your various stakeholders on an ongoing basis. Having built an understanding of your value creation track record and potential before a triggering event can significantly reduce your vulnerability and help ward off proxy fights and shareholder activists seeking to take control of your board during a crisis-driven valuation diminution.
Run routine risk assessments and crisis scenarios. Understanding your risks and preparing for how to manage through them not only will help protect your reputation in times of crisis, but it also will lessen your potential reputational, legal, financial and cultural exposures. If you can demonstrate you were prudent and took every reasonable measure to mitigate risk, you’ll likely be less open to legal action on the back end.