Why Focus on Business Reputation Risk?

Return to Risk-Based Security
Created by the Security Executive Council

In a recent Security Executive Council (SEC) Security Barometer poll we found the one thing that security practitioners felt would most help their department and career is to become more involved with the business side of the organization. To achieve that goal successful risk managers must demonstrate a thorough understanding of what is important to senior executives.

Chart showing security barometer results

Consider the following recent news item: CFO magazine reported 66% of board directors see reputational risk as their top concern.

Many security practitioners may intuitively see the importance of reputational risk to their senior executives but the Security Leadership Research Institute (SLRI) Corporate Security Organization Structure, Cost of Services and Staffing Benchmark report tells a different story. Security and risk management practitioners were asked their top five risks that were the greatest concern to their organization. Only 4% of the chosen top risks corresponded to reputational risk.

Chart showing most commonly identified Board Level Risk from SLRI report

Drilling down further into the details of the report, it is interesting to note that two industries whose top risks did include a significant portion of reputational risks were transportation services (15%) and food & beverage (11%). How reputation can significantly affect revenue in these industries can be easily understood. But research has shown that across all industries businesses that have good reputations have higher valuations, they find it easier to attract good employees and they find it easier to maintain their good reputation over time. (For more information see "Communicating a Solid Corporate Reputation" from ComplianceWeek.

Damage to reputation is difficult to hide. The Security and Exchange Commission (SEC) has demanded publically traded companies clearly publish risks unique to the organization in their 10k reports. Recently the SEC sent letters to six major companies (all victims of large cyber attacks) instructing the companies to include information about the cyber-attacks in their earnings reports. The purpose of these disclosures is to ensure that investors are aware of the incidents - even though the major publicity surrounding the attacks has passed.

Next Steps
The purpose of sharing this information is not to have security chasing down risks to the organization’s reputation but rather to point out that becoming more involved in the business side of the organization requires understanding how senior executives view risk issues. Risk managers need to consider that the CFO survey found that 75% of the board members were seeking information on risk from a holistic, enterprise wide, viewpoint. Viewing risk in business silos is unlikely to match what the board is thinking.

SEC Tier 1 Leaders frequently refer to our Board Level Risk chart. The information in this chart was part of a research initiative to create a baseline corporate risk landscape that shows security’s involvement in risk management. The chart, while not meant to be exhaustive, can be used to map how the security function can add value through risk mitigation strategies across the enterprise. Viewing security programs in light of the board level risk categories they serve can help risk managers better connect with the business side of the organization.

Return to Risk-Based Security