How can a security leader build resilience and internal risk management programs to protect an organization’s reputation and, ultimately, operational continuity?

The Issue of Corporate Risk and Reputation

The issue of corporate risk and reputation for the C-suite is among the most pressing concerns for many multinational companies. After all, the impact of an issue or event to the organization — depending on the type of incident — could mean large regulatory fines, reputational damage linked to the loss of clients, damage to company share price, disruption or closure to business, and in some cases, criminal charges of negligence against executives and/or the organization.

The Enron scandal is a worst-case example of what can happen to a company if risk management is not prioritized within organizations which, in 2001, resulted in the bankruptcy of the company with more than $63.4 billion in assets, along with damage to shareholders and board members.  

But, of course, there are other examples that have caused companies to collapse, the C-suite to resign or be fired, or companies to shut down.

The BP oil spill from 2010 — which led to 172 million gallons of oil dumped into the Gulf of Mexico, followed by an explosion that killed 11 workers at the Deepwater Horizon drilling rig off the Louisiana coast — is a notable example in terms of impact to an organization. BP pleaded guilty to 12 felony counts from the accident and Transocean, the other company involved in rig operations, pleaded guilty to a misdemeanor violation of the Clean Water Act. BP’s share prices dropped by billions of dollars and caused a considerable drop in the price of crude oil.

The current and emerging risks to multinational, global enterprises or any size organization include cyber, natural disaster, and physical risks, which means that the potential impact can have far-reaching implications. Of added concern is that these risks are often not contained to a specific geography, given the transnational nature of work, the ability of different threat actors to operate remotely, but seek to exploit vulnerabilities, and the more frequent cases of natural disasters.

The issues of the “return to work;” how to manage international travel and the risk impacts of travel on employees; and the changing risk landscape due to COVID-19, all mean that the issue of managing an array of strategic risks will likely become more important in the coming months and years.

It is increasingly likely that technology companies bear legal risks or implications from compromised personal data or the potential for disinformation on their platforms — particularly if they operate in the U.K. and Europe and must follow the General Data Protection Regulation (GDPR) and data privacy restrictions. Incidents can result in huge fines, the restriction of a company’s ability to operate in some countries, and the loss of confidence in other platforms elsewhere in the world.

In other words, the current threat environment has changed the importance and balance of risk mitigation from a company’s reputation and branding protection perspective — and the evolving threat landscape highlights the importance of building resilience and internal risk management programs to protect an organization’s reputation and, ultimately, operational continuity.

How Can Security Executives Reduce Exposure and Protect Their Organization’s Reputation?

To more efficiently manage risk and minimize risk exposure, security executives can take seven practical steps:

1. Adhere to ISO frameworks and specific additional mitigation measures within more specific sectors, such as ISO 31,000 and ISO 27,000.
2. Establish clear policies for an acceptable residual risk level, which is often communicated to board members, shareholders and interested stakeholders.
3. Ensure that there is sufficient training and communication in terms of how specific risk issues are likely to cascade across different components of an organization. In the event of an incident, the impact on different components or branches across an organizational structure is often not clearly considered or understood. This further emphasizes the need for organizational training and planning ahead of incidents, in an attempt to ensure that the full impact of risks is considered.
4. Invest in internal corporate security teams conducting horizon scanning, stress testing of worst-case scenarios, emergency planning and measuring potential impact of various likely risks.
5. Build crisis management teams to reduce the impact of threats on an organization and ensure events are handled effectively. Put solid communication plans in place and involve relevant stakeholders early in the process.  
6. Focus on effective travel security risk management programs and solutions by understanding up-front risks and any subsequent changes in the threat environment where employees and travelers are going.
7. Conduct incident reviews and ideate changes to the existing security framework to manage issues more efficiency, as well as ensure that various internal systems become more resilient in terms of skill sets and use of relevant technology to reduce apparent vulnerabilities.