This past holiday season proved to be very costly for several major retailers in the United States. The massive US retailer Target, it turns out, was not the only victim of the cybercrime warfare during the busy holiday shopping season. A recent article from Reuters stated that up to 6 attacks on US merchants have been ongoing for months.
An organization’s reputation can be viewed as a driving force for success, one which is complex and difficult to define. Without a positive reputation, potential customers and clients are wary of investing in or doing business with a company when they are uncertain about the quality of its products and services, or about its ability to accept payment for goods and services and protect accumulated personal information. A reputation for sound business and quality services is a necessity for doing business; it is the key that unlocks the door to opportunities for growth. Without this key, businesses become stagnant and never reach a high-performing level. While it may be difficult to state precisely what it is, reputation is recognized as one of the cornerstones of a successful business.
“It takes 20 years to build a reputation and 5 minutes to ruin it. If you think about that you will do things differently.” – Warren Buffett
How does Risk Management aid in Reputation management?
In our blog regarding The Relationship Between Risk Management and Business Continuity Management, we expressed our view on the importance of the two being interconnected within organizations. Reputation risk management is a prime example of how vital the link between these two management systems is to an organization. Effectively identifying, assessing, and treating risks related to reputation can safeguard a company’s reputation and reduce the risk to an acceptable level. This assumes that proper controls are put in place and that employees in turn practice those controls. Further, effective business continuity and recovery plans allow companies to curtail the damage that threatening events cause to a reputation. Combining these two management systems, and ensuring their synergy, is essential to effective management of reputation risk.
Do you think the revealing news about Target, Neiman Marcus, and the other companies will dramatically affect their reputations with consumers and investors?
Are other retailers now realizing the potential risks they face and starting to address the problems before they require an expensive solution?
Have we seen the last of this type of attack on a retailer’s credit card information system and ultimately the organization’s reputation?
Reputation risk management, as with all aspects of risk management, must be systemically distributed throughout an organization at a granular level. All employees have the potential to dramatically affect a company’s reputation, and as such must be considered when managing risk. Though it is true that the CEO and the board are the ones responsible for protecting the company’s reputation, a culture of risk management should be embedded within an organization from the top down and from the bottom up. For more details on this approach to reputation risk management, see our previous article on the topic.
The series of attacks on credit card data and personal information isn’t new, but it serves to remind all of us of the importance of trust when choosing who we allow to protect our personal information. The Payment Card Industry Data Security Standard (PCI DSS) provides an actionable framework for developing a robust payment card data security process, including prevention, detection and appropriate reaction to security incidents. The PCI DSS standard is available with RM Studio, and the use of the risk management tool and the Standard has proven to streamline the risk management process and significantly reduce time and money spent on recovery from security incidents.