Reputational Risk and IT - 2013

Read how security and business continuity can shape the reputation and value of your company.


  1. IBM Global Technology Services. Executive summary: Reputational risk and IT. How security and business continuity can shape the reputation and value of your company. RLP03019-USEN-00 © 2012 IBM Corporation
  2. Reputational risk and IT: introduction. Make a resolution to make 2013 the year that your enterprise makes reputational risk an integral part of IT risk management. IBM is happy to provide this presentation for use in fostering discussions in your organization about the connections between IT risk and reputational risk. The information in this presentation is provided “as is.” IBM is not responsible for any changes made to the presentation by users outside of IBM. For more information, visit: ibm.com/services/riskstudy
  3. Reputational risk and IT: introduction. Your reputation is at risk every day. An IT issue can set off a series of events that can have significant impact on business value. IT event: storms trigger power outage; partial failure in data center UPS; critical servers fail; highly visible service outage. Reputation suffers: news reports on the web; people talk; confidence, trust waver. Business value damaged: penalties accrue; customers defect; stock price falls.
  4. Reputational risk and IT: introduction. To find out where and how IT makes its biggest impact on reputational risk — and uncover any gaps — IBM conducted a worldwide study. The study survey was conducted by the Economist Intelligence Unit on behalf of IBM. Respondents were asked questions about their companies’ reputational and IT risk efforts, plans and spending to provide a detailed picture of IT reputational risk management around the world. Respondents: 427 (North America 33%; Europe 29%; Asia Pacific 26%; Latin America 8%; Middle East/Africa 5%). Industries: 23* (All others 28%; Banking 19%; IT/Tech 15%; Energy/Utilities 13%; Insurance 11%; Financial Markets 9%; Professional Services 5%). Job titles: 15* (IT manager 24%; Other non-C-suite 23%; Other C-suite 14%; CEO/President/Managing Director 13%; CIO/CTO/Tech director 12%; SVP/VP/Director 11%; CRO/Risk Director 3%). Company sizes: 5 ($500M or less 37%; $500M to $1B 13%; $1B to $5B 16%; $5B to $10B 9%; $10B or more 27%). *Top responding categories shown.
  5. Reputational risk and IT: introduction. The study results revealed three key observations concerning IT’s impact on reputational risk. #1 IT risks have a major impact on a company’s reputation. #2 Companies have rising IT risk concerns related to emerging technology trends. #3 Companies are integrating IT risk and reputational risk management, with strongest focus on threats to data and systems. “IT and reputational risk management and mitigation are… key success factors of our business and must be given due emphasis.” C-level executive, Malaysian agriculture and agribusiness company
  6. Reputational risk and IT: perception vs. reality. There seems to be a mismatch between how well companies rate their reputation and how well they are protecting it. 80% rate reputation as excellent or very good. 17% rate their company’s overall ability to manage IT risk as very strong. There is room for improvement in almost every organization. Source: Q1: How would you rate your company’s current reputation within its industry? Q5: How would you rate your company’s overall ability to manage IT risk?
  7. Reputational risk and IT: perception vs. reality. IT risks strongly affect the factors most important to a company’s reputation — making IT risk integral to reputational risk. 78% include IT risk management as part of reputational risk management. “IT… is like the heart pumping blood to the whole body, so any failure could threaten the whole organization’s survival.” IT manager, French IT and technology company. Most important to reputation: Best-in-class product/service 29%; Customer engagement 24%; Trusted partner status 14%. Strongly affected by IT risk: Customer satisfaction 46%; Brand reputation 41%; Compliance 40%. Source: Q2: Is IT risk management part of your organization’s overall reputational risk management strategy? Q6: Which of the following is the single most important factor driving your company’s reputation? Q3: In your estimation, how much do IT risks affect the following?
  8. Reputational risk and IT: perception vs. reality. Data breach tops the list of IT risk factors that can cause the most reputational harm. Top three IT risk factors harmful to reputation: 61% data breach; 44% systems failure; 37% data loss. Source: Q7: Which of the following IT risk factors do you think has the greatest potential to harm your company’s reputation? Select the top three.
  9. Reputational risk and IT: perception vs. reality. Companies’ perceptions differ from reality when it comes to the comprehensiveness of their reputational risk protections. Data breach: perception, 70% very confident/confident about level of protection; reality, 32% have access to the latest security threat intelligence. Systems failure: perception, 70% very confident/confident about level of protection; reality, 52% have 24x7 expert technical support coverage. Data loss: perception, 76% very confident/confident about level of protection; reality, 45% perform testing including business users. Companies are overlooking the IT fundamentals that can enhance their ability to mitigate reputational risk. Source: Q4: How confident are you that your company has adequate procedures, processes and controls in place to manage IT risk related to the following? Q17: Which of the following procedures, processes and controls do you have in place?
  10. Reputational risk and IT Study: security findings. Well publicized scenarios of financial and reputational impact due to security breaches are in the news every day. Payment processor: Hackers intrude core line of business. Nearly 130 million customers affected. Estimated costs: up to $500M. Online gaming community: Community and entertainment sites hacked. Around 100 million customer records compromised. Estimated costs: $3.6B. Retailer: Customer data stolen over more than 18 months. At least 45 million records stolen. Estimated costs: up to $900M. Illustrative purposes only. The actual facts and damages associated with these scenarios may vary from the examples provided. Estimated, based on publicly available financial information, published articles.
  11. Reputational risk and IT: perception vs. reality. The impact of IT risk events on “reputational recovery” is measured in months, not hours or days like recovery time objectives (RTO). Recovery time (0-6 months / 6-12 months / 12+ months): Website outage 78% / 14% / 8%; System failure 72% / 17% / 10%; Workforce mobility 71% / 18% / 11%; Data loss 70% / 17% / 12%; Inadequate continuity plans 65% / 21% / 13%; Insufficient DR measures 63% / 24% / 12%; New technology 64% / 18% / 18%; Data breach 65% / 19% / 16%; Compliance failure 64% / 22% / 14%; Poor IT skills / tech support 64% / 22% / 14%. Source: Q9: In your estimation, how long on average has it taken for your organization’s reputation to recover from damage caused by the following IT risk factors? Q4: How confident are you that your company has adequate procedures, processes and controls in place to manage IT risk related to the following?
  12. Reputational risk and IT: perception vs. reality. Companies may be opening themselves up to unintended reputational risk by ignoring the impact of their partners. Only 28%* of companies “very strenuously” require their vendors, partners and supply chain to match levels of risk control. *Average. How many outside sources does your company rely on? Are you enforcing your IT risk mitigation policies on these sources? How are you monitoring your sources’ compliance with your standards? “A major deliverable was on a contractor’s laptop, and it was stolen. We missed an important client deadline and lost the source files for all the work.” Chief marketing officer, American education company. Source: Q16: How seriously do you require your vendors/partners/supply chain to meet the same levels of control that you require internally to manage risk?
  13. Reputational risk and IT: security, continuity and social media. Most companies have security items in place to react to reputational threats, but this is only part of the picture. Critical security fundamentals currently in place: Firewall management 79%; Identity/access controls 71%; Network & endpoint protection 60%. Danger: Up to 40% of companies are missing critical security protections. “Being proactive and preventive is much more effective than being reactive.” IT manager, American energy and utilities company. But companies are overlooking many of the items that can proactively protect their reputations before harm happens: Cloud security protection 23%; Access to latest security threat intelligence 32%; Penetration testing/ethical hacking 43%. Source: Q17: Which of the following procedures, processes and controls do you have in place?
  14. Reputational risk and IT: security, continuity and social media. Companies also have continuity basics in place, but are missing the opportunity to leverage IT fundamentals for additional protection. Companies have the continuity basics in place: Backup/restore testing 78%; Fully documented DR plan 68%; Automated backup processes 67%. Now: Up to 55% of companies can improve reputational risk management through the use of IT fundamentals. There is untapped potential to use IT fundamentals to better manage reputational risk: Change management 45%; 24x7 onsite maintenance/repair for critical equipment 51%; 24x7 software tech support 53%. Source: Q17: Which of the following procedures, processes and controls do you have in place?
  15. Reputational risk and IT: security, continuity and social media. Companies are using social media tools to do business; now they need to use them to protect their reputations. Social media used to communicate with customers: Company website 87%; Social media/networking tools 50%; Text messaging (SMS) 46%; Company-branded mobile application 44%. But only 27% provide for employee social media use during crisis, and 19% have incorporated social media into their disaster recovery plans. Companies are missing the opportunity to leverage social media to protect and recover their reputations. Source: Q21: Which of the following channels does your organization use to communicate with customers? Q17: Which of the following procedures, processes and controls do you have in place?
  16. Reputational risk and IT: who owns it? When asked who was most accountable for the company’s reputation, respondents put responsibility squarely with the CEO. CEO 80%; CFO 31%; CIO 27%; CRO 23%; CMO 22%. CEO: Best able to drive reputational risk management throughout an organization. CMO: The critical link between the company and its customers. Source: Q10: Which functions within your organization are most accountable for the company’s reputation? Select the top three.
  17. Reputational risk and IT: focus and funding. New technologies and social media are leading factors behind an increased focus on reputational risk. 64% will increase focus on reputational risk compared to five years ago. Why increase? New technology/social media 43%; Previous event harmful to competitor/industry 20%; Previous event harmful to company 18%; Board of directors/C-suite mandate 10%; Other 7%; Shareholder pressure 3%. “Technology is an amplifier in all it touches, for better and worse. If we use it, we must manage it rigorously.” CIO, Barbados professional services firm. Source: Q11: How much will your organization focus on managing its reputation going forward as compared to five years ago? Q11a: What is the primary reason your company will focus more on managing its reputation going forward as compared to five years ago?
  18. Reputational risk and IT: focus and funding. Often as a result of increased spending, companies are reporting adequate funding to manage reputational risk. 60% say they have adequate funding to provide the level of IT risk management needed to protect the organization’s reputation. For many organizations, adequate funding means increased funding: 57% have increased spending over the past 12 months; 59% will increase spending over the next 12 months. “Underestimating the cost of reputational risk greatly exceeds the cost of protection.” Finance manager, American financial services company. Source: Q12: Do you think you have adequate funding to provide the level of IT risk management required to protect your organization’s reputation? Q13: Over the past 12 months, how much has your IT budget increased due to concerns over reputational risk? Q14: Over the next 12 months, how much will your IT budget increase due to concerns over reputational risk?
  19. Reputational risk and IT: what you can do now. Start a reputational risk dialogue across your enterprise. Have the reputational risk conversation — the sooner, the better. Elevate your discussion — lead with reputational risk to justify IT investments. Team up with your risk colleagues. Confirm partners’ compliance with your standards. Extend your reporting and escalation process to include reputational risk impact.
  20. Reputational risk and IT: what you can do now. Incorporate the key characteristics of companies reporting excellent reputations. (1) Companies with excellent reputations see stronger links between IT threats and reputation, especially customer satisfaction and brand reputation. [Chart: organizations reporting their reputation as Excellent, Very good, or Average or worse, compared on whether they (2) integrate IT into reputational risk management, (3) have strong/very strong IT risk management capacity, (4) have adequate IT risk management funding, (5) very strenuously require supply chain to match standards.] Source: Q2: Is IT risk management part of your organization’s overall reputational risk management strategy? Q5: How would you rate your company’s overall ability to manage IT risk? Q12: Do you think you have adequate funding to provide the level of IT risk management required to protect your organization’s reputation? Q16: How strenuously do you require your vendors/partners/supply chain to meet the same levels of control that you require internally to manage risk?
  21. Reputational risk and IT: what you can do now. Learn more about the reputational risk and IT connection, and how IBM can help you protect the reputation and value of your company. Download the full study report: includes all you’ve seen today, plus other important findings. ibm.com/services/riskstudy. Add your voice to the discussion: take the reputational risk survey online and get a complimentary copy of the 2013 expanded report. Scan the code or go to bit.ly/ibmrisksurvey. Get the experts’ views on managing IT risk: the Reputational Risk Webcast Series features industry and IBM experts exploring the relationship between reputation and IT risk. ibm.com/services/riskstudy/webcasts. Explore how IBM can help you with: Security; Business continuity; Technical support services. Request to speak with an IBM specialist about your business needs.
  22. Thank you for your interest
  23. © Copyright IBM Corporation 2012. IBM Corporation, IBM Global Services, Route 100, Somers, NY 10589, U.S.A. Produced in the United States of America, November 2012. IBM, the IBM logo and ibm.com are trademarks of International Business Machines Corporation in the United States, other countries or both. If these and other IBM trademarked terms are marked on their first occurrence in this information with a trademark symbol (® or TM), these symbols indicate U.S. registered or common law trademarks owned by IBM at the time this information was published. Such trademarks may also be registered or common law trademarks in other countries. Other product, company or service names may be trademarks or service marks of others. A current list of IBM trademarks is available on the web at "Copyright and trademark information" at ibm.com/legal/copytrade.shtml. This document is current as of the initial date of publication and may be changed by IBM at any time. Not all offerings are available in every country in which IBM operates. THE INFORMATION IN THIS DOCUMENT IS PROVIDED “AS IS” WITHOUT ANY WARRANTY, EXPRESS OR IMPLIED, INCLUDING WITHOUT ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND ANY WARRANTY OR CONDITION OF NON-INFRINGEMENT. IBM products are warranted according to the terms and conditions of the agreements under which they are provided.
