Reputational Risk and IT - 2013
- 1. IBM Global Technology Services
Executive summary:
Reputational risk and IT
How security and business continuity can shape the reputation and
value of your company
RLP03019-USEN-00
© 2012 IBM Corporation
- 2. Reputational risk and IT: introduction
Make a resolution to make 2013 the year that your enterprise makes
reputational risk an integral part of IT risk management.
IBM is happy to provide this
presentation for use in fostering
discussions in your organization
about the connections between IT
risk and reputational risk.
The information in this presentation
is provided “as is.” IBM is not
responsible for any changes made
to the presentation by users outside
of IBM.
For more information, visit:
ibm.com/services/riskstudy
- 3. Reputational risk and IT: introduction
Your reputation is at risk every day. An IT issue can set off a series
of events that can have significant impact on business value.
IT event: Storms trigger power outage; partial failure in data center UPS; critical servers fail; highly visible service outage
Reputation suffers: News reports on the web; people talk; confidence, trust waver
Business value damaged: Penalties accrue; customers defect; stock price falls
- 4. Reputational risk and IT: introduction
To find out where and how IT makes its biggest impact on reputational risk
— and uncover any gaps — IBM conducted a worldwide study.
The study survey was conducted by the Economist Intelligence Unit on behalf of IBM.
Respondents were asked questions about their companies’ reputational and IT risk efforts, plans and spending to provide a detailed picture of IT reputational risk management around the world.
Respondents: 427. North America, 33%; Europe, 29%; Asia Pacific, 26%; Middle East/Africa, 8%; Latin America, 5%
Industries: 23*. All others, 28%; Banking, 19%; IT/Tech, 15%; Energy/Utilities, 13%; Insurance, 11%; Financial Markets, 9%; Professional Services, 5%
Job titles: 15*. IT manager, 24%; Other non-C-suite, 23%; Other C-suite, 14%; CEO/President/Managing Director, 13%; CIO/CTO/Tech director, 12%; SVP/VP/Director, 11%; CRO/Risk Director, 3%
Company sizes: 5. $500M or less, 37%; $10B or more, 27%; $1B to $5B, 16%; $500M to $1B, 13%; $5B to $10B, 9%
*Top responding categories shown.
- 5. Reputational risk and IT: introduction
The study results revealed three key observations concerning IT’s impact
on reputational risk.
#1 IT risks have a major impact on a company’s
reputation
#2 Companies have rising IT risk concerns related to
emerging technology trends
#3 Companies are integrating IT risk and
reputational risk management, with strongest
focus on threats to data and systems
“IT and reputational risk management
and mitigation are… key success
factors of our business and must be
given due emphasis.”
C-level executive,
Malaysian agriculture and agribusiness company
- 6. Reputational risk and IT: perception vs. reality
There seems to be a mismatch between how well companies rate
their reputation and how well they are protecting it.
80% rate reputation as excellent or very good
17% rate their company’s overall ability to manage IT risk as very strong
There is room for improvement
in almost every organization
Source: Q1: How would you rate your company’s current reputation within its industry?
Q5: How would you rate your company’s overall ability to manage IT risk?
- 7. Reputational risk and IT: perception vs. reality
IT risks strongly affect the factors most important to a company’s
reputation — making IT risk integral to reputational risk.
78 % include IT risk management as part of reputational
risk management
“IT… is like the heart pumping blood to the whole body, so any failure could
threaten the whole organization's survival.”
IT manager, French IT and technology company
Most important to reputation: Best-in-class product/service, 29%; Customer engagement, 24%; Trusted partner status, 14%
Strongly affected by IT risk: Customer satisfaction, 46%; Brand reputation, 41%; Compliance, 40%
Source: Q2: Is IT risk management part of your organization’s overall reputational risk management strategy?
Q6: Which of the following is the single most important factor driving your company’s reputation?
Q3: In your estimation, how much do IT risks affect the following?
- 8. Reputational risk and IT: perception vs. reality
Data breach tops the list of IT risk factors that can cause the most
reputational harm.
Top three IT risk factors harmful to reputation
61 % data breach
44 % systems failure
37 % data loss
Source: Q7: Which of the following IT risk factors do you think has the greatest potential to harm your company’s reputation? Select the top three.
- 9. Reputational risk and IT: perception vs. reality
Companies’ perceptions differ from reality when it comes to the
comprehensiveness of their reputational risk protections.
Data breach
Perception: 70% very confident/confident about level of protection
Reality: 32% have access to the latest security threat intelligence
Systems failure
Perception: 70% very confident/confident about level of protection
Reality: 52% have 24x7 expert technical support coverage
Data loss
Perception: 76% very confident/confident about level of protection
Reality: 45% perform testing including business users
* Companies are overlooking the IT fundamentals that can
enhance their ability to mitigate reputational risk
Source: Q4: How confident are you that your company has adequate procedures, processes and controls in place to manage IT risk related to the following?
Q17: Which of the following procedures, processes and controls do you have in place?
- 10. Reputational risk and IT Study: security findings
Well publicized scenarios of financial and reputational impact due to
security breaches are in the news every day.
Payment processor: Hackers intrude core line of business. Nearly 130 million customers affected. Estimated costs: up to $500M
Online gaming community: Community and entertainment sites hacked. Around 100 million customer records compromised. Estimated costs: $3.6B
Retailer: Customer data stolen over more than 18 months. At least 45 million records stolen. Estimated costs: up to $900M
Illustrative purposes only. The actual facts and damages associated with these scenarios may vary from the examples provided. Estimated, based on publicly available financial information, published articles.
- 11. Reputational risk and IT: perception vs. reality
The impact of IT risk events on “reputational recovery” is measured
in months, not hours or days like recovery time objectives (RTO).
0-6 months 6-12 months 12+ months
Website outage 78% 14% 8%
System failure 72% 17% 10%
Workforce mobility 71% 18% 11%
Data loss 70% 17% 12%
Inadequate continuity plans 65% 21% 13%
Insufficient DR measures 63% 24% 12%
New technology 64% 18% 18%
Data breach 65% 19% 16%
Compliance failure 64% 22% 14%
Poor IT skills / tech support 64% 22% 14%
Source: Q9: In your estimation, how long on average has it taken for your organization’s reputation to recover from damage caused by the following IT risk factors?
Q4: How confident are you that your company has adequate procedures, processes and controls in place to manage IT risk related to the following?
- 12. Reputational risk and IT: perception vs. reality
Companies may be opening themselves up to unintended
reputational risk by ignoring the impact of their partners.
Only 28% of companies “very strenuously” require their vendors, partners and supply chain to match levels of risk control *
* Average
How many outside sources does your company rely on?
Are you enforcing your IT risk mitigation policies on these sources?
How are you monitoring your sources’ compliance with your standards?
“A major deliverable was on a contractor’s laptop, and it was stolen. We missed an important client deadline and lost the source files for all the work.”
Chief marketing officer, American education company
Source: Q16: How seriously do you require your vendors/partners/supply chain to meet the same levels of control that you require internally to manage risk ?
- 13. Reputational risk and IT: security, continuity and social media
Most companies have security items in place to react to reputational
threats, but this is only part of the picture.
Critical security fundamentals currently in place
Firewall management 79%
Identity/access controls 71%
Network & endpoint protection 60%
Danger: Up to 40% of companies are missing
critical security protections
But
“Being proactive and preventive is much more effective
than being reactive.”
IT manager, American energy and utilities company
Companies are overlooking many of the items that can proactively protect their reputations before harm happens
Cloud security protection 23%
Access to latest security threat intelligence 32%
Penetration testing/ethical hacking 43%
Source: Q17: Which of the following procedures, processes and controls do you have in place?
- 14. Reputational risk and IT: security, continuity and social media
Companies also have continuity basics in place, but are missing the
opportunity to leverage IT fundamentals for additional protection.
Companies have the continuity basics in place
Backup/restore testing 78%
Fully documented DR plan 68%
Automated backup processes 67%
Now
Up to 55% of companies can improve reputational risk
management through the use of IT fundamentals
There is untapped potential to use IT fundamentals to better manage reputational risk
Change management 45%
24x7 onsite maintenance/repair for critical equipment 51%
24x7 software tech support 53%
Source: Q17: Which of the following procedures, processes and controls do you have in place?
- 15. Reputational risk and IT: security, continuity and social media
Companies are using social media tools to do business; now they
need to use them to protect their reputations.
Social media used to communicate with customers
Company website 87%
Social media/networking tools 50%
Text messaging (SMS) 46%
Company-branded mobile application 44%
But only
27% provide for employee social media use during crisis
19% have incorporated social media into their disaster recovery plans
Companies are missing the opportunity to leverage social media to protect and recover their reputations
Source: Q21: Which of the following channels does your organization use to communicate with customers
Q17: Which of the following procedures, processes and controls do you have in place?
- 16. Reputational risk and IT: who owns it?
When asked who was most accountable for the company’s
reputation, respondents put responsibility squarely with the CEO.
CEO 80%; CFO 31%; CIO 27%; CRO 23%; CMO 22%
CEO: Best able to drive reputational risk management throughout an organization
CMO: The critical link between the company and its customers
Source: Q10: Which functions within your organization are most accountable for the company’s reputation? Select the top three.
- 17. Reputational risk and IT: focus and funding
New technologies and social media are leading factors behind an
increased focus on reputational risk.
64 % will increase focus on reputational risk compared to
five years ago
Why increase?
New technology/social media, 43%
Previous event harmful to competitor/industry, 20%
Previous event harmful to company, 18%
Board of directors/C-suite mandate, 10%
Other, 7%
Shareholder pressure, 3%
“Technology is an amplifier in all it touches, for better and worse. If we use it, we must manage it rigorously.”
CIO, Barbados professional services firm
Source: Q11: How much will your organization focus on managing its reputation going forward as compared to five years ago?
Q11a: What is the primary reason your company will focus more on managing its reputation going forward as compared to five years ago?
- 18. Reputational risk and IT: focus and funding
Often as a result of increased spending, companies are reporting
adequate funding to manage reputational risk.
60% say they have adequate funding to provide the level of IT risk management needed to protect the organization’s reputation
For many organizations, adequate funding means increased funding
57% have increased spending over the past 12 months
59% will increase spending over the next 12 months
“Underestimating the cost of reputational risk greatly exceeds the cost of protection.”
Finance manager, American financial services company
Source: Q12: Do you think you have adequate funding to provide the level of IT risk management required to protect your organization’s reputation?
Q13: Over the past 12 months, how much has your IT budget increased due to concerns over reputational risk?
Q14: Over the next 12 months, how much will your IT budget increase due to concerns over reputational risk?
- 19. Reputational risk and IT: what you can do now
Start a reputational risk dialogue across your enterprise.
Have the reputational risk conversation — the sooner, the better
Elevate your discussion — lead with reputational risk to justify IT investments
Team up with your risk colleagues
Confirm partners’ compliance with your standards
Extend your reporting and escalation process to include reputational risk impact
- 20. Reputational risk and IT: what you can do now
Incorporate the key characteristics of companies reporting excellent
reputations.
Companies with excellent reputations see stronger links between IT threats and reputation, especially customer satisfaction and brand reputation
[Bar chart comparing organizations reporting their reputation as Excellent, Very good, or Average or worse, across four measures: Integrate IT into reputational risk management; Have strong/very strong IT risk management capacity; Have adequate IT risk management funding; Very strenuously require supply chain to match standards]
Source: Q2: Is IT risk management part of your organization’s overall reputational risk management strategy?
Q5: How would you rate your company’s overall ability to manage IT risk?
Q12: Do you think you have adequate funding to provide the level of IT risk management required to protect your organization’s reputation?
Q16: How strenuously do you require your vendors/partners/supply chain to meet the same levels of control that you require internally to manage risk?
- 21. Reputational risk and IT: what you can do now
Learn more about the reputational risk and IT connection, and how
IBM can help you protect the reputation and value of your company.
Download the full study report: it includes all you’ve seen today, plus other important findings
ibm.com/services/riskstudy
Add your voice to the discussion
Take the reputational risk survey online and get a
complimentary copy of the 2013 expanded report
Scan the code or go to bit.ly/ibmrisksurvey
Get the experts’ views on managing IT risk
The Reputational Risk Webcast Series features
industry and IBM experts exploring the relationship
between reputation and IT risk
ibm.com/services/riskstudy/webcasts
Explore how IBM can help you with:
Security
Business continuity
Technical support services
Request to speak with an IBM specialist about your business needs
- 22. Thank you for your interest
- 23. © Copyright IBM Corporation 2012
IBM Corporation
IBM Global Services
Route 100
Somers, NY 10589 U.S.A.
Produced in the United States of America
November 2012
IBM, the IBM logo and ibm.com are trademarks of International Business Machines Corporation in the United States, other
countries or both. If these and other IBM trademarked terms are marked on their first occurrence in this information with a
trademark symbol (® or TM), these symbols indicate U.S. registered or common law trademarks owned by IBM at the time
this information was published. Such trademarks may also be registered or common law trademarks in other countries. Other
product, company or service names may be trademarks or service marks of others. A current list of IBM trademarks is
available on the web at "Copyright and trademark information" at ibm.com/legal/copytrade.shtml.
This document is current as of the initial date of publication and may be changed by IBM at any time. Not all offerings are
available in every country in which IBM operates.
THE INFORMATION IN THIS DOCUMENT IS PROVIDED “AS IS” WITHOUT ANY WARRANTY, EXPRESS OR IMPLIED,
INCLUDING WITHOUT ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
ANY WARRANTY OR CONDITION OF NON-INFRINGEMENT. IBM products are warranted according to the terms and
conditions of the agreements under which they are provided.