While reputational risk covers an increasingly wide range, damage to corporate reputation from cyber liability has moved top of the agenda, reports Graham Buck
Reputation is an idle and most false imposition; oft got without merit, and lost without deserving.” Shakespeare gave this line to Iago 400 years ago and today’s corporates are still grappling with the capricious nature of reputational risk.
There was no shortage of high-profile casualties in 2017, such as Pepsi’s misjudged Kendall Jenner advert, United Airlines forcibly removing a passenger from an overbooked flight, McDonald’s first UK strike and revelations about Bell Pottinger’s activities in South Africa that triggered the PR firm’s demise.
“Each of these crises relates to poor corporate governance, whether it was in the way businesses viewed and treated customers, workers or the wider society,” says James Bickford, managing director of research and advisory specialist the Reputation Institute. “All had a profound financial impact.”
What’s more, episodes from previous years continue to reverberate, such as Tesco’s £250m accounting ‘black hole’ from misreporting and tax avoidance strategies employed by US giants including Amazon and Starbucks.
However, while such episodes might have impacted on the stakeholders of these corporates, their clientele wasn’t directly affected. Companies mishandling risks involving their customers or workforce can suffer both financial and reputational damage; no more so than when hackers are able to infiltrate personal data.
US retailer Target became the “poster child for major data breaches” in 2013, reports James Burns, cyber product leader at CFC Underwriting. As Christmas approached, the company reported that 70m credit/debit card numbers and records of customers’ personal information had been stolen.
“Target suffered a 20 to 30 per cent drop in profit in the quarter following the breach; its perceived lack of customer involvement impacting very negatively,” says Burns. “While sales eventually recovered, it wasn’t enough to recoup losses suffered in the aftermath.”
Subsequent resulting pay-outs included US$10m to settle consumer lawsuits, nearly US$40m to US banks and credit unions for resulting losses and a further US$18.5m to state enforcement agencies last May. Added to this was a US$200m plus bill for credit card unions that reissued affected cards.
UK supermarket chain William Morrison was recently found liable for the actions of disgruntled employee Andrew Skelton, who in 2014 posted the payroll data – including names, addresses, bank account details and salaries – of nearly 100,000 employees.
The court’s decision to hold Morrison’s liable for the breach, despite it being the victim of criminal activity by a trusted employee, promises to have implications for other businesses. They include ride-sharing pioneer Uber, which concealed a hack affecting 57 million customers and drivers.
Diverse responses
Burns says companies learned much from high-profile data breach cases in 2015, involving telecoms group TalkTalk and retailer Carphone Warehouse. “Although both incidents were similar in nature, the companies’ respective responses were very different.”
Dido Harding, then TalkTalk’s CEO, promptly set out on what aimed to be a damage limitation exercise. Unfortunately this was done without the company “first getting its ducks in a row” as it emerged that around 157,000 customers had been affected by the breach rather than TalkTalk’s entire customer base of around four million.
“Carphone Warehouse actually suffered a bigger breach, but managed to handle it more adeptly,” adds Burns. “While TalkTalk’s breach led to a parliamentary enquiry, Carphone Warehouse was able to limit the media attention received. Damage to its share price was short-lived and the company lost only a small number of customers.”
In the aftermath of a cyber incident, companies can usually deploy considerable PR resource to help manage reputational impact,” says Nicholas Hartley, head of business improvement and innovation at specialist insurer Ecclesiastical. However, charities and not-for-profit organisations often lack the same level of resource or expertise to deal with the fallout.
“The damage that might be caused following a cyber incident could be far reaching and have an impact on future fundraising, as well as eroding public trust in the organisation,” he adds. “Charities are often held to a higher standard by the public than large corporations and research by The Charity Commission revealed that one in three people said their trust in charities had fallen between 2014 and 2016.”
Changing priorities
Airmic’s CEO, John Ludlow, believes that underlying issues driving reputational risk are steadily becoming less about money and capital, and more about relationships and trust.
“Modern technology, social media and the way that news is now communicated all mean that both issues and bad news travel even faster,” he observes. Social media not only spreads messages quickly but enables the impact of an event on a corporate to be gauged via Facebook and LinkedIn.
The way that people feel about issues has also become more important, with customers increasingly no longer prepared to put up with poor service. “There’s always the option to take their custom and support elsewhere,” Ludlow says. “Stakeholders not only have more power; in addition companies and organisations also have a whole plethora of different stakeholders.”
He says that corporate risk managers have to identify the threats and vulnerabilities that matter most. “To understand that first involves understanding the stakeholders. The traditionally-held assumption that ‘if it’s legal, it’s OK’ no longer works. “Risk management requires asking how stakeholders feel about an issue. For example, it might be perfectly legitimate for a company to exploit the advantages of a tax haven, but how do stakeholders feel about it?”
The Institute of Business Ethics (IBE) annually canvasses public opinion of business behaviour and the issues considered important. Its latest survey, issued last month, found that just over half (52 per cent) of respondents believe business behaves ethically; better than the 48 per cent recorded in December but still down on the figure of 59 per cent two years ago.
Corporate tax avoidance has been a major gripe since 2012, with 38 per cent of respondents citing it as an issue that needs to be addressed, against 43 per cent last year. Publication of the Paradise Papers in November, following on revelations in the Panama Papers, means that the issue is likely to continue in the spotlight.
Second comes excessive executive pay, rising from 28 per cent to 30 per cent. “Although there has been some movement on this issue by companies, as past shareholder approved policies take effect, it will still take time to move the dial,” says IBE director Philippa Foster Back. “Naturally the public perception is that the changes are not quick enough.” Exploitative labour – companies offering poor pay and working conditions – maintains third place at 27 per cent.
Future shocks
Biggest corporate casualty of 2017 could ultimately prove to be US film studio The Weinstein Company, with a stream of sleaze allegations directed at co-founder Harvey Weinstein. “Sexual misconduct and inappropriate behaviour has certainly become as damaging, if not more damaging, to corporates than financial impropriety,” says Bickford.
Data gathered by Reputation Institute shows corporate governance – perceptions of fairness, ethics and transparency – has a more significant impact on reputation than ever.
“Governance now counts for 17.2 per cent of overall reputation, second only to perceptions of products and services,” adds Bickford. “The public want to be able to trust the businesses they spend their money with, and the alleged behaviour seen at Weinstein puts that trust at most risk.”
Looking ahead, as more companies introduce artificial intelligence and robotics any resulting redundancies will be news and carries a potential reputational risk. “AI strips out costs and increases returns, which is good for shareholders but destroys jobs and is therefore less popular with consumers,” notes Lyndsey Bauer, a partner at Paragon International Brokers. “It can create, and fail to meet, consumer expectations over performance, physical safety, privacy or ethics.”
The change will have to be carefully managed if a backlash is to be averted, which will involve retraining and reskilling affected workers where possible.
Reputational risk and crisis management insurance is available for companies seeking additional protection for their reputation and brand value, with a number of products such as AIG’s ReputationGuard. Other leaders include Tokio Marine Kiln, the Liberty syndicate at Lloyd’s and Novae Insurance (now part of Axis); however, Bauer reports that the market is relatively limited, offering capacity of £50m to £100m.
“Insurers approach reputational risk on the basis that if the loss is calculable, definite and derives from a fortuitous event then it can be insured,” says Bauer. “However, as underwriters and buyers often place differing values on reputation it can be challenging to agree an amount acceptable to both parties. For the underwriter, revenue directly reflects the company’s reputation, enabling them to measure loss arising from a specific event.
The company’s risk/insurance manager will be invited to specify issues they regard as the biggest reputational threats. “This is important, given that views on corporate ethics and behaviour are regularly changing,” adds Bauer. Once identified, the underwriter will ask why each issue is a matter of concern and a little more detail on the reputational threat posed.
“This is essential so that the company knows exactly what reputational risk coverage it wants, the scope of the insurance being purchased and the self-insured retention it is willing to bear.”
The cover aims to ensure the company can financially survive a reputational risk event that impacts on its net profit and continue to meet its costs. It extends to the cost of employing a PR agency to devise a crisis communications plan. That plan, says Bauer means everyone should have a role that is tested, which includes communicating with customers, investors, employees and the general public respectively.
She cites Marks & Spencer as an example of adept crisis response. “When M&S suffered a data breach in October 2015 it owned up to it early on, demonstrated that it cared and assured customers that it was investigating the issue.”
This article was published in the January 2018 issue of CIR Magazine.
Download as PDF
More interviews and analysis
Contact the editor
Follow us on Twitter
Printed Copy:
Would you also like to receive CIR Magazine in print?
Data Use:
We will also send you our free daily email newsletters and other relevant communications, which you can opt out of at any time. Thank you.
YOU MIGHT ALSO LIKE