IBM recently released its 2012 Global Reputational Risk and IT Study. The study was commissioned by IBM and conducted by the Economist Intelligence Unit, which specializes in doing these sorts of surveys correctly and credibly. They wanted to tease out how security and business continuity can shape the reputation and value of a company. This has always been a point of considerable debate in the IT security community. Several widely studied security and privacy breach incidents have led people to believe that a company’s stock price only takes a temporary hit as the result of a highly public security incident: the negative effects are temporary, and within a year or so the stock price is back to normal. Probably the most commonly cited case is the TJX security incident from 2007.
Claims about lack of impact on reputational risk to company stock price have always struck me as being suspect for a couple of reasons. First, these incidents are the rare, big story that is so big and so egregious that it gets reported in the press. But reputation is built from the thousands of small interactions that happen with individual customers day after day. Reputation can suffer “death by a thousand cuts” and no one would notice. Second, I’m not an expert on these matters, but stock price is far from the only valuation of a company. In my mind, stock price reflects people who have already decided to invest in the company or not. But it only indirectly reflects the reputation a company has with its customer base.
So it’s nice to see a study that actually talks to people about reputational risk instead of taking an econometrics approach to the issue. Based on these conversations, the study found the following:
“Based on this study of 427 senior executives worldwide, three principal forces drive corporate reputations: provision of a best-in-class product or service, customer engagement and trusted-partner status. Considering how companies are becoming increasingly dependent on technology to fulfill all three—to say nothing of running the business—the consensus is clear: IT risk can imperil companies’ productivity, damage customer relations and ultimately erode trust.”
The study also notes that “reputational risk” is emerging as its own distinct category in enterprise risk management programs.
Highlights from the 2012 Global Reputational Risk and IT Study
Here’s an infographic that summarizes some of the reputational risk study findings.