Michael D. Moberly March 5, 2014 ‘A blog where attention span really matters’.
According to Homeland Security News (March 4th) there is rising anxiety over the possibility of a cyber-attack on the U.S. power grid. In other words, both the private (industry) and government sectors respectively remain insufficiently set up to effectively counter the risks – threats posed by the cyber arena.
The report was produced by a Washington nonprofit called the Bipartisan Policy Center which admittedly did not produce much interest, primarily because there are literally hundreds of such entities ensconced throughout the ever expanding Washington, D.C. circular interstate highway system, many, if not most of which consistently seek notoriety and efficacy based on their presumed expertise and/or sought after endorsements from publicly recognized experts or airplay on C-SPAN.
With respect to this particular report, what did strike me as it having a higher level of credibility was that it was reportedly led by individuals whom most would agree possess unique insights into the subject matter, i.e., Michael V. Hayden, the former NSA and CIA director and Curt Hébert Jr., a former chairman of the Federal Energy Regulatory Commission.
Readers are respectively reminded that the U.S. is one of a very few countries in which much of its infrastructure, i.e., utilities, transportation, communication, healthcare, banking, water, etc., are under private sector ownership. So what turned out to be no particular surprise in the report, but still distressing, is that a percentage of these companies remain variously reluctant to share (cyber-security, cyber-attack) information with other companies presumably inside or outside their infrastructure sector.
I understand the rationale behind most such reluctance, that is, to openly share experiential information, the basis for which has been loudly and repeatedly conveyed following the terrorist attacks of September 11, 2001, because it involves the potential for antitrust violations, or merely giving away very expensive and proprietary intellectual and structural capital that delivers competitive advantages, along with numerous other intangible assets.
That said, I am unaware of any disagreement among the more notable players and information sharing advocates (related to cyber-security and attacks) is that ‘sharing’ is essential to reducing – mitigating vulnerability which can be accompanied by the wrath, scorn, and certainly reputation risk, all of which will surely materialize and be directed to companies accused of not sharing and/or being out of compliance with cyber-security ‘rules of the day’.
Equally troubling, the report cites, are federal rules intended to safeguard, the electric/power utilities from cyber-attack, which, as one example, have a basic flaw, which is, they do not give companies sufficient incentive to continually improve and adapt to ever changing cyber risks and threats.
In my judgment, perhaps the most telling aspects of the report are…
- public utility commissions are generally well set up to address new problems, presumably risks and threat to their systems and grids for which regulated utilities can add security costs to the expenses which they bill their customers, providing the regulators determine those expenditures to be prudent and warranted. The problem lies, the report say, in the reality that many regulators lack sufficient expertise to make – distingush these types of judgments.
- the report alos raised the issue that public utility commissioners, who decide which utility expenses are prudent and eligible to be passed on to customers, have trouble determining the value of such (security) investments.
- outside experts who were not involved with the report, nevertheless, endorsed some of its findings, e.g., Samuel P. Liles, of Purdue University’s Cyber Forensics Laboratory, rather pessimistically characterized risk – threat information sharing best practices as constituting “hit or a miss” propositions.
- Nadya Bartol, a cybersecurity expert with the Utilities Telecom Council, a trade association of electric and water utilities, said the report was correct in asserting that utilities might not always come forward with helpful information. The reason, she says, is because “if utilities say, ‘I have this vulnerability,’ they may be subject to fines if the cited vulnerability turns out to be a violation. Too, this circumstance thus may prompt additional hesitation – reluctance to talk about cyber vulnerabilities because, “if a utility puts it out in the public space, it elevates the probability they may get hacked even more.”
As a side note to the general findings of this report, on the morning of September 11, 2001, within minutes of the terrorist attacks on the Pentagon, I received calls from former students who were employed in various agencies in the District of Columbia describing to me in detail, their personal observations of what was occurring. Having military experience myself, and being an ardent researcher in information asset protection strategy, I rather instinctively called an acquaintance who’s role was director of security for a super computing environment and asked her if she was observing any potential adverse activity on ‘the grid’.
My concern, and that of thousands of others, were that the attacks at the World Trade Center and Pentagon were possibly forerunners to larger secondary, but perhaps, more expansive ‘cyber attacks’ on the U.S. infrastructure.
Interestingly, the response I received from my super computer security expert was the following, ‘Mike, I don’t know if anything adverse is occurring on the grid, I’m watching CNN, I will get back to you’!
Michael D. Moberly March 4, 2014 ‘A blog where attention span really matters.’
As even the most wayward observers of the recent Olympics likely know, Under Armour, in partnership with Lockheed Martin, developed a full-body racing suit for U.S. Olympic speed skaters at Sochi. I have no objective evidence that Under Armour, and perhaps by extension, but to a lesser extent, Lockheed Martin will experience anything resembling a (crisis level) reputation risk relative to the dissatisfaction expressed by a handful of American Olympic speed skaters regarding the use of those specially designed full-body racing suits.
Initially the new suits’ were met with enthusiasm, and by most open source accounts met or exceeded expectations in Olympic trials. But that enthusiasm quickly turned to controversy in Sochi because some speed skaters’ felt they slowed the wearer down. Specifically, the suits were designed with vents at the back intended to release (body) heat, but skaters believed the vents actually let air in, thus undermining the suits’ intended aerodynamic characteristics.
Under Armour VP Kevin Haley was subsequently quoted as saying his company would “move heaven and earth to make [the suits] better.”
I am cautious not to characterize myself as a necessarily seasoned specialist in company reputation risk of the caliber of Nir Kossovsky and other experts in this increasingly specialized field. But does, or better yet, should this ‘suit issue’ really rise to the level of a company reputation risk?
It’s probably fair to assume Under Armour sought collaboration with aerospace giant Lockheed Martin, because LM had existing technologies coupled with the necessary intellectual and structural capital to execute the suits’ design. And, let’s not overlook the fact that LM is a U.S. based corporation, something which Ralph Lauren’s presumed cadre of reputation risk advisors overlooked in a previous Olympics’.
Understandably, I suspect, Under Armour believed these specialized full-body suits and their link to LM’s aerospace (advanced technology) gravitas, would elevate their relatively narrow, but expanding niche (brand) in the sports apparel sector. But, the adverse voices of a few speed skaters coupled with returning the suits for alteration, produced a ‘global podium’ for expressing their displeasure virally.
This is certainly not what Under Armour envisioned, nor is there evidence, nor should there be, that Under Armour would put their ‘brand’ on the ‘global stage’ in this manner absent well considered expectations that it would favorably advance their brand. But again, should this rise to becoming a full blown reputation risk, I just don’t think so. However, the path option(s) Under Armour chooses, to not merely put this challenge behind them, but instead work diligently and transparently to remedy this challenge with integrity and strong commitment will become their ultimate test.
Michael D. Moberly February 27, 2014 ‘A blog where attention span really matters’.
As most readers of this blog recognize, generally through their personal – professional experiences, assessment and management of (company) risk has indeed become increasingly more complex and multi-faceted, particularly as we endeavor to guide our company’s and/or clients through the respective operational, audit, compliance, and budgeting obstacle course.
Throughout this so-called obstacle course, it is likely we will become inclined, at some point, to justify most, if not all of the factors used to assign a reasonably correct ‘risk rating’ to the various business units within our company or that of our clients.
But, and probably rightfully so, more company decision makers are requiring quantitative (data) driven findings to support a particular risk rating. So, no longer can security – risk management practitioners find comfort by focusing their attention almost exclusively the rather archaic latest zero-day risk materialization or exploitation events. To be sure, that landscape has changed so significantly that we must assume greater responsibilities.
So, in the security, asset protection, and risk-threat assessment and management arena, presenting a risk-threat rating that is simply or solely based on numbers may not result in the best (risk, threat) analysis that we are seeking. Thus, one path that gets us closer to arriving at a more accurate understanding of the actual risk-threat level necessary for business strategic planning and decision making, it’s necessary to introduce and factor multiple elements in the risk-threat analysis equation.
Thus, as we more routinely adopt a more inclusive and/or multi-dimensional view toward assessing risks and threats, additional complexity will likely be one outcome, e.g., quantitative and qualitative forms of measurement.
Quantitative risk-threat assessment…
Quantitative risk assessment surfaces as we develop the ability to assign a (specific) dollar amount/value to a specific risk or threat should it materialize. As an example, let’s apply quantitative risk assessment to a healthcare institution.
For simplicity, there are 1,000 confidential patient records and data that reside in a single database. This particular database is directly accessible by a web server which resides in a semi-trusted environment. That of course, constitutes a vulnerability (risk) in itself, and any compromise of the method in which the web server communicates with the database would likely result in the exposure (comprise) of all 1,000 patient records holding confidential data as conveyed by HIPPA (Health Insurance Protection and Portability Act).
Too, for discussion sake, and to add further complexity, during a recent ‘business impact analysis’ or BIA, it was found that the replacement cost for each compromised patient record would be $30. This cost includes (a.) contacting each patient to inform them of the compromise, (b.) changing each patients account numbers, and (c.) printing new health cards.
From this, one can easily determine that the maximum quantitative loss associated with a full compromise of that system is conservatively estimated at $30,000, excluding of course, the inevitable litigation. No doubt, as readers already surmise, there is more to consider. But does quantitative risk always have to ‘map out’ the money (loss or cost) aspects associated with materialized risks-threats?, probably not, because in many instances controls are automated with internally consistent and repeatable numbers being generated that can be used to create an alert dashboard or report directed to business unit managers when breaches or other adverse events occur.
Qualitative risk-threat assessment
Qualitative risk-threat assessment, on the other hand takes a different form. To demonstrate qualitative risk-threat assessment it is important to introduce additional factors, i.e., threat-risk vectors into the above example.
The first is, we learn that the patient database that previously held 1,000 records will now hold 10,000 records, possibly rising to 500,000 patient records. We also learn that (a.) multiple groups and/or business units within the healthcare institution will have access, and (b.) the capability to modify patient records, and (c.) the database/system will now come under the control of a different unit, i.e., the company’s Operations Group.
Obviously, substantive changes like this elevate – bring additional complexity to the risk-threat assessment we are endeavoring to calculate. Too add yet another layer of complexity to our risk-threat analysis, we are informed by the audit unit that the data in the database is (d.) neither encrypted in transit to the web server or at rest on the database. The coup de grace follows with the audit unit giving exactly ninety days to document and remediate these adverse set of circumstances, i.e., risks, threats, vulnerabilities, because, as it stands, this healthcare institutions IT system is not in compliance with HIPAA. Collectively, the additional factors serve to expand the risk-threat equation.
Now that these vulnerabilities (risks, threats) are known to exist relative to the institutions’ IT system, the next steps involve determining (a.) linking costs to any actual compromise, i.e., the materialization of a risk-threat or vulnerability being exploited, and also (b.) the probability that a specific or possible multiple vulnerabilities that have been identified will be discovered and adversely exploited by bad actors, or (c.) a single vulnerability materializing and cascading throughout the IT system.
The assessment process commences by examining the cost(s) associated with potential compromises, as (a.) single acts, (b.) as multiple acts occurring simultaneously, and (c.) the potential for adverse cascading effects throughout the institution, well beyond perhaps the IT system itself.
Because we now know there may be in excess of 500,000 confidential patient records stored on the database, it’s often prudent to consider – factor absolute worst-case scenarios, i.e.,
500,000 records X $30 remediation cost per record = $15 million.
In most any company’s perspective, the possibility of $15 million dollars being ‘at risk’ is significant. One problem associated with relying solely on this formula is that it is largely one-dimensional. In other words, just because a banks has $100 million in cash in its vault does not translate that the money could be easily stolen from the vault.
So, being prudent security – risk management professionals, we must have other way in which to assign a particular level of risk to a particular vulnerability that fully considers multiple (known) risk factors, not just one, or absent the possibility multiple risks could materialize in some manner of sequence and cascade. Such added (risk-threat-vulnerability) complexities should prompt practitioners to re-visit qualitative risk ratings.
One reason is because many companies, organizations, and institutions learn there is a necessity to have multiple, perhaps three to five qualitative risk levels which may be addressed in relatively simple, but in my view, ambiguous terms like low, medium and high.
Sources for quantitative and qualitative data…
Based on my own experiences, I, and many other security – risk management professionals information and insight related to quantifying probabilities for risk-threat materialization is acquired from such sources (a.) penetration tests, and (b.) vulnerability scanners.
Generally, these sources produce good and relevant information, but it’s important to acknowledge that it may be from delivering the necessary complete risk-threat-vulnerability picture because either can, and frequently does change rapidly and routinely. Consequently, in addition to conventional risk-threat-vulnerability assessments, each must be routinely monitored for the inevitable changes. A critical part of which is internal, that is information about the activities of legitimate and authorized users of the IT systems, i.e., such things as where do they go, what do they do, what do they click on, etc.
Welcome inspiration for this post is gratefully attributed to Stephen Sims of the Sans Institute Other Related Articles in Audit and Governance
Michael D. Moberly February 24, 2013 ‘A blog where attention span really matters’!
To the readers of my blog, please do not interpret this post as necessarily constituting an endorsement of a specific product or, in this instance a security technology.
But, I really did have a very stimulating, probing, and thought provoking conversation recently with one of the co-founders and now CEO of CrowdStrike, an Irvine, CA. based ‘security technology’ firm which Business Insider reported as being one of ‘The 15 Most Important Security Startups Of 2013’.
I am respectfully confident the other twelve security technology startups highlighted in the ‘Business Insider’ piece were exemplary in their own right and the various security technologies they developed and embedded in their product produce beneficial outcomes for their clientele – market space. But, in my view, CrowdStrike is perhaps, in a positive sense, somewhat atypical of numerous other technology startups which I have become familiar over the years, That is, based on my conversation with one of Crowdstrike’s founders, I surmised their experience and multiple symbiotic technologies and the relatively seamless and certainly strategic manner in which those technologies have been integrated was in no sense, merely a compilation of random outcomes of research in which someone eventually said, ‘hey, this may have some IT security applications’.
So, with many unremedied and forward looking concerns, risks, and threats facing businesses IT systems globally, CrowdStrike assembled a team of like-minded/experienced experts from various sectors to develop tiered-layered technologies to address the specific challenges expressed by the CFO’s, CTO’s, and CXO’s with whom they had acquired acquaintanceships.
CrowdStrike’s ‘pitch scripts’ appear o be genuinely fashioned and tailored to articulate and distinguish their technology in language c-suite’s can and do readily translate and convert in return-on-security-investment’ terms. But, more importantly, c-suites recognize CrowdStrike’s technology can mitigate problems they and many other companies were experiencing, i.e., the intangible asset losses emanating from the materialization of reputational risks, e.g., data breaches, etc.
So, by no stretch of one’s imagination could CrowdStrike’s founders’ and senior leadership be tagged as ‘newbies’ particularly in five essential areas in which appear to firmly grasp, i.e.,
· knowing – understanding, based on seemingly objective experiential research, the who, what, when, where, how, and why of networks of global adversaries.
· clarity of mission and purpose gleaned from countless conversations with c-suites globally.
· clear formulas for effectively framing the globally asymmetric contexts which risks and threats to IT systems can materialize.
· qualitative – quantitative recognition of ways which materialized (IT) risk – threats produce significant and often irreversible adverse economic – competitive advantage effects to companies.
· Integrate experienced language consistent with business decision making and risk prioritization.
Admittedly, IT security is not an arena in which I am as well versed as I am with intangible assets. As I have endeavored to convey in countless posts, I am an intangible asset strategist and risk specialist and have a clear understanding for identifying and mitigating adverse economic – competitive advantage impacts of data security breaches and/or manipulations to companies’ varied and contributory value combinations of intangible assets. And too, we know now, as economic fact, that intangible assets now routinely comprise 80+% of most company’s value, sources of revenue, and ‘building blocks’ for growth, profitability, and sustainability. So, any materialized risks targeting a company’s intangibles can have devastating outcomes.
I am particularly intrigued by CrowdStrikes’ development of indicators of materializing (IT security) risks and threats and their ability to link same to particular adversaries, in real time. All that, coupled with an awareness of adverse intangible asset impacts which risks-threats can bring to companies’ reputation, image, goodwill, and competitiveness, etc., solidly places them, in my view, in the category of being the right company with the right team, and the right strategy, at the right time to render them worthy of our attention, that is, possessing forward looking insights worthy of company decision makers’ attention.
Mr. Moberly personally researches and writes each post. Comments regarding my blog posts are encouraged and respected. Should a reader elect to utilize all or a portion of my posts, full attribution is expected and appreciated. While visiting my blog readers are encouraged to browse other topics (posts) which may be relevant to their circumstance or business transaction. I always welcome your inquiry at 314-440-3593 or email@example.com.
Please also see previous posts respectively titled, Intangible Assets Embedded In Security Products… and Intangible Asset Deliverables In Sales Reps’ Pitch Scripts.
Michael D. Moberly February 19, 2014 ‘A blog where attention span really matters!’
Tapping into the power of client self discovery…
There is little argument, certainly among education practitioners that what one discovers themselves, i.e., self discovery, is usually more memorable and presumably retained. Plus, it often triggers a desire for a ‘self discovery’ learner to share their discovery, suggests St. Louis-based Dale Furtwengler, author of ‘Pricing for Profit: How To Command Higher Prices For Your Products and Services’.
With respect to engaging a prospective client whom you aspire to sell a security product or system, the key to achieving ‘client self discovery’ Mr. Furtwengler says, lies in framing and posing the right questions. The questions should be posed in a manner that respectfully allows each prospective buyer to begin the process of assigning a value to the product or system in the context of the environment in which they are to be deployed.
Client self discovery however, seldom, if ever includes actually ‘telling’ a prospective client what the product or systems’ value is because in some instances, it can trigger skepticism or even resentment to being told this information versus exercising patience and respectful counsel that allows a pathway for the client to commence their own assessment and valuation process.
I define ‘pathway’ in the context of the previous days’ post which emphasized guiding prospective clients/buyers toward the concept – construct of ‘security intangibles’ produced by security products and/or systems as a value and/or return-on-security-investment assessment approach. This will allow prospective buyers to ‘discover’ at least initially…
- the added value the product/service will deliver to their space or environment, and also
- allow them to ‘validate’ that value, preferably through a particular experience, i.e., risk, threat, adverse event that has occurred to – in their company.
So, to effectively ‘tap into the power of client self-discovery’ the security sales professional needs to determine – assess whether a prospective buyer…
- understands and values the offerings, i.e., security products or systems and the ‘security intangibles’ that will be produced.
- recognizes the products – systems contributory value as a pathway for elevating company image as being a leader and innovator.
- has an interest elevating the company’s image and stature amongst its peers in its sector as an integral part of the overall value proposition innovation to the security products – systems being pitched.
Client self discovery…
Here are some qualities of an effective consultant that helped a client ‘self discover’ extracted from ‘The Strategic Planning Blog’.
“I asked a colleague recently how a strategic planning meeting with a new client turned out. Her response was conveyed as…
- the good news is, together we crafted an excellent and viable strategy.
- the bad news is, the clients believe they did it themselves. Adapted by Michael D. Moberly from a August 22, 2011 post at ‘The Strategic Planning Blog’ authored by John Johnson.
What my consultant peer considers bad (i.e., ego bruising) news would be music to my ear. Why? When the light of understanding and, thus, conviction turns on in the client’s head, it is considerately more powerful than when a vendor ‘spoon feeds’ your solution. What characterizes the development of a successful strategy is not necessarily a brilliant answer by the vendor, but a brilliant question posed by the vendor to the client that influences them to shift their thinking.
Strategy invariably involves new ways to approach problems and challenges as well as opportunities because it has become clear that the previously applied processes/ways were not working successfully. But new ways are sometimes interpreted as being threatening to some based on the assumption they are untried and therefore success is not guaranteed. The crafting of a new strategy is just the first step. The execution of that strategy is the vital next step and falls primarily in the client’s lap to ensure they are invested in its outcome.
Michael D. Moberly February 18, 2014 ‘A blog where attention span really matters!’
Respectful suggestions to security product developers, manufacturers, marketers, and sales…
Let’s start by accepting the economic fact that an expanding majority of our work, business transactions, R&D and manufacturing, etc., occur in a ‘globalized’ economy that is increasingly rooted in intellectual, structural, and relationship capital, i.e., intangible assets which now constitute 80+% of most company’s value, sources of revenue, and ‘building blocks’ for growth, sustainability, and profitability.
But, let’s also accept another reality, which is, while the above economic fact is routinely born out in numerous studies, starting, in my view, with The Brookings Institute’s Intangibles Project evolving over several years in the late 1980’s and early 1990’s culminating in the publication of ‘Unseen Wealth’ authored by Margaret Blair.
Unfortunately, however one may wish to call it, e.g., an economic fact or new business operational reality, neither has yet to become so self-intuitive to be permanently affixed to management team and c-suite radars or dashboards.
The initial step is to develop an understandable ‘pitch script’…
Regardless, this irreversible consequence of an economy and its business transactions being rooted in intangible assets, it becomes all the more essential for security product and/or system R&D, manufacturing, marketing, and sales to develop ‘pitch scripts’ that bring clarity to prospective clients – buyers insofar as recognizing the various ways a company can elevate its value, add sources of revenue, and solidify its sustainability, profitability, reputation, stature, image, goodwill, and relationship capital, merely through effective utilization of intangible assets already embedded in security services, products, and/or systems.
Too, a well designed and articulated ‘pitch script’ that brings clarity to security intangibles will elevate prospective client – buyer receptivity to paying a premium and also recognize the return on security investment (ROSI) that ‘security intangibles’ produce to favorably affect a company’s bottom line.
Well developed and articulated pitch scripts, says Dale Furtwengler, an especially intuitive St Louis-based business strategist and author of ‘Pricing for Profit: How To Command Higher Prices For Your Products and Services’ play a significant role in increasing the probability prospective clients/buyers will be inclined to make quicker buying decisions, while again, paying a premium.
Bringing real circumstance-environment specific clarity and relevance to ‘security intangibles’ also contributes to company’s achieving their strategic objectives. For example, when users of an environment, e.g., retail, office space, etc., feel (sense) their environment respects their patronage and/or productivity by introducing relevant security measures the outcomes are experiencing elevations in repeat customers – clients, or achieving a more productive and elevated employee retention rate.
Furtwengler also points out that the more clarity sales persons bring to buyers…
- leads to more informed decisions, and
- reduces the probability that buying decisions will be postponed.
A critical prelude to achieving success, Furtwengler emphasizes, and certainly no disagreement here, are that effective ‘pitch scripts’ must also describe…how to calculate the monetary value of the intrinsic (intangible) value which a vendor or consultants’ services and offerings will actually provide!
Furtwengler’s experience tells us further that when prospective buyers find themselves unable to distinguish one vendor’s services, products, or systems from another’s, a prospective client/buyer will likely and quickly turn to the conversation to (product) pricing. When this occurs, it generally translates as…
- the act of articulating and/or distinguishing the intrinsic (or, intangible) value a security product produces has not been effective, thus
- a prospective client or buyer may be inclined to view similarly competing offerings as distinctions without a difference.
That’s because, when this critical component is not credibly integrated into one’s ‘pitch script’, pricing becomes the dominant differentiator because many prospective buyers believe price to be the only remaining means to distinguish proposals and is something which business decision makers readily understand.
Furtwengler, certainly an experienced practitioner, draws attention to another reality, which is, most prospective buyers actually ‘expect to pay more to get more’, but only if ‘getting more’ adds actionable value and is recognizable to them, or users or consumers as a positive.
While acknowledging other issues and/or dynamics may be in play, Furtwengler wisely translates this as a vendors’ ability to…
- achieve quicker buying decisions, and command higher fees is substantially dependant on their ability to
- articulate the greater (security intangible) value their product and/or service will produce, coupled, of course, with a
- demonstration of specific strategies how that value can be monetized to benefit the buyers’ respective needs and demands as well as those of the users environment.
Admittedly, as Furtwengler respectfully emphasizes, and, as an intangible asset strategist, I must agree, it’s important to recognize that ‘the greater value’, i.e., security intangibles, initially derive from the deployment of tangible – physical assets, i.e., security products and/or systems.
It is at this point that Furtwengler describes the necessity for ‘value propositions’ which are what most prospective buyers of security products and systems will attach value to which I have taken some liberties of Furtwengler’s work, conveyed below, to hopefully render value propositions specifically relevant to security product-system sales. That is, value propositions should include, at minimum, these five components, i.e., security…
- Products’ innovative image: As this accrues it can manifest to elevate a company’s image and stature by being associated with and deploying specialized (leading edge) security – asset protection products.
- Vendors’ integrity and trust worthiness: As this manifests during sales calls, it manifests as reducing the amount of time required for a prospective client – buyer to make their buying decision.
- Product service and dependability: Simply stated, this means ‘doing it right the first time’ so clients-buyers do not lose time, patience, or deplete the products’ image and integrity of the vendor later due to expensive remediation and ‘down time’ before product/system deployment is fully operational.
- Vendor and/or sales reps’ must be very knowledgeable about the product or system they are selling: This translates as time savings. That is, one who knows their product well and can clearly articulate same in understandable terms, are helping prospective clients/buyers to recognize (a,) what they really want, need, and value to mitigate risks/threats,(b,) relative to their specific circumstance or environment.
- Speed andconvenience of the products’ integration/application into the buyers’ environment: For a prospective client this translates as time savings which can be a significant factor in buy – don’t buy decisions, especially when (a.) there are similarly competing products in play, and (b.) there is an immediate need for a particular security – asset protection product.
The ‘FUD’ factor…
I have never been a proponent of utilizing the FUD factor, i.e., sewing seeds of fear, uncertainty, and doubt in the minds of prospective clients-buyers perhaps through highly dramatized examples, as being a very respectful persuasion tool. I admire Furtwengler for excluding this still widely used practice, particularly when security, risk, and threat issues are in play as a presumptive starting point for a sales call. Admittedly, playing the ‘FUD card’ may be difficult to resist, especially if a prospective client has already had a risk – threat materialize, but still exhibits reluctance, dismissiveness, or is slow to make a buying decision.
Fortunately, I now see more security product-system vendors who previously found comfort in commencing sales calls with dramatized narratives that included highly subjective FUD factor aspects, now opting to incorporate variations of ‘security intangibles’.
I am most confident, security product developers, manufacturers, and vendors would be well served by adapting and incorporating variants of this language in their marketing/promotional materials and sales pitch scripts. Again, the rationale for incorporating this language is that today’s business environment is global, increasingly competitive and predatorial, and dominated by intangible asset intensive companies, whether their leadership – management teams’ acknowledge it or not.
In other words, it’s obligatory today that security product’s, and how they are developed, manufactured, marketed, promoted, and ultimately ‘pitched’ reflect these irreversible and paradigm shifting economic facts and business realities particularly as management teams, c-suites’ and boards become more operationally familiar with intangibles and their associated fiduciary responsibilities.
Inspiration for this post largely rose from various messages conveyed in Dale Furtwengler’s fine book ‘Pricing for Profit: How To Command Higher Prices for Your Products and Services’.
Michael D. Moberly February 17, 2014 ‘A blog where attention span really matters’!
I have been advocating for sometime the importance of articulating the additional value security systems, services, and products deliver, which I refer to as ‘security intangibles’. I would be remiss however, if I failed to note that, in today’s increasingly security conscious and (security) standards-compliance driven environments, those desiring to espouse – leverage ‘security intangibles’ should be aware that…
- legal counsel may caution public articulation because, they believe, by doing so, may unduly heighten user expectations, thus if/when a risk/threat does materialize, a company may subject itself to elevated liability exposures.
- intangible assets, by their nature, lack a conventional sense of physicality which some find far too esoteric to frame in product marketing materials or sales pitches, that sufficient enough to constitute a competitive advantages and/or client – user premium.
- intangible assets are routinely portrayed – reported, almost exclusively in accounting and valuation contexts. There is little broad-based familiarity how to convert ‘security intangibles’ in terms of what security products and/or services produce, outside those conventional parameters.
- some security practitioners hold the perspective that public announcements about the presence-use of security products and/or systems undermine (their) potential deterrent effects, and thus compromise the benefits they could produce.
Admittedly, these perspectives are understandable and even somewhat challenging to refute. However, based on my own, sometimes daily experiences in responding to these issues from various professional sectors, buyers (companies) are, as suggested, dismissing substantial value if they overlook or are dismissive of ‘security intangibles’, i.e., goodwill, reputation, and image, etc. And, by overlooking security intangibles, individual user imagination and perception becomes the dominant interpretive variable in which users come to draw their own, albeit subjective conclusions which may not take into account the value-added and risk – threat prevention premiums, i.e., ‘feel good, feel safe, be productive’ or security intangibles.
Collectively, this should remind buyers of security products, systems, and/or services of the economic fact – business reality that 80+% of most company’s value and sources of revenue, etc., evolve directly from intangible assets. Thus, user expectations, i.e., the necessity to ‘feel safe, feel secure, and be productive’ can be legitimately and prudently articulated in the form of the contributory value and competitive advantages rooted in security intangibles.
Convergence of environmental design and security…
Building and environmental design and security intangibles can, and frequently do converge. For example in a security product (vendor) presentation I recently witnessed, it was clear the product had multiple potential selling points and numerous environments where this product could be deployed and would likely exceed buyer and user expectations.
Unfortunately however, the products’ inventor either did not recognize or chose not to incorporate either in her presentations or sales calls. And again, this left the variously attractive and unique security intangible features of the product to the imagination, assessment, and measurement of uninitiated prospective buyers.
Had this security product inventor, turned vendor, developed a sales script narrative, something which I encouraged him to do, to artfully describe the products’ security intangibles and then demonstrate how to strategically bundle same, I have no doubt prospective client-buyer receptivity would be substantially elevated because, among other things, there would have been more measurable clarity and breadth to return-on-security-investment objectives.
Intangible asset value multipliers and risk mitigators…
Again, all too frequently, contributions intangible assets make to company value and/or serve as underliers or preservers of sources of revenue, are overlooked, neglected, or outright dismissed. One reason is that these important and relevant attributes may not be so obvious to the uninitiated because conventional assessment is obscured by (a.) intangible assets’ lack of physicality, and (b.) company management teams and procurement personnel do not know precisely where or how intangibles can be accounted for, e.g., reported on balance sheets or financial statements, or whether they should even be reported at all.
Collectively, these circumstances lend themselves to the value add and competitive advantage elements of security intangibles remaining unrecognized, un-protected, undervalued, or not valued at all.
So, why is it necessary to acquire an operational familiarity of intangible assets…?
Because I am an intangible asset strategist and risk specialists, I routinely and respectfully characterize intangible assets to prospective clients and/or company management teams as being akin to the proverbial ‘hand in front of our face in a pitch dark room’. That is, they’re often developed internally, sometimes over time, and become embedded in a company’s routine operations, processes, and functions, but, in many instances, remain under a management teams’ mba – tangible (physical) asset oriented radar and thus seldom reach prominence on their respective ‘dashboards’.
Similarly, company’s engage in countless HR-related functions as well as a range of business transactions in which the intangible asset components of either go unnoticed, unused, and seldom effectively exploited.
So, why, or how, I’m often asked, is it beneficial and necessary for company management teams, c-suites, and procurement personnel to acquire an operational familiarity with intangible assets now? And, how can such familiarity translate as multiplier effects and risk mitigators as the title of this post suggests?
The answer of course lies in being able to recognize, position, and exploit a company’s intangible assets, be they security intangibles or others, with the objective to extract as much value as possible in the form of generating favorable reputation, image, goodwill, and competitive advantages, etc., for the duration of the assets’ contributory value – functionality cycle.
Ultimately, it seems to me that when 80+% of a company’s value and sources of revenue either lie in or evolve directly from intangible assets, management teams are obliged to…
- begin exercising consistent, effective, and sufficient stewardship, oversight, and management of their intangible assets, and
- sustain control, use, ownership, and monitor the assets’ value, materiality, and risk.
Outcomes and multipliers of effectively incorporated security products…
Other, equally valuable and beneficial outcomes, i.e., multipliers of effectively incorporated security products, systems, and/or services include…
- recognizing the initial objective is to identify, unravel, and safeguard the sources of value which, in this case, the ‘security intangibles’ deliver to consumers and users of the environments in which they have been deployed.
- adding predictability to outcomes of materialized risks – threats buttressed by objective calculations for assessing people and property (asset) vulnerabilities, preventing, mitigating, and/or restricting potential cascading effects and their collective relevance to achieving projected returns, sustaining competitive positioning and internal – external synergies, efficiencies, and reputation.
- reducing the probability the ‘security intangibles’ will become a breeding ground of sorts, to costly, time consuming, and momentum stifling exposures and legal challenges that will erode and/or undermine security intangibles’ value, performance, and/or a company’s competitive advantages, reputation, image, and goodwill, etc.
- providing a durable foundation for aligning security intangibles’ utilization and exploitation with (a.) continuity-contingency planning, (b.) organizational resilience, (c.) risk management, and (d.) a company’s strategic business objectives.
- contributing to building a relevant and company specific operational culture attuned to security intangibles’ and the various ways they contribute value.
- treating the procurement and deployment of security products, systems, and/or services as genuine business decisions and not solely legal, accounting, or compliance processes.
- creating segues for converging security intangibles to achieve more timely awareness and thus opportunities to mitigate or restrict potential cascading affects of risks or threats that have materialized.
- providing an effective foundation for introducing knowledge management initiatives and balanced scorecard approaches to a company.
Security intangibles’ produced by security products, services, and/or systems…
- can be enterprise wide or circumstance specific blends, combinations, and/or collections of outcomes that enhance processes (structural capital), relationships (relationship capital), and guide activities, initiatives, and decision making which collectively create differentiators, competitive advantages, and additional (company) value. Michael D. Moberly.
- can be economically sustainable competitive advantages anchored in – evolving from features and capabilities of security products, services, and/or systems that set a company apart from its competitors by generating additional and sustainable revenue, user goodwill, sense of care, reputation, and image. Michael D. Moberly
- often emerge from the unique and sometimes times proprietary knowledge related to security products are deployed and used and the additional value that surfaces coupled with the unique understanding of how that knowledge can be used to extract the most value and competitive advantages to benefit users. This is a significant adaption by Michael D. Moberly of work published in McKinsey Quarterly, 2004.
- may not always be the result of a planned action or the product of specific capital allocation decisions. Adapted from Brookings Institution – Understanding Intangible Sources of Value by Michael D. Moberly
Security intangibles should become permanent fixtures on security product R&D, marketing, and sales dashboards because…
- most company’s value, sources of revenue, and ‘building blocks’ for growth, profitability and sustainability today directly evolve from – lie in intangible assets.
- slight advances in technology, minor improvements in production, and/or small refinements in business processes through better utilization of intangible assets can afford companies tremendous competitive advantages over their market rivals. Christopher R.J. Pace adapted by Michael D. Moberly
- the contributory value delivered by most intangible assets can, if left unmanaged, un-monitored, and unmeasured become perishable and certainly very costly and time consuming to regenerate if compromised, lost, or undermined, particularly when considered it’s adverse effects among users and/or consumers. Too, when either occurs, economic – competitive advantage hemorrhaging can commence immediately and seldom ‘can the environments’ goodwill and reputation genie be put back into its bottle absent time, costs, and probably litigation that will adversely affect both goodwill, reputation, and revenue streams.
Michael D. Moberly February 13, 2014 ‘A blog where attention span really matters’.
In far too many instances, vendors, marketing, and sales personnel engaged in the security product, system, and/or services sector overlook, dismiss, or neglect to describe (familiarize) prospective client(s) with the intangible assets that will most assuredly accompany and add value to products, systems, or services being marketed and pitched.
What are ‘pitch scripts’ and how are they relevant to marketing, selling security intangibles…
Pitch scripts are persuasive tools to command premium fees and quicker purchasing decisions, especially when they include – describe intangible asset deliverables that enhance prospective clients’ value, competitive advantage, and profitability…(Dale Furtwengler)
The reality is, a majority of business transactions now occur in circumstances in which intangible assets are in play, often times with the transaction itself being dominated by intangible assets. Thus, it’s all-the-more likely that a favorable ’purchase decision’ will occur when sales, marketing, and/or business development practitioners duly incorporate ‘security intangibles’ in their ’pitch’ that draws favorable attention to the product, service, and/or systems’ deliverable security intangibles.
Why is this important…
Why is it important for security vendors (marketing and sales representatives, etc.) to reflect on this finding and incorporate it into their respective marketing – sales pitch scripts?, it’s because, globally speaking, 80+% of most company’s value, sources of revenue, growth, profitability, and sustainability lie in – evolve directly from intangible assets.
This makes it not merely prudent, but essential for…
- vendors to acquire an operational familiarity with what intangible assets their products deliver and how, and how the delivery of those intangibles are relevant to prospective buyers.
- prospective buyers to acquire an operational familiarity with intangible assets insofar as helping them discriminate and articulate, with greater precision, what they want the security products (services, systems) they purchase to produce on relevant to the environment and the users of the environment in which they are to be deployed.
An increasingly essential requisite for buyers and sellers of security products (services, systems, etc.) is to acquire this level of operational familiarity with intangible assets, to routinely act on the above, i.e., for…
- vendors, this includes understanding and being able to articulate the desirable and value add intangible assets their product can deliver – contribute to a broad array of environment.
- existing or prospective clients/buyers achieving operational familiarity with intangible assets will bring clarity to identifying and articulating, precisely what they want a security product (system, service) to achieve and develop objective means to assess actual pre and post outcomes and deliverables.
These perspectives evolve from informal, but respectful and random encounters I had with 100+ vendors – exhibitors at ASIS Internationals’ 2013 Annual Seminar & Exhibits held in Chicago. For those unfamiliar with this event, it is correctly touted as being the world’s largest security education and exhibits venue, with, as I understand it, well in excess of 5000 exhibitors displaying and marketing their innovative wares to 12,000+ attendees.
Admittedly, I am a intangible asset strategist and risk specialist who has been directly engaged in the security profession for 27+ years. Since I have been examining these issues, starting in the late 1980’s, I have consistently found, with few exceptions, that most security products, systems, and services produce – deliver meaningful and valuable intangible assets to most every environment in which they are applied, but largely remain unrealized, unattributed, and unmeasured.
For example, security products such as access control, intrusion detection, and/or CCTV systems, when correctly incorporated into an environment can produce constructive intangible assets that will compliment buyer’s operating culture and equally important, what have now largely become user’s expectations. As already noted, these expectations broadly translate as that sense of feeling safe, secure, and being in an environment where they can be productive. Absent the ability to clearly articulate these senses (deliverables) qualitatively and quantitatively, there will be a lot of unrecognized, unmeasured, and accounted for value left on the proverbial negotiating table.
Articulating ‘security intangibles’…
The responsibility for articulating this or related ‘sense’ of personal or asset safety, security, and ultimately return on security, lies primarily with vendors, because it is expected and assumed they know and understand the intricacies of their product relative to where, how, and/or whether it will accommodate a clients expressed concerns and needs and the boundaries and/or margins of its designed and intended application.
Too, much responsibility lies with vendors to thoroughly understand each prospective buyer’s environment and the needs and/or concerns they aspire to prevent or mitigate as well as what they want they seek to sustain or achieve on behalf of their users and their overall environmental culture and demeanor.
As consumers, we have come to expect that when we purchase most products’ retail, the transaction is supported and accompanied by a warranty, some type of service contract, or the retailer’s return policy which we may or may not ever have to execute. These are generally taken-for-granted manufacturers pledges of sorts, which translate for consumers as a favorable sense of assurance about a products’ quality, longevity, and functionality, i.e., a company’s reputation, which collectively reduces the likelihood we, as consumers, will have to incur any additional costs other than the inconvenience associated with returning the product to either its manufacturer or point of purchase if need be.
So, can or should security product manufacturers and vendors be expected to develop and possess in their sales pitch repertoire sufficiently precise language to articulate the actual intangible assets their product(s) will deliver once purchased and correctly deployed? In light of the economic fact that 80+% of most company’s value, sources of revenue, and competitive advantages evolve from intangible assets, I am confident the answer to that question can only be a resounding yes. Yes that is, that manufacturers should be cognizant of – routinely reflect on the intangible assets their product will produce even during its earliest stages of development. This will help ensure the intangible deliverables will be effectively conveyed in product marketing materials and ultimately be integrated in vendor – sales rep’s ‘pitch scripts’.
The underlying inspiration for this post is credited to my colleague Dale Furtwengler and the various messages conveyed in his fine book ‘Pricing for Profit: How To Command Higher Prices for Your Products and Services’.
Comments regarding my blog posts are encouraged and respected. Should a reader elect to utilize all or a portion of my posts, full attribution is expected and appreciated. While visiting my blog readers are encouraged to browse other topics (posts) which may be relevant to their circumstance or business transaction. I always welcome your inquiry at 314-440-3593 or firstname.lastname@example.org.
Michael D. Moberly February 6, 2014 ‘A blog where attention span really matters’.
Pharmaceutical company’s ‘futures market’ for reputational risk, kicking the ’reputational risk can down the road’.
As regular readers of this blog know, I am an intangible asset strategist and risk specialist who also has a strong interest in most ‘all things intangible’ including offering guidance to companies to avoid incurring potentially costly and with increasing frequency, irreversible reputational risks.
I am also an ardent NPR (National Public Radio) listener. Recently I listened to an NPR program, i.e., The Dianne Rehm Show, in which had three well versed guests variously addressed, from their respective perspectives, the subject of ‘low testosterone’ for men, of course with the benefit of Ms. Rehm’s formidable probing questions.
During the program, while listening to Ms. Rehm’s questions and the responses and remarks made by her guests, it occurred to me that pharmaceutical drug pitches, now well embedded in every media marketing format, may collectively constitute, for lack of a better term, a ‘futures market’ for reputational risk to ‘big pharma’.
My point is this, there are potential ‘future) reputational risks these media campaigns may pose to pharmaceutical companies in terms of influencing viewers/readers, i.e., men, to ‘self diagnose’ based on a generalized check list of physical and emotional symptoms someone has deemed to be associated with men experiencing low testosterone.
So, prompted no doubt, in large part, by the significant rise in prescriptions being written for drugs marketed as elevating or balancing men’s testosterone levels as necessary to mitigate or relieve men of the symptoms the media advertisements have associated with men experiencing ‘low T’. Now, we learn there are various research entities, including the FDA which have identified specific adverse side effects to consuming these drugs by men, several of which may rather obviously outweigh the benefits, e.g., elevating one’s vulnerability to incurring a heart attack in the initial 70+ days of taking the drug.
To bring more clarity to my question, are pharmaceutical companies that engage in media – marketing presentations aimed at producing not so subtle subliminal inclinations for viewers to (a.) self-diagnose based on the laundry list of symptom descriptors, and (b.) actually seek these recommended’ therapies from their physician, may be positioning (auctioning) themselves to incur future reputational risks in favor of more immediate revenue generation and profit making?
Too, one must ask whether skillfully created media messages that portray a particular disease as perhaps being more prevalent than it really may be, prompts me to reconsider the old adage of ‘the tail wagging the dog’, or, are drugs being manufactured in search of a disease?
The intent seems rather evident, that is to (a.) elevate awareness linked with readily understood symptoms, in order to (b.) create a broader market demand for the drug, when again, the health benefits or adverse complications are yet to be fully understood.
I claim to possess no insight or medical background to make any medical judgments on this matter. However, through my lens as an intangible asset strategist and risk specialist with strong interest in objectively elevating operational familiarity about corporate reputation risks, I find this, and other similar circumstances akin to ‘kicking the reputation risk can down the road’. That is, profitability now and costly reputation risk tomorrow, should this or other drugs are found or confirmed to be more physically or emotionally detrimental than what’s being conveyed in the media marketing disclaimers.
Michael D. Moberly February 5, 2014 ‘A blog where attention span really matters’!
The ACE Groups’ 2013 Survey of Reputation Risk…
For readers who may be unfamiliar with The ACE Group, it purports to be one of the world’s largest multiline property and casualty insurers for a diverse clientele with operations in 54 countries. In reviewing its 2013 report (survey) ‘Reputation at Risk’ authored by Andrew Kendrick, President, ACE’s European Group, there are some revealing findings that broadens current thinking regarding reputation risk. So much so that business decision makers globally would be well served at minimum, to read this entry, but also read ACE’s entire report.
Admittedly, I am a little unsure just how surprised I should be about ACE’s survey findings that merely one in five companies reported they are very effective at measuring external perceptions about their company. My absence of surprise emanates from the reality that I have yet to meet a marketing practitioner or buyer, for that matter, in any business sector, who does not purport to possess a fairly high level of insight into their consumer base, i.e., likes, dislikes, preferences, etc., but actually (objectively) measuring and translating those insights into clarity about external perceptions, seems to fall somewhat short. Obviously, marketing practitioners and buyers are likely to have little, if any, operational familiarity with company reputation risk or its management.
Need for measuring external perceptions…
For most of us working in this arena, we stipulate that measurement of external perceptions, i.e., reputation, can be challenging to get it right. Perhaps most of all, ‘getting it right’ is certainly not impossible, but it does require…
- an enterprise wide commitment, and
- not being considered sufficient if it merely a ‘snapshot-in-time’ description.
Companies today are obliged to engage in more frequent dialogue with external stakeholders to genuinely understand and assess their views and then…
- regularly monitor and (re-)evaluate their external environment as methodically as possible to identify reputational risks and/or threats that may be emerging – are on the horizon, and
- assess, if they materialize, the various ways they may adversely affect – jeopardize external relationships.
Some companies assume operational risks and reputation risks are synonymous…
While anecdotally, there is increasing evidence that some companies are treating reputational risk with the importance it deserves, a large percentage of companies are doing little, if anything of substance in this arena. Regarding the latter, the reasons are varied but generally originate from two rationales, i.e., reputation risk management…
- appears as being somewhat of a frontier concept which company decision makers are reluctant – reticent to develop the necessary safeguards, and also
- some companies have not developed or integrated relevant process – practices to effectively address ‘their’ reputation risk challenges, thus, it is seldom an action – discussion items in c-suites, in boardrooms, or among management teams to move it forward, and still
- some companies appear determined to argue that no special measures are necessary to safeguard or manage a company’s reputation, because, they assume, reputational risks are merely the outcome or product of materialized operational risks, and since operational risk is already being managed, they must have reputational risk covered as well.
Neither stance is persuasive, and certainly neither is defensible from the point of view of directors’ fiduciary duties to shareholders to protect (and grow) the assets of the company (not to mention other duties increasingly being introduced to take account of other stakeholders’ agendas). Inaction by directors could eventually land them in hot water in terms of personal liability, but we should not see the reputational risk agenda as one simply of threat and downside. There are many positive reasons for taking steps to master this difficult challenge.
Increased prevalence of reputation risk…
Few could argue successfully in my view that increases in the prevalence of materialized reputational risks…
- is variously linked to an elevated intensity of public scrutiny of company behavior and expectations, along with the rising importance of corporate sustainability,
- which have placed more emphasis on companies to demonstrate strong (business, operational) ethics and thus, changed stakeholder expectations in terms of how companies should be behaving.
But neither can companies afford to ignore the demands of those who are not shareholders, if a company is publicly held, instead, they must balance the needs of a broad range of stakeholders, including the public, their employees and the communities in which they operate. By doing so, creates a surer path to effectively safeguarding a company’s reputation. More specifically, as Warren Buffett is reported to have said, ‘we must continue to measure every act against not only what is legal, but also, what we would be happy to have written about it on the front page of a national newspaper.’
Underestimating reputation risk challenges…
Of course, I agree with ACE’S findings that (many) companies, and their management teams, underestimate the challenges associated with reputation risks, and their management.
Interestingly though, almost four in ten respondents to the ACE survey also report their companies have confidence in their ability to address and recover from a ‘crisis’ ala crisis management with 32% believing they are very effective at restoring reputation following the materialization of a risk event. Admittedly, I am skeptical about merging or assuming crisis management and reputation risk management are necessarily synonymous.
Most company management teams recognize however, that the time that companies now have to respond, be it a reputation risk that has materialized or some other form of crisis event, their potentially adverse impact should no longer be factored in weeks and months, instead, in hours and minutes, thanks in large part to the globally instantaneous functionality of expanding numbers of social media platforms. One outcome of this particular reputation risk phenomena is that fewer companies have the luxury of a second chance!
Quite understandably then, further findings of ACE’s survey suggest that companies actually be underestimating the speed which reputation risks can materialize and cascade, in other words, the various and multiple challenges associated with a crisis in what appears to be a ‘faster than real time’ context.
A reputation risk insurance perspective…
On the other hand, from an insurance perspective, two-thirds of ACE’s survey respondents feel inadequately covered for reputational risk. So, one can presume the respondents distinguished ‘crisis management’ from ‘reputation risk management’.
Broadly, survey findings indicate the insurance side has a potentially valuable role insofar as helping companies manage the more traditional – conventional types of risks more effectively initially, which can mitigate/reduce damages incurred by reputational risks by applying a ‘reputational risk lens’ which allows parties to more clearly recognize any (potentially adverse) external perspectives which are integral to a company’s reputation.
There is a lot at stake for companies…
‘Caught in the headlights’ may be an appropriate descriptor for a substantial number of companies, insofar as recognizing the speed and adverse realities of being the target of materialized reputational risks. Many, if not most of my reputation risk management colleagues agree that balancing speed of recognition coupled with agility in terms of having multiple response options at the ready.
There is no question that reputation is now critical, more than ever, to the long-term financial and competitive advantage health of any company.
Materialized reputation risks can produce severe financial consequences…
It should be quite obvious by now that a materialized reputational risk can have severe, long terms, and in a percentage of instances, irreversible financial consequences on a company, e.g.,
- adverse media attention, such as a product recall or major accident, can rapidly cascade and lead to lost sales, which affects a company’s liquidity.
- investors and banks may become uneasy and withdraw or limit a company’s access to capital which places additional strains on balance sheets, and with
- current and future revenue streams being more dependent on a company’s reputation, which is also a source of competitive advantage, it can become even more challenging to rebuild brands and restore stakeholder confidence.
Examples of company reputation quickly evaporating…
Arthur Andersen Company is a good example. Its demise in 2002, most agree, is attributed to irreparable reputational damage following terrible publicity the company received related to the Enron scandal. More recently, BP incurred significant reputation damage relative to its association with the Deepwater Horizon explosion in the Gulf of Mexico in 2010.
Of course, there are countless other examples, but, the corollary of this is that that companies with strong reputations should become beneficiaries to others’ (competitors in some instances) in terms of elevating share price performance, and stakeholder – customer trust. Some suggest that a positive and resilient reputation helps companies to deal more effectively with future crisis – reputation risk events, should they occur, because it creates a reserve of goodwill referred to many time here as ‘reputation capital or equity’ that can help the business to better endure and survive future adverse (reputation risk) events.
Effective reputational risk management is not just about responding well to so-called crisis events. In addition, it is about safeguarding, building, and routinely monitoring reputation.
(A special thanks to Andrew Kendrick, President, ACE European Group, 2013 ‘Reputation at Risk’ Report for inspiring this post.)