Michael D. Moberly October 8, 2014 ‘A long form blog where attention span really matters’.
CENTRA Technologies 2010 study, ‘Estimating the Economic Costs of Espionage’ close to perfection…
In an excellent, but somewhat overlooked, report published in May, 2010 and prepared for CENTRA Technology by the George Bush School of Government and Public Service at Texas A&M University, ‘researchers constructed a model initially designed for use by the government sector, but which, I find, has relevance to the private sector because it measures economic espionage losses by industry sector.
More specifically, the model identifies and distinguishes the severity and consequences of economic – cyber espionage incidents to the U.S. economy. The ‘CENTRA’ model which Texas A&M researchers constructed…
applies a (loss) ‘severity score’ between 0 and 1, and include open source (case study, incident) information so as to provide a qualitative estimate of the economic “consequences”.
- moderate, and/or
- high adverse (economic) consequences – losses, relative to
- the victim company’s industry sector, and thus factors two sets of variables, i.e.,
- Industry variables, i.e., assess the significance of where the incident of economic espionage occurred.
- the victim company’s industry sector, and thus factors two sets of variables, i.e.,
Note: Industry is derived from a combination of the percentage of GDP for each of the 14 industry sectors and the susceptibility/vulnerability of each sector. This process enables the CENTRA model to be individualized to a specific industry and recognizing potentially different consequences to the U.S. economy.
- Case variables i.e., assess the significance of economic espionage incidents on the basis of…
- characteristics of the theft (incident) itself.
- costs directly attributable to the incident (loss) and
- who the beneficiaries to the incident actually are.
- Seldom are two incidents of economic espionage identical. To address this, Texas A&M researchers, developed a system for weighing the variables and questions further analysis that such ‘weights’ prompt.
- So, the Texas A&M model requires practitioners to…
- first, identify the industry sector in which the incident occurred, and
- second, identify (individual, specific) ‘case – incident variables’.Ultimately, with all the variables measured, standardized, and weighted against each other, the CENTRA model calculates an overall severity score, which corresponds to individualized (company specific) consequence to incidents of cyber-economic espionage.
This post was inspired by a George Bush School of Government and Public Service, Texas A&M University research project titled “Estimating the Economic Costs of Espionage”. The reports was prepared for CENTRA Technology by the the Capstone research team comprised of Rich Bell, J. Ethan Bennett, Jillian R. Boles, David M. Goodoien, Jeff W. Irving, Philip B. Kuhlman, and Amanda K. White.
As always, reader comments are most welcome.
Michael D. Moberly October 7, 2014 ‘A long form blog where attention span really matters’.
In 2013, CSIS (Center for Strategic and International Studies) and McAfee partnered to examine cyber – economic espionage impact in a manner more inclusive than what I have previously observed over the past 25+ years. Dr. James Lewis, Senior Fellow and Director of CSIS’ Center for Technology and Public Policy Program, who directed the study, offered his best guess that ‘the upper limit of the costs-losses attributed to cyber – economic espionage might be under one percent of the GDP’ (gross domestic product). Lewis also states, and I paraphrase, ‘U.S. economic costs-losses to cybercrime and economic espionage attributed specifically to – originating in China, may reach as much as $140 billion annually’.
Lewis translates the $140 billion annual IP loss to 508,000 jobs…
While I have no basis to dispute those figures, or question Dr. Lewis’ experienced and respected record of achievements in the cyber crime – economic espionage arena, I do suggest there are two key factors necessary to arrive at the $140 billion annual loss figure, i.e.,
- determining which assets and/or impacts to include (factor) and
- the methodology for determining the lost assets’ near and long term value in terms of costs and losses companies will experience with respect to such things as market space, competitive advantages, profitability, sustainability, etc.
But, Lewis claims, and I agree, describing value loss – impact estimates with broad ranges is indicative of the difficulty in calculating losses. Accordingly, companies may be reluctant to reveal (their) victimization impacts, i.e., victim companies may be inclined to (a.) conceal particular portions of their losses, or, (b.) not know how to distinguish which/what intangible assets were targeted, stolen, comprised, or misappropriated. But, Lewis wisely, casts wide ranging estimates of losses attributed to cyber – economic espionage in other contexts, starting with World Bank reports which state global GDP stood at about $70 trillion for the year 2011. Thus, a $400 billion loss representing the high end range of probable losses attributed to cyber crime and cyber espionage is a fraction of a percent of the global GDP figure. This, Lewis says, prompts additional questions, several of which I have been examining for many years, e.g. who are recipients and/or ultimate beneficiaries of the acquired (intangible) assets; can they expect to – be positioned to maximize those benefits, e.g., market (space) position, sector competitive advantages, reputation, value, sources of revenue, profitability, etc.
Conventional loss surveys assess – assign dollar value to losses… Some IP and intangible asset theft – loss estimates rely on surveys, which Lewis correctly points out, generally produce imprecise findings because among other things respondents, are inclined to “self-select” which can become a source of distortion to the findings. Lewis suggests loss estimates should be based on “scale and effect” which ‘will likely produce quite different and possibly more objective and accurate results in terms of adverse impacts and loss values’.
CSIS – McAfee Assessment model… Lewis’ intent was to bring greater clarity and validity to the loss figures being reported, so data from ‘car crashes’, ‘retail pilferage/shrinkage’, ‘crime stats’, and ‘drug usage’ were examined for their relevance and comparison as methodologies to draw upon insofar devising CSIS’ assessment (valuation) model. By incorporating these analogies into the design of their loss valuation assessment model, Lewis, and McAfee were suggesting it’s problematic to rely on conventional (existing) survey methodologies to calculate dollar value for losses, because, among other things…
- companies that (publicly) reveal their losses are frequently unfamiliar with distinguishing the actual (proprietary, IP, intangible) assets which were stolen, compromised, or infringed, thus more guesstimates.
- intellectual property – intangible asset losses are difficult to quantify because relevant dependant variables are often absent from the equation, and, often
- the self-selection process associated with most conventional survey methodologies, frequently produces distortion in the findings.
CSIS model includes components – classifications of malicious cyber activity and economic espionage…
This, Lewis gleans, by asking ‘what should be included and counted insofar as arriving at more precise loss estimates’, i.e., there…
- was a loss of intangible assets, i.e., intellectual property, sensitive business confidential/- proprietary information.
- was an actual crime committed, i.e., a violation of federal law.
- were opportunity costs, i.e., business and/or service disruptions that adversely effected consumer/customer expectations, particularly those related to the victimized company’s online activities.
- would be additional costs incurred relative to…
- re-securing their IT networks.
- achieving greater company resilience insofar as to recovering from future cyber – economic espionage attacks, and
- developing/executing business continuity plans designed to provide more rapid and fuller recovery when future attacks occur.
- were damages to company reputations which tend to have a longer period for recovery, and lastly,
- were costs to re-establish and re-secure company supply chain networks.
What’s the harm…?
If Lewis is correct in inferring there have, inadvertently, become “tolerated costs” and/or ‘ceilings’ for estimating losses.
So, a different perspective; is economic-cyber espionage the greatest transfer of wealth in history, or merely a rounding error in countries’ GDP…?
This, of course represents a perspective intended to elevate the significance and acknowledge the adverse impact of cybercrime-economic espionage, while the former represents a perspective intended to diminish the ‘sticker shock’ of the adverse economic impacts by characterizing them as percentages of national GDP’s.
As always reader comments are most welcome.
Michael D. Moberly October 6, 2014 ‘A long form blog where attention span really matters.’
Stolen, misappropriated IP and other intangible assets…
When values are calculated and assigned to stolen, misappropriated, and/or otherwise compromised intangible assets, i.e., intellectual and structural capital particularly, they may be (a.) quite subjective, (b.) merely regurgitated guesstimates, and/or (c.) embedded with inadvertent biases or political agendas and other variables that inevitably influence high or low valuations.
For example, it’s quite common to witness pundits and open source media to merely regurgitate high dollar losses (impacts) attributed to cyber – economic espionage, ranging between $100 to $500+ billion annually to the U.S. alone.
The worlds’ second oldest profession…
It’s important to recognize that an, as yet unknown percentage of malicious cyber activity, evolves into economic espionage.
There remain a percentage of policymakers, company c-suites, and management teams who find it to be an especially challenging ‘to get their arms and heads around’ insofar as articulating, with strategic clarity, precisely why cyber – information asset protection security and economic espionage prevention/mitigation initiatives are essential from the outset to any business initiative.
Objective calculation of losses and costs to materialized risks…
Calculating and assigning a dollar value to losses and costs associated with cyber crimes, particularly those which culminate in economic espionage, may appear, at first blush, to be relatively straightforward tasks. But, to be sure, there is much more to calculating and assigning dollar values to costs – losses than acquiescing to mere guesstimates.
Factors that influence companies to go public with their victimization…
Going public, represents, among other things, a companies’ admission of being victimized followed by a guesstimated admission of the extent – value of the losses attributed to the adverse acts, which, are often initially framed in passionate and angry descriptions how the acts and losses will impact the victims’ company..
Victim anger and passion aside, we know it is challenging to determine, let alone isolate and accurately assess asset losses rapidly. In many instances, that’s because, the losses are not limited solely to stolen or undermined intellectual property or capital, i.e., trade secrets, and proprietary information, etc. Instead, the full extent of a targeted companies’ losses are frequently more strategic and include equally valuable structural and relationship capital and thus may not be immediately measurable or fully realized and calculated until well after the fact.
Again, assigning specific price tags to companies’ cyber – economic espionage losses is a challenging undertaking, because the processes are often embedded with subjective assessments that do not reflect a comprehensive accounting of the ‘contributory value’ of various assets which serve as foundations to an infringed patent. For example, it’s not especially prudent then to assume the findings of the various surveys and studies produced over the years are the result of using objective data and calculations free from the influence of larger political, social, and national security agendas.
Since the passage of the Economic Espionage Act (EEA) in October, 1996, there has been no shortage of surveys and studies produced whose focus has largely been to ‘dramatize’ the costs, losses, and adverse impacts attributed to cybercrime and economic espionage.
Having read and studied most, if not each of these studies/surveys over the past 25+ years, I interpret many of the methodologies and findings to be somewhat competitive in the sense that each appears to be conceptually broader in the ranges of dollar losses and adverse economic impacts and characterized in more dramatic fashion.
Calculating losses attributed to economic espionage require objectively framed equations…
For many years there has been a general inclination to accept, perhaps naively, after-the-fact prognosticative research regarding the valuation of losses attributed to cyber – economic espionage.
My counsel on that matter is that any formula or conventional intangible asset valuation methodology used to calculate the loss and/or compromise of intellectual properties should differentiate the assets which have been stolen and/or compromised by category, i.e., intellectual, structural, and relationship capital.
As always, reader comments are most welcome!
Michael D. Moberly September 24, 2014 ‘A blog where attention span really matters’!
Reputation risk management is not rocket science…
Company reputation risk represents a phenomenon which I believe most would agree, seldom needs to rise to the level of ‘rocket science’! Instead, reputation risk prevention, mitigation, and management require, among other things, consistency in…
- in product-service design, content, production, and delivery.
- processes for monitoring and responding to consumer-stakeholder likes-dislikes, i.e., opinions and criticisms without conveying sense of superiority, condescension, or indifference.
- anticipating origins and motives for reputation risks to materialize.
In most instances I believe, if a company’s reputation risk antenna are raised, and its radar is functioning effectively and both pointed toward customers, consumers, stakeholders, and horizontal risks, management teams can become aware of and assess various risks before or as they emerge, in other words at the earliest stages of (reputation risk) materialization.
One need not look far today…
One need not look far to observe the costly and often times irreversible remnants of fully materialized reputation risks that have gone unabated and enveloped companies, unfortunately, but frequently owing to various combinations of sight – hearing challenged management teams and occasional self-deluded wishful thinking combined with optically arrogant produced initiatives believed would improve and/or mitigate the circumstances.
Awkward and disingenuous…
Unfortunately, in numerous instances, and quite needlessly, when company reputation risks emerge, then materialize, the initial response appears awkward and disingenuous and must be ‘walked backed’ which collectively conveys to constituents whom the appeals are directed, a sense of unpreparedness, ineptness, and/or poor or non-existent counsel.
Again, when this occurs, company management teams have engaged in a substantial disservice to their cause, particularly if they assume thestakeholders, consumers, customers, and the multiple media and social media platforms whom they are endeavoring to message, are incapable of independent interpretation and assessment of a spokesperson’s artfully nuanced reputation risk mitigation language.
Did they really say that…?
With respect to the numerous (company) reputation risk events that have emerged in recent weeks and months, many have prompted me to ask…
- did she really just say that?
- didn’t she allow a trusted advisor to review her media language for alternative interpretations before rushing to a podium?
- how could she and her management team not have foreseen that when ‘x’ events, acts, and/or behaviors occur, it often produces fertile ground for risks to emerge that will simultaneously produce adverse affects to reputation, image, brand, etc.
Reputation risk Watergate style…
If a company spokesperson’s initial response to a materialized reputation risk suggests the event act, or behavior which precipitated the present risk is the first, I am inclined to be suspect of that management teams’ reputation risk monitoring obligation. So, in many respects, it appears that reputation risk inquiries have often boiled down to three of the more memorable questions posed to witnesses during the U.S. Senate’s ‘Watergate’ hearings held in 1973, that is
- what did you know?
- when did you know it?, and
- what did you do about it once you knew it?
Granted, with few obvious exceptions, materialized reputation risks to companies seldom draw the ire of Congress to the point of holding a hearing and subpoenaing c-suites to testify and account.
Company leadership proficiencies…
Company leadership and their designee’s are obliged now to be proficient insofar as anticipating, monitoring, and responding to reputation risks. One, among numerous reasons is that for company management teams which have had the wisdom, foresight, and good fortune to have ‘banked’ portions of constituent trust and goodwill and allow it to accumulate, all-the-while recognizing that their ‘bank balance’ can rapidly be depleted when substantial reputation risks emerge and the company’s responses to the ‘Watergate style’ questions described above prove disappointing, e.g., leadership ‘first responders’ convey…
- indifference and awkwardness with respect to possessing the professional demeanor and fortitude to effectively and favorably articulate the situation and direct the company to favorable reputational normalcy.
- ignorance as to the speed which reputation risks can emerge, materialize, and escalate only to claim insufficient time to conduct an investigation and respond accurately to the inevitable questions.
At minimum, the above, are preludes to commencing the costly and lengthy road to restore even partial recovery and replenish a company’s bank balance of trust, goodwill, and expectations!
C-suites should expect…
When substantial reputation risks strike a company its prudent for c-suites to expect consumers, stakeholders, the mainstream and social media respectively, to press for straight talk and transparency because each affected constituent group has become quite adept at dissecting and assessing a spokesperson’s authenticity and the validity of their responses, i.e., admissions of initial bungling, promises of future corrective action, and ‘throwing the most notorious violators farther and farther under the bus’.
Company reputations’ unraveling before our eyes…
Unfortunately, it has become far to routine to witness companies’ demise, i.e., their reputation unraveling before our eyes. And, we seldom have to wait very long to witness the next victim of usually a self-inflicted reputation risk wound. Also, many company management teams now understand the origins and costly remnants of materialized reputation risks, particularly those which have been shabbily handled through a combination of…
- naiveté or wishful thinking
- optically arrogant or indifferent statements.
In many respects, it appears for some company leaders, their initial action or inaction to a materialized reputation risk may ignite an already smoldering set of circumstances along with a pessimistically receptive constituent culture.
As always, reader comments are welcome.
Michael D. Moberly September 8, 2014 A long form blog where attention span really matters!
In this increasingly intertwined economic, political, and business global environment, we should come to recognize that neither citizens nor governments’ experience much, if any, strategic effectiveness/benefits by engaging in policies, military or diplomatic, which are understandably preceded with a “degrade and destroy” message. In other words, the ‘isms’ of terrorism, are treated as if they are tangible or physical assets, rather than intangible (non-physical) assets, and hence, once destroyed, contained, or substantially degraded, become irreplaceable or irreproducible in their previous form.
Yes, the terrorists themselves along with a large percentage of the acts they engage are very physical and tangible entities and absolutely despicable acts as are the horrifying and animalistic brutalities some participate. But, in large part their motivations and the associated ‘isms’ are strewn with and embedded, in an especially perverse sort of way, with intangibles, i.e., intellectual, structural, and relationship capital.
That is, the ‘isms’ embedded in much of the terrorists’ acts which we have seen and read about, particularly in recent weeks, regarding ISIL, are comprised of conglomerations of highly dogmatic manifestations in thinking, processes, and relationships. What’s more, these manifestations of intangibles have morphed into magnets in which single-minded ruthlessness has morphed into an inexplicably attractive recruiting mechanism.
That is not to suggest governments and all of their respective defense might are incapable of mitigating or defending against the ‘isms’ of global terror. But, if one examines and responds to terrorism through an intangible vs. tangible asset lens, perhaps the range of potential methodologies and options would look differently and the outcomes more desirable. A plausible possibility, right?
Respectfully, and most understandably, conventional anti-terrorism initiatives, while they may prompt immediate feel good responses in as much as they may ‘cut off the head of the snake’ as conveyed by General Colin Powell, former Chair, Joint Chiefs of Staff, Gulf War I. It’s quite clear, such tactics alone, seldom, if ever, produce the desired strategic change deeply embedded in hundreds of years of sect mistrust, war, and terrorism. Again, the ‘isms’ have become highly personalized often through individualized receptivity to radicalization in which intellectual, structural, and relationship capital (intangible assets) serve as underliers to the ‘isms’ of terror, which unfortunately often remain simplistically characterized as ‘winning the hearts and minds’ of an adversary.
Radicalization manifest as one transforms, re-purposes, and seeks congruence to their newly adopted intellectual, structural, and relationship capital, through alignment and/or participation in a terrorist organization.
Admittedly, I am an intangible asset strategist and risk specialist and direct my experience in intellectual, structural and relationship capital matters to serving the (private) business sector. I was also an airborne infantryman assigned to the 173d Airborne Brigade in Bin Dinh Province of South Viet Nam in 1969 in which there where both highly tangible military and intangible humanitarian tactics applied. The outcome…
As always, readers comments are most welcome.
Michael D. Moberly August 20, 2014 ‘A long form blog where attention span really matters’!
The globally irreversible economic shift away from tangible (physical) asset business dominance to intangible (non-physical) asset business dominance has paved the way for law firms to offer differentiating, relevant, and client specific services related to the management, stewardship, and oversight of their intangible assets. To believe otherwise would certainly constitute an irreparable misreading of the global economic and competitive advantage tea leaves.
This post provides compelling and viable rationales why boutique intellectual property and full service law firms will find it prudent, lucrative, and produce strategically durable competitive advantages and differentiators by delivering intangible asset specific services in business clients.
Why law firms should take note…
One reason emanates from Stone v Ritter (911 A.2d 362 (Del. 2006) which would obligate company leadership, akin to a fiduciary responsibility, to achieve sufficient operational familiarity with their intangible assets to provide consistent and effective asset stewardship, oversight, and management. More specifically, keep boards and significant stakeholders apprised of the status of key, revenue producing intangible assets.
Through my lens, Stone v. Ritter legitimizes opportunities for law firms, so inclined and inspired, to acquire the relevant skill sets to enable articulation and delivery of a variety of intangible asset services to today’s more enlightened and receptive business clients regardless of sector, size, or location. The skill sets will accrue as firm differentiators and competitive advantages to help mitigate stagnating revenues.
Comprehensive intangible asset services…
Collectively, the global universality of intangibles’ and business client’s increasing recognition they are valuable contributors – underliers to company profitability and sustainability, constitutes valid rationales and positioning for motivated law firms to respectfully engage both existing and prospective clients with proposals for intangible asset services. The addition of these services produce realistic potential for a law firm to become the initial and exclusive provider of a range of long-lasting intangible asset related legal services because intangible assets are always in play, and thus relevant components to every business client’s operations, initiatives, and/or transactions they routinely engage.
In a global business environment in which 80+% of most company’s value, sources of revenue, and ‘building blocks’ for growth, profitability, and sustainability evolve directly from intangible assets, it’s no particular secret that conventional financial statements and balance sheets, wherein intangibles largely go unreported, under-valued, and otherwise, unaccounted for, do not provide a complete picture of a company’s soundness, its value, or its strategic and competitive advantage health and potential.
It’s an undisputed and irreversible economic fact today that 80+% of most company’s value, sources of revenue, and ‘building blocks’ for growth, profitability, and sustainability today either lie in or directly evolve from 15+ distinct categories of intangible assets ranging from intellectual, structural, and relationship capital, to reputation, brand, R&D, contracts, and hybrid (proprietary) technologies, etc.
Also emanating from this economic fact is the reality that business clients will, with increasing frequency, become fiduciarily obligated to seek legal advisory services variously related to the stewardship, oversight, management, commercialization, and safeguarding of the array of nuanced and company centric intangible assets they produce internally or acquire externally.
Original horizonal thinking and planning…
Law firm strategic planning is no longer a managerial luxury rather it has become a necessity for assuring firm sustainability, profitability, and brand. Collectively, the new realities associated with intangible asset business dominance, warrant levels of thinking and planning that permit horizontal sighted law firms and attorneys the latitude to secure the necessary skill sets to accommodate the expanding range of legal service opportunities emanating from the permanent role of intangible assets in today’s increasingly complex and globally intertwined business incubation, development, growth, and transaction environments.
Intangible asset intensive companies growing globally…
There is no other time in business governance – management history when steadily rising percentages of company value, sources of revenue, and growth potential originate, almost exclusively, from intangible assets.
The contributory value which unique and frequently company/operation centric (proprietary) intangible assets make to company’s value, revenue, competitiveness, brand, and market position, etc., are all too often, under-appreciated, undervalued, un-protected and ultimately their value becomes diluted or melds into open sources to be used by competitors..
Intangible assets are no longer mere tools to manage tangible (physical) assets. Instead, intangibles’ are frequently stand alone commodities that can be developed, positioned, and utilized to produce revenue, enhance competitive advantages, and add value to a company.
But, intellectual property and other forms of (proprietary) intangible assets, particularly intellectual, structural, and relationship capital, can advance a company economically and competitively, only so long as their control, use, ownership, value, and materiality are monitored and sustained.
However, the time frame when company’s can realize the most value from their intangible assets lies in their respective contributory value and functionality (life) cycles both of which are being compressed today, due in no small part to (a.) lower barriers to market, supply, and distribution chain entry by competitors, and (b.) rapid profits accruing to globally predatorial product/service piracy and counterfeiting operations that consistently pollute and de-value legitimate asset supply chains.
Forward looking prudence…
Staying out front of law firms’ go fast, go hard, go global business clientele is best achieved by developing and articulating proprietary and client specific intangible asset services that will accommodate the inevitable and irreversible needs and demands of current and future clients.
Adding intangible asset services to law firms’ repertoire will be disruptive…
For some attorneys and firms, delivering services specific to intangible assets will be misinterpreted as operationally disruptive to time honored conventions for delivering client services and therefore, dismissed. Respectfully, I do not believe such machinations are or should be relevant in the increasingly aggressive, predatorial, and winner-take-all professional services sector which we are in the midst.
Admittedly, not every firm’s business clients have achieved full operational familiarity with their intangible assets to articulate, with specificity, what legal services they need now and will need in the future. Through my lens, that’s a strong rationale why law firms should be tactically and strategically prepared now as the need and demand for such services rises, which it is sure to do.
Law firm re-boot, tactical and strategic speed…
Again, through my lens, what’s being proposed here is not exclusively an if or when, proposition. Rather it represents a rationale why law firms should consider re-booting themselves to inexpensively and rapidly acquire the capacity to achieve a level of professional comfort and expertise to engage clients’ about identifying, unraveling, distinguishing, exploiting, safeguarding, and monitoring the value, materiality, and risk to their intangible assets.
More specifically, while many law firms’ tactical speed, i.e., the efficiencies related to delivering client services, etc., remain important, continuing to be dismissive about firm’s strategic speed, i.e., developing proactive client services that directly reflect globally universal changes in economics is critical to firms’ sustainability. In other words, law firm strategic planning should be designed and executed so as to ‘avoid continuing to skate where the puck was, rather skate to where the puck is now and will be in the future’!
My counsel to law firms is to engage in strategic planning that includes a strong and collaborative vision that encompasses a firms’:
- organizational structure in terms of how its various practice areas and expertise can be collaboratively aligned to better address business clients’ intangible asset (service) needs, and
- become more accommodating to the inevitable and collective (global) universalities which the dominance of intangible assets produce.
In other words, attorneys’ and their respective practice areas are now obliged to consider how they may achieve a collaboratively lucrative solution insofar as providing intangible asset services. In other words, help structure the firms’ future to meet its future!
As always, reader comments are most welcome.
Michael D. Moberly August 17, 2014 ‘A long form blog where attention span really matters’!
A collaborative partnership… In 2013, CSIS (Center for Security and Internal Studies) and McAfee partnered to examine cyber – economic espionage impact in a manner more inclusive than what I have previously observed over the past 25+ years. Spoiler alert; Dr. James Lewis, Senior Fellow and Director of CSIS’ Center for Technology and Public Policy Program offered his best guess that ‘the upper limit (of the costs-losses attributed to cyber – economic espionage) might be somewhere under one percent of the GDP’ (gross domestic product). Lewis also states, and I paraphrase, ‘U.S. economic costs-losses to cybercrime and economic espionage attributed specifically to – originating in China, may reach as much as $140 billion annually’.
$140 billion annually, 508,000 jobs…
While I have no basis to dispute those figure, or question Dr. Lewis’ experienced and respected record of achievements in the cyber crime – economic espionage arena, I do suggest there may be some predictable factors insofar as arriving at the $140 billion annual loss figure especially. One of which lies in determining which assets and/or impacts to include and the methodology for determining their near term and long term value in terms of costs and losses companies will experience with respect to market space, competitive advantages, sustainability, etc. Routinely, asset loss – impact valuations attributed to cyber-economic espionage, irrespective of their accuracy or objectivity, produce dollar values characterized in broad ranges on the plus – minus side. Lewis claims, and I agree, describing value loss – impact estimates with such broad range estimates is reflective of multiple difficulties, among them being, as readers know, numerous companies may…
- be reluctant to reveal or inclined to conceal their losses,
- not know precisely which/what assets were targeted, stolen, comprised, or misappropriated.
Intellectual property (and other forms of intangible assets) are challenging to value with consistency and objectivity. So, when values are calculated and assigned to stolen, misappropriated, and/or otherwise compromised intangible assets, i.e., intellectual and structural capital particularly, those figures, in my judgment, may be somewhat subjective and/or embedded with a particular bias or even agenda that in turn may influence high or low valuations.
For example, it’s relatively common to see open source media and their ‘talking heads’ to merely regurgitate extraordinarily high dollar volume losses (impacts) to the U.S. economy, attributed to cyber – economic espionage, ranging between $100 and $500+ billion annually.
But, Lewis wisely, yet provocatively, casts such wide ranging estimates of losses attributed to cyber – economic espionage in other contexts, starting with World Bank reports which state global GDP stood at about $70 trillion for the year 2011. Thus, a $400 billion loss representing the high end range of probable losses caused by cyber crime and cyber espionage is a fraction of a percent of that global GDP figure. This, Lewis says, prompts additional questions, something which I have examined for many years, e.g. can the recipients and/or ultimate beneficiary of the targeted-acquired intangible assets expect to maximize their benefit and use? A second question focuses on the damage to victim companies relative to the cumulative effect of cybercrime and cyber espionage, i.e., market space position, sector competitive advantages, reputation risk, etc.
Having thoroughly studied many, what I respectfully refer to as ‘guesstimated’ economic espionage and stolen/infringed intellectual property (IP) reports over the course of 20+ years, I genuinely believe Dr. Lewis’ findings to be as flawless, encompassing, and accurate as can be reasonably expected in the multi-faceted and ambiguous arena from which to acquire reliable and replicable data points. For example, quite interestingly, the CSIS – McAfee report translates these asset loss estimates as representing perhaps as many as 508,000 U.S. jobs.
Conventional surveys to assess – assign dollar value to losses…
Some IP and intangible asset theft – loss estimates rely on surveys, which Lewis quite correctly points out, generally provide imprecise values, unless the survey itself has been carefully constructed and managed. Too, a common challenge, insofar achieving credence to cyber-security-espionage survey findings, Dr. Lewis also points out, is that (survey) respondents are inclined to “self-select”. When this occurs, it introduces a potential source of distortion to the results. So, being mindful of these and other data collection challenges to this already sensitive topic for companies, Lewis suggests loss estimates be based on assumptions about scale and effect. Changing those assumptions, Lewis argues, will likely deliver quite different results in terms of loss values.
CSIS – McAfee Assessment model…
As a demonstration of Lewis’ intent to be as objective and encompassing as possible insofar as valuing losses attributed cyber and economic espionage, CSIS secured the expertise of prominent economists, intellectual property experts, security researchers, and even incorporated, what could appear at first blush irrelevant analogies to bring clarity to the figures they were reporting, e.g., comparative statistics for car crashes, product piracy, pilferage, crime stats, and drug usage which collectively were integrated, for comparison purposes, to serve as frameworks to draw upon in devising their assessment (valuation) model. By incorporating these analogies in the design of their assessment model, Dr. Lewis, CSIS, and McAfee were essentially suggesting, should my interpretation be correct, it’s problematic to rely exclusively on conventional methodologies, particularly time honored surveys, to identify dollar values to losses attributed to cyber-economic because…
- companies that (publicly) reveal losses attributed to cyber – economic espionage are frequently unable to distinguish, with the necessary precision, the actual (proprietary, IP, intangible) assets which were stolen, compromised, or infringed.
- intellectual property – intangible asset losses are admittedly difficult to quantify with consensus, and when they are, the assessment – valuation is likely to reflect subjective guesstimates absent factoring numerous dependant variables which are invariably in play.
- the self-selection process associated with most conventional (time honored) survey methodologies, frequently produce some distortion to the findings.
CSIS model includes six classifications of cyber – economic espionage…
Insofar as actually commencing this much needed project, CSIS classified malicious cyber – economic espionage activities into six areas, i.e., wherein there…
- was a loss of intellectual property occurred.
- was an actual crime committed, i.e., a violation of federal law.
- was a loss of sensitive – proprietary business information.
- were opportunity costs involved, including business and/or service disruptions that adversely effected consumer/customer expectations and trust particularly those related to the victim company’s online activities.
- would be additional costs incurred by the victim company relative to securing their IT networks and incorporate greater resilience measures to provide quicker and fuller recovery when future attacks occur.
- damages manifested – materialized as reputational risks to the victim company.
Each of the above should be examined through a lens of reverence in that there is little question the inclusion of these and other factors, collectively help victim companies arrive at a more comprehensive and current appreciation for the losses, costs, and overall impacts caused by acts of cyber – economic espionage.
The worlds’ second oldest profession…
Economic (industrial) espionage is often euphemistically referred to as the world’s second oldest profession behind, of course, to prostitution. Readers do recognize that an, as yet unknown percentage of malicious cyber activity, evolves as economic espionage and is an obvious by-product of the continually evolving IT and Internet arenas. But still, as both cyber – economic espionage are irreversibly embedded in global cultures and business, there remain a percentage of policymakers, company c-suites, and management teams who find it a challenging phenomenon ‘to get their arms and heads around’ insofar as articulating, with strategic clarity, precisely why cyber security and economic espionage prevention/mitigation initiatives are so essential. The answers to these increasingly critical concerns, either of which, when they materialize, can produce substantial, if not utterly debilitating adverse effects to a company’s value, sources of revenue, profitability, growth potential, and overall sustainability. lie in well grounded research to aid c-suites and boards in framing their near term and strategic decisions, actions, and responses. CSIS – McAfee identified components of malicious cyber activity… In the CSIS – McAfee report, Lewis quite appropriately asks what should be counted insofar as arriving at better loss estimates attributed to cybercrime and cyber (economic) espionage. Interestingly, in an effort to address this question, Lewis categorizes malicious cyber activity into the following components, i.e., the…
- loss of intangible assets, i.e., intellectual property and sensitive business confidential/- proprietary information.
- opportunity costs linked to…
- service and employment disruptions, and
- reduced trust in online services and activities.
- additional costs
- securing company and supply chain networks
- resilience to – recovering from cyber attacks, i.e., developing/executing business continuity and resilience procedures.
- reputational risk materialization and damages.
What’s the harm…? If Dr. Lewis is correct in assuming, through the analogies he describes in the Report, some of which appear tantamount to inferring there are “tolerated costs” within in the realm of cyber crime and cyber espionage which manifest as a ‘ceiling’ of sorts, for estimating losses. This suggests that, at most, cybercrime and cyber espionage costs less than 1% of GDP. For the U.S. then, in the context of its GDP, Lewis’ best guess is that losses (caused by cyber crime and cyber espionage) may reach $100 million annually. To provide context for this estimate, Lewis points out that annual expenditures on research and development in the US are $400 billion annually, and $100 million in stolen/misappropriated intellectual properties he offers, does not translate to dollar for dollar gain to the recipients and/or ultimate beneficiaries, i.e., the economic, competitive advantage adversaries! As always, reader comments are most welcome!
Michael D. Moberly August 11, 2014 ‘A long form blog where attention span really matters.’
Objective calculation of losses and costs.
Calculating and assigning a dollar value to losses and costs associated with cyber crimes, particularly those which culminate in economic espionage, may appear at first blush to be relatively straightforward tasks. However, when intellectual properties and other categories of intangible assets are targeted and acquired by economic and competitive advantage adversaries, the legitimate holder of those assets is obliged to objectively assess their value?
Similarly, if a cyber attack temporarily brings down a company’s IT network, the targeted company is obliged to objectively calculate losses to productivity, sales, and essential communications as well as costs to return their system to operational normalcy with the necessart security upgrades. Obviously, there is much more to calculating and assigning a dollar values to such costs/losses than engaging in more guesstimates.
For regular readers, it should come as no surprise that there are significant differences of opinion globally about calculating the costs and losses attributed to malicious cyber activity and economic espionage directed to companies’ R&D, university-corporate research consortiums, etc. As conveyed in previous posts at this blog, dollar value losses cited in numerous respected surveys and studies range from a mere few billion dollars to hundreds of billion dollars annually. To be sure, assigning specific price tags to companies’ cyber – economic espionage losses is challenging, but too, the processes are often embedded with subjective assessments that do not reflect a comprehensive accounting of the peripheral and contributory value of each of the other intangible assets underlying a patent for example. So, it may not be especially prudent to assume the findings of the various surveys and studies have been reached using objective data or calculations that are free from the influence of larger political, social, and national security agendas. This may be a reason why we are witnessing such a broad range of loss estimates regarding cyber – economic espionage.
Is economic-cyber the greatest transfer of wealth in history or merely a rounding error?
While I am not the originator of the above question, there are numerous responsible parties that do characterize losses attributed to cybercrime and economic espionage in this fashion, i.e., as constituting either the greatest transfer of wealth in human history, or merely as rounding errors in a $14 trillion dollar economy?
The former of course represents a perspective intended to elevate the significance and adverse impact of cybercrime-economic espionage, while the latter represents an opposite perspective which is to diminish the ‘sticker shock’ if you will, of the adverse impact by characterizing it in the context of what is to most as incomprehensible dollar amounts or collective national GDP’s.
Having said that, both perspectives, through my lens, warrant inclusion in the broader conversation.
Since the passage of the Economic Espionage Act (EEA) in October, 1996, there has been no shortage of surveys and studies launched whose focus has largely been to dramatize the costs, losses, along with an array of adverse (economic, competitive advantage) impacts attributed to acts of cybercrime and economic espionage and adversely effecting either or both the private sector or national security/defense.
Having read and studied most, if not each of these reports over the past 25+ years, I interpret the findings and supporting documentation to be somewhat competitive in the sense that each report strives to be conceptually broader and offer broader ranges of losses and impacts and in more dramatic fashion.
Too, many reports, particularly those published in recent years, are collaborative, in that a known and usually global player (i.e., accounting, consulting, or IT firm) has partnered with a prestigous university (academic unit) or ‘think tank’ assuming this will elevate the reports’ credence and validity in the eyes of its previously targeted audience. In addition, more such reports include examples and/or mini-case studies describing the impact to victimized companies and/or organizations, whom, for multiple reasons have elected to ‘go public’, perhaps at the behest of federal (EEA) prosecutors and thus agree to seek prosecution of the perpetrators, whomever or whatever they may be.
Expectations of receiving damage – loss restitution…
Any victim company’s expectations of receiving damage or restitution payments is slim and therefore are largely symbolic when that is the finding of a court. That’s because a large percentage of those engaged in and prosecuted for EEA-related violations have international origins, which, while within the EEA’s scope may also find it useful to bring such action before the World Trade Organization (WTO).
Factors in play that influence companies to go public…
Readers recognize of course, there are numerous factors in play that comprise a company’s decision to ‘go public’. Going public, represents among other things, a companies’ admission of being victimized followed by a guesstimated admission of the extent – value of the losses being attributed to the acts, which, initially are often framed in passionate and angry guesstimates of how the acts and losses will impact the victims’ company and even who the culprit(s) may be and how the adverse act was actually committed.
Victim anger and passion aside, we know it is challenging to determine, let alone isolate and accurately assess such losses very rapidly. That’s because, in many instances, the losses are not limited solely to lost or undermined intellectual capital, i.e., trade secrets, proprietary information, and IP. Instead, the full extent of a targeted companies’ losses are frequently more strategic in the form of relationship capital and thus may not be fully realized for several months out.
Reputation risk factor…
Another factor in play with respect to the counsel and ultimate decision to ‘go public’ with a companies’ victimization is the very real possibility that having the matter come under public and regulatory scrutiny, there is, unfortunately, a probability the victim company, will experience the materialization of reputation risk manifesting at some level. I refer to materialization of reputation risk with the phrase ‘at some level’, because such company specific reputation risks can manifest in different ways for different sets of consumers, stakeholders, and investors, etc.
Yes, a company’s reputation is an intangible asset of the first order. A company’s reputation is embedded with – comprised of many other contributing intangible assets which collectively produce significant value. In other words, reputation represents expectations, and therefore serves as the rationale in which consumers distinguish, seek, and likely purchase one product or service over another because it consistently meets or exceeds our expectations.
Calculating losses attributed to economic espionage require objectively framed equations…
For many years there has been a general inclination to accept, perhaps naively, the guesstimated findings of after-the-fact prognosticative research regarding losses – impacts attributed to cyber – economic espionage valuations. My counsel is that any formula, conventional intangible asset valuation methodology, and/or equation used to calculate the loss and/or compromise of valuable intellectual properties (intangible assets) caused by cyber-economic espionage should…
- differentiate the assets which have been targeted, lost, and/or compromised by category, i.e., intellectual, structural, and relationship capital to ensure the findings
- bring quantitative – qualitative distinctions and clarity to a fuller range of related acts/events which can materialize following an act of cyber-economic espionage, e.g., produce adverse stock market reactions if the targeted company is publicly traded, reputation risks, productivity losses, business disruptions, loss of consumer trust, expectations, and goodwill, as well as the costs required to re-establish IT and supply chain security, etc.
As always reader comments are welcome!
Michael D. Moberly August 8, 2014 ‘A long form blog where attention span really matters’!
Dr. James Lewis, Director and Senior Fellow, Technology and Public Policy Program at the Center for Strategic and International Studies (CSIS) very appropriately states, among countless other relevant and practical jewels of wisdom in his July, 2013 report titled, ‘The Economic Impact of Cyber Crime and Cyber Espionage’ that there is ‘a wide range of estimates of annual losses, from a few billion dollars to hundreds of billions’. That statement itself, is not particularly noteworthy, but the distinctive ways Dr. Lewis reframes the statement by identifying various alternative lens in which the impact of economic and cyber espionage can be viewed through comparisons and analogies is very worthy.
This obvious broad range reflects several difficulties, claims Lewis, i.e., because companies may…
- be inclined to conceal their losses,
- not be aware of what assets have actually been stolen, comprised, or misappropriated.
Granted, intellectual property (and other forms of intangible assets) difficult to objectively value, and when a value is assigned, in my judgment, it’s often subjective and/or embedded with particular agendas that produce especially high or low ($) valuations.
Some IP and intangible asset estimates rely on the work and findings of other surveys, which Lewis quite correctly points out, generally provide imprecise values, unless the survey itself has been carefully constructed and managed.
Too, a common challenge, insofar achieving credence to cyber-security survey findings, Dr. Lewis point out, is that (survey) respondents are inclined to “self-select”. When this occurs, it introduces a potential source of distortion in the results. So, being mindful of these and other data collection challenges to this already sensitive topic for companies, i.e., in economic and cyber espionage, matters, it is not uncommon, Lewis suggests, for loss estimates to be based on assumptions about scale and effect. Changing those assumptions, Lewis argues, will likely deliver quite different results in terms of loss values.
Components of malicious cyber activity…
In the report, Lewis starts by asking what should be counted insofar as arriving at better loss estimates caused by cybercrime and cyber espionage. Interestingly, Lewis categorizes malicious cyber activity into five components, i.e., the…
- loss of intangible assets, i.e., intellectual property and business confidential/proprietary information.
- loss of sensitive business information, including possible stock market manipulation •
- opportunity costs linked to…
a. service and employment disruptions, and
b. reduced trust in online services and activities.
4. additional costs
a. necessary to secure company and supply chain networks
b. for insurance.
c. to recover from cyber attacks, i.e., developing/executing business continuity and resilience procedures.
5. reputational risk materialization and damage to victimized companies.
Putting these components together, Lewis claims, and I agree, the cost of cybercrime and cyber espionage to the global economy can broadly be characterized in the hundreds of billions of dollars annually.
But, Lewis wisely and provocatively, casts those wide ranging estimates in other contexts, starting with World Bank reports which state global GDP stood at about $70 trillion for the year 2011. Thus, a $400 billion loss representing the high end range of probable losses caused by cyber crime and cyber espionage is a fraction of a percent of that global GDP figure.
This, Lewis says, prompts additional questions, e.g. can the recipients and/or ultimate beneficiary of the acquired intangible assets expect maximum benefit/use?, and a second question focuses on the damage to victim companies relative to the cumulative effect of cybercrime and cyber espionage, i.e., market space position, sector competitive advantages, reputation risk, etc.
What’s the harm…?
If Dr. Lewis is correct in assuming, through the analogies he describes in the CSIS Report, some of which appear tantamount to inferring there are “tolerated costs” within in the realm of cyber crime and cyber espionage which manifest as a “ceiling” for estimates of losses. This suggests that, at most, cybercrime and cyber espionage costs less than 1% of GDP. For the U.S. then, in the context of its GDP, Lewis’ best guess is that losses (caused by cyber crime and cyber espionage) may reach $100 million annually to the U.S.
To provide context for this estimate, Lewis points out that annual expenditures on research and development in the US are $400 billion annually, and $100 million in stolen/misappropriated intellectual properties he offers, does not translate to dollar for dollar gains to the recipients and/or ultimate beneficiaries, i.e., the economic, competitive advantage adversaries.
As always, readers comments are welcome.
Michael D. Moberly July 29, 2014 ‘A long form blog where attention span really matters’.
Reputation risk resilience…
Admittedly, I do not know, other than a mere guesstimate, the number of companies which are current in their continuity, contingency, and resilience planning. I suspect, based on numerous conversations with company leadership teams who would presumably have an oversight role insofar as initiating and executing such plans, far fewer companies than today’s increasingly predatorial, competitive, and winner-take-all business (transaction) environment warrant, have current plans, in place.
Too, there is no reason to doubt a significant, but admittedly unknown percentage of the plans which are in place, have merged or morphed into web-based policy and procedure ‘manuals’ awaiting resurrection when a ‘reputation risk’ serpent stalkingly emerges from the murky and interconnected environs associated with global business.
A companies reputation is, generally it’s most valuable (intangible) asset…
As an intangible asset strategist and risk specialist, I strongly believe that continuity, contingency, and resilience planning must extend far beyond company’s IT systems, supply chains, and consumer, customer, client services to include the full spectrum (15+ categories) of intangible assets which most companies now produce, possess, utilize, and/or acquire.
The reason, it should not go unnoticed that today, 80+% of most company’s value, sources of revenue and ‘building blocks’ for growth, profitability, and sustainability globally reside in – evolve directly from intangible assets! Through my lens, that represents a fairly clear (fiduciary) obligation that a company’s key intangibles warrant safeguarding and their value, materiality, and risk consistently monitored.
A beneficial and instructive prelude to company reputation risk resilience…
A beneficial and instructive prelude for any company wishing to achieve the necessary (reputation risk) resilience that’s warranted in today’s go fast, go hard, go global business (transaction) environment begins by acknowledging the range of questions that will inevitably be asked and debated in c-suites, board rooms, among management team members, employees, on social media platforms and possibly within regulatory – oversight bodies, once a significant reputation risk materializes.
Examples of inevitable questions when reputation risk materializes …
The questions below are neither company nor event specific, but nevertheless, they are real and they can be framed in various ways and in various contexts to represent dominant (reputation risk) issues for which answers will be sought and demanded one a reputation risk emerges – materializes, e.g.,
- What is/are the origin(s) of this particular risk?
- Are the ways which the risk is adversely affecting company reputation describable, measurable, monitorable, and trackable?
- Can it be ascertained how-when the risk initially materialized to a level of company consciousness?
- Are there human initiators associated with the risk and if so, are they known?
- Is there any factual basis to the risk insofar as the manner in which it being characterized by any/all facets, and if so, will that influence the risks’ perpetuation for the near (long) term?
- Is the risk tangible insofar as requiring the company to ethically make operational and/or design decisions to the targeted product or service?
- Is the risk measurably gaining in strength, and, if so, how rapidly, why, and are the constituencies distinguishable?
- Is the depth and breadth of the risk, among consumers, stakeholders, investors, etc., subject to objective qualitative – quantitative measurement and monitoring?
- Is there a probability this particular, or simultaneous set of risks will subside on their own volition without an official (company) response or intervention?, wishful thinking doesn’t count.
- Is a formal (company) response and mitigating action required, and ethically and legally being advised?
- Does this particular reputation risk require a specific (nuanced) response or action that will resonate with the affected – complaining parties?, and, if so, can a response be fashioned to de-escalate further adverse rhetoric that exacerbates the (reputation) risk?
No single best strategy…
Experientially, I am hard pressed to suggest there is a single ‘best’ strategy that delivers answers to these (and myriad other) questions to consistently mitigate the asymmetric elements of reputation risk events due in large part o their distinctive origins and often company specific motivation, therefore any presumption there is a ‘one size fits all’ approach is poor strategy.
I do believe however, the most effective foundation to induce a recuperative path to a materialized reputation risk starts with having an…
objective, experienced, forward looking, ‘speak truth to power’, and rapid assessment and response mechanisms in place that fit a variety of scenarios, each with the potential to adversely affect a company’s primary sources of value, revenue, and/or market-sector competitive advantages!
Too, it is here that an intangible asset strategist and risk specialist should be close at hand. After all, effectively preventing or mitigating reputation risk cannot and should not be left exclusively to a counter campaign mounted by a public relations unit which has morphed into reputation risk.
A percentage of company’s that become embroiled in a reputation risk event will find a useful starting point to embarking on a mitigation and recovery strategy, or preferably resolve the risk in its early stages would be well advised to have a clear understanding that their company’s reputation is often comprised of – embedded with multiple and collaborative intangible assets that produce revenue generating competitive advantages which warrant safeguarding.
Not all reputation risks rise to a level of…
Insofar as developing a sound reputation risk resilience plan, it’s necessary to recognize, not all materialized (reputation) risks rise to a level in which life, death, or serious injury to consumers – users will occur, are imminent, or that, for publicly traded firms, stock price and market share will irreversibly decline. Some reputation risk events emerge initially as merely verbal expressions of displeasure regarding a specific company product or service. often on a social media platform. However, one need not look further, and I am not so sure this is a particularly distinctive example when derogatory expressions attributed to the former owner of the NBA’s Los Angeles Clippers’ made toward Clipper players themselves to witness the obvious and initial harm and financial damage which discipated quite rapidly following the teams’ purchase by Steve Balmer. In other words, while the former Clipper owners’ remarks were vile and racist by any standard, there is no particular reason to believe there will be permanency, due in part to the new NBA Commissioners’ prompt and substantial action.
On the other hand, some risk events may appear almost irrelevant insofar as the potential to adversely affect a company’s reputation, at least initially, because initial assessments find no compelling reason to manufacture an immediate response. However objective monitoring of such circumstances, with few exceptions, should always be monitored for a period of time. Absent monitoring, circumstances can quickly escalate by finding a receptive audience and rapidly encompass large blocks of consumers, stakeholders, and social media platforms in ways that indeed cast disfavor and suspicion on a company’s reputation.
Going inside a c-suite, Craig’s List example…
While I have absolutely no firsthand knowledge, I do believe it’s instructive never-the-less, to speculatively examine, in sort of a case study context, the decision that occurred in September, 2010 by Craig’s List and its ‘adult services’ section. Initially my thoughts were, this clearly falls into the proverbial ‘no-brainer’ category, or does it?
Again, I pretend to have no insider perspective on this matter, but I am confident there were numerous meetings/discussions in the months preceding the September, 2010 decision as their ‘adult services section’ was emerging as a genuine reputation risk. I fully suspect, the company’s decision making hierarchy were debating the larger question…’what should we do about our adult services section’, e.g., do we…
- retain the adult services section as is, and try to muscle through the current backlash, law suits, and reputational risks?
- retain the adult services section, but tone it down through monitoring and imposition of less provocative parameters, or
- jettison the entire adult services section immediately, which presumably would remove the accelerant that are influencing the rising levels of reputation risk?
I am confident these and variants of these questions were duly debated among legal counsel, public/media relation providers, reputation risk specialists, and financial advisors each offering their perspectives and prognostications about the outcomes of various courses of action being considered.
The fly on the wall…
Unable to be the proverbial ‘fly on the wall’ to actually witness first hand, these discussions, I’m thinking it’s not rocket science to assume the consensus reached in most of the early meetings, at least up to the September 4th decision to suspend the adult services section, were variously influenced by the economic fact – business reality that Craig’s List adult service section was a consistent revenue generator to the tune, it’s been reported, of $37+ million per year.
Too, I am equally confident that during some of the initial discussions among Craig’s List managerial hierarchy, when the ’what should we do about the adult services section’ question arose, there was at least periodic consensus to ‘ride this risk out’ for as long as was prudent. I presume the speed, depth, and breadth of the adverse reactions to the adult services section issue were being thoughtfully and thoroughly assessed. Of course, if that were true, I would be inclined to interpret it as…
….unless and/or until the adverse public reaction rises to some, perhaps pre-determined level, e.g. 15+ state’s attorney general’s filing civil actions and going public with their admonitions, only then would the remaining option of closing down the adult services section be considered prudent and ultimately executed.
Reputation risk management 101 vs. graduate level…
Should such speculation be reasonably close to correct, which I suspect it is, I would be further inclined to characterize Craig’s List response in the context of ‘no decision is a decision’. Ultimately, the situation Craig’s List soon found themselves in, was, pure and simple, ‘company reputation risk management 101‘ versus a graduate or Ph.D level it could have been.
Reputation risk intelligent company culture…
Of course, we must not overlook the reality that if such (adult) services were not in demand, particularly in a semi-anonymous web-based format, ala Craig’s List, it’s likely, from a business perspective, Craig’s List would have made the decision to discontinue that particular offering at the initial hint of problems (i.e., reputation risk) on the horizon or revenues being generated were insufficient to justify its continuation.
If that were the case, it’s likely Craig’s List could have leveraged their decision (to discontinue their adult services section) in a manner that would allow them to reap strategic accolades from their stakeholders and consumers versus being on the receiving end of civil actions from a growing list of detractors, special interest groups, and politicians. Bad timing on the part of Craig’s List, perhaps, but, it’s a good business reason to invest in a ‘reputation risk intelligent company culture’!
21st century version of a ‘wake up’ call…
Reputation glitches, such as the one Craig’s List experienced, duly represent 21st century versions of ‘wake-up calls’ for management teams, c-suites, and boards to closely and objectively examine and monitor how or whether their company culture is…
- attuned to and observant of reputational risk.
- genuinely reflects the company’s public behavior, and
- consistently meets the expectations of its customers, consumers, stakeholders, and clients?
This post was inspired by a paper produced by Deloitte titled ‘The People Side Of Risk Intelligence: Aligning Talent And Risk Management.
As always, reader comments and perspectives are welcome at email@example.com