Archive for 'Communicating Risk'

Sewing Intangibles of Fear, Uncertainty, and Doubt

August 8th, 2016. Published under Communicating Risk, Intangible asset strategy.

Michael D. Moberly August 8, 2016 ‘A blog intersecting intangible assets and business’!

As noted in previous posts, fear, uncertainty, and doubt (FUD) are intangible assets (or liabilities) depending on who the recipient(s) may be, the content-context of what’s being conveyed, the motive – intent of the individual, movement, or organization conveying FUD, and how it may influence and/or manifest as actions – reactions from/by those being targeted and receptive to the message.

It’s important to recognize that when an individual(s) achieves or assumes some type of leadership – spokesperson role that includes having a platform, exploiting – intensifying (current, future) fears, uncertainties, and doubts beyond the realities can influence – motivate the receptive to supportively band together.

A seemingly frequent outcome with purveyors of FUD is that the listeners (observers, recipients, targets) to such pronouncements will acquire a sense of connection to those proselytizing and, at some point, will become regressively disillusioned to the point of wholly disregarding-dismissing alternative facts, reason, context, and reality in favor of the broad, over-dramatized generalizations and half-truths being espoused.

One can routinely observe FUD principles or carefully contrived variations exploitatively woven into media advertisements as underliers to introducing and selling a large percentage of (new) products and services in ways that appeal to – accommodate – address broad numbers of prospective buyers’ – clients’ circumstances, needs, aspirations, or frustrations with the status quo. Numerous researchers attribute such receptivity to the notion that fear, uncertainty, and doubt are grammatically and visually easy to convey.

Too, in many contexts, well scripted presentations (advertisements) that incorporate timely, relevant, and specific elements of FUD can influence receptive parties to assume there are relatively quick and simple (single) fixes. In other words, if x is purchased and deployed (generalization) one’s problems and/or frustrations, at least how they are perceived, will be substantially reduced, if not go away altogether. Of course, that seldom happens in full.

Lethal Autonomous Weapons Systems’ Intangibles

May 5th, 2016. Published under Communicating Risk, cyber warfare.

Michael D. Moberly April 5, 2016 ‘A blog where attention span really matters’!

Lethal autonomous weapons systems (LAWS) represent, in my judgment, an inevitable, but, as yet, incomplete class of weapons embedded with capabilities to independently select and engage targets (adversaries) without human (operator) assessment and/or interventional oversight.

LAWS are unlike existing (conventional) pilotless drone ‘aircraft’ in the sense they are – will be largely, if not wholly, autonomous. In other words, as I have come to understand LAWS, once deployed in various manifestations, they can surveil, assess, and execute in a wholly independent manner presumably with internal assessment and decisional guidance wrapped in AI (artificial intelligence) software.

The development and introduction of remotely piloted – controlled drones for operation in theaters of combat, counter-insurgency and counter-terrorism, and for surveillance and intelligence gathering, serve as real time hedges favoring expansion of risk averse strategies, particularly regarding human life. Obviously, drones deployed in war fighting circumstances can deliver devastating munitions to specified adversaries – targets with the aid of satellite and global positioning systems, but only at the direction of their human operators and overseers, thus mitigating the risk associated with the requisite for ‘boots on the ground’.

Presumably LAWS, on the other hand, will be designed – programmed with capabilities to identify, assess, and self-authorize target engagement, i.e., seek, find, distinguish, select, and engage targets absent human intervention or oversight, à la simultaneous introduction of infinite numbers of ‘Jason Bournes’ to a conflict theater. LAWS could presumably function (also) as ‘defensive’ weapons, i.e., as a theater interceptor – destroyer of an adversary’s incoming munitions to supplant human reaction times.

Aside from the autonomy and independence of such weapons systems, their development and use is presumably intended to mitigate – favorably affect humans’ – societies’ intangible senses – perceptions of risk, fear, and safety, while simultaneously serving as formidable strategic deterrents, each being an intangible. To be sure, adversaries and allies alike are aggressively pursuing comparable-competing LAW war fighting capabilities, the theater functionality of which may be more-less effective, at which time the aforementioned intangible (asset) senses will likely change accordingly.

This post was inspired by the writings of Heather M. Roff, particularly an article published in Slate Magazine (online) dated April 7, 2016, titled ‘Killer Robots on the Battlefield: The Danger of Using a War of Attrition Strategy with Autonomous Weapons’ in advance of her testimony at the U.N.’s, April 11, 2016 ‘Convention on Certain Conventional Weapons’ in Geneva.

Vietnam War and Combat Intangible Frustrations

March 4th, 2016. Published under Communicating Risk.

Michael D. Moberly March 4, 2016 ‘A blog where attention span really matters’!

“Those who fail to learn from history are doomed to repeat it”, a quote widely attributed to Sir Winston Churchill, variously confirms a range of frustrations shared by many Vietnam War combat veterans with respect to how the wars in Iraq and Afghanistan were prosecuted.

In the U.S., we have come to assume any war, particularly those post-WWII, breeds proponents and opponents with the differences frequently arising from nuanced social, political, moral, and even national security arguments, that eventually, but inevitably, morph as untoward revelations about a war’s underlying rationale and prosecution, which, in turn, give rise to doubts, questions, frustrations, and public weariness, e.g.,

• what are the ‘knowns and unknowns’, i.e., foreseen and unforeseen tradeoffs and consequences?

• is the war being prosecuted as effectively (tactically, strategically) as it should and with sufficient translucency?

• what means exist for regularly measuring the war’s status, i.e., are specific political-moral-military-national security objectives being met?

To be sure, frustrations…evolve, repeatedly evidenced when tactical, strategic, and/or policy misjudgments and misdiagnoses occur, all too often marked by an absence of ‘lessons learned’ from numerous prior comparables, i.e., the Vietnam War vis-à-vis the Afghanistan and Iraq wars.

It is with confidence that I say, had any military war planner – tactician asked any Vietnam War (ground) combat veteran, prior to deploying large numbers of U.S. troops to Afghanistan and Iraq, to describe risks-threats for which it would be prudent to train and prepare combat troops in advance, their responses would likely revolve around…

• there will be more sophisticated versions of ‘booby-traps’ of all types, the former a term/phrase ludicrously modified to IEDs (improvised explosive devices), and ‘suicide bombers’.

• any prospect of ‘winning hearts and minds’ of independently indigenous (religious) sects-cultures marked by thousand year histories of conflict will be long, risky, and costly, and will very likely produce a disappointing outcome.

• the wars in general, and fighting specifically, (in Iraq, Afghanistan) will occur with 360-degree asymmetry, and 24/7 spontaneity.

• recognition that a primary, perhaps the primary, difference insofar as combat in Iraq and Afghanistan compared to Vietnam, is terrain!

• training indigenous personnel for ‘standalone’ defense of their region – country will be challenging, time consuming, and costly, and will probably never produce a fully desirable outcome; lackluster performance of indigenous military will collectively translate to a politically and socially unsustainable willingness to continue indefinitely.

• mitigating – countering the influx and actions of religiously indoctrinated – self-described insurgents will be challenging and achieve only sporadic territorial gains which can be quickly undermined – lost when troops are withdrawn.

It seems apropos then, to revisit the aforementioned quote attributed to Mr. Churchill, i.e., “those who fail to learn from history are doomed to repeat it”. It’s quite possible Mr. Churchill’s quote was co-opted by the U.S. military and re-phrased to ameliorate the persistence of more recent tragedies as ‘lessons learned’. One example is the April, 1996 plane (Boeing 737) crash in Croatia that killed then Secretary of Commerce Ron Brown and 34 other American aides and business persons accompanying the Secretary on a trade mission. Following this incident, the U.S. Air Force, primarily, compiled a 7,700-page document titled ‘lessons learned’.

One of the most significant takeaways from that document, in my judgment, was the fact that numerous civilian and military pilots had personal and recent knowledge of the risks and challenges associated with negotiating the runway – a landing at the same Croatian airport. Such reports, conveyed over a period of time prior to the crash of Secretary Brown’s plane, were probably at echelons well below what would be required to produce change. As the report admits, most, if not all of the relevant concerns went un-asked, until that is, the Secretary’s plane crashed, upon which it became ‘time to ask’.

Mr. Moberly is an intangible asset strategist and risk specialist and author of ‘Safeguarding Intangible Assets’ published by Elsevier in 2014, m.moberly@kpstrat.com View Mr. Moberly’s videos on YouTube at ‘Safeguarding Intangible Assets’.

Reporting Intangible Assets

January 21st, 2016. Published under Board oversight, Communicating Risk, Fiduciary Responsibility.

Michael D. Moberly   January 21, 2016 ‘A business blog where attention span really matters’!

Whenever and wherever there is institutionalized indifference about the treatment of IA’s (intangible assets) at the hands of organization-company boards, management teams, legal, security, marketing, and accounting, etc., there will be a comparable stifling of curiosity for pursuing the actual contributory role and value of IA’s apart from the growing fiduciary responsibility to engage IA’s beyond the singular catchall of goodwill as described in Stone v. Ritter, 911 A.2d 362 (Del. Supr. 2006).

Yes, it remains quite true, IA’s are seldom, if ever, reported on company balance sheets or financial statements, a reality which I suspect will change in the not too distant future. In large part, the change away from (IA) indifference and dismissiveness to acknowledgment and engagement will be influenced (also) by necessity, e.g.,…

  • to provide more complete portraits of organization value, competitiveness, sustainability, and performance.
  • otherwise, organizations will be left unnecessarily holding far too many unknowns, uncertainties, and risks.

Not being trained in organizational psychology per se, it would be a reach to state with absolute certainty why, how, or the depth of (organization) ‘IA deniers’. As an intangible asset strategist and risk specialist, experience rather clearly suggests however, that the rigid inflexibility I encounter with ‘IA deniers’ will be challenged as IA intensive – dependent organizations become the norm, coupled with the managerial requisite for…

  • making consistently effective decisions whenever, wherever, and however IA’s are in play, which complements organizations’ interest in attracting go fast, go hard, go global management teams.

Mr. Moberly is an intangible asset strategist and risk specialist and author of ‘Safeguarding Intangible Assets’ published by Elsevier in 2014, m.moberly@kpstrat.com View Mr. Moberly’s videos on YouTube at ‘safeguarding intangible assets’ or his CNN and CNBC videos at his webpage http://kpstrat.com

Intangible Asset Strategist – Risk Specialist

December 29th, 2015. Published under 'Safeguarding Intangible Assets', Communicating Risk, Company culture and reputation.

Michael D. Moberly December 29, 2015   ‘A business blog where attention span really matters’.  

I begin with the principle that decision makers, management teams, boards, and strategic planners have a (fiduciary) responsibility to consistently ensure their organization is positioned to provide the necessary stewardship, oversight, and management of the various IA’s (intangible assets) an organization has in play. This includes capabilities to…

  • identify, unravel, cultivate, bundle, utilize, and extract as much value and competitive advantage as possible from its IA’s.
  • monitor, inhibit, and/or mitigate risks to those assets which, if materialized, would undermine (asset) contributory – collaborative value, competitiveness, and materiality.
  • sustain control, use, and ownership of the assets throughout their respective value cycle.

Absent these operational capabilities to execute at will, organizations are placing the value, competitive advantages, and revenue their IA’s produce at risk of irreversible undermining, erosion, or going to zero! In these circumstances, the value proposition which an IA strategist and risk specialist (consultant) can deliver includes…

  1. Providing guidance/strategies as needed, for extracting value, delivering competitive advantages, and measuring IA performance.
  2. Adding predictability to business transaction outcomes, projected returns, and exit strategies when-where IA’s are in play.
  3. Assessing asset stability, defensibility, and fragility in both pre and post transaction contexts.
  4. Conducting IA due diligence designed to sustain competitive advantages and fully exploit asset synergies, efficiencies, and contributory value.
  5. Reducing the probability that project-transaction momentum can be stifled, by recognizing and mitigating circumstances that can ensnare and/or entangle IA’s in play in costly and time consuming legal challenges that undermine/erode asset value and performance and adversely affect reputation ‘risk points’.
  6. Bringing clarity to IA ‘suitability’ factors, i.e., recognition, valuation, separability, transferability, life cycle, and risk.
  7. Introducing valuation and reporting of IA’s and integrating same in asset development, organization governance, and new initiatives.
  8. Designing organizational resilience (continuity, contingency) plans that fully encompass essential IA’s to provide rapid recovery following significant business disruptions, disasters, or other risk materialization.
  9. Monitoring IA value chains, i.e., the inter-connectedness between the production, acquisition, and utilization of IA’s vis-a-vis their contributory-collaborative value, revenue and competitive advantage generation.
  10. Building a ‘company culture’ that’s aligned – converges with an organization’s IA’s, i.e., mission, objectives, and strategic plan.

Intangible Asset Risk Assessments: Qualitative vs. Quantitative

February 27th, 2014. Published under Communicating Risk, Due Diligence and Risk Assessments, Enterprise risk management.

 Michael D. Moberly    February 27, 2014   ‘A blog where attention span really matters’.

As most readers of this blog recognize, generally through their personal – professional experiences, assessment and management of (company) risk has indeed become increasingly complex and multi-faceted, particularly as we endeavor to guide our companies and/or clients through the respective operational, audit, compliance, and budgeting obstacle course.

Throughout this so-called obstacle course, it is likely we will become inclined, at some point, to justify most, if not all of the factors used to assign a reasonably correct ‘risk rating’ to the various business units within our company or that of our clients.

But, and probably rightfully so, more company decision makers are requiring quantitative (data) driven findings to support a particular risk rating. So, no longer can security – risk management practitioners find comfort by focusing their attention almost exclusively on the rather archaic latest zero-day risk materialization or exploitation events. To be sure, that landscape has changed so significantly that we must assume greater responsibilities.

So, in the security, asset protection, and risk-threat assessment and management arena, presenting a risk-threat rating that is simply or solely based on numbers may not result in the best (risk, threat) analysis that we are seeking. Thus, to get closer to arriving at a more accurate understanding of the actual risk-threat level necessary for business strategic planning and decision making, it’s necessary to introduce and factor multiple elements into the risk-threat analysis equation.

Thus, as we more routinely adopt a more inclusive and/or multi-dimensional view toward assessing risks and threats, additional complexity will likely be one outcome, e.g., quantitative and qualitative forms of measurement.

Quantitative risk-threat assessment…

Quantitative risk assessment surfaces as we develop the ability to assign a (specific) dollar amount/value to a specific risk or threat should it materialize. As an example, let’s apply quantitative risk assessment to a healthcare institution.

For simplicity, there are 1,000 confidential patient records and data that reside in a single database. This particular database is directly accessible by a web server which resides in a semi-trusted environment. That, of course, constitutes a vulnerability (risk) in itself, and any compromise of the method in which the web server communicates with the database would likely result in the exposure (compromise) of all 1,000 patient records holding confidential data as conveyed by HIPAA (Health Insurance Portability and Accountability Act).

Too, for discussion sake, and to add further complexity, during a recent ‘business impact analysis’ or BIA, it was found that the replacement cost for each compromised patient record would be $30. This cost includes (a.) contacting each patient to inform them of the compromise, (b.) changing each patient’s account numbers, and (c.) printing new health cards.

From this, one can easily determine that the maximum quantitative loss associated with a full compromise of that system is conservatively estimated at $30,000, excluding of course, the inevitable litigation. No doubt, as readers already surmise, there is more to consider. But does quantitative risk always have to ‘map out’ the money (loss or cost) aspects associated with materialized risks-threats? Probably not, because in many instances controls are automated with internally consistent and repeatable numbers being generated that can be used to create an alert dashboard or report directed to business unit managers when breaches or other adverse events occur.

Qualitative risk-threat assessment

Qualitative risk-threat assessment, on the other hand takes a different form. To demonstrate qualitative risk-threat assessment it is important to introduce additional factors, i.e., threat-risk vectors into the above example.

The first is, we learn that the patient database that previously held 1,000 records will now hold 10,000 records, possibly rising to 500,000 patient records. We also learn that (a.) multiple groups and/or business units within the healthcare institution will have access, and (b.) the capability to modify patient records, and (c.) the database/system will now come under the control of a different unit, i.e., the company’s Operations Group.

Obviously, substantive changes like this elevate – bring additional complexity to the risk-threat assessment we are endeavoring to calculate. To add yet another layer of complexity to our risk-threat analysis, we are informed by the audit unit that the data in the database is (d.) neither encrypted in transit to the web server nor at rest on the database. The coup de grace follows with the audit unit giving exactly ninety days to document and remediate this adverse set of circumstances, i.e., risks, threats, vulnerabilities, because, as it stands, this healthcare institution’s IT system is not in compliance with HIPAA. Collectively, the additional factors serve to expand the risk-threat equation.

Now that these vulnerabilities (risks, threats) are known to exist relative to the institution’s IT system, the next steps involve (a.) linking costs to any actual compromise, i.e., the materialization of a risk-threat or vulnerability being exploited, and also determining (b.) the probability that a specific or possibly multiple vulnerabilities that have been identified will be discovered and adversely exploited by bad actors, or (c.) a single vulnerability materializing and cascading throughout the IT system.

Assessment process…

The assessment process commences by examining the cost(s) associated with potential compromises, as (a.) single acts, (b.) as multiple acts occurring simultaneously, and (c.) the potential for adverse cascading effects throughout the institution, well beyond perhaps the IT system itself.

Because we now know there may be in excess of 500,000 confidential patient records stored on the database, it’s often prudent to consider – factor absolute worst-case scenarios, i.e.,

500,000 records X $30 remediation cost per record = $15 million.

In most any company’s perspective, the possibility of $15 million being ‘at risk’ is significant. One problem associated with relying solely on this formula is that it is largely one-dimensional. In other words, just because a bank has $100 million in cash in its vault does not mean that the money could be easily stolen from the vault.

So, being prudent security – risk management professionals, we must have another way in which to assign a particular level of risk to a particular vulnerability, one that fully considers multiple (known) risk factors, not just one, and does not leave out the possibility that multiple risks could materialize in some manner of sequence and cascade. Such added (risk-threat-vulnerability) complexities should prompt practitioners to re-visit qualitative risk ratings.

One reason is because many companies, organizations, and institutions learn there is a necessity to have multiple, perhaps three to five qualitative risk levels which may be addressed in relatively simple, but in my view, ambiguous terms like low, medium and high.
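The healthcare example above can be worked through in a few lines of Python. This is an added example, not part of the original post: the $30 per-record cost and the record counts come from the post, while the factor weights, the dollar thresholds, and the 3x3 likelihood-impact matrix are assumptions chosen only to show how a one-dimensional dollar figure and a multi-factor qualitative rating combine.

```python
"""Worst-case exposure and a qualitative rating for the patient-database example."""

COST_PER_RECORD_USD = 30  # per-record remediation cost from the post's BIA

# Risk factors named in the post. The weights are ASSUMED for illustration.
FACTOR_WEIGHTS = {
    "web_server_in_semi_trusted_zone": 2,
    "multiple_units_have_access": 1,
    "multiple_units_can_modify": 1,
    "control_moved_to_operations_group": 1,
    "unencrypted_in_transit": 2,
    "unencrypted_at_rest": 2,
}

# (likelihood, impact) -> overall rating. ASSUMED matrix using the
# low / medium / high levels the post mentions.
RISK_MATRIX = {
    ("low", "low"): "low",
    ("low", "medium"): "low",
    ("low", "high"): "medium",
    ("medium", "low"): "low",
    ("medium", "medium"): "medium",
    ("medium", "high"): "high",
    ("high", "low"): "medium",
    ("high", "medium"): "high",
    ("high", "high"): "high",
}


def max_loss(records, cost_per_record=COST_PER_RECORD_USD):
    """Quantitative view: worst case is every record compromised."""
    if records < 0 or cost_per_record < 0:
        raise ValueError("records and cost must be non-negative")
    return records * cost_per_record


def impact_level(loss_usd):
    """Map a dollar loss to a level (thresholds are ASSUMED)."""
    if loss_usd < 100_000:
        return "low"
    if loss_usd < 1_000_000:
        return "medium"
    return "high"


def likelihood_level(factors):
    """Qualitative view: more known weaknesses means higher likelihood."""
    present = set(factors)
    unknown = present - set(FACTOR_WEIGHTS)
    if unknown:
        raise ValueError(f"unknown risk factors: {sorted(unknown)}")
    score = sum(FACTOR_WEIGHTS[name] for name in present)
    if score <= 2:
        return "low"
    if score <= 5:
        return "medium"
    return "high"


def assess(records, factors):
    """Combine both views so neither the dollars nor the factors stand alone."""
    loss = max_loss(records)
    likelihood = likelihood_level(factors)
    impact = impact_level(loss)
    return {
        "max_loss_usd": loss,
        "likelihood": likelihood,
        "impact": impact,
        "rating": RISK_MATRIX[(likelihood, impact)],
    }


if __name__ == "__main__":
    scenarios = {
        "original (1,000 records)": (1_000, {"web_server_in_semi_trusted_zone"}),
        "expanded (10,000 records)": (10_000, set(FACTOR_WEIGHTS)),
        "worst case (500,000 records)": (500_000, set(FACTOR_WEIGHTS)),
        # The 'bank vault' case: large value at stake, no known weaknesses.
        "500,000 records, all factors remediated": (500_000, set()),
    }
    for name, (records, factors) in scenarios.items():
        print(name, assess(records, factors))
```

The last scenario is the bank-vault point in the post: $15 million is still at stake, but with no known weaknesses the combined rating drops from high to medium.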

Sources for quantitative and qualitative data…

Based on my own experiences, I, and many other security – risk management professionals, acquire information and insight related to quantifying probabilities for risk-threat materialization from such sources as (a.) penetration tests, and (b.) vulnerability scanners.

Generally, these sources produce good and relevant information, but it’s important to acknowledge that it may be far from delivering the necessary complete risk-threat-vulnerability picture because either can, and frequently does, change rapidly and routinely. Consequently, in addition to conventional risk-threat-vulnerability assessments, each must be routinely monitored for the inevitable changes. A critical part of this is internal, that is, information about the activities of legitimate and authorized users of the IT systems, i.e., such things as where do they go, what do they do, what do they click on, etc.

Welcome inspiration for this post is gratefully attributed to Stephen Sims of the SANS Institute.

  

Reputation Risk…The Most Difficult Risk For Companies To Manage! Part II

February 5th, 2014. Published under Communicating Risk, Reputation risk.

Michael D. Moberly    February 5, 2014   ‘A blog where attention span really matters’!

The ACE Group’s 2013 Survey of Reputation Risk…

For readers who may be unfamiliar with The ACE Group, it purports to be one of the world’s largest multiline property and casualty insurers for a diverse clientele with operations in 54 countries. In reviewing its 2013 report (survey) ‘Reputation at Risk’ authored by Andrew Kendrick, President, ACE’s European Group, there are some revealing findings that broaden current thinking regarding reputation risk. So much so that business decision makers globally would be well served, at minimum, to read this entry, but also to read ACE’s entire report.

Admittedly, I am a little unsure just how surprised I should be about ACE’s survey findings that merely one in five companies reported they are very effective at measuring external perceptions about their company.  My absence of surprise emanates from the reality that I have yet to meet a marketing practitioner or buyer, for that matter, in any business sector, who does not purport to possess a fairly high level of insight into their consumer base, i.e., likes, dislikes, preferences, etc., but actually (objectively) measuring and translating those insights into clarity about external perceptions, seems to fall somewhat short.  Obviously, marketing practitioners and buyers are likely to have little, if any, operational familiarity with company reputation risk or its management.

Need for measuring external perceptions…

For most of us working in this arena, we stipulate that measurement of external perceptions, i.e., reputation, can be challenging to get right. Perhaps most of all, ‘getting it right’ is certainly not impossible, but it does require…

  • an enterprise wide commitment, and
  • not being considered sufficient if it is merely a ‘snapshot-in-time’ description.

Companies today are obliged to engage in more frequent dialogue with external stakeholders to genuinely understand and assess their views and then…

  • regularly monitor and (re-)evaluate their external environment as methodically as possible to identify reputational risks and/or threats that may be emerging – are on the horizon, and
  • assess, if they materialize, the various ways they may adversely affect – jeopardize external relationships.

Some companies assume operational risks and reputation risks are synonymous…

While anecdotally, there is increasing evidence that some companies are treating reputational risk with the importance it deserves, a large percentage of companies are doing little, if anything of substance in this arena.  Regarding the latter, the reasons are varied but generally originate from two rationales, i.e., reputation risk management…

  • appears as being somewhat of a frontier concept which company decision makers are reluctant – reticent to develop the necessary safeguards, and also
  • some companies have not developed or integrated relevant process – practices to effectively address ‘their’ reputation risk challenges, thus, it is seldom an action – discussion item in c-suites, in boardrooms, or among management teams to move it forward, and still
  • some companies appear determined to argue that no special measures are necessary to safeguard or manage a company’s reputation, because, they assume, reputational risks are merely the outcome or product of materialized operational risks, and since operational risk is already being managed, they must have reputational risk covered as well.

Neither stance is persuasive, and certainly neither is defensible from the point of view of directors’ fiduciary duties to shareholders to protect (and grow) the assets of the company (not to mention other duties increasingly being introduced to take account of other stakeholders’ agendas). Inaction by directors could eventually land them in hot water in terms of personal liability, but we should not see the reputational risk agenda as one simply of threat and downside. There are many positive reasons for taking steps to master this difficult challenge.

Increased prevalence of reputation risk…

Few could argue successfully in my view that increases in the prevalence of materialized reputational risks…

  • is variously linked to an elevated intensity of public scrutiny of company behavior and expectations, along with the rising importance of corporate sustainability,
  • which have placed more emphasis on companies to demonstrate strong (business, operational) ethics and thus, changed stakeholder expectations in terms of how companies should be behaving.

But neither can companies afford to ignore the demands of those who are not shareholders, if a company is publicly held; instead, they must balance the needs of a broad range of stakeholders, including the public, their employees and the communities in which they operate. Doing so creates a surer path to effectively safeguarding a company’s reputation. More specifically, as Warren Buffett is reported to have said, ‘we must continue to measure every act against not only what is legal, but also, what we would be happy to have written about it on the front page of a national newspaper.’

Underestimating reputation risk challenges…

Of course, I agree with ACE’s findings that (many) companies, and their management teams, underestimate the challenges associated with reputation risks, and their management.

Interestingly though, almost four in ten respondents to the ACE survey also report their companies have confidence in their ability to address and recover from a ‘crisis’ à la crisis management, with 32% believing they are very effective at restoring reputation following the materialization of a risk event. Admittedly, I am skeptical about merging or assuming crisis management and reputation risk management are necessarily synonymous.

Most company management teams recognize, however, that the time companies now have to respond to the potentially adverse impact of an event, be it a reputation risk that has materialized or some other form of crisis, should no longer be factored in weeks and months, but instead in hours and minutes, thanks in large part to the globally instantaneous functionality of expanding numbers of social media platforms. One outcome of this particular reputation risk phenomenon is that fewer companies have the luxury of a second chance!

Quite understandably then, further findings of ACE’s survey suggest that companies may actually be underestimating the speed at which reputation risks can materialize and cascade, in other words, the various and multiple challenges associated with a crisis in what appears to be a ‘faster than real time’ context.

A reputation risk insurance perspective…

On the other hand, from an insurance perspective, two-thirds of ACE’s survey respondents feel inadequately covered for reputational risk. So, one can presume the respondents distinguished ‘crisis management’ from ‘reputation risk management’.

Broadly, survey findings indicate the insurance side has a potentially valuable role insofar as helping companies manage the more traditional – conventional types of risks more effectively initially, which can mitigate/reduce damages incurred by reputational risks by applying a ‘reputational risk lens’ which allows parties to more clearly recognize any (potentially adverse) external perspectives which are integral to a company’s reputation.

There is a lot at stake for companies…

‘Caught in the headlights’ may be an appropriate descriptor for a substantial number of companies, insofar as recognizing the speed and adverse realities of being the target of materialized reputational risks.  Many, if not most of my reputation risk management colleagues agree that balancing speed of recognition coupled with agility in terms of having multiple response options at the ready.

There is no question that reputation is now critical, more than ever, to the long-term financial and competitive advantage health of any company.

Materialized reputation risks can produce severe financial consequences…

It should be quite obvious by now that a materialized reputational risk can have severe, long-term, and in a percentage of instances, irreversible financial consequences for a company, e.g.,

  • adverse media attention, such as a product recall or major accident, can rapidly cascade and lead to lost sales, which affects a company’s liquidity.
  • investors and banks may become uneasy and withdraw or limit a company’s access to capital which places additional strains on balance sheets, and with
  • current and future revenue streams being more dependent on a company’s reputation, which is also a source of competitive advantage, it can become even more challenging to rebuild brands and restore stakeholder confidence.

Examples of company reputation quickly evaporating…

Arthur Andersen Company is a good example.  Its demise in 2002, most agree, is attributed to irreparable reputational damage following terrible publicity the company received related to the Enron scandal. More recently, BP incurred significant reputation damage relative to its association with the Deepwater Horizon explosion in the Gulf of Mexico in 2010.

Of course, there are countless other examples, but the corollary of this is that companies with strong reputations should become beneficiaries of others’ (competitors’ in some instances) misfortunes in terms of elevating share price performance and stakeholder – customer trust. Some suggest that a positive and resilient reputation helps companies to deal more effectively with future crisis – reputation risk events, should they occur, because it creates a reserve of goodwill, referred to many times here as ‘reputation capital or equity’, that can help the business to better endure and survive future adverse (reputation risk) events.

Effective reputational risk management is not just about responding well to so-called crisis events. In addition, it is about safeguarding, building, and routinely monitoring reputation.

(A special thanks to Andrew Kendrick, President, ACE European Group, 2013 ‘Reputation at Risk’ Report for inspiring this post.)

Reputation Risk…The Most Difficult Risk For Companies To Manage! Part I

February 4th, 2014. Published under Communicating Risk, Reputation risk. No Comments.

Michael D. Moberly    February 4, 2014   ‘A blog where attention span really matters’!

The ACE Group’s 2013 Survey of Reputation Risk…

For readers who may be unfamiliar with The ACE Group, it purports to be one of the world’s largest multiline property and casualty insurers for a diverse clientele with operations in 54 countries. In reviewing its 2013 report (survey) ‘Reputation at Risk’ authored by Andrew Kendrick, President, ACE’s European Group, there are some revealing findings that broaden current thinking regarding reputation risk. So much so that business decision makers globally would be well served, at minimum, to read this entry, but also to read ACE’s entire report.

As readers know, there is nothing particularly new about companies experiencing risks to their reputation.  Too, as readers recognize, seldom, if ever, have company reputation risk(s) been as pervasive and ‘rapid acting’ as they are today.  All one needs to do is execute a quick scan of business publications wherein there is no shortage of articles which draw attention to the extent of ‘reputation risk’ challenges. For example, financial institutions and internet retailers have faced scrutiny and censure for data breaches, supermarkets and food suppliers have faced their own challenges over food production sourcing and contamination; and clothing/apparel retailers have been brought to task regarding poor conditions at outsourced manufacturing sites.

There’s certainly no argument here that a company’s reputation has become, for a variety of reasons, absolutely critical to its strategic financial and competitive advantage health. That applies to most any company, whether it’s a university-based spinoff, early stage startup, small-medium enterprise, small-medium multinational, or one of the proverbial Fortune ranked corporations.

Reputational risk is different to other risks. It is difficult to define, measure and therefore manage – a task made more complicated by uncertainty over who ‘owns’ the issue inside companies.

Getting their heads around the most difficult risk category…

Four out of five executives surveyed for ACE’s report stated they regard their company’s reputation as its most significant asset. Nothing particularly new here!  But, and, it’s a very big but, despite evidence there is a growing understanding and appreciation for materialized reputation risks and their adverse impact on companies, one of the major challenges survey respondents revealed is quite straightforward, that is, “getting  their head around” the asymmetric and otherwise intangible nature of reputation risk.  More specifically, nine in ten of the survey’s respondents reported that company reputation risk is ‘the most difficult risk category to manage’!

Also revealed in ACE’s report are the factors respondents believe contribute to today’s growing corporate reputational risk environment. ACE’s survey respondents expressed particular concern about the following trends that are influencing and elevating reputation risk levels, i.e.,

  • expanding global footprints and increasingly complex and risk laden supply chains.
  • increasingly dynamic and challenging regulatory environments in which compliance is now considered to be a core competence in many industries, and in which failure to manage regulatory change effectively will inevitably lead to serious reputational damage.
  • rapid company expansion into new markets and the challenges associated with maintaining consistent (ethical, business, product) practices and standards in a boundaryless transaction environment.

Areas that business executives worry about most…

The survey’s respondents reported that…

  • damage to customer relationships, and the
  • adverse financial impact of materialized reputational risk, i.e., loss of earnings, impact on share price, and competitive advantage.
  • the speed at which reputation risks can materialize and cascade throughout a company and its supply – value chain.
  • the reality that reputation risks can emerge from anywhere, at any time, and from any place within a company or along its stakeholder and/or supply chain which makes reputation risks more difficult to predict.

Areas which companies judge themselves to be the weakest regarding reputational risk…

Interestingly, and quite revealing, is the fact that respondents to ACE’s survey cited particular areas where companies judge themselves to be weakest at reputational risk management…

  • measuring external perceptions of the company.
  • quantifying the financial impact of reputational risk, and because reputation risk impact is more difficult to quantify, it frequently makes it less well understood compared to conventional – tangible risks and threats.
  • restoring company reputation after reputational risk incidents have materialized.
  • absence of effective counsel about how to manage reputational risk which elevates sense of uncertainty and confusion about how best to manage reputation risk.

Fewer than one-third of companies believe they are well prepared to address the above.

There are no singularly magic solutions, nor silver bullets to manage reputation risk…

While the ACE survey suggested insurance is not necessarily the panacea for the rapidly evolving and escalating challenges associated with company reputational risk, there are some things that insurers can do to collectively benefit their clients and mitigate, if not prevent, materialization of reputation risks. Some effective measures – steps that business decision makers and management teams should not merely consider, but actually execute, include…

  • do more to evaluate and systematically track the perceptions of primary (external) stakeholders, i.e., customers, media, adverse lobbying groups, and governmental regulators.
  • help these entities acquire true perspectives and insights into challenging trends and problems companies face.

Respectfully, ACE’s global experience conveys that better (company, client) preparation and routine testing of response plans, i.e., business contingency, continuity, and resilience planning lays important foundations for a faster, more effective, and genuine response when reputation risks materialize including reputation restoration in the current instantaneously global social media environment. Again, ACE’s research does not convey there are any easy solutions, particularly when it comes to quantifying the financial impact of materialized reputational risks.

However, as noted here numerous times, as more management teams and business leaders attach a ‘reputational risk lens’ to the myriad of risks being routinely encountered, companies can be better positioned to evaluate any reputational consequences relative to (a.) action, or (b.) inaction. And that, as readers know, is a truly significant advance. In other words, companies must get better at measuring and managing external perceptions. But, that said, ACE’s survey shows that only a quarter of companies are confident about how they evaluate the strength of stakeholder relationships, which we know form a very critical foundational component of reputational risk management.

(A special thanks to Andrew Kendrick, President, ACE European Group, 2013 ‘Reputation at Risk’ Report for inspiring this post.)

Communicating Risk By Clarifying Risk Appetite

January 27th, 2014. Published under Communicating Risk. No Comments.

Michael D. Moberly     January 27, 2014   ‘A blog where attention span really matters’.

Companies and organizations encounter – engage risk every day, even multiple times per day, certainly no debate on that issue. But, in my 25+ years of experience on the security – asset protection side of risk, I, like many of my colleagues, recognize business risk is perceived, defined, and addressed through a variety of lenses, often dependent on (a.) one’s professional discipline, and (b.) their company specific responsibilities and/or oversight of assets.

One point I wish to make at the outset is this: as an intangible asset strategist and risk specialist, when engaging clients, particularly new ones, and the subject of risks arises, it’s absolutely critical that I recognize and respect that just because key business unit and management team members are at the same table, seldom do their perceptions and targets of risk necessarily coincide, nor is consensus reached easily.

I attribute this circumstance in large part, to another reality, which is, a sizable number of management teams, c-suites, and boards, while they may generally know what intangible assets are, they (a.) variously remain operationally unfamiliar with the intangibles their company produces and utilizes, and (b.) have yet to feel compelled to achieve a higher level of operational familiarity to consistently engage their intangibles more effectively, competitively, and profitably.

Obviously, these realities present some challenges. One is that they can impair the accuracy of a company’s risk assessment even though, as noted above, intangible assets are quite literally integral to most every aspect of conducting business regardless of industry sector, company size, or maturity. Nevertheless, I endeavor to remain respectful of the various (business) risks management team members espouse through their diverse ‘lenses’. My initial objective is to respectfully guide management team members, c-suites, and boards to recognize that the ultimate targets of their company’s risks – threats are, with increasing consistency, intangible assets.

That is, for a substantial majority of companies globally, 80+% of their value, sources of revenue, and ‘building blocks’ for growth, sustainability, and profitability today lie in or directly emerge from intangible assets.  My experiential expression of this economic fact – business reality generally produces the necessary intellectual and business bridge and/or linkage to achieving sufficient consensus to move forward on communicating an enterprise wide risk management initiative.

Admittedly, the notion that, for most companies, the ultimate, if not primary, target of their risks – threats is their intangible assets may be new. Nevertheless, a significant percentage of economic – competitive advantage adversaries globally are really seeking a company’s intellectual, structural, and relationship capital, i.e., intangible assets. So, it is these intangibles that management teams are obliged to address and mitigate risks to, which starts by communicating (articulating) those risks, and putting in place practices, policies, and procedures designed to simultaneously sustain control, use, and ownership, and to monitor (the assets’) value, materiality, and risks – threats. That is, if their firm is to maintain its path of success, profitability, and competitive positioning.

But, insofar as most companies’ never-ending efforts to manage their risks are concerned, a fundamental question remains which warrants thoughtful attention, that is, how much risk, rightfully or wrongfully, do a company’s decision makers find acceptable as they pursue their company’s mission and objectives? In other words, what is their ‘appetite for risk’? Again, as an intangible asset strategist and risk specialist, correctly gauging a company management team’s appetite for risk is a responsibility I do not take lightly.

A complicating factor in answering the question lies in the reality that regulators, various oversight entities, and certainly stakeholders (and stockholders) are seeking, if not demanding, that companies develop better descriptions of, and refinements in, their risk management processes.

The Committee of Sponsoring Organizations of the Treadway Commission, or COSO, 2012 report titled ‘Enterprise Risk Management — Understanding and Communicating Risk Appetite’ suggests, in a related way, that communicating company risk should commence by…

  • understanding how much risk a company is willing to accept.
  • how should a company decide how much risk it is willing to accept?
  • to what extent should the risks which a company accepts mirror stakeholders’ objectives and attitudes towards risk, and
  • how does a company ensure that its business units are operating within the agreed upon boundaries which actually represent the company’s appetite for specific kinds of risk?

COSO defines ‘risk appetite’ as the amount of risk a company is willing to accept in pursuit of value. Each company pursues various objectives to add value and should recognize and understand the risk it is willing to undertake to achieve those objectives.

Accordingly, the COSO report’s authors suggest that answers to the above questions essentially embody and/or frame a company’s risk appetite. So, readers can assume then, that the foundation or starting point for developing and communicating a clearer understanding of a company’s risk appetite is determining…

  • which (business) objectives to pursue and which objectives should not be pursued, and
  • how to manage those objectives within the boundaries of a company’s agreed upon appetite for risk.

Admittedly, and unfortunately, some company management teams, c-suites, and boards, when asked, characterize ‘risk appetite’ as being an interesting theoretical discussion, probably better suited to a university lecture hall than a company’s conference room, probably more relevant to ‘risk management’ than ‘risk appetite’, and therefore not easily integrated into a company’s strategic planning or even its day-to-day decision making.

The COSO report’s authors, though, believe that discussions regarding risk appetite exceed the theoretical. This means, when effectively articulated, a company’s ‘risk appetite’ essentially provides guideposts and/or boundaries around the amount of risk a company should consider pursuing as part of, say, a new (business) project, initiative, R&D, or transaction. Therefore, presumably, a company which decides upon – accepts an aggressive appetite for (business) risk is more likely to set aggressive goals for itself, whereas a company that is (more) risk-averse, with a lower appetite for business risk, will likely set more conservative (business) goals and objectives.

Carried to the next logical level, readers can assume when a company’s visionaries and/or its decision makers consider or embark upon a particular business strategy, somewhere in that decision making process, preferably in advance of execution, there will be a determination as to whether the agreed upon strategy will actually align with and/or remain within the company’s risk appetite boundaries.  Again, when effectively communicated, a company’s ‘risk appetite’ can serve as a guide to management team members who are actually engaged in – responsible for setting the company’s goals and executing the necessary decisions to increase the probability those goals will be achieved and become sustainable relative to its operations and mission.

In other words, risk management decision making and compliance should not be executed as if  they were separate – distinct from strategic planning and daily decision making.  Rather both should be recognized as important components to a company’s culture, just as making decisions to attain a company’s (business) initiatives, projects, and objectives should be part of a company’s culture.

Again, as an initial step, most would agree, toward more fully embedding risk management in a company, its decision makers and management teams should know and reach consensus on how much risk is acceptable insofar as developing strategies to accomplish both company-wide and individual business unit objectives.

As a company and its management team actually begin to factor their risk appetite into their decision-making processes, they will become better positioned to (objectively) balance business risks with business opportunities.

For example, if a CEO expressed a need or desire to increase her company’s ‘risk appetite’ based on expectations that key aspects of its profitability were declining or would become stagnant, it’s quite likely…

  • if it were a financial services firm, by accepting a lower risk appetite, it may well choose to avoid opportunities that produce higher levels of risk while offering the possibility of higher returns, whereas
  • if it were a manufacturing firm that accepts a higher appetite for risk, it may be more inclined to engage an opportunity to procure natural resources from a volatile country where its investment could be lost, literally at the whim of that country’s political leader(s). Obviously, in this instance the rewards may be high, but the risks are high as well.

So, company decision makers are obliged, if not fiduciarily responsible, to consider their company’s risk appetite in unison with its goals and in selecting which operational tactics to pursue.

I am very grateful for the work/research produced by Dr. Larry Rittenberg, Ernst & Young Professor of Accounting, University of Wisconsin-Madison School of Business, and Frank Martens, Director, PricewaterhouseCoopers, in the development and writing of this blog post, and I encourage readers to read their COSO Report titled ‘Thought Leadership in ERM | Enterprise Risk Management — Understanding and Communicating Risk Appetite’.

Comments regarding my blog posts are encouraged and respected.  Should a reader elect to utilize all or a portion of my posts, full attribution is expected and appreciated. While visiting my blog readers are encouraged to browse other topics (posts) which may be relevant to their circumstance or business transaction.  I always welcome your inquiry at 314-440-3593 or m.moberly@kpstrat.com.