Entries tagged with “Reputation risk”.


Back in 2007, the 9/11 Commission established a number of recommendations for the public and private sector that would help both the government and private businesses be prepared for a disaster. Title IX of the Implementing Recommendations of the 9/11 Commission Act of 2007 (the Act) directed the Department of Homeland Security (DHS) to develop and implement a voluntary program that would accredit and certify that private businesses have established a program, using a set of standard processes, that will “enhance nationwide resilience in an all hazards environment”. This program is officially known as “The Voluntary Private Sector Preparedness Accreditation and Certification Program”. Known as PS-Prep in the business world (which I think is a heck of a lot better than VOPSPAC, which sounds more like a drug to reduce upper lip sweat caused by a government initiative), it is similar to the ISO standards many companies embrace to demonstrate to their customers and potential customers an adherence to process and procedure standards designed to maintain and improve quality products and services.

Similar to ISO 9000, this program is not mandatory, and it does not dictate the specific processes and procedures that prepare a business for a disaster. The program does provide three different standards to be used in establishing the program and in measuring its implementation, so that the program can be accredited and certified as in place and in order. The three standards were selected by DHS in June of 2009, after public input, to meet the comprehensive needs that arise in the event of a disaster, and they can be applied to the majority of businesses.

They are:

  • ASIS International SPC.1-2009 Organizational Resilience: Security Preparedness, and Continuity Management System – Requirements with Guidance for Use (2009 Edition). Available at no cost.
  • British Standards Institution 25999 (2007 Edition) – Business Continuity Management (BS 25999-1:2006 Code of practice for business continuity management and BS 25999-2:2007 Specification for business continuity management). The British Standards Institution is making both parts available for a reduced fee of $19.99 each.
  • National Fire Protection Association 1600 – Standard on Disaster / Emergency Management and Business Continuity Programs, 2007 and 2010 editions. Available at no cost.

Embracing PS-Prep early may be a very good thing for several reasons.

  1. Utilizing the evaluation standards can identify any holes in your business continuity program and help to plug them.
  2. It differentiates you from competitors who are not participating.
  3. It supports the board-level focus on risk management driven by SOX and other factors.
  4. While not mandatory, it can be a contributing factor in securing business from government and other businesses during the bid process.
  5. If you do not have a continuity or disaster recovery program, it provides a framework for developing one.

For more information on PS-Prep, visit the FEMA site.

REPUTATION – while a company is known for the products and services it provides, one of the major reasons a purchase is made is the reputation of the company. A company’s reputation is a wispy thing. It’s made up of various bits and pieces: the quality of the product, the professionalism of the staff and management team, the contributions to the community, the handling of problems and issues that arise, and the “trueness” of the company’s actions to the marketing image it has created. A small misstep can cause a stock price to fluctuate, and a large one, or several combined, can cause a business to cease operations.

The oil situation in the Gulf of Mexico is a prime example of how the perceived mishandling of a disaster affects the reputation of a company and the adverse effects that has on the organization. In April of this year, BP stock was trading near its 52-week high of $62.50 per share. This morning, the stock was trading below $32.00 and trending downward. The disaster in the Gulf and the subsequent handling of this catastrophic incident is a primary cause of the nearly 50% drop in the stock price.

When the oil spill first happened, I viewed it as a “Black Swan” event: an event that is unpredictable, carries a massive impact and, after the fact (and in this case, once we get to after the fact), can be explained in a way that makes it seem less random and more predictable. However, when I put this thought to a recent meeting of business continuity professionals, an expert in the profession explained that oil companies and the businesses associated with the industry are well aware of the hazards and risks related to deep oil exploration and would/should have plans in place for these types of events. From my experience in building continuity programs, plans for irregular events and catastrophic issues are improved through testing and tweaking. These exercises are designed to help reduce the impact of the situation and maintain a positive light on the reputation of the organization by showing:

  1. We have designed the process/program/product to be as safe as possible.
  2. In the event of an incident, we understand what is wrong and how to fix it.
  3. We are in control of the situation and are doing everything to return to normal as soon as possible.

A major part of a continuity event is communicating a common message for the organization and making sure all parties within the organization are in line with that message; in other words, say what you are going to do, then do it. If you make a promise, you need to be sure it is kept. It’s not only important to manage the message and the deliverables, but also to make sure the perception of what is happening is in line with what is actually occurring.

BP has made many positive commitments to the cleanup and to the economic recovery of the individuals and companies that are being affected. They have promised to promptly pay all authentic claims associated with the oil spill, they have promised to donate the net profits from the recovered oil to wildlife rescue organizations, and they have promised to pay all the authentic claims associated with the spill without being capped by the Government-established level of responsibility. These are all very positive things that would go a long way towards rebuilding the brand and reputation of the company.

It’s important for companies to remember that just saying something doesn’t make it happen. People remember what was said (or what they thought they heard) and then measure a company against that point.

Unfortunately, it appears that there may be a gap between the promises made and the actual delivery. In a BNET article posted on June 11th, “BP Risk Management Firm is Really Good at Screwing Over Oil Spill Claimants”, Kristen Korosec highlighted an issue with the oil spill claims that have been filed with BP and outsourced to a third party. The perception among claimants is that the commitments Tony Hayward made concerning the claims process and appropriate payment (see the BNET posting) are not being met.

From a disaster recovery perspective, it is important to monitor these issues and make the course corrections needed to keep from further eroding the reputation of the organization. Additionally, I believe BP needs to get ahead of the curve to make sure these continual missteps (be they perceived or real) stop happening. Prompt positive action is needed to stop the downward spiral.

We’ve all seen the commercial. Todd Davis, the CEO of LifeLock, looks to the moving billboard that is emblazoned with his social security number to show how confident he is that his identity can’t be stolen (it can be, and was, because the offending company didn’t run a credit check). Now Judge Andrew Guilford has indicated that the service provided by LifeLock and similar companies is illegal.

One of the three major credit reporting organizations filed a suit in Federal court claiming that LifeLock was improperly requesting that credit fraud alerts be placed on consumer accounts, which resulted in additional costs of millions of dollars every year (see the complaint).

While I understand Experian’s claim that LifeLock is crying “FIRE” when there is no smoke in the building, and regret the extra work required to proactively protect LifeLock customers, I see this decision setting a precedent that will push more work to consumers.

Judge Guilford’s ruling indicated that the original wording of the Federal Credit Reporting Act (FCRA) allowed the consumer directly, or an individual acting on behalf of or as a personal representative of the consumer, to be the requester of the fraud alert when the consumer is or is about to become a victim of fraud or a related crime, including identity theft (bolding and italicizing added by me). Because LifeLock is a company, it does not meet these criteria and thus is unable to file the fraud alert.

So, you ask, what does this mean to my company? If your company suffers a data breach that causes sensitive employee or consumer data to be exposed, technically you are no longer able to contract with a company to provide the fraud alert service. To protect consumers from identity theft, each individual would need to file a fraud alert with each of the three major credit reporting companies in order to protect themselves.

This additional work shifted to the consumer could hurt your brand as well as your business reputation. It may also affect your disaster recovery program for data breaches, something that needs to be reviewed and potentially updated with the Red Flag Rules set to go into effect on August 1.

As a consumer, I hope that some compromise can be worked out that will allow a company to take the steps necessary to protect my identity; as a risk professional, I hope that occurs soon.