In order to answer the question I posed in Part 1, I’ll start with an analogy. Imagine if the medical or insurance professions used a list of “causes of death” which included:
Think about it. Isn’t bleeding often an outcome of the other four “causes”? As such, it wouldn’t make much sense for it to be listed as a distinct cause of death. It’s simply an outcome or symptom rather than a cause.
So, when does reputation damage occur? It occurs as an outcome from a wide variety of events. For example:
- A massive fraud event occurs in a bank and the bank’s stock price suffers and/or its market share falls as a result.
- One company merges with a competitor only to discover some profound incompatibility in culture and/or technology, which results in unhappy customers and ticked-off shareholders.
- There’s an unforeseen shift in the market that a company is unprepared to respond to, resulting in reduced market share and lower stock price because the company’s value proposition is diminished.
- An organization finds itself unable to meet its obligations to its creditors, or the people/organizations it has extended credit to can’t meet their obligations. The result -- potentially higher costs for additional credit and/or reduced share price.
Notice anything about these examples? They’re events that match the first four risk types listed in Part 1. Also, each of the examples reflects the effect of damaged reputation on stock price, market share, etc. So my point isn’t that the potential for reputation damage doesn’t exist. It absolutely does. My point is that reputation damage is not a type of risk. It’s an outcome.
Why does it matter?
Well, for one thing, I often hear people say that, “you can’t measure reputation risk.” Given my perspective above, I’d agree with them. You can, however, measure reputation damage. Not precisely, of course, but a high degree of precision is generally not realistic in risk analysis anyway.
Effective measurement is one of the biggest challenges operational and information security risk professionals face. Unfortunately, when the fundamental frameworks and definitions a profession uses are inconsistent (and sometimes illogical) you can pretty much write-off any hope of truly effective measurement.
Clearly, I’m operating from a particular perspective here; that in order for something to qualify as a type of risk it has to be an event. Other people may come to the table with a different perspective. So be it. Either way, what’s inarguable is that we have to be consistent. Event-based, outcome-based – it may not ultimately matter (although I think it does). Just choose one and be consistent.
I’m sure some people will think I’m focusing on fine points that don’t matter. And although it might feel like a fine point to some, I guess the notion of logical and consistent definitions isn’t a fine point in my mind. It’s foundational to any mature and credible profession.
What needs to happen?
This issue about how to account for reputation damage is just one of many similar challenges I’ve encountered in the risk domain. (Maybe my colleague Marty will write a post about why there’s no such thing as “Liquidity Risk”...). All I’m suggesting is that risk management professionals be a little less quick to blindly accept “conventional wisdom” and be willing to think critically about the foundations we’ve been operating from. There’s room for improvement.