Reputation Risk: Some Additional Thoughts

August 8, 2009


This is a follow-up post to the two part Richard Levick “reputation risk” series. The related posts are here: part 1, part 2, and some additional thoughts from Richard.

Below are my thoughts regarding some information and advice that Richard shared with us.

3.    What are the key components of a reputation?
Levick: … So the first rule is “Understand your reputation.”… If you don’t understand it, you can’t protect it.

This sounds like an absolute no-brainer statement, but I cannot overstate how important it is for information security practitioners, especially those performing risk assessments. I have stated it elsewhere on this blog: we are in a unique position to bridge the IT and business divide. Providing relevant business context to our leaders for the issues we want them to care about and respond to is value for them and for the company as a whole. This is more than just knowing buzzwords and when to drop them; we need to present ourselves as authoritative reputation stakeholders when we talk about reputation risk with our managers and business leaders.

4.    How can reputation be impacted when there are IT security incidents?
Levick: … The issue is how the company behaves once a data breach is discovered….

So much can be written about this part of Richard’s answer, but let’s talk about it in the context of security controls. Generally speaking, there are three categories of security controls: preventive, detective, and response. So when it comes to reputation risk, I immediately consider what response controls my company has at its disposal for a security incident that has the potential to become known outside the company.

There are two response controls that immediately come to mind (they could be called various things):

Communications Plan: Does your company have a communications plan? Does the communication plan take into account data loss or network breach scenarios? The questions are numerous….

Event Management Plan: Does your company or information security organization have an event management plan? How thorough is it? Does it tie into your communication plan? Do the right players in your company have a role in the event management plan? Again, a lot of things to consider.

Bottom line: The effectiveness of the response controls listed above can significantly factor into the magnitude of reputation risk. How and what gets communicated may be beyond your control, but I would challenge you to read these plans for yourself, so that when you estimate or articulate reputation risk you do so with conviction and some level of confidence.

Finally, not everyone reading this may work for a large company that has a robust event management plan or a communications plan, let alone any plans at all. My advice: initiate the conversation and see where it takes you or your management!


Something I heard while serving in the U.S. Marine Corps that has proved so valuable over the years is this: It is better to be tried by twelve than carried by six. Meaning, when faced with an opportunity to make a decision, escalate a situation, share information, or ask questions – it is better to do so NOW – and face ridicule / judgment – than do nothing at all. Take it for what it is worth…


5.    Can reputation be measured or quantified in units of dollars?

I agree that precisely measuring reputation in terms of dollars is challenging at best, but you can still perform some level of measurement. Generally speaking, reputation risk comes into play as a secondary loss form, meaning that certain incident information becomes known outside the company to someone who can be considered a stakeholder of our company (consumer, customer, government, etc.). A security incident could result in loss of customers, decreased sales, fines and judgments, class-action lawsuits, negative publicity, and so on; most of these can be tied back to dollar values and associated with reputation risk. Even if you disagree with this approach, when you are dealing with risk issues where reputation risk is a legitimate loss form, you can articulate that reputation risk is a contributing factor to the overall loss magnitude. Finally, I would caution against using reputation risk as the FUD stick that Jack Jones mentions in a comment on post 2; but make sure your audience understands that you consider reputation an important part of the overall exposure, and document it as well.
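As an added example (not from the original post, and not something Richard or Jack Jones provided), here is a small Python model of the secondary-loss framing above: each loss form gets a min / most-likely / max dollar range, the whole set is conditioned on the incident actually becoming known outside the company, and a seeded Monte Carlo run reports percentiles alongside the analytic expected value. Every dollar figure, the loss-form names and the 0.6 probability are constructed placeholders; the triangular-distribution choice is an assumption, not something the post prescribes.

```python
"""Secondary-loss estimate for a breach that becomes known to stakeholders.

Added example, not from the original post. The loss forms and dollar ranges
below are constructed for illustration; substitute your own estimates.
Each loss form is modelled as a triangular (min, most likely, max) range,
in the spirit of the secondary-loss framing used in the post.
"""
import random
from statistics import quantiles

# Constructed loss-form estimates in USD: (min, most likely, max).
LOSS_FORMS = {
    "customer attrition / decreased sales": (50_000, 250_000, 2_000_000),
    "fines and judgments": (0, 100_000, 1_000_000),
    "class-action legal costs": (0, 150_000, 3_000_000),
    "incident communications / PR": (20_000, 60_000, 300_000),
}

# Assumed probability that the incident becomes known outside the company,
# i.e. the condition under which reputation risk turns into a secondary loss.
P_SECONDARY = 0.6


def expected_loss(forms=LOSS_FORMS, p_secondary=P_SECONDARY):
    """Point estimate: mean of each triangular range, weighted by P(secondary).

    The mean of a triangular(min, mode, max) distribution is (min+mode+max)/3,
    so this needs no sampling and is exact for the chosen ranges.
    """
    mean_if_known = sum((lo + ml + hi) / 3 for lo, ml, hi in forms.values())
    return p_secondary * mean_if_known


def simulate(forms=LOSS_FORMS, p_secondary=P_SECONDARY, n=20_000, seed=1):
    """Monte Carlo: total secondary loss per trial.

    A trial where the incident stays private contributes zero; otherwise
    every loss form is sampled independently and summed.
    """
    rng = random.Random(seed)
    totals = []
    for _ in range(n):
        if rng.random() >= p_secondary:
            totals.append(0.0)
            continue
        # random.triangular takes (low, high, mode).
        totals.append(sum(rng.triangular(lo, hi, ml) for lo, ml, hi in forms.values()))
    return totals


def summarise(totals):
    """Mean and a few percentiles; q[i-1] is the i-th percentile."""
    q = quantiles(totals, n=100)
    return {
        "mean": sum(totals) / len(totals),
        "p50": q[49],
        "p90": q[89],
        "p99": q[98],
    }


if __name__ == "__main__":
    print(f"analytic expected secondary loss: ${expected_loss():,.0f}")
    for k, v in summarise(simulate()).items():
        print(f"{k:>5}: ${v:,.0f}")
```

The analytic figure is what you would put next to "reputation risk is a contributing factor"; the p90 / p99 values are the worst-case numbers that keep the estimate honest without turning it into a FUD stick, and the p50 will often be zero when the probability of the incident becoming public is low.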

I hope you enjoyed the series. Have a splendid day!


Reputation Risk Q&A – Richard Levick (2 of 2)

August 6, 2009


This is part two of a reputation risk Q&A with Mr. Richard Levick, President and CEO of Levick Strategic Communications in Washington, DC.

Part one can be found here.

6. In your opinion, how do you distinguish between worst-case reputation loss versus expected reputation loss?

Richard Levick: One word – experience. That’s how you anticipate what’s coming next and prevent the worst-case scenario from coming to fruition. It’s all about staying one step ahead.

Today, the period of time between the gating event that alerts you to a brand crisis and the bet-the-company moment is increasingly indistinguishable. When video of two Domino’s employees defiling customers’ food was posted to YouTube earlier this year, one million people – a number greater than those who subscribe to The New York Times or The Wall Street Journal – had viewed it within the first 48 hours. What that tells us is that crises now move faster than ever before and that companies have to be ready to act at a moment’s notice. That means preventing and responding to reputational risks and crises needs to be in the DNA. You don’t get that by accident. Or maybe you do, but at a terribly high price.

To do it right and prepare ahead of time means knowing what regulators, Congress, or state attorneys general are going to do next. It means anticipating the next moves of the plaintiffs’ bar. It means monitoring the blogosphere and other social and digital media for intelligence as to where the traditional media may soon be heading. It means identifying likely company risks now and extrapolating what this means in terms of Search Engine Optimization, High Authority Bloggers, and social media. If you are reading this last sentence and don’t understand what I mean, your company is at far greater risk than you think.

To get started, build a relationship with crisis managers now – before you need them – so that you can build the trust that fast action demands. In crisis, you’ve got to see how the dominos – no pun intended – are lined up and know how they’re going to fall. It’s the only way to keep up with a news cycle that is now measured in minutes, not hours.

7. What are the key controls an information security risk analyst should take into consideration when assessing reputation loss impact (or magnitude)?

Richard Levick: With virtually every traditional journalist now regularly reading blogs for story ideas, careful monitoring of the blogosphere provides invaluable intelligence as to the scope of the reputational damage that may result from an IT security breach.

That means knowing the high-authority bloggers – those with the greatest influence over perceptions – that cover your industry. And it also means being ready to engage them should a data breach occur. By bringing bloggers into the fold, companies allow themselves an opportunity to shape the narrative before it influences the traditional commentary to follow – and thus limit the reputational damage potential at play.

8. Do you have any tips for effectively communicating reputation risk to middle management and executive leadership?

Richard Levick: In today’s media environment, the C-Suite has to know that everything it does – or chooses not to do – can potentially impact the corporate brand. That means always thinking like your consumers, investors, regulators, and stakeholders that run the gamut – and taking their perceptions into consideration whenever a decision that could potentially impact these audiences is made.

I think middle managers need to own issues like understanding who the High Authority Bloggers are and having personal relationships; anticipating risks and knowing who controls those terms on the search engines; tracking YouTube, Twitter, and other sites for signs of consumer or stockholder dissatisfaction or industry unrest; and recommending instant positive intervention. Middle managers need to think differently. Today is a good day to start.

9. Do you have a favorite reputation risk engagement that you are willing to share (regardless of outcome)?

Richard Levick: I often look back to what Hasbro did during the 2007 lead-paint scare because it demonstrates how a crisis can be transformed into opportunity if a company articulates leadership in solving the problems at hand.

While Hasbro did not initiate a single recall during the lead paint crisis, the company recognized that its entire industry was under siege. Inaction could have led to guilt by association in the Court of Public Opinion. More important, remaining on the sidelines could have allowed a significant opportunity to differentiate itself from the competition to slip by.

So, rather than sit back and let the competition take the heat, Hasbro stepped up by implementing a “Total Safety Program” and making the initiative a central element of its traditional and online marketing strategies. As a result, the company became the “gold standard” around which all of its competitors were forced to rally. Though it wasn’t directly impacted by the crisis, Hasbro took action to abate it. As a result, its October 2007 earnings jumped 64 percent from the previous year.

10. Are there any good sources of information you can recommend for learning more about this subject?

Richard Levick: I would point to four such resources maintained by my firm…

Levick Strategic Communications’ Bulletproof Blog™ (…

Our e-newsletter, High Stakes™ (…

Our Crisis Communications Desk Reference (…

And our book, Stop The Presses (

Also, I would encourage your readers to keep an eye out for our next book, on leadership during crisis in the digital age, which will be coming out in early 2010.


I intend on posting some of my thoughts on Richard’s answers in an upcoming post. I hope you found Mr. Levick’s perspective to be as useful and intriguing as I do. Regardless, thank you Richard for participating in this effort; I look forward to continued interactions.

Reputation Risk Q&A – Richard Levick (1 of 2)

August 5, 2009


This past April I had an opportunity to cross paths with a public relations business called Levick Strategic Communications (Levick) and its company leaders. A couple of things stood out to me about Levick that led up to this blog post.

1.    Reputation Risk. While I do not consider myself a public relations industry expert, I have had enough exposure to the industry to understand that Levick’s subject matter expertise on brand and reputation risk is a significant differentiator compared to larger public relations shops and most of the professional consulting firms. In addition, given their location in Washington DC, you can have a high level of confidence in assuming that Levick is dealing with companies and news events that we hear, see, or read about on a daily basis.

2.    Informative Blog. I really like Levick’s blog, called “BulletProof”. The blog posts are informative, short, and relevant. Granted, they may not be information security or infosec risk management related, but most of the posts can be associated with the loss form we characterize as “reputation risk”.

It is truly my professional and personal pleasure to introduce to the readers of this blog, Mr. Richard Levick, the CEO of Levick Strategic Communications. Mr. Levick has agreed to answer some questions I prepared about reputation risk. The intent of this blog post is to bring some clarity to what reputation risk is and for Mr. Levick to offer some practical feedback that we as information security professionals can consume and apply in our daily activities.

Thank you Mr. Levick for agreeing to participate in this question and answer blog post.

Note: Mr. Levick’s answers to my questions were provided on July 14th, 2009. Ten questions were posed to Mr. Levick. The questions and answers will be split between this blog post and an additional post in the coming days.

1. What led you to participate in this blog post?

Richard Levick: Simply put, blogs are news. People are looking in the windshield for the day that digital media overtake traditional media when they should be looking in the rear-view mirror. Just a few weeks back, Zogby released a poll that shows the Internet has overtaken television, newspapers, and radio not only in terms of relevance; but reliability. Let me reiterate how critical that is: The Internet is where we go for truth. In a world where digital news sources are more widely read and more widely trusted, you’ve got to treat blogs with the same respect you would show The Washington Post, The New York Times, or The Wall Street Journal. Today, digital media is media.

2. What is reputation risk?

Richard Levick: Reputation risk is one of two things. It is either the ways in which internal or external forces are negatively impacting your brand right now or how they will. What are today’s risks? What are our likely future risks?

Today, companies are operating in a reputational perfect storm. First, the new President and Congress are clearly intent on regulating where they feel the past Administration and Congress have been lax. Sarbanes-Oxley represents the first half of the equation – transparency. Today, we are living through the more painful second half of the equation – accountability. Second, the explosion of digital media has created a world in which there are virtually no secrets. Speed has been redefined to moments, not news cycles. Third, the plaintiff’s bar, mommy bloggers (articulate and empowered consumers), and even regulators are a full Internet generation ahead of companies facing crisis.

Bottom line: companies must immediately stop and rethink the way they think about their brand, their reputation, risk, and crisis. The cheese has moved. What got you here won’t get you through tomorrow.

3. What are the key components of a reputation?

Richard Levick: That’s a great question – because it’s where most board members, CEOs, and corporate communications professionals most often make mistakes in crisis. Too often companies think that the key component of reputation is how they view their brand when it is actually how the brand is perceived by the company’s target audiences. You’ve got to take a Buddhist approach to reputation management; seek first to understand, and then be understood.

Too often, companies in crisis do the reverse; seeking to explain rather than focusing on what audiences want to hear – what you’re doing to solve the problems at hand, and what you’re doing to ensure that similar problems never arise again.

Let’s take the recent Washington Post crisis where they attempted to sell access. It is something other magazines in the Nation’s Capital can do because they are not the Washington Post. The Post’s reputation, their brand, is as the “investigative newspaper.” They birthed the modern age of investigative journalism with their brilliant coverage of Watergate. They can’t now be offering access to the highest bidder, no matter what the pressures of the Internet Age are. It violates their brand. So the first rule is “Understand your reputation.” It sounds so simple, but it’s not. GM forgot. Yahoo forgot. If you don’t understand it, you can’t protect it.

And then there is Wall Street. Too many very smart, very talented Wall Street executives and corporate communications professionals still think the problem is about communicating to their fraternity. But risk and crisis change your audience. You have to think differently about what you say, to whom, and how. We have seen time and time again that Wall Street, Detroit, and many marvelous brands are still thinking in terms of the traditional media paradigm and not the digital media paradigm. Talk about fighting the last war. So the second rule of protecting your reputation is to look forward, not backward.

4. How can reputation be impacted when there are IT security incidents?

Richard Levick: Data loss and theft is the issue du jour in the 21st Century marketplace, pitting privacy and commerce interests tête-à-tête. We all want the ease of commerce that the Internet provides, but are we willing to open up to the transparency it requires?

As a company that has handled many of the data loss cases, including, to date, the largest data loss in world history, we’ve seen time and again how reputations can be adversely impacted when the response isn’t adequate, or how they can be advanced when companies run to the light.

Companies must remember that the key issue isn’t that you’ve lost the data – stakeholders understand that they’ve traded an expectation of total privacy for the conveniences of the Digital Age. The issue is how the company behaves once a data breach is discovered. Did it demonstrate transparency by acting fast to notify the authorities and inform affected consumers of their precise exposures? Did it demonstrate accountability by addressing the problems that allowed a data loss to occur? If it hasn’t already, will it be implementing best security practices that limit the chances a data loss will ever occur again?

These are the issues at the heart of reputation management during an IT security incident because if they are handled well, they show concern for, commitment to, and action on behalf of those whose privacy may have been compromised. If they are handled poorly, brand credibility and trust suffer – and that’s a recipe for disaster in an e-commerce environment where trust trumps everything else.

5. Can reputation be measured or quantified in units of dollars?

Richard Levick: I think that is pretty tough to do. People can try, and I suspect a fluctuation in stock price can be one measure, as can value – but I think the true answer is ultimately no, and therein lies the problem. Inside and outside counsel can articulate likely exposures and potential associated costs. Investor Relations professionals can certainly identify market risks. Compliance officers can estimate the costs of non-compliance. And the list goes on. But can anyone really articulate the potential cost of loss of reputation? I think the end result is too often in a crisis very smart counselors save the arm but lose the patient.

Relatively speaking, it’s easy to quantify the legal exposure, losses in market share or stock price, or even declines in employee morale that can result from a particular corrective action during crisis. So when a CEO finds him or herself at the moment of truth, analysis paralysis usually sets in because there’s no concrete way to quantify the ways in which a particular corrective action – taken to strengthen brand reputation when it matters most – will positively impact the bottom line.

That’s why it’s so vitally important for the board to mandate courage in crisis situations. When the CEO is inundated with countless reasons not to act, he or she must have the freedom to look at all the risks at play and then decide which risks are acceptable in order to protect and preserve the brand.

I always look back to the marquee case study in crisis communications – the Tylenol tampering crisis of the early 1980s. Johnson & Johnson held two news conferences a day to keep its audience informed, without regard for the fact that each statement could potentially increase the pool of concerned stakeholders or legal liability. They took a calculated risk. They exercised courage and leadership by pulling all of their over-the-counter pain medications, not just Tylenol, without ever being asked to by any regulator or concern for stock price. As a result, Johnson & Johnson has enjoyed 30 years of being recognized as one of the top companies in the world and Tylenol is still the top pain-reliever on the market. What CEO wouldn’t trade that for one tough quarter?

Crises demand action. Companies shouldn’t shy away from that fact simply because reputational strength isn’t something that shows up on a balance sheet.