This past April I had an opportunity to cross paths with a public relations business called Levick Strategic Communications (Levick) and its company leaders. A couple of things stood out to me about Levick that led up to this blog post.
1. Reputation Risk. While I do not consider myself a public relations industry expert – I have had enough exposure to the industry to understand that Levick’s subject matter expertise on brand and reputation risk is a significant differentiator of skill expertise compared to larger public relations shops and most of the professional consulting firms. In addition, given their location within Washington DC – you can have a high level of confidence in assuming that Levick is dealing with companies and news events that we hear, see or read about on a daily basis.
2. Informative Blog. I really like Levick’s blog called “BulletProof”. The blog posts are informative, short, and relevant. Granted, they may not be information security or infosec risk management related – but most of the posts can be associated with the loss form we characterize as “reputation risk”.
It is truly my professional and personal pleasure to introduce to the readers of this blog, Mr. Richard Levick, the CEO of Levick Strategic Communications. Mr. Levick has agreed to answer some questions I prepared about reputation risk. The intent of this blog post is to bring some clarity to what reputation risk is and for Mr. Levick to offer some practical feedback that we as information security professionals can consume and apply in our daily activities.
Thank you Mr. Levick for agreeing to participate in this question and answer blog post.
Note: Mr. Levick’s answers to my questions were provided on July 14th, 2009. Ten questions were posed to Mr. Levick. The questions and answers will be split between this blog post and an additional post in the coming days.
1. What led you to participate in this blog post?
Richard Levick: Simply put, blogs are news. People are looking in the windshield for the day that digital media overtake traditional media when they should be looking in the rear-view mirror. Just a few weeks back, Zogby released a poll that shows the Internet has overtaken television, newspapers, and radio not only in terms of relevance; but reliability. Let me reiterate how critical that is: The Internet is where we go for truth. In a world where digital news sources are more widely read and more widely trusted, you’ve got to treat blogs with the same respect you would show The Washington Post, The New York Times, or The Wall Street Journal. Today, digital media is media.
2. What is reputation risk?
Richard Levick: Reputation risk is one of two things. It is either the ways in which internal or external forces are negatively impacting your brand right now or how they will. What are today’s risks? What are our likely future risks?
Today, companies are operating in a reputational perfect storm. First, the new President and Congress are clearly intent on regulating where they feel the past Administration and Congress have been lax. Sarbanes-Oxley represents the first half of the equation – transparency. Today, we are living through the more painful second half of the equation – accountability. Second, the explosion of digital media has created a world in which there are virtually no secrets. Speed has been redefined to moments, not news cycles. Third, the plaintiff’s bar, mommy bloggers (articulate and empowered consumers), and even regulators are a full Internet generation ahead of companies facing crisis.
Bottom line: companies must immediately stop and rethink they way they think about their brand, their reputation, risk, and crisis. The cheese has moved. What got you here won’t get you through tomorrow.
3. What are the key components of a reputation?
Richard Levick: That’s a great question – because it’s where most board members, CEOs, and corporate communications professionals most often make mistakes in crisis. Too often companies think that the key component of reputation is how they view their brand when it is actually how the brand is perceived by the company’s target audiences. You’ve got to take a Buddhist approach to reputation management; seek first to understand, and then be understood.
Too often, companies in crisis do the reverse; seeking to explain rather than focusing on what audiences want to hear – what you’re doing to solve the problems at hand, and what you’re doing to ensure that similar problems never arise again.
Let’s take the recent Washington Post crisis where they attempted to sell access. It is something other magazines in the Nation’s Capital can do because they are not the Washington Post. The Post’s reputation, their brand, is as the “investigative newspaper.” They birthed the modern age of investigative journalism with their brilliant coverage of Watergate. They can’t now be offering access to the highest bidder, no matter what the pressures of the Internet Age are. It violates their brand. So the first rule is “Understand your reputation.” It sounds so simple, but its not. GM forgot. Yahoo forgot. If you don’t understand it, you can’t protect it.
And then there is Wall Street. Too many very smart, very talented Wall Street executives and corporate communications professionals still think the problem is about communicating to their fraternity. But risk and crisis change your audience. You have to think differently about what you say, to whom, and how. We have seen time and time again that Wall Street, Detroit, and many marvelous brands are still thinking in terms of the traditional media paradigm and not the digital media paradigm. Talk about fighting the last war. So the second rule of protecting your reputation is to look forward, not backward.
4. How can reputation be impacted when there are IT security incidents?
Richard Levick: Data loss and theft is the issue du jour in the 21st Century marketplace, pitting privacy and commerce interests tet-a-tet. We all want the ease of commerce that the Internet provides, but are we willing to open up to the transparency it requires?
As a company that has handled many of the data loss cases, including, to date, the largest data loss in world history, we’ve seen time and again how reputations can be adversely impacted when the response isn’t adequate, or how they can be advanced when companies run to the light.
Companies must remember that they key issue isn’t that you’ve lost the data – stakeholders understand that they’ve traded an expectation of total privacy for the conveniences of the Digital Age. The issue is how the company behaves once a data breach is discovered. Did it demonstrate transparency by acting fast to notify the authorities and inform affected consumers of their precise exposures? Did it demonstrate accountability by addressing the problems that allowed a data loss to occur? If it hasn’t already, will it be implementing best security practices that limit the chances a data loss will ever occur again?
These are the issues at the heart of reputation management during an IT security incident because if they are handled well, they show concern for, commitment to, and action on behalf of those whose privacy may have been compromised. If they are handled poorly, brand credibility and trust suffer – and that’s a recipe for disaster in an e-commerce environment where trust trumps everything else.
5. Can reputation be measured or quantified in units of dollars?
Richard Levick: I think that is pretty tough to do. People can try, and I suspect a fluctuation in stock price can be one measure, as can value – but I think the true answer is ultimately no, and therein lies the problem. Inside and outside counsel can articulate likely exposures and potential associated costs. Investor Relations professionals can certainly identify market risks. Compliance officers can estimate the costs of non-compliance. And the list goes on. But can anyone really articulate the potential cost of loss of reputation? I think the end result is too often in a crisis very smart counselors save the arm but lose the patient.
Relatively speaking, it’s easy to quantify the legal exposure, losses in market share or stock price, or even declines in employee morale that can result from a particular corrective action during crisis. So when a CEO finds him or herself at the moment of truth, analysis paralysis usually sets in because there’s no concrete way to quantify the ways in which a particular corrective action – taken to strengthen brand reputation when it matters most – will positively impact the bottom line.
That’s why it’s so vitally important for the board to mandate courage in crisis situations. When the CEO is inundated with countless reasons not to act, he or she must have the freedom to look at all the risks at play and then decide which risks are acceptable in order to protect and preserve the brand.
I always look back to the marquee case study in crisis communications – the Tylenol tampering crisis of the early 1980s. Johnson & Johnson held two news conferences a day to keep its audience informed, without regard for the fact that each statement could potentially increase the pool of concerned stakeholders or legal liability. They took a calculated risk. They exercised courage and leadership by pulling all of their over the counter pain medications, not just Tylenol, without ever being asked to by any regulator or concern for stock price. As a result, Johnson & Johnson has enjoyed 30 years of being recognized as one of the top companies in the world and Tylenol is still the top pain-reliever on the market. What CEO wouldn’t trade that for one tough quarter?
Crises demand action. Companies shouldn’t shy away from that fact simply because reputational strength isn’t something that shows up on a balance sheet.
TO BE CONTINUED…