In its fifth annual board of directors survey, “Concerns About Risks Confronting Boards,” EisnerAmper surveyed directors serving on the boards of more than 250 publicly traded, private, not-for-profit, and private equity-owned companies to find out what is being discussed in American boardrooms and, in turn, what those boards are accomplishing as a result.

According to the report, reputation remains the top concern across a range of industries:

Most Important Risks

“The financial cost and damage to reputation from a cyber/privacy breach is growing exponentially,” said Nancy Brady, EisnerAmper’s director of IT risk services. ”Directors have recognized the increasing risk companies face related to cyber/data security. Now they need to roll up their sleeves and, with the companies, address these risks.”

While reputational risk remained the top concern of respondents, the survey found that companies are not necessarily translating awareness into action. In fact, only 31% said they were concerned about crisis management.

“There were a surprising amount—close to a quarter of respondents—who had no plans, and others just informally ‘doing their best.’ This lack of formality to address the most significant risk identified existed across all organizations,” the report said. “When plans existed, they included both everyday operations—such as to keep a positive reputation and reduce the risk—and strategies to address a crisis affecting reputation.”

Despite the minimal plans in place, the directors surveyed seem to hold themselves and other company executives primarily responsible for the response to a reputational crisis. When asked who is responsible for executing such a plan, they reported:

responding to reputational risk crises

Respondents also showed improving confidence in the performance of the board, committees, external auditors and accounting departments.

How well is board addressing risks

Click here for the full report from EisnerAmper.


The worsening drought in California has called attention to a hodge-podge monitoring system that does not accurately measure water usage across the state.

A survey taken in May found that water usage was up drastically in some areas, such as Santa Ana. A closer look at usage, however, shows that the city’s consumption was up 10% rather than 60%, the Los Angeles Times reported.

Also, water agencies self-reported their data, causing discrepancies. While a 5% decrease in usage was reported statewide, water use had actually increased 1%. One reason was that the Los Angeles Department of Water and Power initially left the data for May blank, when L.A. actually had a 9% increase.

The state is planning its first mandatory survey later this year. But officials doubt the accuracy, as many water customers in the Central Valley farming region as well as parts of Fresno and Sacramento don’t have water meters.

California recently approved mandatory restrictions and fines of up to $500 a day for wasting water, but much of the state still relies on voluntary conservation.

“It’s not going to be a huge change from what we already have,” Kevin Pearson, media relations officer of the Eastern Municipal Water District told the Los Angeles Times earlier this month.  The eastern district has voluntary measures in place for the 768,000 people in western Riverside County.

Los Angeles has limited outdoor watering to three days a week since 2009, but is increasing enforcement of its conservation ordinance. It also recently raised its cash-for-grass rebate to $3 a square foot to encourage native plantings in place of water-dependent lawns.


Opioid abuse continues to be a serious public health problem, one that spills into the workplace far too frequently via workers compensation insurance claims.

Two recent studies from the Workers’ Compensation Research Institute (WCRI) help business executives and policymakers understand how physicians in a workers comp setting prescribe and monitor the use of this frequently abused class of drugs.

The first study shows how frequently physicians performed recommended follow-ups that reduce the chance for opioid abuse. The vast majority of longer-term opioid users don’t receive recommended testing for cases like theirs.

The second study shows that physicians in two states–Louisiana and New York–prescribed opioids at a far higher rate than is the norm elsewhere.

It has been more than two years since the federal Centers for Disease Control and Prevention (CDC) declared an epidemic of prescription painkiller abuse. Overdoses from prescription painkillers like hydrocodone (Vicodin), methadone, oxycodone (OxyContin) and oxymorphone (Opana) kill more people than heroin and cocaine combined, according to the CDC.

The first study, Longer-Term Use of Opioids 2nd Edition, looked at the prevalence of longer-term use of opioids in 25 states from 2010 to 2012 and was a follow-up to similar work stretching from 2008 to 2010. It examined how often the services recommended by medical treatment guidelines were used for monitoring and managing chronic opioid therapy. Those services include drug testing and psychological evaluations and treatment, which may help prevent opioid misuse resulting in addiction and even overdose deaths.

The study found a sizable increase across states in the use of drug testing over the study period, compared with the prior study. In some states, however, the percentage of longer-term opioid users who received these services was still low.

In the typical state, drug testing was used in 25% of all claims involving longer-term opioid use. That’s a larger percentage than found in the earlier study, in which 16% of claims included drug testing in the typical state. On the other hand, it means that in the median state, 75% failed to receive a recommended treatment guideline that would help battle a national drug-abuse epidemic.

While psychological evaluations are also recommended as part of monitoring patients receiving opioids, they were rarely performed: 10% of the time or less in most states. The 25 state median was 5%, basically unchanged from the prior study. This means that in a typical state, 95% of patients failed to receive a treatment recommended to minimize the chance that an injured worker will sink into drug addiction.

The second WCRI study found striking levels of narcotic use among injured workers in New York and Louisiana. The study, Interstate Variations in Use of Narcotics 2nd Edition, examined trends in the use of narcotics and prescribing patterns of pain medications in the workers’ compensation system across 25 states.

According to the study, the average injured worker in New York and Louisiana received more than 3,600 milligrams of morphine-equivalent narcotics per claim, twice as much as in the typical state. That amount is equivalent to an injured worker taking a 5-milligram Vicodin tablet every four hours for four months, or a 120-milligram morphine-equivalent daily dose for an entire month—a striking figure.

Throughout the country, the prescription of narcotics for pain relief is prevalent. In the study period, between 65% and 85% of injured workers who received pain medications got narcotics.

The danger of narcotic misuse resulting in death and addiction constitutes a top-priority public health problem in the United States. Employers are concerned as well; they want their workers to recover from injuries and, not incidentally, they desire to keep workers compensation costs reasonable.

Employers can educate injured workers about the dangers of opioids. Workers don’t want their lives torn apart by drug abuse, and no employer would want them to suffer. Employers also reduce their workers compensation costs by avoiding unnecessary opioid use.


Many of the attacks launched against today’s brands are as covert as they are debilitating. In today’s connected age, savvy cyber criminals often blitz companies with a flurry of activity across an array of online channels.

To make matters worse, employees who are using the Internet casually or personally create a vulnerability for businesses: workers could click on a phishing link sent to their personal account and unknowingly be exploited by cyber criminals, or they could bring harm to the business via a social media post they thought to be harmless.

And, let’s not forget that brands can also inflict damage on themselves, such as through executive scandals, accounting errors or failing to protect customers and investors. Even though these events may not involve a malevolent, third-party attacker, the resulting fallout can be just as severe as if they fell prey to one.

Given these circumstances, companies could face a barrage of both external and internal threats to their brand, customer loyalty and bottom line. So, how can they defend themselves? The same crisis management procedures brands use following an external attack should also extend to self-inflicted events. Every reliable, robust brand defense strategy should begin with an Internet Reputation Management Council (IRMC).

The Power of Many

No one stakeholder within a company can be solely responsible for online brand reputation management. Instead, businesses need to bridge the gap between departments, creating an environment in which employees across the marketing, security/IT, finance and legal departments unite and share resources to defend the brand—and it all begins with an IRMC.

Council members representing departments throughout the organization will become Internet reputation champions who work collaboratively, from within their individual departments, to ensure that ownership and management of the brand is carried out across the enterprise.

As such, an IRMC has the range and visibility to combat the multitude of Internet-based threats. To borrow a term from the military, an enterprise that deploys an IRMC is essentially following a “defense-in-depth” strategy, by creating a redundant, layered web of defenders.

The Members of an IRMC

Once a company decides to launch a cross-departmental IRMC, who makes up its members? Executive-level sponsorship will provide the vision for an Internet reputation strategy, facilitate cross-functional and resource collaboration, and build a brand-aware organizational culture. A team leader is responsible for executing that vision on a day-to-day basis and marshaling the resources needed to protect the brand. Area leaders will protect the brand from various departments within a business, including marketing, legal, investor relations, compliance, e-business, human resources, public relations, security and fraud, and IT.

Although all IRMC roles are important, it’s these area leaders who can make or break a brand’s Internet reputation. A successful response demands the full participation of every member of an IRMC. Even though response actions may be centered in one department, these crises are full-company situations. After all, it’s not as though the public would only render judgment in isolation, for example, against “Target’s security team” or “Yahoo’s executive search committee”—the entire brand is put under a microscope following an incident.

A Defender at Every Position

With an effective IRMC, companies like these can use the “power of many” to combat such Internet-based threats to their brand, even when they’re self-inflicted. An IRMC operates by:

  • Identifying key internal stakeholders and inviting them to collaboratively establish the guidelines of Internet reputation management within the company
  • Meeting regularly to keep abreast of industry and technology changes, as well as emerging forms of Internet-based threats
  • Establishing goals and targets, such as building a structure to set up a “Best of Breed Governance Policy,” and setting metrics to track performance
  • Preparing emergency response protocols
  • Implementing training policies and communication within each department
  • Reviewing, measuring, evaluating and managing progress against objectives

Although a fairly new concept, there are already real-world examples of effective IRMCs. AstraZeneca’s reputation council, for example, comprises a diverse group of those with “stakeholder responsibilities,” including representatives from sales, marketing, finance, human resources and communications. It reports directly to the CEO, and because of this structure, long-term risk management and prevention are infused into the company’s corporate focus.

Ultimately, the true value of an IRMC like AstraZeneca’s isn’t in how many attacks it directly neutralizes, but that it creates an organizational culture of Internet reputation management excellence, starting with the heads of core departments and working its way throughout the rest of the enterprise.

By the time the IRMC is engaged responding to an incident, significant damage has already occurred. The best-protected brands are those that have identified brand protection as a central part of their mission statements. Their investment in a culture of excellence, led by their IMRC, mitigates risks before they become reality, improves profits and creates value for customers, employees and other stakeholders.