Using ERM to Protect Your Business from The Equifax Fallout

As with many data breaches, the general conclusion of the Equifax attack is that personnel were not aware of the issue beforehand. This conclusion, however, is false.

In early September, I anticipated that a vulnerability in Equifax’s software was known ahead of time, and that this scandal was, therefore, entirely preventable. A month later, the NY Times reported that the Department of Homeland Security sent Equifax an alert about a critical vulnerability in their software. Equifax then sent out an internal email requesting its IT department to fix the software, but “an individual did not ensure communication got to the right person to manually patch the application.”

The Equifax data breach was a failure in risk management. As a credit bureau that deals with the personally identifiable information (PII) of 200 million U.S. customers, Equifax has a legal and moral responsibility to safeguard their customers’ security, and to adopt the proper systems to do so.

For instance, if Equifax had an enterprise risk management (ERM) system in place, the warning from Homeland Security would have been properly recorded and assigned out to the appropriate personnel. This system would have provided transparency over the status of the task in progress, and would have triggered reminders until the vulnerability was patched and verified by the right subject matter expert.
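As an added illustration (this is not the article's own material or any vendor's ERM product), here is a minimal Python model of the workflow just described: an external warning is recorded, assigned to an owner, kept visible by status, and reminders keep firing until someone other than the patcher verifies the fix. The alert reference, SLA and role names are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Alert:
    ref: str                 # advisory identifier (constructed, not a real one)
    received: datetime       # when the external warning arrived
    patch_sla: timedelta     # time the business allows before the item is overdue
    owner: str = ""          # empty until someone is assigned
    patched_by: str = ""
    status: str = "open"     # open -> assigned -> patched -> verified

class ErmTracker:
    """Hypothetical tracker: record, assign, keep status visible, nag until an
    independent SME verifies the fix."""
    def __init__(self):
        self.alerts = {}

    def record(self, alert: Alert):
        self.alerts[alert.ref] = alert

    def assign(self, ref: str, owner: str):
        a = self.alerts[ref]
        a.owner, a.status = owner, "assigned"

    def mark_patched(self, ref: str, by: str):
        a = self.alerts[ref]
        if a.status != "assigned":
            raise ValueError("patch must be reported against an assigned item")
        a.patched_by, a.status = by, "patched"

    def verify(self, ref: str, sme: str):
        # The task closes only when someone other than the patcher confirms it.
        a = self.alerts[ref]
        if a.status != "patched":
            raise ValueError("nothing to verify: no fix reported yet")
        if sme == a.patched_by:
            raise ValueError("verifier must be independent of the patcher")
        a.status = "verified"

    def reminders(self, now: datetime):
        """Who gets a reminder now. Unassigned items escalate to the risk
        manager; anything past its SLA is flagged overdue; verified items stop."""
        out = []
        for a in self.alerts.values():
            if a.status == "verified":
                continue
            overdue = now > a.received + a.patch_sla
            out.append((a.ref, a.owner or "risk-manager", a.status, overdue))
        return out
```

The point of the model is the last method: an alert that nobody picked up still surfaces to the risk manager, and nothing silences it short of independent verification.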

A Point of No Return

It’s my opinion that this scandal is a point of no return for risk management. While data breaches have abounded in recent years, there has never been one of this magnitude or one that provides every piece of information hackers need to steal our identities. Of course, lawsuits and penalties are piling up around the company’s negligence, but these financial losses are nothing compared to the reputational damages Equifax will suffer—shares fell by 18% following the breach and have yet to fully recover.

What makes this scandal so unique, and therefore a point of no return, is that these reputational damages reach far beyond Equifax. Consumers can’t always choose whether they’re a customer of Equifax, but they can choose whether to do business with the institutions that gave away their information to Equifax in the first place.

I also believe that consumers’ outrage with this scandal will cause them to shift their money, loyalty, and trust to institutions that can demonstrate effective risk management. CEOs and boards of every company will have to prove their organizations have adequate enterprise risk management systems in place. They’ll find that more effective risk management and governance programs are necessary to keep their market shares up and their reputation clean.

Where to Go from Here

While this breach may appear to be an event of the distant past, we are in the eye of the storm. Stolen information can lie dormant for months or years as criminals wait to make their move, and when they do, you’ll have either taken this period of calm as a chance to forget the scandal, finding yourself ill-prepared, or a chance to get to higher ground, finding yourself fully protected.

To protect themselves, businesses must:

  • First, to determine where to focus your security resources, recognize that people, processes, and procedures are now the biggest risks. Businesses need to perform risk assessments across all departments to determine who has access to sensitive information and authentication processes, and what the business impact would be if these employees were to be impersonated.
  • Next, to address these risks, businesses must rewrite their procedures for authenticating the people involved in sensitive requests and actions both verbally and electronically. With so much PII now in the public domain, it is no longer safe to rely on traditional authentication based on these pieces of information. For example, the security question “What was your first car?” is not effective because the answer is now easily accessible. A more effective question would be “Who was your best friend in elementary school?”
  • Finally, it is important to keep your third-party vendors in mind. Vendors often have access to sensitive information and processes, which could have an enormous impact on your company. It is crucial, therefore, to extend your internal authentication procedures out to your third parties so that they are authorizing sensitive requests and actions as securely as your own organization.

Our world, including the business world, is becoming increasingly transparent, meaning it’s up to you to act with integrity and protect your stakeholders. Keeping the Equifax data breach in mind, along with enacting these tactical steps, will help you stay ahead of the competition and out of glaring social media headlines.

A New Approach to Managing a ‘Classic’ Reputation


A new Coca-Cola-sponsored contest seems to publicly acknowledge its reputational risk, but at a minimal cost that could manage or even reduce it.

In early August, the beverage giant announced its Sweetener Challenge, seeking non-employees (preferably scientists or agriculture or nutrition professionals) who can bring the company a “natural, safe, reduced, low- or no-calorie compound that generates the taste sensation of sugar when used in beverages and foods.” The winner will be announced in Fall 2018 and will receive $1 million.

Taxes on soda, the decline of its consumption, and mounting data that sours on sugar has unquestionably affected the bottom line for the company and put pressure on the broader beverage industry. By initiating the contest, Coke seems willing to try a fresh approach to manage or favorably alter its reputation as a brand founded on sugary cola, while simultaneously attracting and retaining consumers and generating sales. That seems far less risky than not trying new techniques.

“[Reputation risk] is created when expectations are poorly managed and exceed capabilities, or when a company simply fails to execute,” wrote Nir Kossovsky in the 2014 Risk Management article “How To Manage Reputation Risk.” “Managing expectations is all about governance, operations and risk management—the blocking and tackling of running a business. Clearly, there can be perverse brilliance in a business strategy of setting expectations very low.”

Last year, Coca Cola suffered a net revenue decline from $11.5 to $9.7 billion, making the $1 million prize a cost-efficient gamble that, as Kossovsky suggested, can “conceptualize an ideal state and implement a roadmap to reduce reputation risk.”

Other companies have turned to their audiences for new ideas to increase awareness and improve their reputations. Folgers was jonesing for a new jingle this year and paid a songwriting duo $25,000 for a flavorful new take on “the best part of waking up.”

Even the commercial aviation industry sought out-of-this-world innovations from average stargazers. When the X Prize Foundation wanted to inspire the private sector to pursue commercial space flight, it did so with a $10 million prize. The pursuit of the Ansari X Prize generated $100 million in new technologies and was ultimately won by the Tier One project’s SpaceShipOne, which was financed by Microsoft co-founder Paul Allen.

According to Kossovsky, “reputational events are tried in the court of public opinion,” and Coke’s will be tried both there and in stores. The company’s new sugar substitute will be announced in October 2018 and will eventually make its way into supermarkets. With just a few sips, consumers can ultimately decide if the company’s investment and reputation risk management technique was a sweet move.

The Risk of Being Too Delicious

Shockwaves were felt around the wing-eating world last week, when Buffalo Wild Wings announced it will be discontinuing its Tuesday night half-priced wing promotion.

According to reports, the franchise’s decision was a difficult one as the promotion was “a major driver of traffic” and “boosted same-store sales” for some locations. Ultimately, the deal was just too delicious. With wing prices on the rise (jumping 11 cents per pound in a year), the promotion started to impact the company’s bottom line. In fact, the food chain blamed the historically high wing prices for its 63% profit drop in the second quarter, turning the crowd-pleasing promotion into a losing proposition.

It is an interesting risk that many organizations, especially in retail, must take, however. How do organizations develop a promotion that attracts new customers and entices existing ones to visit more frequently, purchase something new or add a service without causing any financial hardships? And, perhaps more importantly, at what point is the promotion no longer worth it?

The majority of promotions go off without a hitch. It is probably safe to say that most of them have either a positive or neutral effect. Companies must be prepared, however, for those rare deals that negatively impact businesses’ finances or reputation.

While Buffalo Wild Wings’ risk management approach to this promotion may have intervened in time to save them from a worse fate, others have not been so lucky.

Take, for example, seafood chain Red Lobster’s 2003 all-you-can-eat summer crab leg special that ultimately put the company in hot water. Parent company Darden’s then Chief Executive Joe Lee was quoted as saying, “It wasn’t the second helping, it was the third that hurt.” “And the fourth,” then Red Lobster President Dick Rivera added on a conference call to investors.

The deal lasted a bit too long and was linked to the wipeout of $405.9 million in stock value in a single session, with stock prices dropping 12%.

Red Lobster isn’t alone. In 2009, Kentucky Fried Chicken decided to introduce its new grilled chicken option by hiring mega star Oprah Winfrey to make an announcement during her show, giving away an online voucher for a free lunch. About 16 million people printed out the voucher. Stores ran out of food and eventually stopped accepting the coupon. Even worse, competitors jumped in and offered discounted meals to voucher holders.

Then there was McDonald’s, which gave away MP3 players with viruses; an unapproved promotion code for free Domino’s pizza was leaked to 10,000 people; and the obvious consequences of a 10 cent beer night at a Cleveland Indians game. What could go wrong? (Hint: chaos ensued.)

Risk management can play a vital role in supporting marketing initiatives, like the creation of an effective promotion. And, for practitioners managing an enterprise risk management program, it highlights just how important collaboration between different business areas really is.

Companies can be blinded by opportunities that include increased traffic, return customers and add-on purchases. Some deals are just too good to be true—not just for the consumer, but the company making the offer as well. It is apparent that the downside of the promotion must be carefully assessed and that tolerance limits be set in order to know when to pull the plug on a deal.

When developing a risk tolerance statement for a promotion, it’s important to also realize that the financial losses associated with a promotion are not always the only thing to look at, and might not be a bad thing at all.

Take a look at Costco, which refuses to raise the price on its $4.99 rotisserie chicken and $1.50 hotdogs.

“I can only tell you what history has shown us: When others were raising their chicken prices from $4.99 to $5.99, we were willing to eat, if you will, $30 to $40 million a year in gross margin by keeping it at $4.99,” the bulk wholesale giant’s Chief Financial Officer Richard Galanti told the Seattle Times in 2015.

The philosophy is rather simple and has worked for Costco. Cheap, delicious rotisserie chicken brings people into their warehouses. And, hopefully, on their way to pick up dinner, they will also grab new patio furniture, a television, golf clubs, a 64 oz. jar of mayonnaise and a five pound bag of cashews. The wholesaler banks on statistics indicating that consumers spend on average $136 each time they enter the warehouse.

Developing a promotion should not be done on a whim. Careful consideration must be taken before the promotion is introduced. Many different groups within the organization should be included in the conversation…and risk management can take the lead on bringing those groups together and initiating the dialogue.

So, before the company serves up that next mouth-watering deal, risk management must realize that it has a real opportunity to support value creation and show its worth way before the pot boils over.

Reputational Crises Put CEOs at Risk

When reputational crises hit, market cap, sales, margins and profits are all on the line. And these situations are becoming more frequent—and more costly—than ever, with a recent study showing that losses from reputational attacks have increased by more than 400% in the past five years.

But it is not only the corporate entity facing challenges; individuals in leadership—particularly CEOs—face personal risk as well. It has become clear that CEOs need tools to protect themselves as well as their companies’ reputations. Since damage from reputational attacks takes place in the court of public opinion, traditional liability solutions, such as directors and officers coverage, are not effective. But new tools are available in the form of a reputation assurance solution that can help deter attacks from even happening, and bundled insurances to mitigate the damage when they do occur.

Research by Steel City Re has found that:

  • Financial losses related to reputational attacks have increased by more than 400% in the past five years, a trend that continues.
  • There is an increase in public anger and, as a result, more blame is being cast upon recognizable targets, such as CEOs.
  • Anger by stakeholders is fueled by disappointment—the gap between expectations and reality—which is all too often fueled by the company’s own actions.

Against that backdrop, the turnover rate among CEOs is increasing, with 58 of the S&P 500’s CEOs transitioning out of their jobs in 2016 according to SpencerStuart (although not all as a result of reputational crises). That is the highest number since 2006, a 13% increase over 2015, and a 57% increase over 2012.

If that weren’t enough reason for concern, history shows that when strong companies and their brands come under fire, their reputations eventually recover, despite the initial and medium-term impacts. Individual reputations of those companies’ leadership are not nearly as resilient, however, especially at a time when society, be it the media, social media, politicians or direct stakeholders, seems intent on personifying crises and affixing blame on individuals in positions of authority. And for CEOs, a reputational crisis can affect their career and compensation for many years ahead.

In this environment, it is essential that risk managers understand the tools that are available to protect both companies and senior executives personally. Serving as a third-party warranty and available only to highly qualified insureds, reputation insurance attests to the efficacy of the company’s governance and operational practices, as adopted and overseen by the board and implemented by the CEO. Such coverage can deter reputational attacks in much the same way as a security sign on the front lawn deters burglars. It is a sign of quality governance. And when incidents do occur, it provides a built-in alternative narrative to counter the attacks that are bound to occur. Finally, it gives the company and key individuals financial indemnification to mitigate any damage that ultimately does take place.

Just as “doing the right thing” did not protect directors and officers from liability in the era before the wide adoption of D&O insurance, it is no guarantee that attacks in the court of public opinion won’t take a significant financial toll. But it is one of the few solutions proven in the court of public opinion. In today’s culture, reputations are in jeopardy as never before and risk managers must utilize all tools available to protect those on the front lines.