Reputational Crises Put CEOs at Risk

When reputational crises hit, market cap, sales, margins and profits are all on the line. And these situations are becoming more frequent—and more costly—than ever, with a recent study showing that losses from reputational attacks have increased by more than 400% in the past five years.

But it is not only the corporate entity that faces these challenges; individuals in leadership—particularly CEOs—face personal risk as well. It has become clear that CEOs need tools to protect themselves as well as their companies’ reputations. Since damage from reputational attacks takes place in the court of public opinion, traditional liability solutions, such as directors and officers coverage, are not effective. But new tools are available in the form of a reputation assurance solution that can help deter attacks from happening at all, and bundled insurance to mitigate the damage when they do occur.

Research by Steel City Re has found that:

  • Financial losses related to reputational attacks have increased by more than 400% in the past five years, a trend that continues.
  • There is an increase in public anger and, as a result, more blame is being cast upon recognizable targets, such as CEOs.
  • Anger by stakeholders is fueled by disappointment—the gap between expectations and reality—which is all too often fueled by the company’s own actions.

Against that backdrop, the turnover rate among CEOs is increasing, with 58 of the S&P 500’s CEOs transitioning out of their jobs in 2016 according to SpencerStuart (although not all as a result of reputational crises). That is the highest number since 2006, a 13% increase over 2015, and a 57% increase over 2012.

If that weren’t enough reason for concern, history shows that when strong companies and their brands come under fire, their reputations eventually recover, despite the initial and medium-term impacts. The individual reputations of those companies’ leaders are not nearly as resilient, however, especially at a time when society, be it the media, social media, politicians or direct stakeholders, seems intent on personifying crises and affixing blame on individuals in positions of authority. And for CEOs, a reputational crisis can affect their career and compensation for many years ahead.

In this environment, it is essential that risk managers understand the tools that are available to protect both companies and senior executives personally. Serving as a third-party warranty and available only to highly qualified insureds, reputation insurance attests to the efficacy of the company’s governance and operational practices, as adopted and overseen by the board and implemented by the CEO. Such coverage can deter reputational attacks in much the same way as a security sign on the front lawn deters burglars. It is a sign of quality governance. And when incidents do occur, it provides a built-in alternative narrative to counter the attacks that are bound to follow. Finally, it gives the company and key individuals financial indemnification to mitigate any damage that ultimately does take place.

Just as “doing the right thing” did not protect directors and officers from liability in the era before the wide adoption of D&O insurance, it is no guarantee that attacks in the court of public opinion won’t take a significant financial toll. But it is one of the few solutions proven in the court of public opinion. In today’s culture, reputations are in jeopardy as never before and risk managers must utilize all tools available to protect those on the front lines.

Smaller Companies More Vulnerable to Employee Theft

It stands to reason that larger organizations would be more at risk of embezzlement by employees, but the reverse has been shown to be the case. Organizations with fewer than 150 employees are particularly at risk, accounting for 82% of all embezzlement cases, Hiscox found in its new report, Embezzlement Study: A report on White Collar Crime in America. Smaller organizations with tight-knit workforces are particularly vulnerable because of the trust and empowerment given to employees.

Incorporating employee theft cases active in the U.S. federal court system in 2015, the study found that 69% involved companies with fewer than 500 employees. Perpetrators are often “regular people who are smart, well-liked, and those you’d least expect to steal,” according to Hiscox. How does a trusted employee become a criminal? Motivations can range from financial pressure to a belief that they are underpaid by the company.

Employees with more tenure, access and control over finances are found to take the largest amounts. While the type of fraud can vary by industry, what is consistent is access to funds. In fact, managers were found more likely to steal than other employees.

For the second year in a row, the greatest number of cases, 17%, was in the financial services industry and second was nonprofits at 16%. Labor unions ranked third, followed by real estate/construction. The largest scheme was a $16.7 million loss in Texas; followed by ones in Connecticut at $9 million, Ohio at $8.7 million and Utah at $4 million.

Schemes include taking cash or bank deposits, forging checks, fraudulent credit card use, fake invoices and false billing of vendors and payroll fraud.

Companies can protect themselves in a number of ways, including putting checks and balances in place, performing background checks on employees who handle money and teaching employees how to detect fraud, according to Hiscox.

The study findings also include:

Vendor Risk Management: The Full Definition

Vendor risk management (VRM) is the practice of evaluating business partners, associates, or third-party vendors both before a business relationship is established and during the duration of your business contract. This is an important concept and practice to put in place during the evaluation of your vendors and the procurement process.

A key feature of VRM is understanding your vendor’s cybersecurity program. This allows you to understand how well they’re going to be able to secure your data, both from a physical and cyber perspective. VRM helps ensure that your vendors have a contractual obligation for specific requirements and standards, therefore mitigating your organization’s risk.

There are a number of risks vendors can bring to your enterprise, including the legal, reputational and financial risks outlined below.

There are many legal risks associated with sharing sensitive information with third parties. For instance, if your vendor is breached and you lose your customers’ personally identifiable information (PII) like social security numbers or health care records, the law clearly states that you are responsible—not your vendor. Or, if you fail to spell out security expectations in your vendor contract, you may have no legal recourse whatsoever if your vendor compromises your data.

So much of vendor risk management is based on reputation. You are able to ask a lot of questions at the beginning of the vendor procurement process that may help you weed out the businesses you’d rather not work with, but you should also be monitoring news feeds during the procurement process. You, of course, would want to know if a business associate has been hit with a lawsuit during the time you were engaged with them and how that could affect the performance of their contract with you. And don’t forget about the reputational harm that could affect your company if your customers’ sensitive information is stolen due to an unsecure vendor.

If a vendor has a poor financial record or past performance, you’ll want to know that information before engaging in a business relationship. That’s why a lot of companies do credit monitoring for their vendors. You’ll also likely want to ask other organizations who have previously done business with the third party in question for references. This way, you’ll be able to clearly evaluate the vendor’s project plan and all the different things they’re planning to do before entering into a contractual relationship.

Of the various risks a vendor poses, some need only periodic updates, because they are relevant only at certain points of a business relationship. If you’ve established a vendor’s creditworthiness at the beginning of the process, for example, you’ll likely feel quite comfortable about their financial standing during the rest of the process. This is a good example of how some elements of vendor risk do not require continuous monitoring. Cyberrisk, however, is not quite as simple.

Cyberrisk is unique in that things can happen on a moment’s notice which could catastrophically damage your organization. You simply cannot rely on periodic or infrequent snapshots and assessments of your vendor’s health to understand cyberrisk. The thing that makes cybersecurity “special” is that it can pose financial, reputational, and legal risks.

It’s important to understand that cyberrisk management doesn’t end when your vendor signs a contract. Managing vendor cyberrisk requires persistent awareness of whether the vendor is meeting your security expectations. You have to know at all times whether they are accessing your network in an unauthorized manner, or if your most important data could be jeopardized by their actions. Any slip-up or incident may have a catastrophic impact on your business (and lead to some pretty embarrassing headlines).
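One concrete form of the continuous monitoring the paragraph above calls for is to check every third-party login against the scope written into the vendor contract: which systems the vendor account may reach, and during which maintenance window. The following is an added example, not code from the original article or from any vendor-risk product; the log format, the account naming convention (`vendor-` prefix), the host names and the two policies are all constructed assumptions for illustration.

```python
"""Check third-party (vendor) access against the contracted scope.

Added example. The log layout, account names, host names and policies below
are constructed assumptions for illustration, not from any real contract,
product or log source.
"""
from dataclasses import dataclass
from datetime import datetime, time


@dataclass(frozen=True)
class VendorPolicy:
    """Assumed contractual scope: reachable hosts and a UTC maintenance window."""
    allowed_hosts: frozenset
    window_start: time
    window_end: time


# Assumed policies, one per contracted vendor account.
POLICIES = {
    "vendor-hvac": VendorPolicy(frozenset({"bms-controller-01"}), time(8, 0), time(18, 0)),
    "vendor-payroll": VendorPolicy(frozenset({"hr-db-01", "hr-app-01"}), time(6, 0), time(22, 0)),
}

# Constructed sample access log: ISO timestamp (UTC), account, destination host, result.
SAMPLE_LOG = """\
2024-03-04T09:15:02Z vendor-hvac bms-controller-01 ALLOW
2024-03-04T02:41:17Z vendor-hvac bms-controller-01 ALLOW
2024-03-04T10:03:44Z vendor-hvac hr-db-01 ALLOW
2024-03-04T11:30:00Z vendor-payroll hr-db-01 ALLOW
2024-03-04T11:31:12Z vendor-unknown fileserver-02 ALLOW
2024-03-04T12:00:00Z vendor-payroll hr-app-01 DENY
"""


def parse_line(line):
    """Split one constructed log line into (datetime, account, host, result)."""
    ts, account, host, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), account, host, result


def evaluate_access(log_text, policies=POLICIES):
    """Return (account, host, reason) findings for vendor access outside scope.

    Three conditions are flagged: a vendor account with no policy on file,
    access to a host not in the contracted set, and a successful login
    outside the agreed maintenance window. Denied attempts inside scope are
    not findings here; they are already blocked by the access control itself.
    """
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        when, account, host, result = parse_line(line)
        if not account.startswith("vendor-"):
            continue  # assumed convention: only third-party accounts carry this prefix
        policy = policies.get(account)
        if policy is None:
            findings.append((account, host, "no contract/policy on file for this account"))
            continue
        if host not in policy.allowed_hosts:
            findings.append((account, host, "host outside contracted scope"))
        elif result == "ALLOW" and not (policy.window_start <= when.time() <= policy.window_end):
            findings.append((account, host, "successful access outside maintenance window"))
    return findings


if __name__ == "__main__":
    for account, host, reason in evaluate_access(SAMPLE_LOG):
        print(f"{account} -> {host}: {reason}")
```

Run against the constructed log, the check reports the HVAC account logging in at 02:41 (outside its window), the HVAC account reaching an HR database it has no business touching, and an account with no contract on file at all; the payroll vendor’s in-scope activity produces nothing. The policy table is the part that ties the check back to the contract: if an expectation is not written down there, this kind of monitoring cannot enforce it, which is the same point the article makes about spelling out security expectations in the vendor agreement.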

Some losses from “traditional risks” can be recuperated easily and quickly. If a food and beverage vendor doesn’t show up one day to cater a meeting, you’re only dealing with a limited amount of loss. Or, if a vendor doesn’t complete a project to your expectations, there are reasonable steps you can take to remedy the situation without dramatically impacting the bottom line.

But if someone hacks into your corporate network through a vendor and steals your most precious data, the outcome could be catastrophic. Your reputation can be damaged irrevocably, financial losses can be huge, and legal liability may be hard to transfer to your vendor. This is why vendor risk management—and especially IT risk management—is not something to be taken lightly. All angles must be examined with every vendor, both large and small.

Why Aren’t We Performing Risk Management Well?

Whenever a project is being planned, risk management has to be part of the equation – things rarely go smoothly or completely as expected, and there will always be areas that present more risks than others. Whether they affect the projected timeframes, budgets or outcomes, it is the job of the project manager to identify them and ensure that provisions are in place to limit their impact should they occur.

However, failures are made in risk management every day – they helped to trigger the economic crisis in 2008, demonstrating that even the world’s biggest banks, which take financial and logistical risks every day, are not immune to risk mismanagement. With this in mind, it’s understandable that smaller projects and processes might suffer from errors made in risk management.

Why aren’t we performing risk management well, then? With project management an ever-growing sector and more and more jobs being created every day, the next generation of risk managers needs to be able to identify issues in order to rectify them.

Unknown Unknowns

One of the most problematic aspects of risk management is the concept of “unknown unknowns” – the risks that we can’t predict and don’t even know could occur. As thorough as a risk management plan might be, there are some areas that it just can’t cover because they technically do not exist until the project has started and will arise as a result of the ongoing work.

There is little that can be done about unknown unknowns – the only way that they can be completely avoided is if the project is never started, which is not a viable option. Any project inherently contains risks, but they can be risks that work out positively for the project and the organization. There is every chance that unknown unknowns may turn out that way.

Lack of Data

A lot of project risks are identified using historical data, which isn’t always credible – in the stock market, it is impossible to figure out future trends by using past events, and it’s the same here. However, data can be utilised to an extent, which means that the job is made a lot more difficult when it isn’t available.

A recent survey by the Economist Intelligence Unit states that more than half of risk executives at banks around the world have insufficient data to support a robust risk management strategy – therefore, there is no reason to suggest that, should the situation be the same in other industries, they would be any better equipped to produce a decent risk management strategy with the same data deficiencies.

On a very basic level, it can be quite intimidating to think about the number of risks that a project might possess, and risk managers can be concerned about seeming overly negative, affecting people’s opinions of the project and potentially the methods and processes used to complete the project. One might argue that if someone lacks this kind of forthrightness, they should not be involved in project management, but it is a weakness that has to be legislated for.

To not perform risk management thoroughly, however, smacks of incompetence and costs the organization as a whole both time and money. The responsible thing is to highlight risks so that they can be planned for in the event that they occur. Don’t worry about telling stakeholders anything they don’t want to hear – it just might trigger a different, better way of doing things.